--- /dev/null
+From 5a53249d149f48b558368c5338b9921b76a12f8c Mon Sep 17 00:00:00 2001
+From: Manuel Andreas <manuel.andreas@tum.de>
+Date: Wed, 23 Jul 2025 17:51:20 +0200
+Subject: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
+
+From: Manuel Andreas <manuel.andreas@tum.de>
+
+commit 5a53249d149f48b558368c5338b9921b76a12f8c upstream.
+
+kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
+for more than one event channel potr (nr_ports > 1).
+
+After the kmalloc_array(), the error paths need to go through the
+"out" label, but the call to kvm_read_guest_virt() does not.
+
+Fixes: 92c58965e965 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Manuel Andreas <manuel.andreas@tum.de>
+[Adjusted commit message. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/xen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/xen.c
++++ b/arch/x86/kvm/xen.c
+@@ -1472,7 +1472,7 @@ static bool kvm_xen_schedop_poll(struct
+ if (kvm_read_guest_virt(vcpu, (gva_t)sched_poll.ports, ports,
+ sched_poll.nr_ports * sizeof(*ports), &e)) {
+ *r = -EFAULT;
+- return true;
++ goto out;
+ }
+
+ for (i = 0; i < sched_poll.nr_ports; i++) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
