On Tue, Aug 12, 2025 at 3:37 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Mon, 2025-08-04 at 08:44 +0200, Thijs Raymakers wrote:
> > min and dest_id are guest-controlled indices. Using array_index_nospec()
> > after the bounds checks clamps these values to mitigate speculative
> > execution side-channels.
> >
> > Signed-off-by: Thijs Raymakers <thijs@xxxxxxxxxxxx>
> > Cc: stable <stable@xxxxxxxxxx>
> > Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
> > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > ---
> > Sean C. correctly pointed out that max_apic_id is inclusive, while
> > array_index_nospec is not.
>
> Fixes: 715062970f37 ("KVM: X86: Implement PV sched yield hypercall")

And possibly:

  Fixes: bdf7ffc89922 ("KVM: LAPIC: Fix pv ipis out-of-bounds access")

Though, perhaps the blame really lies with commit 4180bf1b655a ("KVM: X86: Implement "send IPI" hypercall").

> ?
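The inclusive/exclusive point from the quoted patch notes, as an added example that is not part of this thread or of the KVM patch: a userspace model of a branch-free index clamp whose size argument is exclusive, applied to a table whose maximum id is inclusive. The names `index_mask`, `clamp_index`, `lookup_off_by_one`, `lookup_inclusive`, `MAX_ID` and `map` are hypothetical, and the model shows only the resulting values, not the speculation-hardening the kernel helper provides.

```c
#include <limits.h>
#include <stdio.h>

#define LONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/* All-ones when index < size, zero otherwise, computed without a branch.
 * Assumes size <= LONG_MAX. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    unsigned long in_range = ~(index | (size - 1UL - index)) >> (LONG_BITS - 1);
    return 0UL - in_range;
}

/* Stand-in for array_index_nospec(index, size): size is exclusive. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & index_mask(index, size);
}

/* Constructed sample: a map with slots 0..MAX_ID, MAX_ID inclusive. */
#define MAX_ID 7UL
static const int map[MAX_ID + 1] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* The bounds check is inclusive, but the clamp receives the inclusive
 * maximum: the valid index MAX_ID is rewritten to 0 and slot 0 is read. */
static int lookup_off_by_one(unsigned long id)
{
    if (id > MAX_ID)
        return -1;
    return map[clamp_index(id, MAX_ID)];
}

/* The clamp receives MAX_ID + 1, so every index the check accepts survives. */
static int lookup_inclusive(unsigned long id)
{
    if (id > MAX_ID)
        return -1;
    return map[clamp_index(id, MAX_ID + 1)];
}

int main(void)
{
    printf("id=7 off-by-one: %d, inclusive: %d\n",
           lookup_off_by_one(7), lookup_inclusive(7));
    return 0;
}
```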