[PW_SID:1067079] RISC-V: KVM: Fix array out-of-bounds in firmware counter reads#1616

Open
linux-riscv-bot wants to merge 2 commits into workflow__riscv__fixes from pw1067079

@linux-riscv-bot

PR for series 1067079 applied to workflow__riscv__fixes

Name: RISC-V: KVM: Fix array out-of-bounds in firmware counter reads
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=1067079
Version: 5

6eanut added 2 commits March 16, 2026 04:26
…_read_hi()

When a guest invokes SBI_EXT_PMU_COUNTER_FW_READ or
SBI_EXT_PMU_COUNTER_FW_READ_HI on a firmware counter that has not been
configured via SBI_EXT_PMU_COUNTER_CFG_MATCH, the pmc->event_idx remains
SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF). get_event_code() extracts the
lower 16 bits, yielding 0xFFFF (65535), which is then used to index into
kvpmu->fw_event[]. Since fw_event is only RISCV_KVM_MAX_FW_CTRS (32)
entries, this triggers an array-index-out-of-bounds:

  UBSAN: array-index-out-of-bounds in arch/riscv/kvm/vcpu_pmu.c:255:37
  index 65535 is out of range for type 'kvm_fw_event [32]'

Add a check for the known unconfigured case (SBI_PMU_EVENT_IDX_INVALID)
and a WARN_ONCE guard for any unexpected out-of-bounds event codes,
returning -EINVAL in both cases.

Fixes: badc386 ("RISC-V: KVM: Support firmware events")
Fixes: 08fb07d ("RISC-V: KVM: Support 64 bit firmware counters on RV32")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
The current sbi_pmu_test attempts to read firmware counters without
configuring them first with SBI_EXT_PMU_COUNTER_CFG_MATCH.

Previously this did not fail because KVM incorrectly allowed the read
and accessed fw_event[] with an out-of-bounds index when the counter
was unconfigured. After fixing that bug, the read now correctly returns
SBI_ERR_INVALID_PARAM, causing the selftest to fail.

Update the test to configure a firmware event before reading the
counter. Also add a negative test to ensure that attempting to read an
unconfigured firmware counter fails gracefully.

Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
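
The index derivation described in the first commit message, as an added user-space example (not code from the patch or the kernel). The `model_*` names and the sample `event_idx` values are hypothetical; the bound uses the 32-entry array size quoted above, because the page does not give the value of `SBI_PMU_FW_MAX` that the patch compares against.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SBI_PMU_EVENT_IDX_INVALID 0xFFFFFFFFu /* value quoted in the commit message */
#define RISCV_KVM_MAX_FW_CTRS     32          /* fw_event[] size per the commit message */

/* Hypothetical user-space stand-ins for the kernel structures. */
struct model_fw_event { uint64_t value; };
struct model_pmc { uint32_t event_idx; };

static struct model_fw_event fw_event[RISCV_KVM_MAX_FW_CTRS];

/* Per the commit message, get_event_code() keeps the lower 16 bits. */
static uint32_t model_get_event_code(uint32_t event_idx)
{
	return event_idx & 0xFFFFu;
}

/* Pre-fix: the index used with no validation (returned here, never dereferenced). */
static uint32_t model_index_before_fix(const struct model_pmc *pmc)
{
	return model_get_event_code(pmc->event_idx);
}

/* Post-fix shape: reject the unconfigured sentinel, then bound the index. */
static int model_fw_ctr_read(const struct model_pmc *pmc, uint64_t *out)
{
	uint32_t code;

	if (pmc->event_idx == SBI_PMU_EVENT_IDX_INVALID)
		return -EINVAL; /* counter never went through CFG_MATCH */
	code = model_get_event_code(pmc->event_idx);
	if (code >= RISCV_KVM_MAX_FW_CTRS) /* the patch compares against SBI_PMU_FW_MAX */
		return -EINVAL;
	*out = fw_event[code].value;
	return 0;
}

int main(void)
{
	struct model_pmc bad = { .event_idx = SBI_PMU_EVENT_IDX_INVALID };
	uint64_t v = 0;

	printf("pre-fix index %u into %d entries\n",
	       (unsigned)model_index_before_fix(&bad), RISCV_KVM_MAX_FW_CTRS);
	printf("post-fix read returns %d\n", model_fw_ctr_read(&bad, &v));
	return 0;
}
```
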
@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 137.25 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 1027.60 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1389.38 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 26.09 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 27.50 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 1.59 seconds
Result: WARNING
Output:

CHECK: Alignment should match open parenthesis
#45: FILE: arch/riscv/kvm/vcpu_pmu.c:231:
+	if (WARN_ONCE(fevent_code >= SBI_PMU_FW_MAX,
+	    "Invalid firmware event code: %d\n", fevent_code))

CHECK: Alignment should match open parenthesis
#60: FILE: arch/riscv/kvm/vcpu_pmu.c:262:
+		if (WARN_ONCE(fevent_code >= SBI_PMU_FW_MAX,
+		    "Invalid firmware event code: %d\n", fevent_code))

total: 0 errors, 0 warnings, 2 checks, 28 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

Commit 9e960025dd42 ("RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()") has style problems, please review.

NOTE: Ignored message types: ALLOC_SIZEOF_STRUCT CAMELCASE COMMIT_LOG_LONG_LINE GIT_COMMIT_ID MACRO_ARG_REUSE NO_AUTHOR_SIGN_OFF

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.
total: 0 errors, 0 warnings, 2 checks, 28 lines checked
CHECK: Alignment should match open parenthesis


@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 81.38 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.23 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
kdoc
Desc: Detects for kdoc errors
Duration: 0.82 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
module-param
Desc: Detect module_param changes
Duration: 0.24 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.31 seconds
Result: PASS

@linux-riscv-bot

Patch 1: "[v5,1/2] RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 0.49 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
build-rv32-defconfig
Desc: Builds riscv32 defconfig
Duration: 135.75 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
build-rv64-clang-allmodconfig
Desc: Builds riscv64 allmodconfig with Clang, and checks for errors and added warnings
Duration: 998.61 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
build-rv64-gcc-allmodconfig
Desc: Builds riscv64 allmodconfig with GCC, and checks for errors and added warnings
Duration: 1344.10 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
build-rv64-nommu-k210-defconfig
Desc: Builds riscv64 defconfig with NOMMU for K210
Duration: 26.18 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
build-rv64-nommu-k210-virt
Desc: Builds riscv64 defconfig with NOMMU for the virt platform
Duration: 28.10 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
checkpatch
Desc: Runs checkpatch.pl on the patch
Duration: 1.00 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
dtb-warn-rv64
Desc: Checks for Device Tree warnings/errors
Duration: 82.94 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
header-inline
Desc: Detects static functions without inline keyword in header files
Duration: 0.22 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
kdoc
Desc: Detects for kdoc errors
Duration: 0.85 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
module-param
Desc: Detect module_param changes
Duration: 0.24 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
verify-fixes
Desc: Verifies that the Fixes: tags exist
Duration: 0.21 seconds
Result: PASS

@linux-riscv-bot

Patch 2: "[v5,2/2] RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test"
verify-signedoff
Desc: Verifies that Signed-off-by: tags are correct
Duration: 0.29 seconds
Result: PASS
