From 2471d3ef6d4a74530a1f55aff7cb01b2f5bbcd5c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Jun 2020 20:19:52 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
	drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
	selinux-fix-double-free.patch
---
 ...format-drm_dp_check_act_status-a-bit.patch | 72 +++++++++++++++++++
 ...rt-address-when-creating-cursor-ring.patch | 40 +++++++++++
 queue-4.9/selinux-fix-double-free.patch       | 46 ++++++++++++
 queue-4.9/series                              |  3 +
 4 files changed, 161 insertions(+)
 create mode 100644 queue-4.9/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
 create mode 100644 queue-4.9/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
 create mode 100644 queue-4.9/selinux-fix-double-free.patch

diff --git a/queue-4.9/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch b/queue-4.9/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
new file mode 100644
index 00000000000..51499eb9504
--- /dev/null
+++ b/queue-4.9/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
@@ -0,0 +1,72 @@
+From a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Fri, 3 Apr 2020 14:08:32 -0400
+Subject: drm/dp_mst: Reformat drm_dp_check_act_status() a bit
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f upstream.
+
+Just add a bit more line wrapping, get rid of some extraneous
+whitespace, remove an unneeded goto label, and move around some variable
+declarations. No functional changes here.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+[this isn't a fix, but it's needed for the fix that comes after this]
+Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
+Cc: Sean Paul <sean@poorly.run>
+Cc: <stable@vger.kernel.org> # v3.17+
+Reviewed-by: Sean Paul <sean@poorly.run>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200406221253.1307209-3-lyude@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2682,33 +2682,31 @@ fail:
+  */
+ int drm_dp_check_act_status(struct drm_dp_mst_topology_mgr *mgr)
+ {
++	int count = 0, ret;
+ 	u8 status;
+-	int ret;
+-	int count = 0;
+ 
+ 	do {
+-		ret = drm_dp_dpcd_readb(mgr->aux, DP_PAYLOAD_TABLE_UPDATE_STATUS, &status);
+-
++		ret = drm_dp_dpcd_readb(mgr->aux,
++					DP_PAYLOAD_TABLE_UPDATE_STATUS,
++					&status);
+ 		if (ret < 0) {
+-			DRM_DEBUG_KMS("failed to read payload table status %d\n", ret);
+-			goto fail;
++			DRM_DEBUG_KMS("failed to read payload table status %d\n",
++				      ret);
++			return ret;
+ 		}
+ 
+ 		if (status & DP_PAYLOAD_ACT_HANDLED)
+ 			break;
+ 		count++;
+ 		udelay(100);
+-
+ 	} while (count < 30);
+ 
+ 	if (!(status & DP_PAYLOAD_ACT_HANDLED)) {
+-		DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", status, count);
+-		ret = -EINVAL;
+-		goto fail;
++		DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n",
++			      status, count);
++		return -EINVAL;
+ 	}
+ 	return 0;
+-fail:
+-	return ret;
+ }
+ EXPORT_SYMBOL(drm_dp_check_act_status);
+ 
diff --git a/queue-4.9/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch b/queue-4.9/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
new file mode 100644
index 00000000000..4f44ade0a0d
--- /dev/null
+++ b/queue-4.9/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
@@ -0,0 +1,40 @@
+From 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 31 Mar 2020 14:18:08 +0800
+Subject: drm/qxl: Use correct notify port address when creating cursor ring
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 upstream.
+
+The command ring and cursor ring use different notify port addresses
+definition: QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR. However, in
+qxl_device_init() we use QXL_IO_NOTIFY_CMD to create both command ring
+and cursor ring. This doesn't cause any problems now, because QEMU's
+behaviors on QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR are the same.
+However, QEMU's behavior may be change in future, so let's fix it.
+
+P.S.: In the X.org QXL driver, the notify port address of cursor ring
+      is correct.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: <stable@vger.kernel.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1585635488-17507-1-git-send-email-chenhc@lemote.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_kms.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_kms.c
++++ b/drivers/gpu/drm/qxl/qxl_kms.c
+@@ -199,7 +199,7 @@ static int qxl_device_init(struct qxl_de
+ 				&(qdev->ram_header->cursor_ring_hdr),
+ 				sizeof(struct qxl_command),
+ 				QXL_CURSOR_RING_SIZE,
+-				qdev->io_base + QXL_IO_NOTIFY_CMD,
++				qdev->io_base + QXL_IO_NOTIFY_CURSOR,
+ 				false,
+ 				&qdev->cursor_event);
+ 
diff --git a/queue-4.9/selinux-fix-double-free.patch b/queue-4.9/selinux-fix-double-free.patch
new file mode 100644
index 00000000000..22e3f1cdfad
--- /dev/null
+++ b/queue-4.9/selinux-fix-double-free.patch
@@ -0,0 +1,46 @@
+From 65de50969a77509452ae590e9449b70a22b923bb Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Wed, 10 Jun 2020 14:57:13 -0700
+Subject: selinux: fix double free
+
+From: Tom Rix <trix@redhat.com>
+
+commit 65de50969a77509452ae590e9449b70a22b923bb upstream.
+
+Clang's static analysis tool reports these double free memory errors.
+
+security/selinux/ss/services.c:2987:4: warning: Attempt to free released memory [unix.Malloc]
+                        kfree(bnames[i]);
+                        ^~~~~~~~~~~~~~~~
+security/selinux/ss/services.c:2990:2: warning: Attempt to free released memory [unix.Malloc]
+        kfree(bvalues);
+        ^~~~~~~~~~~~~~
+
+So improve the security_get_bools error handling by freeing these variables
+and setting their return pointers to NULL and the return len to 0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/services.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2616,8 +2616,12 @@ err:
+ 	if (*names) {
+ 		for (i = 0; i < *len; i++)
+ 			kfree((*names)[i]);
++		kfree(*names);
+ 	}
+ 	kfree(*values);
++	*len = 0;
++	*names = NULL;
++	*values = NULL;
+ 	goto out;
+ }
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index d075cd9b6e0..f7fded8b11d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -80,3 +80,6 @@ bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch
 block-fix-use-after-free-in-blkdev_get.patch
 libata-use-per-port-sync-for-detach.patch
 drm-encoder_slave-fix-refcouting-error-for-modules.patch
+drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
+drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
+selinux-fix-double-free.patch
-- 
2.47.3