- Aug 25, 2020
-
-
Matt Turner authored
Signed-off-by:
Matt Turner <mattst88@gmail.com>
-
Matthieu Herrb authored
CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
-
Matthieu Herrb authored
CVE-2020-14361 ZDI-CAN 11573 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
-
Matthieu Herrb authored
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
-
Matthieu Herrb authored
CVE-2020-14345 / ZDI 11428 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1)
-
- Aug 18, 2020
-
-
On a DT-base PCI platform, the sysfs path of vga device is like this: /sys/devices/platform/bus@10000000/1a000000.pci/pci0000:00/0000:00:11.0/0000:04:00.0. Then the ID_PATH from udev is platform-1a000000.pci-pci-0000:04:00.0 and the BusID will be pci-0000:04:00.0, which causes Xorg start fail. This is because config_udev_odev_setup_attribs() use strstr() to search the first "pci-" in ID_PATH. To fix this, we implement a strrstr() function and use it to search the last "pci-" in ID_PATH, which can get a correct BusID. (backported from commit 9fbd3e43) Reviewed-by:
Dave Airlie <airlied@redhat.com> Signed-off-by:
Huacai Chen <chenhc@lemote.com>
-
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough. The ID_PATH that udev will construct for that looks something like "acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in the first four characters of that is going to not work. Instead, strstr. I suppose it's possible you could have _multiple_ PCI buses in the path, in which case you'd want strrstr, if that were a thing. (backported from commit 9acff309) Signed-off-by:
Adam Jackson <ajax@redhat.com> Signed-off-by:
Huacai Chen <chenhc@lemote.com>
-
At the point where xf86BusProbe runs we haven't yet taken our own VT, which means we can't perform drm "master" operations on the device. This is tragic, because we need master to fish the bus id string out of the kernel, which we can only do after drmSetInterfaceVersion, which for some reason stores that string on the device not the file handle and thus needs master access. Fortunately we know the format of the busid string, and it happens to almost be the same as the ID_PATH variable from udev. Use that instead and stop calling drmSetInterfaceVersion. (backported from commit 0816e8fc) Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by:
Adam Jackson <ajax@redhat.com> Signed-off-by:
Huacai Chen <chenhc@lemote.com>
-
Avoid leaking un-initalized memory to clients by zeroing the whole pixmap on initial allocation. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu> Reviewed-by:
Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit a6b2cbe9)
-
EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display. Check the "Display Range Limits Descriptor" for GTF support. If panel doesn't support GTF, then add gtf modes. Otherwise X will only show the modes in "Detailed Timing Descriptor". V2: Coding style changes. V3: Coding style changes, remove unused variate. V4: remove unused variate. BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313 Signed-off-by:
Aaron Ma <aaron.ma@canonical.com> Reviewed-by:
Adam Jackson <ajax@redhat.com> (cherry picked from commit 6a79a737)
-
For Pixmap flips to have well defined outcomes the window must be contained by the valid region if such region was specified. The valid region is inserted as an argument to the check in window mode. Setting this argument is missing in screen mode as well but we ignore it for now and only add it to window mode. It seems there are none or only very few clients actually making use of valid regions at the moment. For simplicity we therefore just check if a valid region was set by the client and in this case do never flip, independently of the window being contained by the region or not. Signed-off-by:
Roman Gilg <subdiff@gmail.com> (cherry picked from commit 591916ea)
-
This can happen e.g. with weston's headless backend. Reviewed-by:
Olivier Fourdan <ofourdan@redhat.com> (cherry picked from commit e33453f9)
-
This couldn't have worked correctly for non-0 x1/y1. Noticed by inspection. Reviewed-by:
Simon Ser <contact@emersion.fr> (cherry picked from commits 9141196d) (cherry picked fixup from commit 85a6fd11)
-
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 0006aecb)
-
