Commit c7504ba2a5 for qemu.org

commit c7504ba2a560fd884557f6e5142f03b491aad0c7
Author: Vulnerability Report <vr@darknavy.com>
Date:   Fri Jan 9 10:35:48 2026 +0800

    hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

    Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().

    Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
    Fixes: CVE-2026-0665
    Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
    Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
    Signed-off-by: Vulnerability Report <vr@darknavy.com>
    Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
index b65871f354..8b243984e4 100644
--- a/hw/i386/kvm/xen_evtchn.c
+++ b/hw/i386/kvm/xen_evtchn.c
@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
             return pirq;
         }
         map->pirq = pirq;
-    } else if (pirq > s->nr_pirqs) {
+    } else if (pirq >= s->nr_pirqs) {
         return -EINVAL;
     } else {
         /*
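Review bot: the commit message does not say what the corrected comparison at `} else if (pirq >= s->nr_pirqs) {` protects. It states only that pirq == s->nr_pirqs is now rejected. Since the change carries a CVE tag, one sentence naming what the final `else` branch indexes with `pirq`, and that valid values are 0 to s->nr_pirqs - 1, would let backporters and downstream maintainers judge the impact without reading the whole function. The old `>` test is an easy off-by-one to repeat, so it is also worth confirming that any other PIRQ hypercall handler in xen_evtchn.c that validates a guest-supplied pirq against s->nr_pirqs uses `>=` as well, and considering a small shared validity helper so the bound is written in one place.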