Re: [PATCH] KVM: x86: Clamp the EOI vector if it's OOB instead of bugging the kernel
From: Sean Christopherson
Date: Wed Jun 24 2026 - 09:20:01 EST
On Wed, Jun 24, 2026, Paolo Bonzini wrote:
> On 6/18/26 20:55, Sean Christopherson wrote:
> > If KVM handles an I/O APIC EOI exit request with a bad vector, clamp the
> > vector to 255 and hope for the best instead of bugging the host. In all
> > likelihood, a missed EOI is survivable for the guest, and it's most
> > definitely not remotely fatal to the host, i.e. potentially panicking the
> > host is completely unjustified. Arbitrarily use 255 for the dummy vector,
> > the goal is purely to ensure the vector is covered by the bitmap.
> >
> > Opportunistically ensure the EOI vector isn't negative, as it's a signed
> > integer, i.e. the "greater than 255" check won't guard against setting the
> > vector to a negative value (KVM uses -1 to say "no IRQ" in many flows).
> >
> > Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> > ---
> > arch/x86/kvm/x86.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > index d9d51803b7b2..fda09e03b960 100644
> > --- a/arch/x86/kvm/x86.c
> > +++ b/arch/x86/kvm/x86.c
> > @@ -11212,7 +11212,10 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
> > if (kvm_check_request(KVM_REQ_NMI, vcpu))
> > process_nmi(vcpu);
> > if (kvm_check_request(KVM_REQ_IOAPIC_EOI_EXIT, vcpu)) {
> > - BUG_ON(vcpu->arch.pending_ioapic_eoi > 255);
> > + if (WARN_ON_ONCE(vcpu->arch.pending_ioapic_eoi < 0 ||
> > + vcpu->arch.pending_ioapic_eoi > 255))
> > + vcpu->arch.pending_ioapic_eoi = 255;
> > +
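Review bot: the clamp in this hunk does not drop the bogus request, it substitutes vector 255 and lets the EOI handling that follows proceed with it, so an out-of-range value would be turned into an EOI for a real vector (255) that the guest may actually be using. Since the commit message says a missed EOI is survivable and the only goal is to keep the bitmap index in range, skipping the EOI for this request after the WARN_ON_ONCE() would be the safer fallback than delivering one for an arbitrary vector. If the clamp is kept, a one-line comment at `vcpu->arch.pending_ioapic_eoi = 255;` saying that 255 is an arbitrary in-range placeholder would save the next reader from looking for a meaning in it. The `< 0` half of the check also only exists because the field is a signed int; if the value can never legitimately be negative here, narrowing the field's type removes the need for that half of the check entirely.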
>
> Yay, it's my turn to say "why?!?" I'm not going to go full Linus on
> it :) but I've been waiting for the moment for years!
LOL. Well, well, well, if it isn't the consequences of my own actions.
> If this happens we have a much bigger problem: the vector is set in
> kvm_ioapic_send_eoi() and ultimately comes from apic_find_highest_isr().
> It is simply not going to happen.
>
> Unlike pending_external_vector or highest_stale_pending_ioapic_eoi, this
> cannot even be -1...255 so make it u8 and call it a day?
Ya, that's waaay better, especially since pending_ioapic_eoi defaults to '0'
anyways.