From nobody Tue Apr  7 18:47:01 2026
Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com
 [205.220.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E4443F23D8
	for <linux-kernel@vger.kernel.org>; Fri, 27 Feb 2026 13:50:41 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=205.220.180.131
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772200243; cv=none;
 b=aRBxKzYAcbCPg1WjX+px9P8NIuQE04xfZoQ2otseUU6FV0QIVdLDd8192DgaJa6MUBunNzN+QGrKgN/XuzgScayktH8ue8uKxqeFuyZSThgSvSGEP/tMdJZvuF1uNiwfMlpggz8MPCJ2mvyja4h4/xXKJev+q7zWtP9RoYZalqk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772200243; c=relaxed/simple;
	bh=c0baeBiKFtNIsavdttVW3dygLzDcANxJx5K2Q81vcXE=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;
 b=LMWXD+G4jVrcFgXmk6WUsQ9Ny3fHleSLMizZORlPrxdZIfcnnoKOBlkBnkv+fs0GblRAE5+1j2b4yvXBqUMv1Bf8uQL+Qr378rSMUVM+aOaSpABJ9yf+Fb0JN0C2lpHwWQFpXWIwkMOGAxajvxCfNOQoewWFlrgXBLid1F2FzlA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com;
 spf=pass smtp.mailfrom=oss.qualcomm.com;
 dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b=XR3vXfwI;
 dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b=B/K+9RLO; arc=none smtp.client-ip=205.220.180.131
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b="XR3vXfwI";
	dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b="B/K+9RLO"
Received: from pps.filterd (m0279871.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 61RAlm3E1873162
	for <linux-kernel@vger.kernel.org>; Fri, 27 Feb 2026 13:50:40 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h=
	cc:content-transfer-encoding:content-type:date:from:message-id
	:mime-version:subject:to; s=qcppdkim1; bh=UCqPGnCmWVQCsvHc/I8KF7
	mIauDPj2v0RjbE6kW19F0=; b=XR3vXfwIypu+k3TAlyzhOMwyBXzSoy3roAsh08
	jyjRjY0elVLYz5y8pD+WyB/LhJLYpXfDYRT9NEqFEj3UpgeZoLFP1MSsPx/D0OD0
	mZqZupUhNcV1IhlGRYWgmVoq0yq3IcSeA9jwIw7/7CBhQlqvTZ7HYjcfkXl4dpop
	/x5aD+b/GfUt9DVbz8AIXlSEPC+z+wnNkoCBhxoWnNHsDuS3cfYYT3nLRdxb6fgU
	MOjGevHIjTCdJ2MYtCrmw24aZrbPk4GpryBFDNSVcIxEK3Q0s6IhEP9HCndZOUAh
	nHWVZXarrQP5qyGOBFTOrCOh6Vy6P/UFD6T7Rt1BN7nCFFRg==
Received: from mail-qk1-f198.google.com (mail-qk1-f198.google.com
 [209.85.222.198])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4cjuytu5xa-1
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT)
	for <linux-kernel@vger.kernel.org>; Fri, 27 Feb 2026 13:50:39 +0000 (GMT)
Received: by mail-qk1-f198.google.com with SMTP id
 af79cd13be357-8c70ab7f67fso2336243185a.3
        for <linux-kernel@vger.kernel.org>;
 Fri, 27 Feb 2026 05:50:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=oss.qualcomm.com; s=google; t=1772200239; x=1772805039;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=UCqPGnCmWVQCsvHc/I8KF7mIauDPj2v0RjbE6kW19F0=;
        b=B/K+9RLOUULiRka65uzwUEZgWfA8Y6jhCSQ1mK3nyK4p0D6ktaNEeqZ1RBhBKFIJ9d
