- Dec 01, 2020
-
-
Matt Turner authored
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
Avoid out of bounds memory accesses on too short request. ZDI-CAN 11572 / CVE-2020-14360 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 446ff2d3)
-
ZDI-CAN 11389 / CVE-2020-25712 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 87c64fc5)
-
Michel Dänzer authored
The region as passed in is in the source pixmap's coordinate space, so intersecting it with the clipList (which is in screen space) resulted in disappointment. Fixes Firefox popups such as the hamburger menu when using the EGL backend. v2: * Drop vblank->x/y_off from RegionTranslate call, since they're always 0 here (present_wnmd_check_flip rejects flips for x/y_off != 0). Reported-by: Robert Mader <robert.mader@posteo.de> Tested-by: Robert Mader <robert.mader@posteo.de> Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> Tested-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> # v1 (cherry picked from commit 466b8b43)
-
There was a time when setting a mode on a CRTC would not depend on the associated connector's state. If a mode had been set successfully once, it would mean it would work later on. This changed with the introduction of new connectors type that now require a link training sequence (DP, HDMI 2.0), and that means that some events may have happened while the X server was not master that would then prevent the mode from successfully be restored to its previous state. This patch relaxes the requirement that all modes should be restored on EnterVT, or the entire X-Server would go down by allowing modesets to fail (with some warnings). If a modeset fails, the CRTC will be disabled, and a RandR event will be sent for the desktop environment to fix the situation as well as possible. Additional patches might be needed to make sure that the user would never be left with all screens black in some scenarios. v2 (Martin Peres): - whitespace fixes - remove the uevent handling (it is done in a previous patch) - improve the commit message - reduce the size of the patch by not changing lines needlessly - return FALSE if one modeset fails in ignore mode - add comments/todos to explain why we do things - disable the CRTCs that failed the modeset Signed-off-by: Kishore Kadiyala <kishore.kadiyala@intel.com> Signed-off-by: Martin Peres <martin.peres@linux.intel.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Tested-by: Kishore Kadiyala <kishore.kadiyala@intel.com> Closes: #1010 (cherry picked from commit efb3abdd)
-
Normally, we would receive a uevent coming from Linux's DRM subsystem, which would trigger the check for disappearing/appearing resources. However, this event is not received when X is not master (another VT is selected), and so the userspace / desktop environment would not be notified about the changes that happened while X wasn't master. To fix the issue, this patch forces a refresh on EnterVT by splitting the kms-checking code from the uevent handling into its own (exported) function called drmmode_update_kms_state. This function is then called from both the uevent-handling function, and on EnterVT right before restoring the modes. Signed-off-by: Martin Peres <martin.peres@linux.intel.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Acked-by: Kishore Kadiyala <kishore.kadiyala@intel.com> Tested-by: Kishore Kadiyala <kishore.kadiyala@intel.com> (cherry picked from commit 293cf660)
-
- Nov 09, 2020
-
-
Olivier Fourdan authored
With autoconf, hashtable support is built along with Xres support. Yet, glvnd also use it, so when disabling Xres from configure, the build will fail at link time because hashtable functions are not available. Untie the build of hashtable from Xres support, just like meson build does. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Closes: xorg/xserver#1091 (cherry picked from commit 899cebb7)
-
Olivier Fourdan authored
