From 8c990f4f55a9d6f5425ca24f749db0dddeb8712f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 May 2020 11:12:21 +0200 Subject: [PATCH] 4.9-stable patches added patches: btrfs-fix-block-group-leak-when-removing-fails.patch drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch --- ...block-group-leak-when-removing-fails.patch | 95 +++++++++++++++++++ ...off-by-one-in-dispid-dtd-pixel-clock.patch | 43 +++++++++ ...xl_release-leak-in-qxl_draw_dirty_fb.patch | 37 ++++++++ ...release-leak-in-qxl_hw_surface_alloc.patch | 35 +++++++ queue-4.9/series | 4 + 5 files changed, 214 insertions(+) create mode 100644 queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch create mode 100644 queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch create mode 100644 queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch create mode 100644 queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch diff --git a/queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch b/queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch new file mode 100644 index 00000000000..a80218efde7 --- /dev/null +++ b/queue-4.9/btrfs-fix-block-group-leak-when-removing-fails.patch 
@@ -0,0 +1,95 @@ +From f6033c5e333238f299c3ae03fac8cc1365b23b77 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Tue, 21 Apr 2020 10:54:11 +0800 +Subject: btrfs: fix block group leak when removing fails + +From: Xiyu Yang + +commit f6033c5e333238f299c3ae03fac8cc1365b23b77 upstream. + +btrfs_remove_block_group() invokes btrfs_lookup_block_group(), which +returns a local reference of the block group that contains the given +bytenr to "block_group" with increased refcount. + +When btrfs_remove_block_group() returns, "block_group" becomes invalid, +so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in several exception handling paths +of btrfs_remove_block_group(). When those error scenarios occur such as +btrfs_alloc_path() returns NULL, the function forgets to decrease its +refcnt increased by btrfs_lookup_block_group() and will cause a refcnt +leak. + +Fix this issue by jumping to "out_put_group" label and calling +btrfs_put_block_group() when those error scenarios occur. 
+ +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10645,7 +10645,7 @@ int btrfs_remove_block_group(struct btrf + path = btrfs_alloc_path(); + if (!path) { + ret = -ENOMEM; +- goto out; ++ goto out_put_group; + } + + /* +@@ -10684,7 +10684,7 @@ int btrfs_remove_block_group(struct btrf + ret = btrfs_orphan_add(trans, inode); + if (ret) { + btrfs_add_delayed_iput(inode); +- goto out; ++ goto out_put_group; + } + clear_nlink(inode); + /* One for the block groups ref */ +@@ -10707,13 +10707,13 @@ int btrfs_remove_block_group(struct btrf + + ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1); + if (ret < 0) +- goto out; ++ goto out_put_group; + if (ret > 0) + btrfs_release_path(path); + if (ret == 0) { + ret = btrfs_del_item(trans, tree_root, path); + if (ret) +- goto out; ++ goto out_put_group; + btrfs_release_path(path); + } + +@@ -10871,9 +10871,9 @@ int btrfs_remove_block_group(struct btrf + + ret = remove_block_group_free_space(trans, root->fs_info, block_group); + if (ret) +- goto out; ++ goto out_put_group; + +- btrfs_put_block_group(block_group); ++ /* Once for the block groups rbtree */ + btrfs_put_block_group(block_group); + + ret = btrfs_search_slot(trans, root, &key, path, -1, 1); +@@ -11131,6 +11131,10 @@ int btrfs_init_space_info(struct btrfs_f + flags = BTRFS_BLOCK_GROUP_DATA; + ret = update_space_info(fs_info, flags, 0, 0, 0, &space_info); + } ++ ++out_put_group: ++ /* Once for the lookup reference */ ++ btrfs_put_block_group(block_group); + out: + return ret; + } 
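Review bot: The hunk that introduces the `out_put_group:` label is anchored at line 11131 under the function marker `int btrfs_init_space_info(struct btrfs_f`, and its context (`flags = BTRFS_BLOCK_GROUP_DATA; ret = update_space_info(...)` followed by `out: return ret;`) is the tail of btrfs_init_space_info(), not of btrfs_remove_block_group() where the four new `goto out_put_group` jumps are added. If the backport really landed there, `block_group` is presumably not in scope in btrfs_init_space_info() and btrfs_remove_block_group() has no `out_put_group` label, so this queue entry would fail to build, and the lookup reference it is meant to drop would still leak on every error path. The label and its `btrfs_put_block_group(block_group);` need to sit immediately before the `out:` label at the end of btrfs_remove_block_group(), whose body continues past the last visible hunk at 10871, so the hunk should be re-placed by hand rather than by context match. A compile of queue-4.9 with this patch applied would confirm or refute the misplacement before release.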
diff --git a/queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch b/queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch new file mode 100644 index 00000000000..af55ffe319f --- /dev/null +++ b/queue-4.9/drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch 
@@ -0,0 +1,43 @@ +From 6292b8efe32e6be408af364132f09572aed14382 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 23 Apr 2020 18:17:43 +0300 +Subject: drm/edid: Fix off-by-one in DispID DTD pixel clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 6292b8efe32e6be408af364132f09572aed14382 upstream. + +The DispID DTD pixel clock is documented as: +"00 00 00 h → FF FF FF h | Pixel clock ÷ 10,000 0.01 → 167,772.16 Mega Pixels per Sec" +Which seems to imply that we to add one to the raw value. + +Reality seems to agree as there are tiled displays in the wild +which currently show a 10kHz difference in the pixel clock +between the tiles (one tile gets its mode from the base EDID, +the other from the DispID block). + +Cc: stable@vger.kernel.org +References: https://gitlab.freedesktop.org/drm/intel/-/issues/27 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20200423151743.18767-1-ville.syrjala@linux.intel.com +Reviewed-by: Manasi Navare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -3970,7 +3970,7 @@ static struct drm_display_mode *drm_mode + struct drm_display_mode *mode; + unsigned pixel_clock = (timings->pixel_clock[0] | + (timings->pixel_clock[1] << 8) | +- (timings->pixel_clock[2] << 16)); ++ (timings->pixel_clock[2] << 16)) + 1; + unsigned hactive = (timings->hactive[0] | timings->hactive[1] << 8) + 1; + unsigned hblank = (timings->hblank[0] | timings->hblank[1] << 8) + 1; + unsigned hsync = (timings->hsync[0] | (timings->hsync[1] & 0x7f) << 8) + 1; diff --git a/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch new file mode 100644 index 00000000000..9a17be8e558 --- /dev/null 
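Review bot: The new `+ 1` on the DispID pixel clock carries no comment explaining why the raw field is off by one, and the neighbouring `hactive`/`hblank`/`hsync` lines apply the same `+ 1` silently, so a future reader may well "fix" it back. Suggest a one-line comment above the `pixel_clock` declaration, e.g. `/* DisplayID DTD fields are stored minus one; pixel clock is in 10 kHz units */`, citing the spec text quoted in the commit message. The 24-bit raw value plus one cannot overflow `unsigned`, so no range check is needed for the addition itself. The enclosing `drm_mode...` function starts and ends outside the hunk.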
+++ b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch @@ -0,0 +1,37 @@ +From 85e9b88af1e6164f19ec71381efd5e2bcfc17620 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 27 Apr 2020 08:32:46 +0300 +Subject: drm/qxl: qxl_release leak in qxl_draw_dirty_fb() + +From: Vasily Averin + +commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream. + +ret should be changed to release allocated struct qxl_release + +Cc: stable@vger.kernel.org +Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations") +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_draw.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/qxl/qxl_draw.c ++++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -348,9 +348,10 @@ void qxl_draw_dirty_fb(struct qxl_device + goto out_release_backoff; + + rects = drawable_set_clipping(qdev, num_clips, clips_bo); +- if (!rects) ++ if (!rects) { ++ ret = -EINVAL; + goto out_release_backoff; +- ++ } + drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); + + drawable->clip.type = SPICE_CLIP_TYPE_RECTS; diff --git a/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch new file mode 100644 index 00000000000..e0619af4831 --- /dev/null +++ b/queue-4.9/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch 
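Review bot: The new `ret = -EINVAL;` on the `!rects` path is never returned to the caller, because the hunk header shows qxl_draw_dirty_fb() is `void`; its only effect is presumably to steer the `out_release_backoff` label (outside the hunk) into freeing the release rather than backing it off, which is the point of the fix but is not obvious at the assignment. A short comment would make that contract explicit, e.g. `/* non-zero ret makes out_release_backoff free the release */`. Whether a NULL from drawable_set_clipping() is really an invalid-argument condition rather than an allocation failure cannot be told from the hunk; the exact errno is immaterial since it is not propagated, and the comment should say so. The function body continues outside the hunk.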
@@ -0,0 +1,35 @@ +From a65aa9c3676ffccb21361d52fcfedd5b5ff387d7 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 27 Apr 2020 08:32:51 +0300 +Subject: drm/qxl: qxl_release leak in qxl_hw_surface_alloc() + +From: Vasily Averin + +commit a65aa9c3676ffccb21361d52fcfedd5b5ff387d7 upstream. + +Cc: stable@vger.kernel.org +Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations") +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/2e5a13ae-9ab2-5401-aa4d-03d5f5593423@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_cmd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -500,9 +500,10 @@ int qxl_hw_surface_alloc(struct qxl_devi + return ret; + + ret = qxl_release_reserve_list(release, true); +- if (ret) ++ if (ret) { ++ qxl_release_free(qdev, release); + return ret; +- ++ } + cmd = (struct qxl_surface_cmd *)qxl_release_map(qdev, release); + cmd->type = QXL_SURFACE_CMD_CREATE; + cmd->flags = QXL_SURF_FLAG_KEEP_DATA; diff --git a/queue-4.9/series b/queue-4.9/series index 6a92190e3f3..c495f172641 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,5 @@ ext4-fix-special-inode-number-checks-in-__ext4_iget.patch +drm-edid-fix-off-by-one-in-dispid-dtd-pixel-clock.patch +drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch +drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch +btrfs-fix-block-group-leak-when-removing-fails.patch -- 2.47.3
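Review bot: The added `qxl_release_free(qdev, release);` covers only the `qxl_release_reserve_list()` failure; the remainder of qxl_hw_surface_alloc(), from the `qxl_release_map()` call onward, is outside the hunk and should be checked for the same pattern, since any later early `return` after the release has been allocated would leak it in the same way. If more than one such exit exists, a single `out_free_release:` label with `qxl_release_free(qdev, release); return ret;` is the kernel idiom and avoids repeating the free inline at each site. The `return ret;` at the top of the hunk presumably precedes allocation of the release and is fine as is; confirm against the lines above it.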