         PtJJnnL0WJNnD4Cl8nNB0bKGeHsr6X+KUaL8EgVb2nUqBnXqt0v7Ed3RqYMvntwhVJaC
         vfRRo9WMY9/Hr4okHg8ggqYASZfSXlguAT+eESx7KU7wFlPCPbsYUPzDMfv+OOKlbCmO
         1HQl6X7KtxX4K5SYyati/qkuGWH6AnAdR7HD031QN6k6OmTQ0ilKY7hZ9AjP1k/cHweo
         Sldyo8GrkPYDYszMr5RdE0xR2ZgSTvE6lVLDWt9FbO/q20AlH9nN4Bkc44GVsMWsToVW
         llDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772200239; x=1772805039;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=UCqPGnCmWVQCsvHc/I8KF7mIauDPj2v0RjbE6kW19F0=;
        b=j+ydVfucUkVATIHeJMNQG1aYT9oQ9961egFrVzPxssP9EgVXEa36+utNC2GbbsqafC
         RxrKtb9P5eVYn6z6Hhdea2YYdhyds31vnxVs23w94LasVVZDsjjDMzYRVTGIr+ITBBuX
         PcLfWE3uKKjunSQzJABWzHiFonowyEovLNcvT0NygSagnzsa8oRxHqGtkkvooEdeFUyA
         WJtyLM5ONzvJkTI1GYiIoD3HpjizlcfPmKLjxYrUNCqa3KDV5NuAHjpWxv8Oq0xN5E8O
         w+yj9illCO3u850BYdU0V3mqcdphu/DbKoe4brpHnonkIweGvNhaCqbQL8YijiHWqOzQ
         yj/w==
X-Forwarded-Encrypted: i=1;
 AJvYcCUxTQ4nTRWTUIK4Q8jjgLWMMKl/VeGHKmK1ojmmKtuQEetmPx2DeQkaY/NGO2fR+Yngd/PdUYO+BqWv30o=@vger.kernel.org
X-Gm-Message-State: AOJu0YyuYp66xv/9jGNHKxmKTSuyth6jE09dUoEvMt+/AUsTfwQ3Zsb2
	MMJ5YzB41wSSn8ojV/Vs9BLZguD8SX5f/xK8l7q2B/+RDYkVKF+ixQT5geMVjOY0aAeq9/tCvMN
	ykSFvAc/WOnpjX8yZeqtJqkbbEVD2lXcpWPxN4RJ6RX7qxxaKbUZvFMU9GAzY+wPPbro=
X-Gm-Gg: ATEYQzxNkxNWKi4Yl5r+qC5ABYQHc0Pq2Gphd1SqQ7V0orVkCpxIeYn72ETk2EY+wfV
	l17d9yLE0i4h7OpITnPuvYrtJQdc1wVSWEjssXcR/7eLK8dq+VRK/cyRg11dgl0YENyOlrEG0AV
	BCffeQL+iAsbknpxjHY6vuHRJPkkxF7gWEitUXr6F3EHfIUnIooFsiCF/Bm7x7fNIsWwNzVDgkj
	SqYBn9z+V09dVb7EC6L3HR95aKEPjKj8Ww60Oh9TZCKWrSSSoySSK9lPafIejLa9tJZ2HlmVzaz
	gqCPsO7aRSopB3Mg1CQ/Hl0LVxTeerZrtWiEqN7dg4L3nz+J0Q+yhVbgvkhQszOqDKLq1wRie4f
	YqTgbF4nguughk/9fU4n2jPV9GvVgmCwErtgF7QF5DJDIuYv30mIND5vRyHKI
X-Received: by 2002:a05:620a:28c2:b0:8c8:8126:7770 with SMTP id
 af79cd13be357-8cbc8e7b3e4mr334774685a.67.1772200238899;
        Fri, 27 Feb 2026 05:50:38 -0800 (PST)
X-Received: by 2002:a05:620a:28c2:b0:8c8:8126:7770 with SMTP id
 af79cd13be357-8cbc8e7b3e4mr334771285a.67.1772200238459;
        Fri, 27 Feb 2026 05:50:38 -0800 (PST)
Received: from localhost (ip-86-49-242-13.bb.vodafone.cz. [86.49.242.13])
        by smtp.gmail.com with ESMTPSA id
 a640c23a62f3a-b935aec7091sm149414866b.58.2026.02.27.05.50.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 27 Feb 2026 05:50:37 -0800 (PST)
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
 <radim.krcmar@oss.qualcomm.com>
To: kvm-riscv@lists.infradead.org
Cc: Lukas Gerlach <lukas.gerlach@cispa.de>, Anup Patel <anup@brainfault.org>,
        Atish Patra <atish.patra@linux.dev>, Paul Walmsley <pjw@kernel.org>,
        Palmer Dabbelt <palmer@dabbelt.com>,
 Albert Ou <aou@eecs.berkeley.edu>,
        Alexandre Ghiti <alex@ghiti.fr>,