One general assumption in Xwayland is that the xwl_window remains the same for all the child windows of the toplevel window. When mapping a new X11 window, ensure_surface_for_window() checks for an existing xwl_window by using xwl_window_get() which will just check for the registered xwl_window for the window. That means that a client mapping a child window of an existing window with a xwl_window will get another different xwl_window. If an X11 client issues a Present request on the parent window, hence placed underneath its child window of the same size, the Wayland compositor may not send the frame callback event for the parent's Wayland surface which is reckoned to be not visible, obscured behind the other Wayland surface for the child X11 window. That bug affects some games running in wine which may get 1 fps because the repaint occurs only on timeout with a long interval (as with, e.g. https://bugs.winehq.org/show_bug.cgi?id=47066) Fix ensure_surface_for_window() by using xwl_window_from_window() which will walk the window tree, so that a child window won't get another xwl_window than its parent. xorg/xserver#1099 See-also: https://bugs.winehq.org/show_bug.cgi?id=47066 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> (cherry picked from commit 606ba7fc)
-
Olivier Fourdan authored
When running non-rootless, Xwayland requires that the Wayland compositor supports the wl_shell protocol. Check for wl_shell protocol support at startup and exit cleanly if missing rather than segfaulting later in ensure_surface_for_window() while trying to use wl_shell_get_shell_surface(). Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> Reviewed-by: Simon Ser <contact@emersion.fr> (cherry picked from commit ffd02d9b)
-
- Nov 04, 2020
-
-
When making a pixmap exportable, glamor will currently create a temporary exported pixmap backed by a GBM bo, with the devKind updated to the stride of the bo. However, when the backing of the exported pixmap is swapped into the original, the devKind of the original is not updated. Some GBM bos may get implicitly padded, in which case the devKind of the pixmap will not match the stride of the backing bo. For example, an 800x600 pixmap will have a devKind of 3200, but the bo's stride will be 3328. This can cause corruption with PRIME, when the sink uses the wrong stride to display the shared pixmap. This commit changes glamor_make_pixmap_exportable() to update the devKind of the original pixmap after it swaps exported pixmap's backing into it, keeping everything consistent. Fixes issue #1018. Signed-off-by: Alex Goins <agoins@nvidia.com> Signed-off-by: Aaron Plattner <aplattner@nvidia.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> (cherry picked from commit 7a7e55c5)
-
- Nov 02, 2020
-
-
The address retrieved in "pip.start_ip" is not necessarily the same address as unw_get_proc_name finds as nearest symbol and returns in "off". Therefore using "pip.start_ip + off" is not reliable, at least visible in the binaries from the Debian repository. Bug-Debian: https://bugs.debian.org/971088 Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org> (cherry picked from commit c15dd0ba)
-
- Oct 08, 2020
-
-
It always takes one update cycle for the copy to become visible on the host windowing system, so waiting for the target MSC resulted in 1 cycle delay. We re-use the idle list for copies which were executed but need their completion event sent. Fixes black seams when resizing the "Builder" sub-window of GDK_BACKEND=x11 gtk4-demo on Xwayland (see https://gitlab.gnome.org/GNOME/mutter/-/issues/1290#note_873557 ). Unfortunately, this cannot completely fix the seams with apps which queue up multiple frames in advance, since there's always at least one queued frame corresponding to the old window size. But it should at least help a little in that case as well. v2: * Bug fix: Don't update exec_msc in present_wnmd_check_flip_window. (Roman Gilg) * Use exec_msc = target_msc - 1 instead of exec_msc--, and add a comment, for clarity. v3: * Drop exec_msc = target_msc again in present_wnmd_execute. * present_execute_copy should never set vblank->queued in present_wnmd_execute now, so replace that branch with an assertion. (Roman Gilg) Reviewed-by: Roman Gilg <subdiff@gmail.com> Tested-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit 1cccb486) [Since present_wnmd_event_notify hasn't been split up on the 1.20 branch, it needs to check vblank->flip. Doing the same in present_wnmd_free_idle_vblanks to be safe, though I'm not sure it's actually possible to hit non-flips there.]
