On 5/11/2026 4:27 AM, Zishun Yi wrote:
The Zicfilp extension adds the MLPE field to the mseccfg CSR. According
to the RISC-V Privileged Specification, mseccfg exists if any extension
that adds a field to it is implemented.
Currently, the `have_mseccfg()` predicate function checks for Smepmp,
Zkr, and Smmpm, but misses Zicfilp. As a result, if a CPU is configured
with `zicfilp=true` but without the other extensions, accessing the
mseccfg CSR will incorrectly raise an illegal instruction exception.
This patch adds the missing check for `ext_zicfilp` to ensure the CSR
is properly accessible when the Zicfilp extension is enabled.
This issue was discovered and reported by SpecHunter, an AI-driven
architecture specification analysis tool.
Link:
https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2561/qemu.txt
Signed-off-by: Zishun Yi <[email protected]>
---
Reviewed-by: Daniel Henrique Barboza <[email protected]>
v2: Removed mistakenly added #include "cpu_bits.h".
v3: add a missing space after the Link tag clon
target/riscv/csr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da366cf56271..e1cd4a299cb0 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -783,6 +783,9 @@ static RISCVException have_mseccfg(CPURISCVState *env, int
csrno)
if (riscv_cpu_cfg(env)->ext_smmpm) {
return RISCV_EXCP_NONE;
}
+ if (riscv_cpu_cfg(env)->ext_zicfilp) {
+ return RISCV_EXCP_NONE;
+ }
return RISCV_EXCP_ILLEGAL_INST;
}
