GitLab

The EGLStream backend keeps a queue of pending streams for each Xwayland
window.

However, when this pending queue is freed, the corresponding private
data may not be cleared (typically if the pixmap for this window has
changed before the compositor finished attaching the consumer for the
window's pixmap's original eglstream), leading to a use-after-free and a
crash when trying to use that data as the window pixmap.

Make sure to clear the private data when the pending stream is freed.

Closes: #1055Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Karol Szuster <karolsz9898@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>

Using multiple window buffers crashes with EGLStream, which does not
need it anyway as this is handled through EGL directly.

Add a flag to the EGL backend to indicate whether it would benefit from
multiple buffers and use this in the get_buffer() function.

Thanks to Adam Jackson <ajax@redhat.com> for pointing out that issue
with EGLStream.

v2: Fix logical test (Adam Jackson <ajax@redhat.com>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>

The present flip does not work with the EGLStream backend. Similarly,
the EGLStream backend does not require the buffer to be flushed as
eglSwapBuffers() should take care of this.

Instead of actually checking the backend in use in the present code,
add a flag in the form of a bitfield to the EGL backend to indicate
its features and requirements.

This should not introduce any functional change.

v2: Fix logical test (Adam Jackson <ajax@redhat.com>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>

Major/minor numbers are a.. major (ha) source of pain in FreeBSD porting.
In this case, Xwayland was thinking that /dev/dri/card0 is already a render node,
because the st_rdev on FreeBSD was passing the Linux-style check,
and because of the assumption, acceleration would fail because
various ioctls like AMDGPU_INFO would be denied on the non-render node.

Switch to libdrm's function that already works correctly on all platforms.
Signed-off-by: Greg V <greg@unrelenting.technology>
Reviewed-by: Emmanuel Vadot <manu@FreeBSD.org>

Move the copy in hw/xfree86/common to include/, and remove the one in
hw/kdrive/src/.

Fixes DIX glamor code including an xfree86 DDX header.

This is DIX code.

This is DIX code.

Fetch VariableRefresh option value from X conf file for
modesetting backend DDX driver. This option defaults to false,
and must be set to "true" in conf file for variable refresh
support in the DDX driver.
Signed-off-by: Uday Kiran Pichika <pichika.uday.kiran@intel.com>

Window wrappers gets the notification when the window
properties changes. These wrappers are mainly used to
keep track of per-window _VARIABLE_REFRESH property values.

These changes have been ported from AMDGPU
Signed-off-by: Uday Kiran Pichika <pichika.uday.kiran@intel.com>

These changes have been ported from AMD GPU DDX driver.

This patch adds support for setting the CRTC variable refresh property
for suitable windows flipping via the Present extension.

In order for a window to be suitable for variable refresh it must have
the _VARIABLE_REFRESH property set by the MESA and inform Modesetting
DDX driver with window property updates.

Then the window must pass the checks required to be suitable for
Present extension flips - it must cover the entire X screen and no
other window may already be flipping. And also DRM connector should
be VRR capable.

With these conditions met every CRTC for the X screen will have their
variable refresh property set to true.

Kernel Changes to support this feature in I915 driver is under development.

Tested with DOTA2, Xonotic and custom GLX apps.
Signed-off-by: Uday Kiran Pichika <pichika.uday.kiran@intel.com>

Reviewed-by: Roman Gilg <subdiff@gmail.com>

present_can_window_flip is only called from the Xorg modesetting
driver, never in WNMD mode.
Reviewed-by: Roman Gilg <subdiff@gmail.com>

present_wnmd_toplvl_pixmap_window returns a window with the same window
pixmap, so the check could never fail.
Reviewed-by: Roman Gilg <subdiff@gmail.com>

We can only flip if the window pixmap matches that of the toplevel
window. Doing so regardless could cause the toplevel window pixmap to
get destroyed while it was still referenced by the window, resulting in
use-after-free and likely a crash.

Closes: #1033Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Roman Gilg <subdiff@gmail.com>

Noticed this was missing while working on the following fix.

v2:
* Dropped present_wnmd_can_window_flip hunk (that function is never
  called, will be cleaned up in a follow-up MR).

Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> # v1
Reviewed-by: Roman Gilg <subdiff@gmail.com>

The need_rotate variable is only used once anymore and had semantics which lead
to errors in the past. In particular when negated we are dealing with a double
negation.

The variable gets replaced with a simple check on the xdg-output directly.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

This reverts commit 427f8bc0.

When receiving an output update for the mode size we need to rotate the stored
width and height values if and only if we have an xdg-output for this output
since in this case the stored values describe the output's size in logical
space, i.e. rotated.

The here reverted commit made a code change with which we would not rotate though
when an xdg-output was available since in this case the need_rotate variable was
set to False what caused in the check afterwards the first branch to execute.

That is just a small style-change to the output_get_new_size function. The
function before did take first the height and then the width argument, what
is unusual since resolutions are normally named the other way around, for
example 1920x1080. Also compare the update_screen_size function.

Therefore change the order of arguments for output_get_new_size.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

We can just read out the xdg_output field of the provided xwl_output to check
if a rotation is necessary or not.

This makes the function easier to understand. Additionally some documentation
is added.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

The same pointer is kept in CurrentCursor as well, therefore two
RefCursor calls are needed.

Fixes use-after-free after switching VTs.

