[PATCH 0/2] RISC-V: KVM: Fix array out-of-bounds in firmware counter reads
From: Jiakai Xu
Date: Fri Mar 06 2026 - 02:38:58 EST

When a guest reads a firmware PMU counter via SBI_EXT_PMU_COUNTER_FW_READ
or SBI_EXT_PMU_COUNTER_FW_READ_HI without first configuring it through
SBI_EXT_PMU_COUNTER_CFG_MATCH, pmc->event_idx is
SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF). get_event_code() extracts the
lower 16 bits as 0xFFFF, which is used to index into the 32-entry
kvpmu->fw_event[] array, triggering a UBSAN array-index-out-of-bounds.

Both pmu_ctr_read() and pmu_fw_ctr_read_hi() are affected. Since they
were introduced in separate commits, the fixes are split accordingly:

Patch 1: Fix pmu_ctr_read()
Patch 2: Fix pmu_fw_ctr_read_hi()

Jiakai Xu (2):
  RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read()
  RISC-V: KVM: Fix array out-of-bounds in pmu_fw_ctr_read_hi()

 arch/riscv/kvm/vcpu_pmu.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.34.1
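As an added illustration (not the kernel's code and not the patches themselves), a user-space model of the index derivation the cover letter describes, beside a read routine that rejects an unconfigured counter before it touches the array. The struct layouts, FW_EVENT_COUNT, EINVAL_RET and the sample event index 0xF0003 are assumptions chosen for the model.

```c
/* Constructed model of the firmware-counter read path; not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define SBI_PMU_EVENT_IDX_INVALID 0xFFFFFFFFUL
#define FW_EVENT_COUNT 32   /* 32-entry fw_event[] per the cover letter */
#define EINVAL_RET (-22)    /* stand-in for the kernel's -EINVAL */

struct fw_event { uint64_t value; };
struct kvm_pmu { struct fw_event fw_event[FW_EVENT_COUNT]; };
struct kvm_pmc { unsigned long event_idx; uint64_t counter_val; };

/* Lower 16 bits of the event index, as the cover letter describes. */
static unsigned long get_event_code(unsigned long event_idx)
{
	return event_idx & 0xFFFF;
}

/* Unchecked path: an unconfigured counter yields code 0xFFFF (>= 32). */
static long demo_unchecked_index(void)
{
	struct kvm_pmc pmc = { .event_idx = SBI_PMU_EVENT_IDX_INVALID };

	return (long)get_event_code(pmc.event_idx);
}

/* Checked read: refuse an unconfigured counter and any code past the array. */
static int fw_ctr_read_checked(const struct kvm_pmu *kvpmu,
			       struct kvm_pmc *pmc, uint64_t *out)
{
	unsigned long code;

	if (pmc->event_idx == SBI_PMU_EVENT_IDX_INVALID)
		return EINVAL_RET;
	code = get_event_code(pmc->event_idx);
	if (code >= FW_EVENT_COUNT)
		return EINVAL_RET;
	*out = kvpmu->fw_event[code].value;
	pmc->counter_val = *out;
	return 0;
}

/* Returns the counter value read, or -1 when the checked read refuses. */
static long long demo_checked_read(unsigned long event_idx)
{
	struct kvm_pmu kvpmu = {0};
	struct kvm_pmc pmc = { .event_idx = event_idx };
	uint64_t out = 0;

	kvpmu.fw_event[3].value = 42;   /* constructed sample counter value */
	if (fw_ctr_read_checked(&kvpmu, &pmc, &out) != 0)
		return -1;
	return (long long)out;
}
```

Run against an invalid event_idx the unchecked path produces index 0xFFFF, which is what UBSAN flags; the checked path returns an error instead of reading memory past the array.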