From 64782df9c7d78fb3bbb8aa4902f07e7eb20d990f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 24 Jul 2025 08:45:06 +0200
Subject: [PATCH] 6.6-stable patches

added patches:
	kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
---
 ...ation-of-xen-schedop-poll-hypercalls.patch | 36 +++++++++++++++++++
 queue-6.6/series                              |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 queue-6.6/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch

diff --git a/queue-6.6/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch b/queue-6.6/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
new file mode 100644
index 0000000000..90c607f924
--- /dev/null
+++ b/queue-6.6/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
@@ -0,0 +1,36 @@
+From 5a53249d149f48b558368c5338b9921b76a12f8c Mon Sep 17 00:00:00 2001
+From: Manuel Andreas <manuel.andreas@tum.de>
+Date: Wed, 23 Jul 2025 17:51:20 +0200
+Subject: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
+
+From: Manuel Andreas <manuel.andreas@tum.de>
+
+commit 5a53249d149f48b558368c5338b9921b76a12f8c upstream.
+
+kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
+for more than one event channel potr (nr_ports > 1).
+
+After the kmalloc_array(), the error paths need to go through the
+"out" label, but the call to kvm_read_guest_virt() does not.
+
+Fixes: 92c58965e965 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Manuel Andreas <manuel.andreas@tum.de>
+[Adjusted commit message. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/xen.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/xen.c
++++ b/arch/x86/kvm/xen.c
+@@ -1260,7 +1260,7 @@ static bool kvm_xen_schedop_poll(struct
+ 	if (kvm_read_guest_virt(vcpu, (gva_t)sched_poll.ports, ports,
+ 				sched_poll.nr_ports * sizeof(*ports), &e)) {
+ 		*r = -EFAULT;
+-		return true;
++		goto out;
+ 	}
+ 
+ 	for (i = 0; i < sched_poll.nr_ports; i++) {
diff --git a/queue-6.6/series b/queue-6.6/series
index a932c41241..8ebf8230e2 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -109,3 +109,4 @@ revert-selftests-bpf-adjust-dummy_st_ops_success-to-detect-additional-error.patc
 revert-selftests-bpf-dummy_st_ops-should-reject-0-for-non-nullable-params.patch
 i2c-omap-fix-deprecated-of_property_read_bool-use.patch
 nvmem-layouts-u-boot-env-remove-crc32-endianness-conversion.patch
+kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
-- 
2.47.2