This is a note to let you know that I've just added the patch titled drm/qxl: qxl_release leak in qxl_draw_dirty_fb() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 85e9b88af1e6164f19ec71381efd5e2bcfc17620 Mon Sep 17 00:00:00 2001 From: Vasily Averin <vvs@xxxxxxxxxxxxx> Date: Mon, 27 Apr 2020 08:32:46 +0300 Subject: drm/qxl: qxl_release leak in qxl_draw_dirty_fb() From: Vasily Averin <vvs@xxxxxxxxxxxxx> commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream. ret should be changed to release allocated struct qxl_release Cc: stable@xxxxxxxxxxxxxxx Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations") Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx> Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@xxxxxxxxxxxxx Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/qxl/qxl_draw.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c @@ -348,9 +348,10 @@ void qxl_draw_dirty_fb(struct qxl_device goto out_release_backoff; rects = drawable_set_clipping(qdev, num_clips, clips_bo); - if (!rects) + if (!rects) { + ret = -EINVAL; goto out_release_backoff; - + } drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); drawable->clip.type = SPICE_CLIP_TYPE_RECTS; Patches currently in stable-queue which might be from vvs@xxxxxxxxxxxxx are queue-4.14/drm-qxl-qxl_release-use-after-free.patch queue-4.14/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch queue-4.14/drm-qxl-qxl_release-leak-in-qxl_hw_surface_alloc.patch