The way Xwayland works (like all Wayland clients), it first queries the Wayland registry, set up all relevant protocols and then initializes its own structures. That means Xwayland will get the Wayland outputs from the Wayland compositor, compute the physical size of the combined outputs and set the corresponding Xwayland screen properties accordingly. Then it creates the X11 screen using fbScreenInit() but does so by using a default DPI value of 96. That value is used to set the physical size of the X11 screen, hence overriding the value computed from the actual physical size provided by the Wayland compositor. As a result, the DPI computed by tools such as xdpyinfo will always be 96 regardless of the actual screen size and resolution. However, if the Wayland outputs get reconfigured, or new outputs added, or existing outputs removed, Xwayland will recompute and update the physical size of the screen, leading to an unexpected change of DPI. To avoid that discrepancy, use a fixed size DPI (defaults to 96, and can be set using the standard command lime option "-dpi") and compute a physical screen size to match that DPI setting. Note that only affects legacy core protocols, X11 clients can still get the actual physical output size as reported by the Wayland compositor using the RandR protocol, which also allows for the size to be 0 if the size is unknown or meaningless. Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Simon Ser <contact@emersion.fr> Closes: xorg/xserver#731 (cherry picked from commit b0413b6e)
-
Previously, linux-dmabuf was used unconditionally if the buffer had a modifier. However creating a linux-dmabuf buffer with a format/modifier which hasn't been advertised will fail. Change xwl_glamor_gbm_get_wl_buffer_for_pixmap to use linux-dmabuf when the format/modifier has been advertised only. Signed-off-by:
Simon Ser <contact@emersion.fr> Closes: xorg/xserver#1035 Tested-by:
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr> Reviewed-by:
Michel Dänzer <mdaenzer@redhat.com> (cherry picked from commit c0e13cbf)
-
During a VT-Switch a raw pointer to the shared cursor object is saved which is then freed (in case of low refcount) by a call to xf86CursorSetCursor with argument pCurs = NullCursor. This leads to a dangling pointer which can follow in a use after free. This fix ensures that there is a shared handle saved for the VT-Switch cycle. Reviewed-by:
Michel Dänzer <mdaenzer@redhat.com> (cherry picked from commit 7ae221ad)
-
Mostly http->https conversions, but also replaces gitweb.fd.o with gitlab.fd.o, and xquartz.macosforge.org with xquartz.org. Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit a5151f58)
-
- Aug 12, 2020
-
-
Olivier Fourdan authored
Xwayland is just a Wayland client, no X11 screensaver should be expected to work reliably on Xwayland when running rootless because Xwayland cannot grab the input devices so it has no way to actually lock the screen managed by the Wayland compositor. Turn off the screensaver on Xwayland when running rootless by setting the screensaver timeout and interval and their default values to zero and disable the MIT-SCREEN-SAVER extension. Closes: xorg/xserver#1051 Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Michel Dänzer <mdaenzer@redhat.com> Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 5c20e4b8)
-
- Jul 22, 2020
-
-
In the log of the commit below, I claimed this wasn't necessary on the 1.20 branch, but this turned out to be wrong: It meant that event->buffer could already be destroyed in xwl_present_free_event, resulting in use-after-free and likely a crash. Fixes: 22c0808a "xwayland: Free all remaining events in xwl_present_cleanup"
-
- Jul 21, 2020
-
-
Alex Goins authored
RRHasScanoutPixmap() is called from xf86CheckHWCursor(), regardless of whether or not RandR has been initialized. As mentioned in commit 4226c6d0, it's possible that RandR has not been initialized if the server is configured with Xinerama and there is more than one X screen. Calling rrGetScrPriv when RandR isn't initialized causes an assertion failure that aborts the server: Xorg: ../include/privates.h:121: dixGetPrivateAddr: Assertion key->initialized' failed. Just as in commit 4226c6d0, fix the problem by checking dixPrivateKeyRegistered(rrPrivKey) before calling rrGetScrPriv. Signed-off-by:
Alex Goins <agoins@nvidia.com> Acked-by:
Olivier Fourdan <ofourdan@redhat.com> (cherry picked from commit 8eeff5d7)
-
Since the introduction of "modesetting: Remove unnecessary fb addition from drmmode_xf86crtc_resize" the fb_id isn't initialited at drmmode_xf86crtc_resize. Rotate operation of XRandR uses rotate_bo. So in this case the fb_id associated to the front_bo is not initialized at drmmode_set_mode_major. So fd_id remains 0. As every call to drmmode_xf86crtc_resize allocates a new front_bo we should destroy unconditionally the old_front_bo if operation success. So we free the allocated GBM handles. This avoids crashing xserver with a OOM in the RPI4 1Gb at 4k resolution after 3 series xrandr rotations from normal to left and vice versa reported at https://github.com/raspberrypi/firmware/issues/1345 Signed-off-by:
Jose Maria Casanova Crespo <jmcasanova@igalia.com> Reviewed-by:
Keith Packard <keithp@keithp.com> Closes: xorg/xserver#1024 Fixes: 87745321 "modesetting: Remove unnecessary fb addition from drmmode_xf86crtc_resize" (cherry picked from commit 73480f17)
-
- Jul 20, 2020
-
-
When a slave device causes the master virtual pointer device to change device types, the device's private data pointer (device->public.devicePrivate) is also changed to match the type of the slave device. This can be a problem though, as tablet pad devices will set the device's private data pointer to their own xwl_tablet_pad struct. This can cause us to dereference the pointer as the wrong type, and result in a segfault: Thread 1 "Xwayland" received signal SIGSEGV, Segmentation fault. wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792 792 va_start(ap, opcode); (gdb) bt 0 wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792 1 0x00005610b27b6c55 in wl_pointer_set_cursor (hotspot_y=0, hotspot_x=0, surface=0x0, serial=<optimized out>, wl_pointer=<optimized out>) at /usr/include/wayland-client-protocol.h:4610 2 xwl_seat_set_cursor (xwl_seat=xwl_seat@entry=0x5610b46d5d10) at xwayland-cursor.c:137 3 0x00005610b27b6ecd in xwl_set_cursor (device=<optimized out>, screen=<optimized out>, cursor=<optimized out>, x=<optimized out>, y=<optimized out>) at xwayland-cursor.c:249 4 0x00005610b2800b46 in miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:468 5 miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:410 6 0x00005610b2800e56 in miPointerDisplayCursor (pCursor=0x5610b4b35740, pScreen=0x5610b3d54410, pDev=0x5610b4501a30) at mipointer.c:206 7 miPointerDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at mipointer.c:194 8 0x00005610b27ed62b in CursorDisplayCursor (pDev=<optimized out>, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at cursor.c:168 9 0x00005610b28773ee in AnimCurDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at animcur.c:197 10 0x00005610b28eb4ca in ChangeToCursor (pDev=0x5610b4501a30, cursor=0x5610b4b35740) at events.c:938 11 0x00005610b28ec99f in WindowHasNewCursor (pWin=pWin@entry=0x5610b4b2e0c0) at events.c:3362 12 0x00005610b291102d in ChangeWindowAttributes (pWin=0x5610b4b2e0c0, vmask=<optimized out>, vlist=vlist@entry=0x5610b4c41dcc, client=client@entry=0x5610b4b2c900) at window.c:1561 13 0x00005610b28db8e3 in ProcChangeWindowAttributes (client=0x5610b4b2c900) at dispatch.c:746 14 0x00005610b28e1e5b in Dispatch () at dispatch.c:497 15 0x00005610b28e5f34 in dix_main (argc=16, argv=0x7ffc7a601b68, envp=<optimized out>) at main.c:276 16 0x00007f8828cde042 in __libc_start_main (main=0x5610b27ae930 <main>, argc=16, argv=0x7ffc7a601b68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc7a601b58) at ../csu/libc-start.c:308 17 0x00005610b27ae96e in _start () at cursor.c:1064 Simple reproducer in gnome-shell: open up an Xwayland window, press some tablet buttons, lock and unlock the screen. Repeat if it doesn't crash the first time. So, let's fix this by registering our own device-specific private key for storing a backpointer to xwl_tablet_pad, so that all input devices have their private data pointers set to their respective xwl_seat. Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by:
Lyude Paul <lyude@redhat.com> (cherry picked from commit ba0e789b)
-
ProcVidModeGetGamma() relies on GetGamma() to initialise values if it returns TRUE. Without this, we're sending uninitialised values to clients. Fixes: xorg/xserver#1040 (cherry picked from commit 6748a409)
-
When running with a weston session without a pointer device (thus with the wl_seat not having a pointer) xwayland pointer warping and pointer confining should simply be ignored to avoid crashes. Signed-off-by:
Sjoerd Simons <sjoerd@collabora.com> (cherry picked from commit d35f6833)
-
Olivier Fourdan authored
Xwayland uses the device private to point to the `xwl_seat`. Device may be removed at any time, including on suspend. On resume, if the DIX code ends up calling a function that requires the `xwl_seat` such as `xwl_set_cursor()` we may end up pointing at random data. Make sure the clear the device private data on removal so that we don't try to use it and crash later. Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> xorg/xserver#709 (cherry picked from commit 4195e803)
-
At the end of xwl_present_cleanup, these events aren't reachable anymore, so if we don't free them first, they're leaked. (cherry picked from commit 64565ea344fef0171497952ef75f019cb420fe3b) v2: * Simpler backport, no need to keep a reference to the pixmap on the 1.20 branch.