Closes: #1067

CVE-2020-14362 ZDI-CAN-11574

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

CVE-2020-14361 ZDI-CAN 11573

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

CVE-2020-14346 / ZDI-CAN-11429

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

CVE-2020-14345 / ZDI 11428

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

It always takes one update cycle for the copy to become visible on the
host windowing system, so waiting for the target MSC resulted in 1 cycle
delay.

We re-use the idle list for copies which were executed but need their
completion event sent.

Fixes black seams when resizing the "Builder" sub-window of

 GDK_BACKEND=x11 gtk4-demo

on Xwayland (see
https://gitlab.gnome.org/GNOME/mutter/-/issues/1290#note_873557).

Unfortunately, this cannot completely fix the seams with apps which
queue up multiple frames in advance, since there's always at least one
queued frame corresponding to the old window size. But it should at
least help a little in that case as well.

v2:
* Bug fix: Don't update exec_msc in present_wnmd_check_flip_window.
  (Roman Gilg)
* Use exec_msc = target_msc - 1 instead of exec_msc--, and add a
  comment, for clarity.
v3:
* Drop exec_msc = target_msc again in present_wnmd_execute.
* present_execute_copy should never set vblank->queued in
  present_wnmd_execute now, so replace that branch with an assertion.
  (Roman Gilg)
Reviewed-by: Roman Gilg <subdiff@gmail.com>
Tested-by: Roman Gilg <subdiff@gmail.com>

Allowing it to be called from more functions than before. No functional
change.
Reviewed-by: Roman Gilg <subdiff@gmail.com>
Tested-by: Roman Gilg <subdiff@gmail.com>

For tracking the MSC when the present can be executed separately from
the target MSC.

Allows removing the requeue field instead, plus more later.

v2:
* Rename wait_msc → exec_msc (Roman Gilg)
* Use exec_msc = target_msc instead of exec_msc++, for clarity.
* Bug fix: Set exec_msc = target_msc also if present_flip returned
  false in present_execute.
v3:
* Set exec_msc = target_msc also if present_wnmd_flip returned
  false in present_wnmd_execute, for consistency.
v4:
* Specifically check for exec_msc == crtc_msc + 1 in
  present_execute_wait/copy, to avoid re-introducing
  https://bugs.freedesktop.org/show_bug.cgi?id=94596 .
Reviewed-by: Roman Gilg <subdiff@gmail.com>
Tested-by: Roman Gilg <subdiff@gmail.com>

Preparation for different handling between SCMD & WNMD. No functional
change intended.
Reviewed-by: Roman Gilg <subdiff@gmail.com>
Tested-by: Roman Gilg <subdiff@gmail.com>

(Using GLSL 1.30 or newer)

The width/height members of xRectangle are unsigned, but they were
being interpreted as signed when converting to floating point for the
vertex shader, producing incorrect drawing for values > 32767.

v2:
* Use separate GL_UNSIGNED_SHORT vertex attribute for width/height.
  (Eric Anholt)
Reviewed-by: Eric Anholt <eric@anholt.net>

You will not find GL_ARB_* extensions in a GLES context by definition,
the droid you're looking for is named GL_KHR_debug.
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>

Xwayland is just a Wayland client, no X11 screensaver should be
expected to work reliably on Xwayland when running rootless because
Xwayland cannot grab the input devices so it has no way to actually
lock the screen managed by the Wayland compositor.

Turn off the screensaver on Xwayland when running rootless by setting
the screensaver timeout and interval and their default values to zero
and disable the MIT-SCREEN-SAVER extension.

Closes: #1051Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Avoid leaking un-initalized memory to clients by zeroing the
whole pixmap on initial allocation.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Replicate 7d2543a3 but for
all types of X servers

Instead of optionally return early when an event is aborted and potentially
clean it up in there we can only optionally inform Present if not aborted and
afterwards clean it up if required.

Saves some lines of code and conditional branches.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

Update commit ea47af87 renaming master_pixmap to primary_pixmap in
struct PixmapRec.

On a DT-base PCI platform, the sysfs path of vga device is like this:
/sys/devices/platform/bus@10000000/1a000000.pci/pci0000:00/0000:00:11.0/0000:04:00.0.

Then the ID_PATH from udev is platform-1a000000.pci-pci-0000:04:00.0 and
the BusID will be pci-0000:04:00.0, which causes Xorg start fail. This
is because config_udev_odev_setup_attribs() use strstr() to search the
first "pci-" in ID_PATH. To fix this, we implement a strrstr() function
and use it to search the last "pci-" in ID_PATH, which can get a correct
BusID.
Signed-off-by: Huacai Chen <chenhc@lemote.com>

For Pixmap flips to have well defined outcomes the window must be contained by
the valid region if such region was specified.

The valid region is inserted as an argument to the check in window mode.
Setting this argument is missing in screen mode as well but we ignore it for now
and only add it to window mode.

It seems there are none or only very few clients actually making use of valid
regions at the moment. For simplicity we therefore just check if a valid region
was set by the client and in this case do never flip, independently of the
window being contained by the region or not.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

The function is never called from present_screen.c in contrast to the behavior
in screen mode.

In present_wnmd.c we can simply remove the function which does an unnecessary
check of the property before setting it and directly set the property at the
two locations the function was called previously.
Signed-off-by: Roman Gilg <subdiff@gmail.com>

With the newly introduced separate API method for idling a presented Pixmap in
window mode we can simplify the logic by allowing calls to it at any point in
time.

This is done by setting the flip_idler flag if the Pixmap was idled before
being presented.
Signed-off-by: Roman Gilg <subdiff@gmail.com>