From f8174fc30ae62d3ea107d10da048d4d2c662a7ac Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 24 Jul 2025 08:45:19 +0200
Subject: [PATCH] 6.12-stable patches

added patches:
	kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
---
 ...ation-of-xen-schedop-poll-hypercalls.patch | 36 +++++++++++++++++++
 queue-6.12/series                             |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 queue-6.12/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch

diff --git a/queue-6.12/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch b/queue-6.12/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
new file mode 100644
index 0000000000..b56059eb05
--- /dev/null
+++ b/queue-6.12/kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
@@ -0,0 +1,36 @@
+From 5a53249d149f48b558368c5338b9921b76a12f8c Mon Sep 17 00:00:00 2001
+From: Manuel Andreas <manuel.andreas@tum.de>
+Date: Wed, 23 Jul 2025 17:51:20 +0200
+Subject: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
+
+From: Manuel Andreas <manuel.andreas@tum.de>
+
+commit 5a53249d149f48b558368c5338b9921b76a12f8c upstream.
+
+kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
+for more than one event channel potr (nr_ports > 1).
+
+After the kmalloc_array(), the error paths need to go through the
+"out" label, but the call to kvm_read_guest_virt() does not.
+
+Fixes: 92c58965e965 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
+Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Manuel Andreas <manuel.andreas@tum.de>
+[Adjusted commit message. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/xen.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/xen.c
++++ b/arch/x86/kvm/xen.c
+@@ -1472,7 +1472,7 @@ static bool kvm_xen_schedop_poll(struct
+ 	if (kvm_read_guest_virt(vcpu, (gva_t)sched_poll.ports, ports,
+ 				sched_poll.nr_ports * sizeof(*ports), &e)) {
+ 		*r = -EFAULT;
+-		return true;
++		goto out;
+ 	}
+ 
+ 	for (i = 0; i < sched_poll.nr_ports; i++) {
diff --git a/queue-6.12/series b/queue-6.12/series
index 08e3909dfa..e7c3a69319 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -156,3 +156,4 @@ drm-xe-mocs-initialize-mocs-index-early.patch
 drm-xe-move-page-fault-init-after-topology-init.patch
 smb-client-let-smbd_post_send_iter-respect-the-peers-max_send_size-and-transmit-all-data.patch
 iommu-vt-d-fix-misplaced-domain_attached-assignment.patch
+kvm-x86-xen-fix-cleanup-logic-in-emulation-of-xen-schedop-poll-hypercalls.patch
-- 
2.47.2