-
Minor cleanup, and will make the next change simpler. No functional change intended. Reviewed-by:
Dave Airlie <airlied@redhat.com> (cherry picked from commit 1beffba6)
-
When present_wnmd_clear_window_flip is done, present_destroy_window frees struct present_window_priv, and the events in the flip queue become unreachable. So if we don't free them first, they're leaked. Also drop the call to present_wnmd_set_abort_flip, which just sets a flag in struct present_window_priv and thus can't have any observable effect after present_destroy_window. Closes: #1042 Reviewed-by:
Dave Airlie <airlied@redhat.com> (cherry picked from commit 1bdedc8d)
-
The comment was incorrect: Any reference held by the window (see present_wnmd_execute) is in addition to the one in struct present_vblank (see present_vblank_create). So if we don't drop the latter, the pixmap will be leaked. Reviewed-by:
Dave Airlie <airlied@redhat.com> (cherry picked from commit bc9dd1c7)
-
- Jul 03, 2020
-
-
Drop GBM_BO_USE_SCANOUT from the GBM_BO_IMPORT_FD import, add GBM_BO_USE_RENDERING to the GBM_BO_IMPORT_FD_MODIFIER import. If the DMA-BUF cannot be scanned out, gbm_bo_import with GBM_BO_USE_SCANOUT will fail. However Xwayland doesn't need to scan-out the buffer and can work fine without scanout. Glamor only needs GBM_BO_USE_RENDERING. Signed-off-by:
Simon Ser <contact@emersion.fr> Reviewed-by:
Michel Dänzer <mdaenzer@redhat.com> Reviewed-by:
Daniel Stone <daniels@collabora.com> (cherry picked from commit 421ce458)
-
- May 29, 2020
-
-
Mutter recently added headless tests, and when running those tests the Wayland compositor runs for a very short time. Xwayland is spawned by the Wayland compositor and upon startup will query the various Wayland protocol supported by the compositor. To do so, it will do a roundtrip to the Wayland server waiting for events it expects. If the Wayland compositor terminates before Xwayland has got the replies it expects, it will loop indefinitely calling `wl_display_roundtrip()` continuously. To avoid that issue, add a new `xwl_screen_roundtrip()` that checks for the returned value from `wl_display_roundtrip()` and fails if it is negative. Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Roman Gilg <subdiff@gmail.com> Reviewed-by:
Jonas Ådahl <jadahl@gmail.com> (cherry picked from commit 785e5906)
-
- May 22, 2020
-
-
The miPointerSpriteFunc swcursor code expects there to only be a single framebuffer and when the cursor moves it will undo the damage of the previous draw, potentially overwriting what ever is there in a new framebuffer installed after a flip. This leads to all kind of artifacts, so we need to disable pageflipping when a swcursor is used. The code for this has shamelessly been copied from the xf86-video-amdgpu code. Fixes: xorg/xserver#828 Reviewed-by:
Michel Dänzer <michel.daenzer@amd.com> Signed-off-by:
Hans de Goede <hdegoede@redhat.com> (cherry picked from commit 0aaac8d7) Signed-off-by:
Łukasz Spintzyk <lukasz.spintzyk@displaylink.com>
-
- Apr 15, 2020
-
-
c67f2eac ("dix: always send focus event on grab change") made dix always sent events when it's a NotifyGrab or NotifyUngrab, even if from == to, because 'from' can just come from a previous XSetInputFocus call. However, when an application calls XGrabKeyboard several times on the same window, we are now sending spurious FocusOut+FocusIn with NotifyGrab, even if the grab does not actually change. This makes screen readers for blind people spuriously emit activity events which disturb screen reading workflow when e.g. switching between menus. This commit avoids calling DoFocusEvents in that precise case, i.e. when oldWin is a previous grab and the new grab is the same window. Signed-off-by:
Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by:
Adam Jackson <ajax@redhat.com> (cherry picked from commit 364d6498)
-
- Mar 29, 2020
-
-
Matt Turner authored
Signed-off-by:
Matt Turner <mattst88@gmail.com>
-
- Mar 22, 2020
-
-
../hw/xfree86/os-support/stub/stub_init.c: In function ‘xf86OSInputThreadInit’: ../hw/xfree86/os-support/stub/stub_init.c:29:1: warning: old-style function definition [-Wold-style-definition] (cherry picked from commit 7c266caf)
-
- Mar 18, 2020
-
-
We were only calling xwl_present_unrealize_window for the toplevel window, but the list can contain entries from child windows as well, in which case we were leaving dangling pointers to freed memory. Closes: xorg/xserver#1000 Fixes: c5067fea "xwayland: Use single frame callback for Present flips and normal updates" Reviewed-by:
Olivier Fourdan <ofourdan@redhat.com> Tested-by:
Olivier Fourdan <ofourdan@redhat.com> (cherry picked from commit 5e915873)
-
- Mar 12, 2020
-
-
The compositor may send DRM_FORMAT_MOD_INVALID instead of a list of modifiers for various reasons. Handle this gracefully by ignoring it. Without this, if a compositor would send DRM_FORMAT_MOD_INVALID, it'd result in empty windows provided by Xwayland. Signed-off-by:
Jonas Ådahl <jadahl@gmail.com> Reviewed-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Michel Dänzer <mdaenzer@redhat.com> (cherry picked from commit edf96443)
-
- Mar 07, 2020
-
-
Arthur Williams authored
There is a race when reseting the XServer that causes spriteInfo to be NULL in GetPairedDevice resulting a segfault and subsequent crash. The problem was noticed when opening a connection, creating master devices, destroying master devices and closing the connection during testing. Signed-off-by:
Arthur Williams <taaparthur@gmail.com> (cherry picked from commit e693c965)
-