-
Allowing it to be called from more functions than before. No functional change. Reviewed-by: Roman Gilg <subdiff@gmail.com> Tested-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit d14ea667)
-
For tracking the MSC when the present can be executed separately from the target MSC. Allows removing the requeue field instead, plus more later. v2: * Rename wait_msc → exec_msc (Roman Gilg) * Use exec_msc = target_msc instead of exec_msc++, for clarity. * Bug fix: Set exec_msc = target_msc also if present_flip returned false in present_execute. v3: * Set exec_msc = target_msc also if present_wnmd_flip returned false in present_wnmd_execute, for consistency. v4: * Specifically check for exec_msc == crtc_msc + 1 in present_execute_wait/copy, to avoid re-introducing https://bugs.freedesktop.org/show_bug.cgi?id=94596 . Reviewed-by: Roman Gilg <subdiff@gmail.com> Tested-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit b0b3159a)
-
Preparation for different handling between SCMD & WNMD. No functional change intended. Reviewed-by: Roman Gilg <subdiff@gmail.com> Tested-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit 4c92dea9)
-
- Oct 01, 2020
-
-
The EGLStream backend keeps a queue of pending streams for each Xwayland window. However, when this pending queue is freed, the corresponding private data may not be cleared (typically if the pixmap for this window has changed before the compositor finished attaching the consumer for the window's pixmap's original eglstream), leading to a use-after-free and a crash when trying to use that data as the window pixmap. Make sure to clear the private data when the pending stream is freed. Closes: xorg/xserver#1055 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Tested-by: Karol Szuster <karolsz9898@gmail.com> Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit a5f439dc)
-
Major/minor numbers are a.. major (ha) source of pain in FreeBSD porting. In this case, Xwayland was thinking that /dev/dri/card0 is already a render node, because the st_rdev on FreeBSD was passing the Linux-style check, and because of the assumption, acceleration would fail because various ioctls like AMDGPU_INFO would be denied on the non-render node. Switch to libdrm's function that already works correctly on all platforms. Signed-off-by: Greg V <greg@unrelenting.technology> Reviewed-by: Emmanuel Vadot <manu@FreeBSD.org> (cherry picked from commit 239ebdc9)
-
- Sep 30, 2020
-
-
Currently, when a X11 client (usually the X11 window manager from a Wayland compositor) changes the value of the X11 property `_XWAYLAND_ALLOW_COMMITS` from `false` to `true`, all pending frame callbacks on the window are discarded so that the commit occurs immediately. Weston uses that mechanism to prevent the content of the window from showing before it's ready when mapping the window initially, but discarding the pending frame callbacks has no effect on the initial mapping of the X11 window since at that point there cannot be any frame callback on a surface which hasn't been committed yet anyway. However, discarding pending frame callbacks can be problematic if we were to use the same `_XWAYLAND_ALLOW_COMMITS` mechanism to prevent damages to be posted before the X11 toplevel is updated completely (including the window decorations from the X11 window manager). Remove the portion of code discarding the pending frame callback, Xwayland should always wait for a pending frame callback if there's one before posting new damages. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> xorg/xserver!333 (cherry picked from commit 66da95a1)
-
present_wnmd_toplvl_pixmap_window returns a window with the same window pixmap, so the check could never fail. Reviewed-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit b6b1161f)
-
We can only flip if the window pixmap matches that of the toplevel window. Doing so regardless could cause the toplevel window pixmap to get destroyed while it was still referenced by the window, resulting in use-after-free and likely a crash. Closes: xorg/xserver#1033 Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit 4c25356d)
-
Noticed this was missing while working on the following fix. v2: * Dropped present_wnmd_can_window_flip hunk (that function is never called, will be cleaned up in a follow-up MR). Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> # v1 Reviewed-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit 7ac303c7)
-
The same pointer is kept in CurrentCursor as well, therefore two RefCursor calls are needed. Fixes use-after-free after switching VTs. Closes: xorg/xserver#1067 (cherry picked from commit 919f1f46)
-
(Using GLSL 1.30 or newer) The width/height members of xRectangle are unsigned, but they were being interpreted as signed when converting to floating point for the vertex shader, producing incorrect drawing for values > 32767. v2: * Use separate GL_UNSIGNED_SHORT vertex attribute for width/height. (Eric Anholt) Reviewed-by: Eric Anholt <eric@anholt.net> (cherry picked from commit 032af356)