        Andrew Jones <ajones@ventanamicro.com>, kvm@vger.kernel.org,
        linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] RISC-V: KVM: fix off-by-one array access in SBI PMU
Date: Fri, 27 Feb 2026 13:46:16 +0000
Message-ID: <20260227134617.23378-1-radim.krcmar@oss.qualcomm.com>
X-Mailer: git-send-email 2.51.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Authority-Analysis: v=2.4 cv=bJIb4f+Z c=1 sm=1 tr=0 ts=69a1a12f cx=c_pps
 a=qKBjSQ1v91RyAK45QCPf5w==:117 a=9tUHzIdeCh+UoOnba06Qjw==:17
 a=IkcTkHD0fZMA:10 a=HzLeVaNsDn8A:10 a=M51BFTxLslgA:10 a=s4-Qcg_JpJYA:10
 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=3WHJM1ZQz_JShphwDgj5:22
 a=EUspDBNiAAAA:8 a=9SFidOni61YWn9SpgYUA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10
 a=zZCYzV9kfG8A:10 a=NFOGd7dJGGMPyQGDc5-O:22
X-Proofpoint-ORIG-GUID: jbxly5i_gEMuqTX9ksDIAPhq1_TsrbuI
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMjI3MDEyMyBTYWx0ZWRfX61g7MvqLPwX+
 0LMMy6dDEVcIFOen9lvNqMUAmPPawi0QasNMP7t0cF/KxkMZnFuUexJesjXbPV7DuhevpzS8SJw
 L3Zp8wvgRFWBVGX7UQz66Sj2QSsuTsX2YmmiRquDYcifip+Le/lxBsx1vkI7yjgEzL7jtb56I0L
 Pdhe7R0Rhkr7ephuNqzItYoobWNKzx0MviZBqJYCV8jEbxFHZPVZUYn17+yCWlj9yKnH4Ps6jdU
 FExdMoJ1KtnxnHhcN6bqWFu/WZPfV5A5BnoZIKHGBO5TWR68tIUytsiZBx4xWlJxfR63AXFwuSO
 Z6ncx8FsBTg0JvNP7XF9vZOfzqBxMUZl+N1Sf+jUJ1xQ8gUNemon5H9Z+hjDTAJ+XrNClQGfYBd
 l4BII3g+WeS4WXN4skRqKPUqrdJz/fgkdYZQ9ZRJ4D4iNzwz5NDr+PCPdOXt7RXzvgTwPez/Fmn
 olIPHrxKy1PJq6IHlNg==
X-Proofpoint-GUID: jbxly5i_gEMuqTX9ksDIAPhq1_TsrbuI
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-02-27_02,2026-02-27_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 spamscore=0 lowpriorityscore=0 clxscore=1015 priorityscore=1501 bulkscore=0
 adultscore=0 phishscore=0 suspectscore=0 impostorscore=0 malwarescore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.22.0-2602130000 definitions=main-2602270123

The indexed array only has RISCV_KVM_MAX_COUNTERS elements.
The out-of-bound access could have been performed by a guest, but it
could only access another guest accessible data.

Fixes: 8f0153ecd3bf ("RISC-V: KVM: Add skeleton support for perf")
Signed-off-by: Radim Kr=C4=8Dm=C3=A1=C5=99 <radim.krcmar@oss.qualcomm.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
---
 arch/riscv/kvm/vcpu_pmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
index 4d8d5e9aa53d..aec6b293968b 100644
--- a/arch/riscv/kvm/vcpu_pmu.c
+++ b/arch/riscv/kvm/vcpu_pmu.c
@@ -520,7 +520,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, =
unsigned long cidx,
 {
 	struct kvm_pmu *kvpmu =3D vcpu_to_pmu(vcpu);
=20
-	if (cidx > RISCV_KVM_MAX_COUNTERS || cidx =3D=3D 1) {
+	if (cidx >=3D RISCV_KVM_MAX_COUNTERS || cidx =3D=3D 1) {
 		retdata->err_val =3D SBI_ERR_INVALID_PARAM;
 		return 0;
 	}
--=20
2.51.2