4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 May 2020 09:12:21 +0000 (11:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 May 2020 09:12:21 +0000 (11:12 +0200)
added patches:
btrfs-fix-block-group-leak-when-removing-fails.patch
drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch
drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch
drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch

queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch [new file with mode: 0644]
queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch [new file with mode: 0644]
queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch [new file with mode: 0644]
queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch b/queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch
new file mode 100644 (file)
index 0000000..a80218e
--- /dev/null
@@ -0,0 +1,95 @@
+From f6033c5e333238f299c3ae03fac8cc1365b23b77 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Tue, 21 Apr 2020 10:54:11 +0800
+Subject: btrfs: fix block group leak when removing fails
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit f6033c5e333238f299c3ae03fac8cc1365b23b77 upstream.
+
+btrfs_remove_block_group() invokes btrfs_lookup_block_group(), which
+returns a local reference of the block group that contains the given
+bytenr to "block_group" with increased refcount.
+
+When btrfs_remove_block_group() returns, "block_group" becomes invalid,
+so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in several exception handling paths
+of btrfs_remove_block_group(). When those error scenarios occur such as
+btrfs_alloc_path() returns NULL, the function forgets to decrease its
+refcnt increased by btrfs_lookup_block_group() and will cause a refcnt
+leak.
+
+Fix this issue by jumping to "out_put_group" label and calling
+btrfs_put_block_group() when those error scenarios occur.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10645,7 +10645,7 @@ int btrfs_remove_block_group(struct btrf
+       path = btrfs_alloc_path();
+       if (!path) {
+               ret = -ENOMEM;
+-              goto out;
++              goto out_put_group;
+       }
+       /*
+@@ -10684,7 +10684,7 @@ int btrfs_remove_block_group(struct btrf
+               ret = btrfs_orphan_add(trans, inode);
+               if (ret) {
+                       btrfs_add_delayed_iput(inode);
+-                      goto out;
++                      goto out_put_group;
+               }
+               clear_nlink(inode);
+               /* One for the block groups ref */
+@@ -10707,13 +10707,13 @@ int btrfs_remove_block_group(struct btrf
+       ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
+       if (ret < 0)
+-              goto out;
++              goto out_put_group;
+       if (ret > 0)
+               btrfs_release_path(path);
+       if (ret == 0) {
+               ret = btrfs_del_item(trans, tree_root, path);
+               if (ret)
+-                      goto out;
++                      goto out_put_group;
+               btrfs_release_path(path);
+       }
+@@ -10871,9 +10871,9 @@ int btrfs_remove_block_group(struct btrf
+       ret = remove_block_group_free_space(trans, root->fs_info, block_group);
+       if (ret)
+-              goto out;
++              goto out_put_group;
+-      btrfs_put_block_group(block_group);
++      /* Once for the block groups rbtree */
+       btrfs_put_block_group(block_group);
+       ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
+@@ -11131,6 +11131,10 @@ int btrfs_init_space_info(struct btrfs_f
+               flags = BTRFS_BLOCK_GROUP_DATA;
+               ret = update_space_info(fs_info, flags, 0, 0, 0, &space_info);
+       }
++
++out_put_group:
++      /* Once for the lookup reference */
++      btrfs_put_block_group(block_group);
+ out:
+       return ret;
+ }
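Review bot: The `out_put_group:` label and its `btrfs_put_block_group(block_group);` are placed in the wrong function in this 4.9 backport. The last embedded hunk is headed `btrfs_init_space_info` and its context is the `update_space_info()` call, while all five `goto out_put_group;` sites are in `btrfs_remove_block_group()`. As written, the gotos have no label in their own function, and `block_group` is presumably not declared in `btrfs_init_space_info()`, so the tree should fail to build instead of gaining the fix. The hunk at 10871 also removes one put from the success path on the assumption that control falls through to the new label. The label and put belong directly above the `out:` label at the end of `btrfs_remove_block_group()`, which lies outside the lines shown, so the final hunk should be regenerated against the 4.9 source, not applied by matching context.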
diff --git a/queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch b/queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch
new file mode 100644 (file)
index 0000000..af55ffe
--- /dev/null
@@ -0,0 +1,43 @@
+From 6292b8efe32e6be408af364132f09572aed14382 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 23 Apr 2020 18:17:43 +0300
+Subject: drm/edid: Fix off-by-one in DispID DTD pixel clock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 6292b8efe32e6be408af364132f09572aed14382 upstream.
+
+The DispID DTD pixel clock is documented as:
+"00 00 00 h → FF FF FF h | Pixel clock ÷ 10,000 0.01 → 167,772.16 Mega Pixels per Sec"
+Which seems to imply that we to add one to the raw value.
+
+Reality seems to agree as there are tiled displays in the wild
+which currently show a 10kHz difference in the pixel clock
+between the tiles (one tile gets its mode from the base EDID,
+the other from the DispID block).
+
+Cc: stable@vger.kernel.org
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/27
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200423151743.18767-1-ville.syrjala@linux.intel.com
+Reviewed-by: Manasi Navare <manasi.d.navare@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -3970,7 +3970,7 @@ static struct drm_display_mode *drm_mode
+       struct drm_display_mode *mode;
+       unsigned pixel_clock = (timings->pixel_clock[0] |
+                               (timings->pixel_clock[1] << 8) |
+-                              (timings->pixel_clock[2] << 16));
++                              (timings->pixel_clock[2] << 16)) + 1;
+       unsigned hactive = (timings->hactive[0] | timings->hactive[1] << 8) + 1;
+       unsigned hblank = (timings->hblank[0] | timings->hblank[1] << 8) + 1;
+       unsigned hsync = (timings->hsync[0] | (timings->hsync[1] & 0x7f) << 8) + 1;
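Review bot: The new `+ 1` on `pixel_clock` has no comment explaining it, so the adjustment is justified only by the commit message. According to that message, the raw 24-bit field appears to hold the clock in 10 kHz units offset by one, the same convention as the `+ 1` on `hactive`, `hblank` and `hsync` just below. A one-line comment above the declaration would record this, for example `/* DisplayID stores (pixel clock / 10 kHz) - 1, like the other timing fields */`. The function begins and ends outside the hunk, so how the value taken from display-supplied data is validated afterwards cannot be seen here.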
diff --git a/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch
new file mode 100644 (file)
index 0000000..9a17be8
--- /dev/null
@@ -0,0 +1,37 @@
+From 85e9b88af1e6164f19ec71381efd5e2bcfc17620 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 27 Apr 2020 08:32:46 +0300
+Subject: drm/qxl: qxl_release leak in qxl_draw_dirty_fb()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream.
+
+ret should be changed to release allocated struct qxl_release
+
+Cc: stable@vger.kernel.org
+Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@virtuozzo.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_draw.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_draw.c
++++ b/drivers/gpu/drm/qxl/qxl_draw.c
+@@ -348,9 +348,10 @@ void qxl_draw_dirty_fb(struct qxl_device
+               goto out_release_backoff;
+       rects = drawable_set_clipping(qdev, num_clips, clips_bo);
+-      if (!rects)
++      if (!rects) {
++              ret = -EINVAL;
+               goto out_release_backoff;
+-
++      }
+       drawable = (struct qxl_drawable *)qxl_release_map(qdev, release);
+       drawable->clip.type = SPICE_CLIP_TYPE_RECTS;
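Review bot: The line right after the fixed branch casts the result of `qxl_release_map(qdev, release)` to `drawable` and dereferences it on the next line with no check. The same pattern appears in the qxl_hw_surface_alloc patch (`cmd = ... qxl_release_map(...)` followed by `cmd->type = ...`). The definition of `qxl_release_map()` is not on this page, but if it can return NULL when the mapping fails, both sites would be a kernel NULL dereference on an error path these two fixes leave untouched. A guard in the style this patch introduces would close it, e.g. `if (!drawable) { ret = -ENOMEM; goto out_release_backoff; }`, provided the cleanup after that label (outside the hunk) is correct for a release that is already reserved. Separately, the hunk header shows `qxl_draw_dirty_fb` is `void`, so the `-EINVAL` is never returned and presumably only selects the cleanup; a short comment saying so would help.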
diff --git a/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch
new file mode 100644 (file)
index 0000000..e0619af
--- /dev/null
@@ -0,0 +1,35 @@
+From a65aa9c3676ffccb21361d52fcfedd5b5ff387d7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 27 Apr 2020 08:32:51 +0300
+Subject: drm/qxl: qxl_release leak in qxl_hw_surface_alloc()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit a65aa9c3676ffccb21361d52fcfedd5b5ff387d7 upstream.
+
+Cc: stable@vger.kernel.org
+Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/2e5a13ae-9ab2-5401-aa4d-03d5f5593423@virtuozzo.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_cmd.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_cmd.c
++++ b/drivers/gpu/drm/qxl/qxl_cmd.c
+@@ -500,9 +500,10 @@ int qxl_hw_surface_alloc(struct qxl_devi
+               return ret;
+       ret = qxl_release_reserve_list(release, true);
+-      if (ret)
++      if (ret) {
++              qxl_release_free(qdev, release);
+               return ret;
+-
++      }
+       cmd = (struct qxl_surface_cmd *)qxl_release_map(qdev, release);
+       cmd->type = QXL_SURFACE_CMD_CREATE;
+       cmd->flags = QXL_SURF_FLAG_KEEP_DATA;
index 6a92190e3f3ecdbbd3b665ad216c332aeb7c7dd0..c495f172641b0f58754a2885edfc1f52295f73cf 100644 (file)
@@ -1 +1,5 @@
 ext4-fix-special-inode-number-checks-in-__ext4_iget.patch
+drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch
+drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch
+drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch
+btrfs-fix-block-group-leak-when-removing-fails.patch