[PATCH v5 0/2] RISC-V: KVM: Fix array out-of-bounds in firmware counter reads

Jiakai Xu posted 2 patches 3 weeks, 1 day ago
Posted by Jiakai Xu 3 weeks, 1 day ago
When a guest reads a firmware PMU counter via
SBI_EXT_PMU_COUNTER_FW_READ or SBI_EXT_PMU_COUNTER_FW_READ_HI without
first configuring it with SBI_EXT_PMU_COUNTER_CFG_MATCH, the counter's
event_idx remains SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF).

get_event_code() extracts the lower 16 bits from event_idx, yielding
0xFFFF, which is then used to index into kvpmu->fw_event[]. Since the
fw_event array only contains RISCV_KVM_MAX_FW_CTRS entries, this results
in an out-of-bounds access that can be detected by UBSAN.

Patch 1 fixes the issue by validating the firmware event code before
accessing the fw_event array and returning -EINVAL for invalid values.

After fixing the kernel behavior, the existing KVM selftest
(sbi_pmu_test) fails because it attempts to read firmware counters
without configuring them first. Patch 2 updates the selftest to
configure a firmware event before reading the counter and adds a
negative test to ensure that reading an unconfigured firmware counter
fails gracefully.

Jiakai Xu (2):
  RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and
    pmu_fw_ctr_read_hi()
  RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test

 arch/riscv/kvm/vcpu_pmu.c                     | 14 +++++++
 .../testing/selftests/kvm/include/riscv/sbi.h | 37 +++++++++++++++++++
 .../selftests/kvm/riscv/sbi_pmu_test.c        | 20 +++++++++-
 3 files changed, 70 insertions(+), 1 deletion(-)

-- 
2.34.1
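Added example, not code from the series or from the kernel: a constructed C model of the read path the cover letter describes, with the bounds check that patch 1 adds before fw_event[] is indexed. RISCV_KVM_MAX_FW_CTRS is assumed to be 32 and the counter count (NUM_CTRS) is a hypothetical 4; the real struct layout in vcpu_pmu.c is not reproduced.

```c
/* Constructed model of the read path the cover letter describes, not the
 * kernel's vcpu_pmu.c; RISCV_KVM_MAX_FW_CTRS is assumed to be 32 here. */
#include <errno.h>
#include <stdint.h>
#define RISCV_KVM_MAX_FW_CTRS     32
#define SBI_PMU_EVENT_IDX_INVALID 0xFFFFFFFFUL
#define NUM_CTRS                  4 /* hypothetical number of guest counters */

struct kvm_pmc { unsigned long event_idx; };
struct kvm_pmu {
	struct kvm_pmc pmc[NUM_CTRS];
	uint64_t fw_event[RISCV_KVM_MAX_FW_CTRS]; /* per firmware-event counts */
};

/* Lower 16 bits of event_idx, as the cover letter describes get_event_code(). */
static unsigned int get_event_code(unsigned long event_idx)
{
	return event_idx & 0xFFFF;
}

/* Fresh vCPU PMU: every counter starts unconfigured, all fw counts at zero. */
static void kvm_pmu_init(struct kvm_pmu *kvpmu)
{
	for (int i = 0; i < RISCV_KVM_MAX_FW_CTRS; i++)
		kvpmu->fw_event[i] = 0;
	for (int i = 0; i < NUM_CTRS; i++)
		kvpmu->pmc[i].event_idx = SBI_PMU_EVENT_IDX_INVALID;
}

/* Model of COUNTER_CFG_MATCH binding event_idx to counter cidx. */
static int kvm_pmu_cfg_match(struct kvm_pmu *kvpmu, unsigned int cidx, unsigned long event_idx)
{
	if (cidx >= NUM_CTRS)
		return -EINVAL;
	kvpmu->pmc[cidx].event_idx = event_idx;
	return 0;
}

/* Fixed read path: bounds-check the event code before indexing fw_event[].
 * An unconfigured counter yields code 0xFFFF and now fails with -EINVAL. */
static int kvm_pmu_fw_ctr_read(struct kvm_pmu *kvpmu, unsigned int cidx, uint64_t *out)
{
	if (cidx >= NUM_CTRS)
		return -EINVAL;
	unsigned int fw_code = get_event_code(kvpmu->pmc[cidx].event_idx);
	if (fw_code >= RISCV_KVM_MAX_FW_CTRS)
		return -EINVAL;
	*out = kvpmu->fw_event[fw_code];
	return 0;
}
```

Without the `fw_code` check, the unconfigured case would index fw_event[0xFFFF], which is the out-of-bounds access UBSAN reports.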
Re: [PATCH v5 0/2] RISC-V: KVM: Fix array out-of-bounds in firmware counter reads
Posted by Anup Patel 1 week, 3 days ago
On Mon, Mar 16, 2026 at 7:15 AM Jiakai Xu <xujiakai2025@iscas.ac.cn> wrote:
>
> When a guest reads a firmware PMU counter via
> SBI_EXT_PMU_COUNTER_FW_READ or SBI_EXT_PMU_COUNTER_FW_READ_HI without
> first configuring it with SBI_EXT_PMU_COUNTER_CFG_MATCH, the counter's
> event_idx remains SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF).
>
> get_event_code() extracts the lower 16 bits from event_idx, yielding
> 0xFFFF, which is then used to index into kvpmu->fw_event[]. Since the
> fw_event array only contains RISCV_KVM_MAX_FW_CTRS entries, this results
> in an out-of-bounds access that can be detected by UBSAN.
>
> Patch 1 fixes the issue by validating the firmware event code before
> accessing the fw_event array and returning -EINVAL for invalid values.
>
> After fixing the kernel behavior, the existing KVM selftest
> (sbi_pmu_test) fails because it attempts to read firmware counters
> without configuring them first. Patch 2 updates the selftest to
> configure a firmware event before reading the counter and adds a
> negative test to ensure that reading an unconfigured firmware counter
> fails gracefully.
>
> Jiakai Xu (2):
>   RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and
>     pmu_fw_ctr_read_hi()
>   RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test
>
>  arch/riscv/kvm/vcpu_pmu.c                     | 14 +++++++
>  .../testing/selftests/kvm/include/riscv/sbi.h | 37 +++++++++++++++++++
>  .../selftests/kvm/riscv/sbi_pmu_test.c        | 20 +++++++++-
>  3 files changed, 70 insertions(+), 1 deletion(-)
>
> --
> 2.34.1
>

Queued this series for Linux-7.1

Thanks,
Anup