-
- Sep 25, 2020
-
-
Extending the decade old f0124ed9, to increase the number of input devices from 40 to 256. 40 translates at most 9 MD, while 256 will allow 63 MD. It is an arbitrary number, but people are hitting the current limit under reasonable conditions. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64793 Signed-off-by: Arthur Williams <taaparthur@gmail.com> (cherry picked from commit fe439596)
-
- Sep 08, 2020
-
-
Olivier Fourdan authored
This reverts commit 74b7427c. xorg/xserver#1068
-
Olivier Fourdan authored
This reverts commit 5c96eb5f. xorg/xserver#1068
-
Olivier Fourdan authored
This reverts commit 249a12c5. xorg/xserver#1068
-
- Aug 25, 2020
-
-
Matt Turner authored
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
Matthieu Herrb authored
CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
-
Matthieu Herrb authored
CVE-2020-14361 ZDI-CAN 11573 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
-
Matthieu Herrb authored
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
-
Matthieu Herrb authored
CVE-2020-14345 / ZDI 11428 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1)
-
- Aug 18, 2020
-
-
On a DT-base PCI platform, the sysfs path of vga device is like this: /sys/devices/platform/bus@10000000/1a000000.pci/pci0000:00/0000:00:11.0/0000:04:00.0. Then the ID_PATH from udev is platform-1a000000.pci-pci-0000:04:00.0 and the BusID will be pci-0000:04:00.0, which causes Xorg start fail. This is because config_udev_odev_setup_attribs() use strstr() to search the first "pci-" in ID_PATH. To fix this, we implement a strrstr() function and use it to search the last "pci-" in ID_PATH, which can get a correct BusID. (backported from commit 9fbd3e43) Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Huacai Chen <chenhc@lemote.com>
-
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough. The ID_PATH that udev will construct for that looks something like "acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in the first four characters of that is going to not work. Instead, strstr. I suppose it's possible you could have _multiple_ PCI buses in the path, in which case you'd want strrstr, if that were a thing. (backported from commit 9acff309) Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Huacai Chen <chenhc@lemote.com>
-
At the point where xf86BusProbe runs we haven't yet taken our own VT, which means we can't perform drm "master" operations on the device. This is tragic, because we need master to fish the bus id string out of the kernel, which we can only do after drmSetInterfaceVersion, which for some reason stores that string on the device not the file handle and thus needs master access. Fortunately we know the format of the busid string, and it happens to almost be the same as the ID_PATH variable from udev. Use that instead and stop calling drmSetInterfaceVersion. (backported from commit 0816e8fc) Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Huacai Chen <chenhc@lemote.com>
-
Avoid leaking un-initalized memory to clients by zeroing the whole pixmap on initial allocation. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit a6b2cbe9)
-
EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display. Check the "Display Range Limits Descriptor" for GTF support. If panel doesn't support GTF, then add gtf modes. Otherwise X will only show the modes in "Detailed Timing Descriptor". V2: Coding style changes. V3: Coding style changes, remove unused variate. V4: remove unused variate. BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313 Signed-off-by: Aaron Ma <aaron.ma@canonical.com> Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit 6a79a737)
-
For Pixmap flips to have well defined outcomes the window must be contained by the valid region if such region was specified. The valid region is inserted as an argument to the check in window mode. Setting this argument is missing in screen mode as well but we ignore it for now and only add it to window mode. It seems there are none or only very few clients actually making use of valid regions at the moment. For simplicity we therefore just check if a valid region was set by the client and in this case do never flip, independently of the window being contained by the region or not. Signed-off-by: Roman Gilg <subdiff@gmail.com> (cherry picked from commit 591916ea)
-
This can happen e.g. with weston's headless backend. Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> (cherry picked from commit e33453f9)
-
This couldn't have worked correctly for non-0 x1/y1. Noticed by inspection. Reviewed-by: Simon Ser <contact@emersion.fr> (cherry picked from commits 9141196d) (cherry picked fixup from commit 85a6fd11)
-