On 5/11/2026 12:14 AM, Zishun Yi wrote:
The Zicfilp extension adds the MLPE field to the mseccfg CSR. According
to the RISC-V Privileged Specification, mseccfg exists if any extension
that adds a field to it is implemented.

Currently, the `have_mseccfg()` predicate function checks for Smepmp,
Zkr, and Smmpm, but misses Zicfilp. As a result, if a CPU is configured
with `zicfilp=true` but without the other extensions, accessing the
mseccfg CSR will incorrectly raise an illegal instruction exception.

This patch adds the missing check for `ext_zicfilp` to ensure the CSR
is properly accessible when the Zicfilp extension is enabled.

This issue was discovered and reported by SpecHunter, an AI-driven
architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2561/qemu.txt
Signed-off-by: Zishun Yi <[email protected]>
---
target/riscv/csr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da366cf56271..40b17e773236 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -17,6 +17,7 @@
* this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "cpu_bits.h"

I don't think you need this header. LGTM otherwise.

Thanks,
Daniel

#include "qemu/osdep.h"
#include "qemu/log.h"
#include "qemu/timer.h"
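
Review bot: the added `#include "cpu_bits.h"` is placed above `#include "qemu/osdep.h"`, and QEMU's coding style requires qemu/osdep.h to be the first include in every .c file. The only new code in this patch is `riscv_cpu_cfg(env)->ext_zicfilp`, which uses the same accessor as the existing `ext_smmpm` check, so nothing visible here needs the extra header; dropping the line, as the reply suggests, also resolves the ordering problem.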
@@ -783,6 +784,9 @@ static RISCVException have_mseccfg(CPURISCVState *env, int
csrno)
if (riscv_cpu_cfg(env)->ext_smmpm) {
return RISCV_EXCP_NONE;
}
+ if (riscv_cpu_cfg(env)->ext_zicfilp) {
+ return RISCV_EXCP_NONE;
+ }
return RISCV_EXCP_ILLEGAL_INST;
}
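
Review bot: in have_mseccfg(), the new `ext_zicfilp` branch makes the whole mseccfg CSR reachable on a CPU that has Zicfilp but none of Smepmp, Zkr or Smmpm, while the patch only changes this predicate and not the CSR's read/write handlers. Please state in the commit message, or cover with a test for a `zicfilp=true`-only configuration, that in this case only MLPE becomes usable and the fields belonging to the other three extensions are not exposed to the guest. The handlers are not shown in this diff, so this is a request to confirm rather than a reported defect.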