From: Greg Kroah-Hartman Date: Thu, 24 Jul 2025 06:45:28 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.1.147~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b46b71064c686a3ce3d9166e8025a9ad47be9825;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
---
diff --git a/queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch b/queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
new file mode 100644
index 0000000000..c83b9d0c0d
--- /dev/null
+++ b/queue-6.15/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
@@ -0,0 +1,36 @@
+From 5a53249d149f48b558368c5338b9921b76a12f8c Mon Sep 17 00:00:00 2001
+From: Manuel Andreas
+Date: Wed, 23 Jul 2025 17:51:20 +0200
+Subject: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
+
+From: Manuel Andreas
+
+commit 5a53249d149f48b558368c5338b9921b76a12f8c upstream.
+
+kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
+for more than one event channel potr (nr_ports > 1).
+
+After the kmalloc_array(), the error paths need to go through the
+"out" label, but the call to kvm_read_guest_virt() does not.
+
+Fixes: 92c58965e965 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
+Reviewed-by: David Woodhouse
+Signed-off-by: Manuel Andreas
+[Adjusted commit message. - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/xen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/xen.c
++++ b/arch/x86/kvm/xen.c
+@@ -1526,7 +1526,7 @@ static bool kvm_xen_schedop_poll(struct
+ if (kvm_read_guest_virt(vcpu, (gva_t)sched_poll.ports, ports,
+ sched_poll.nr_ports * sizeof(*ports), &e)) {
+ *r = -EFAULT;
+- return true;
++ goto out;
+ }
+
+ for (i = 0; i < sched_poll.nr_ports; i++) {
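Review bot: Nothing at the changed `goto out;` in kvm_xen_schedop_poll() records why a plain return is wrong there, so the next error path added after the allocation can repeat the leak this fix closes. Per the commit message, `ports` comes from kmalloc_array() when nr_ports > 1 and every later exit has to pass through `out`; a short comment above the kvm_read_guest_virt() call, e.g. `/* ports may be heap-allocated (nr_ports > 1): all exits from here on must go through out */`, would state that invariant where it matters. The read takes its address from `sched_poll.ports`, which appears to be guest-supplied, so the failing path is presumably reachable from the guest on demand and the leak is better treated as a host memory-exhaustion concern than a cosmetic one. The allocation and the `out` label both lie outside the hunk, so this is inferred from the description rather than checked against the code.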
diff --git a/queue-6.15/series b/queue-6.15/series
index adf3488239..0014463d20 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
@@ -185,3 +185,4 @@ sched-ext-prevent-update_locked_rq-calls-with-null-rq.patch
 drm-xe-mocs-initialize-mocs-index-early.patch
 drm-xe-move-page-fault-init-after-topology-init.patch
 smb-client-let-smbd_post_send_iter-respect-the-peers-max_send_size-and-transmit-all-data.patch
+kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch