[PW_SID:1062392] RISC-V: KVM: Fix array out-of-bounds in firmware counter reads #1565

Closed
linux-riscv-bot wants to merge 2 commits into workflow__riscv__fixes from pw1062392

@linux-riscv-bot

PR for series 1062392 applied to workflow__riscv__fixes

Name: RISC-V: KVM: Fix array out-of-bounds in firmware counter reads
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=1062392
Version: 1

6eanut added 2 commits March 6, 2026 08:04
When a guest invokes SBI_EXT_PMU_COUNTER_FW_READ on a firmware counter
that has not been configured via SBI_EXT_PMU_COUNTER_CFG_MATCH, the
pmc->event_idx remains SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF).
get_event_code() extracts the lower 16 bits, yielding 0xFFFF (65535),
which is then used to index into kvpmu->fw_event[]. Since fw_event is
only RISCV_KVM_MAX_FW_CTRS (32) entries, this triggers an
array-index-out-of-bounds:

  UBSAN: array-index-out-of-bounds in arch/riscv/kvm/vcpu_pmu.c:255:37
  index 65535 is out of range for type 'kvm_fw_event [32]'

Add a bounds check on fevent_code before accessing the fw_event array,
returning -EINVAL for invalid event codes.

Fixes: badc386 ("RISC-V: KVM: Support firmware events")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>

pmu_fw_ctr_read_hi() has the same issue as pmu_ctr_read(): when a guest
reads a firmware counter that has not been configured, pmc->event_idx is
SBI_PMU_EVENT_IDX_INVALID and get_event_code() returns 0xFFFF, causing
an out-of-bounds access on kvpmu->fw_event[].

Add the same bounds check on fevent_code before accessing the fw_event
array.

Fixes: 08fb07d ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
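
The index computation described in the two commit messages above, as an added user-space C model (not the kernel's vcpu_pmu.c and not code from this patch series). The `*_model` structs, `EVENT_CODE_MASK`, the shared `fw_event_lookup()` helper, and the sample values are assumptions made for illustration; the helper goes slightly beyond the patches by routing both read paths through one check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SBI_PMU_EVENT_IDX_INVALID 0xFFFFFFFFu
#define RISCV_KVM_MAX_FW_CTRS     32
#define EVENT_CODE_MASK           0xFFFFu /* assumed name: "lower 16 bits" */

struct fw_event_model { uint64_t value; };	/* simplified stand-ins */
struct pmc_model { uint32_t event_idx; };
struct kvpmu_model { struct fw_event_model fw_event[RISCV_KVM_MAX_FW_CTRS]; };

/* Constructed sample state: only firmware event code 3 has a value. */
static const struct kvpmu_model sample_kvpmu = { .fw_event[3].value = 0x1122334455667788ULL };

static uint32_t get_event_code(uint32_t event_idx)
{
	return event_idx & EVENT_CODE_MASK;
}

/* Hypothetical helper: one validated lookup shared by both read paths. */
static const struct fw_event_model *
fw_event_lookup(const struct kvpmu_model *kvpmu, const struct pmc_model *pmc)
{
	uint32_t fevent_code = get_event_code(pmc->event_idx);

	if (fevent_code >= RISCV_KVM_MAX_FW_CTRS)
		return NULL; /* 0xFFFF from an unconfigured counter stops here */
	return &kvpmu->fw_event[fevent_code];
}

/* hi == 0 models the full read, hi != 0 the RV32 high-word read. */
static int fw_ctr_read(const struct kvpmu_model *kvpmu,
		       const struct pmc_model *pmc, int hi, uint64_t *out)
{
	const struct fw_event_model *ev = fw_event_lookup(kvpmu, pmc);

	if (!ev)
		return -EINVAL;
	*out = hi ? ev->value >> 32 : ev->value;
	return 0;
}

int main(void)
{
	uint64_t v = 0;
	struct pmc_model unconfigured = { SBI_PMU_EVENT_IDX_INVALID };

	printf("rc=%d\n", fw_ctr_read(&sample_kvpmu, &unconfigured, 0, &v));
	return 0;
}
```
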
@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 136.87 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 1014.38 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1397.78 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 26.70 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 28.38 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 1.68 seconds
Result: WARNING
Output:

WARNING: line length of 107 exceeds 100 columns
#37: FILE: arch/riscv/kvm/vcpu_pmu.c:252:
+			pr_warn("Invalid firmware event code [%d] for counter [%ld]\n", fevent_code, cidx);

total: 0 errors, 1 warnings, 0 checks, 10 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

Commit 86dcc8a7d4fb ("RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()") has style problems, please review.

NOTE: Ignored message types: ALLOC_SIZEOF_STRUCT CAMELCASE COMMIT_LOG_LONG_LINE GIT_COMMIT_ID MACRO_ARG_REUSE NO_AUTHOR_SIGN_OFF

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.
total: 0 errors, 1 warnings, 0 checks, 10 lines checked
WARNING: line length of 107 exceeds 100 columns
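
Review bot: the pr_warn() added at arch/riscv/kvm/vcpu_pmu.c:252 sits on a path that, per the commit message, a guest reaches by invoking SBI_EXT_PMU_COUNTER_FW_READ on an unconfigured firmware counter, so a guest can repeat the call and fill the host log. Use pr_warn_ratelimited() or drop the message and rely on the -EINVAL return; shortening or wrapping the call would also clear the 107-column checkpatch warning.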


@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 84.58 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.24 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
kdoc
Desc: Detects for kdoc errors
Duration: 0.89 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
module-param
Desc: Detect module_param changes
Duration: 0.25 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.27 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 1: "[1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 0.31 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 136.48 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 1015.10 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1384.04 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 27.01 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 27.92 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 0.79 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 82.96 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.24 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
kdoc
Desc: Detects for kdoc errors
Duration: 0.85 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
module-param
Desc: Detect module_param changes
Duration: 0.25 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.28 seconds
Result: PASS

@linux-riscv-bot
Author

Patch 2: "[2/2] RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 0.31 seconds
Result: PASS

@linux-riscv-bot linux-riscv-bot deleted the pw1062392 branch March 10, 2026 07:20