6.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Jul 2025 06:45:28 +0000 (08:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Jul 2025 06:45:28 +0000 (08:45 +0200)
added patches:
kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch

queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch [new file with mode: 0644]
queue-6.15/series

diff --git a/queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch b/queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
new file mode 100644 (file)
index 0000000..c83b9d0
--- /dev/null
@@ -0,0 +1,36 @@
+From 5a53249d149f48b558368c5338b9921b76a12f8c Mon Sep 17 00:00:00 2001
+From: Manuel Andreas <manuel.andreas@tum.de>
+Date: Wed, 23 Jul 2025 17:51:20 +0200
+Subject: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
+
+From: Manuel Andreas <manuel.andreas@tum.de>
+
+commit 5a53249d149f48b558368c5338b9921b76a12f8c upstream.
+
+kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
+for more than one event channel potr (nr_ports > 1).
+
+After the kmalloc_array(), the error paths need to go through the
+"out" label, but the call to kvm_read_guest_virt() does not.
+
+Fixes: 92c58965e965 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Manuel Andreas <manuel.andreas@tum.de>
+[Adjusted commit message. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/xen.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/xen.c
++++ b/arch/x86/kvm/xen.c
+@@ -1526,7 +1526,7 @@ static bool kvm_xen_schedop_poll(struct
+       if (kvm_read_guest_virt(vcpu, (gva_t)sched_poll.ports, ports,
+                               sched_poll.nr_ports * sizeof(*ports), &e)) {
+               *r = -EFAULT;
+-              return true;
++              goto out;
+       }
+       for (i = 0; i < sched_poll.nr_ports; i++) {
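Review bot: The embedded commit message (the lines above `---`) says the `kvm_read_guest_virt()` error path must reach `out`, but it never says what is lost when it does not; going by the `kmalloc_array()` mention this is presumably the `ports` buffer, which would make it a host kernel memory leak on a failure the guest can cause. For triage in a stable queue that impact is worth one sentence, e.g. `Returning directly leaks the ports array allocated for nr_ports > 1.`, though upstream text is normally carried unchanged. `kvm_xen_schedop_poll()` starts and ends outside the quoted hunk, so whether any other exit between the allocation and `out` still returns directly cannot be checked from this page. The `Fixes:` tag names 92c58965e965 and only the 6.15 queue is visible here; other stable trees carrying that commit presumably need the same backport.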
index adf34882390e86ca64cab5e154b9817806d23292..0014463d20eecc3d9f43fd0d6a0cb1112dabaa05 100644 (file)
@@ -185,3 +185,4 @@ sched-ext-prevent-update_locked_rq-calls-with-null-rq.patch
 drm-xe-mocs-initialize-mocs-index-early.patch
 drm-xe-move-page-fault-init-after-topology-init.patch
 smb-client-let-smbd_post_send_iter-respect-the-peers-max_send_size-and-transmit-all-data.patch
+kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch