xserver: Branch 'server-1.19-branch' - 42 commits
Adam Jackson
ajax at kemper.freedesktop.org
Mon Sep 25 19:36:33 UTC 2017
Xext/panoramiXprocs.c | 70 +++++++++--
Xi/sendexev.c | 24 ++-
Xi/xibarriers.c | 9 -
Xi/xiwarppointer.c | 4
dix/dispatch.c | 4
dix/events.c | 6
dix/swapreq.c | 7 +
glamor/glamor.c | 3
glamor/glamor_copy.c | 21 +--
glamor/glamor_dash.c | 2
glamor/glamor_fbo.c | 4
glamor/glamor_glyphblt.c | 26 ++--
glamor/glamor_largepixmap.c | 11 -
glamor/glamor_lines.c | 13 +-
glamor/glamor_points.c | 14 +-
glamor/glamor_rects.c | 13 +-
glamor/glamor_render.c | 5
glamor/glamor_segs.c | 14 +-
glamor/glamor_spans.c | 13 +-
glamor/glamor_transform.c | 11 +
glamor/glamor_transform.h | 2
glamor/glamor_utils.h | 4
glamor/glamor_xv.c | 9 -
hw/dmx/dmxsync.c | 2
hw/kdrive/ephyr/ephyr.c | 6
hw/kdrive/ephyr/ephyrvideo.c | 5
hw/kdrive/ephyr/hostx.c | 6
hw/xfree86/common/xf86Init.c | 1
hw/xfree86/dri2/pci_ids/i965_pci_ids.h | 63 +++++++---
hw/xfree86/drivers/modesetting/drmmode_display.c | 3
hw/xfree86/drivers/modesetting/vblank.c | 2
hw/xfree86/modes/xf86RandR12.c | 139 +++++++++++++++--------
hw/xfree86/os-support/shared/posix_tty.c | 3
hw/xfree86/parser/scan.c | 2
hw/xquartz/quartz.c | 1
hw/xwayland/drm.xml | 35 +++--
hw/xwayland/xwayland-input.c | 32 +++++
hw/xwayland/xwayland-output.c | 3
hw/xwayland/xwayland.c | 38 +++++-
os/io.c | 38 ++++--
os/osinit.c | 1
os/utils.c | 6
randr/rrcrtc.c | 5
record/record.c | 3
44 files changed, 490 insertions(+), 193 deletions(-)
New commits:
commit 69ab094a08513849bb68cd2750840e88db6e5933
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Wed Jul 26 16:00:38 2017 +0200
glamor: Avoid overflow between box32 and box16 box
glamor_compute_transform_clipped_regions() uses a temporary box32
internally which is copied back to a box16 to init the regions16,
thus causing a potential overflow.
If an overflow occurs, the given region is invalid and the pixmap
init region will fail.
Simply check that the coordinates won't overflow when copying back to
the box16, avoiding a crash later down the line in glamor.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Tested-by: Fabrice Bellet <fabrice at bellet.info>
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c)
diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index ebfdc9537..f9adb93bc 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -1,4 +1,5 @@
#include <stdlib.h>
+#include <stdint.h> /* For INT16_MAX */
#include "glamor_priv.h"
@@ -722,11 +723,11 @@ glamor_compute_transform_clipped_regions(PixmapPtr pixmap,
temp_box.x2 = MIN(temp_box.x2, pixmap->drawable.width);
temp_box.y2 = MIN(temp_box.y2, pixmap->drawable.height);
}
- /* Now copy back the box32 to a box16 box. */
- short_box.x1 = temp_box.x1;
- short_box.y1 = temp_box.y1;
- short_box.x2 = temp_box.x2;
- short_box.y2 = temp_box.y2;
+ /* Now copy back the box32 to a box16 box, avoiding overflow. */
+ short_box.x1 = MIN(temp_box.x1, INT16_MAX);
+ short_box.y1 = MIN(temp_box.y1, INT16_MAX);
+ short_box.x2 = MIN(temp_box.x2, INT16_MAX);
+ short_box.y2 = MIN(temp_box.y2, INT16_MAX);
RegionInitBoxes(temp_region, &short_box, 1);
DEBUGF("copy to temp source region \n");
DEBUGRegionPrint(temp_region);
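Review bot: the clamp on short_box.x1, y1, x2 and y2 bounds only the upper side, so a temp_box coordinate below INT16_MIN would still wrap when narrowed to the box16. The visible context caps x2/y2 against the pixmap size but shows no lower bound; unless the earlier clipping guarantees that on every path, clamp both ways, for example MAX(MIN(temp_box.x1, INT16_MAX), INT16_MIN). Also worth confirming that a box whose x1 and x2 both clamp to INT16_MAX (an empty box) is handled by RegionInitBoxes() and the callers.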
commit 421814bc81ba8dfaa9be59b8b35b3a9114dbcb8b
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Wed Jul 26 16:00:37 2017 +0200
glamor: handle NULL source picture
COMPOSITE_REGION() can pass NULL as a source picture, make sure we
handle that nicely in both glamor_composite_clipped_region() and
glamor_composite_choose_shader().
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit bd353e9b84e013fc34ed730319d5b63d20977903)
diff --git a/glamor/glamor_render.c b/glamor/glamor_render.c
index 52f073d05..a8b208101 100644
--- a/glamor/glamor_render.c
+++ b/glamor/glamor_render.c
@@ -992,7 +992,7 @@ glamor_composite_choose_shader(CARD8 op,
goto fail;
}
} else {
- if (!glamor_render_format_is_supported(source->format)) {
+ if (source && !glamor_render_format_is_supported(source->format)) {
glamor_fallback("Unsupported source picture format.\n");
goto fail;
}
@@ -1411,7 +1411,8 @@ glamor_composite_clipped_region(CARD8 op,
x_source, y_source, x_mask, y_mask, x_dest, y_dest, width, height);
/* Is the composite operation equivalent to a copy? */
- if (!mask && !source->alphaMap && !dest->alphaMap
+ if (source &&
+ !mask && !source->alphaMap && !dest->alphaMap
&& source->pDrawable && !source->transform
/* CopyArea is only defined with matching depths. */
&& dest->pDrawable->depth == source->pDrawable->depth
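Review bot: the added "source &&" guards only the copy-equivalence test, so with a NULL source the function simply continues past this condition. Please confirm that nothing further down in glamor_composite_clipped_region() reads source->pDrawable, source->transform or similar without its own check. As a style point, the new term ends its line with "&&" while every other term in this expression leads with it; "if (source && !mask && !source->alphaMap && !dest->alphaMap" on one line would match the surrounding code.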
commit baa25315014af350c9c04c2c83beeee36aead042
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Thu Aug 31 10:23:00 2017 +0200
xwayland: Fix a segfault with pointer locking
Xwayland would crash in some circumstances while trying to issue a
pointer locking when the cursor is hidden when there is no seat focus
window set.
The crash signature looks like:
#0 zwp_pointer_constraints_v1_lock_pointer ()
#1 xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
#2 xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
#3 xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
#4 xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
#5 xwl_set_cursor () at xwayland-cursor.c:245
#6 miPointerUpdateSprite () at mipointer.c:468
#7 miPointerDisplayCursor () at mipointer.c:206
#8 CursorDisplayCursor () at cursor.c:150
#9 AnimCurDisplayCursor () at animcur.c:220
#10 ChangeToCursor () at events.c:936
#11 ActivatePointerGrab () at events.c:1542
#12 GrabDevice () at events.c:5120
#13 ProcGrabPointer () at events.c:4908
#14 Dispatch () at dispatch.c:478
#15 dix_main () at main.c:276
xwl_pointer_warp_emulator_lock() tries to use the surface from the
xwl_seat->focus_window leading to a NULL pointer dereference when that
value is NULL.
Check that xwl_seat->focus_window is not NULL earlier in the stack in
xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
to avoid the crash.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Acked-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit cdd0352ba05d4d8482aaca41797e05d40e58da36)
diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
index add76f547..f2564d5d3 100644
--- a/hw/xwayland/xwayland-input.c
+++ b/hw/xwayland/xwayland-input.c
@@ -1535,6 +1535,9 @@ xwl_seat_maybe_lock_on_hidden_cursor(struct xwl_seat *xwl_seat)
!xwl_seat->cursor_confinement_window)
return FALSE;
+ if (!xwl_seat->focus_window)
+ return FALSE;
+
if (xwl_seat->confined_pointer)
xwl_seat_destroy_confined_pointer(xwl_seat);
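Review bot: the NULL check sits in xwl_seat_maybe_lock_on_hidden_cursor(), but per the commit message the dereference of xwl_seat->focus_window happens in xwl_pointer_warp_emulator_lock(), so any other caller of that function stays exposed. Consider also guarding (or at least asserting) focus_window inside xwl_pointer_warp_emulator_lock() itself, so the invariant is enforced where the pointer is used.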
commit 6f29c8375281c0337ab94f7919a70c20149b0fc6
Author: Michal Srb <msrb at suse.com>
Date: Fri Jul 7 17:21:46 2017 +0200
Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 211e05ac85a294ef361b9f80d689047fa52b9076)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index a8b92cc18..0bc5761f3 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST(xXIBarrierReleasePointerReq);
int i;
- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
-
swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
swapl(&stuff->num_barriers);
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid);
swapl(&info->barrier);
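Review bot: the size passed to REQUEST_FIXED_SIZE is "stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)", computed from a client-supplied 32-bit count before the macro sees it. Where size_t is 32 bits that product can wrap, and a wrapped value would be compared against the request length while the loop below still iterates num_barriers times. Consider rejecting num_barriers values larger than the request length can hold before multiplying, or doing the multiplication in a 64-bit type. The new line also runs well past 80 columns and could be wrapped.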
@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
commit c8eb79c1834cef5657e227844111052e0dd78661
Author: Rodrigo Vivi <rodrigo.vivi at intel.com>
Date: Thu Jun 29 13:29:58 2017 -0700
dri2: Sync i965_pci_ids.h from Mesa.
Copied from Mesa with no modifications.
Gives us Coffee Lake and Cannon Lake PCI IDs.
Signed-off-by: Rodrigo Vivi <rodrigo.vivi at intel.com>
Acked-by: Kenneth Graunke <kenneth at whitecape.org>
(cherry picked from commit abb031e731f5c159add1b3351de9c4bb121bf00a)
diff --git a/hw/xfree86/dri2/pci_ids/i965_pci_ids.h b/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
index 17504f5cb..57e70b7ae 100644
--- a/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
+++ b/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
@@ -165,3 +165,26 @@ CHIPSET(0x5927, kbl_gt3, "Intel(R) Iris Plus Graphics 650 (Kaby Lake GT3)")
CHIPSET(0x593B, kbl_gt4, "Intel(R) Kabylake GT4")
CHIPSET(0x3184, glk, "Intel(R) HD Graphics (Geminilake)")
CHIPSET(0x3185, glk_2x6, "Intel(R) HD Graphics (Geminilake 2x6)")
+CHIPSET(0x3E90, cfl_gt1, "Intel(R) HD Graphics (Coffeelake 2x6 GT1)")
+CHIPSET(0x3E93, cfl_gt1, "Intel(R) HD Graphics (Coffeelake 2x6 GT1)")
+CHIPSET(0x3E91, cfl_gt2, "Intel(R) HD Graphics (Coffeelake 3x8 GT2)")
+CHIPSET(0x3E92, cfl_gt2, "Intel(R) HD Graphics (Coffeelake 3x8 GT2)")
+CHIPSET(0x3E96, cfl_gt2, "Intel(R) HD Graphics (Coffeelake 3x8 GT2)")
+CHIPSET(0x3E9B, cfl_gt2, "Intel(R) HD Graphics (Coffeelake 3x8 GT2)")
+CHIPSET(0x3E94, cfl_gt2, "Intel(R) HD Graphics (Coffeelake 3x8 GT2)")
+CHIPSET(0x3EA6, cfl_gt3, "Intel(R) HD Graphics (Coffeelake 3x8 GT3)")
+CHIPSET(0x3EA7, cfl_gt3, "Intel(R) HD Graphics (Coffeelake 3x8 GT3)")
+CHIPSET(0x3EA8, cfl_gt3, "Intel(R) HD Graphics (Coffeelake 3x8 GT3)")
+CHIPSET(0x3EA5, cfl_gt3, "Intel(R) HD Graphics (Coffeelake 3x8 GT3)")
+CHIPSET(0x5A49, cnl_2x8, "Intel(R) HD Graphics (Cannonlake 2x8 GT0.5)")
+CHIPSET(0x5A4A, cnl_2x8, "Intel(R) HD Graphics (Cannonlake 2x8 GT0.5)")
+CHIPSET(0x5A41, cnl_3x8, "Intel(R) HD Graphics (Cannonlake 3x8 GT1)")
+CHIPSET(0x5A42, cnl_3x8, "Intel(R) HD Graphics (Cannonlake 3x8 GT1)")
+CHIPSET(0x5A44, cnl_3x8, "Intel(R) HD Graphics (Cannonlake 3x8 GT1)")
+CHIPSET(0x5A59, cnl_4x8, "Intel(R) HD Graphics (Cannonlake 4x8 GT1.5)")
+CHIPSET(0x5A5A, cnl_4x8, "Intel(R) HD Graphics (Cannonlake 4x8 GT1.5)")
+CHIPSET(0x5A5C, cnl_4x8, "Intel(R) HD Graphics (Cannonlake 4x8 GT1.5)")
+CHIPSET(0x5A50, cnl_5x8, "Intel(R) HD Graphics (Cannonlake 5x8 GT2)")
+CHIPSET(0x5A51, cnl_5x8, "Intel(R) HD Graphics (Cannonlake 5x8 GT2)")
+CHIPSET(0x5A52, cnl_5x8, "Intel(R) HD Graphics (Cannonlake 5x8 GT2)")
+CHIPSET(0x5A54, cnl_5x8, "Intel(R) HD Graphics (Cannonlake 5x8 GT2)")
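Review bot: the commit message says the file is copied from Mesa unmodified but does not record which Mesa commit or release it was taken from, which makes the next sync harder to audit. Please name the Mesa revision in the message. The new entries are not in numeric order (0x3E93 precedes 0x3E91, 0x3E94 follows 0x3E9B, 0x3EA5 follows 0x3EA8); that is fine if it mirrors the Mesa file, but it should be fixed there rather than diverging here.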
commit 37815323721790c4311faff9743f4d2f902b5506
Author: Adam Jackson <ajax at redhat.com>
Date: Thu Jun 29 10:32:00 2017 -0400
wayland: Sync drm.xml with Mesa
... where it is named src/egl/wayland/wayland-drm/wayland-drm.xml and
has its requests sorted by protocol version number, avoiding a warning
from wayland-scanner.
Signed-off-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Daniel Stone <daniels at collabora.com>
(cherry picked from commit 04511a0476b5c860e7d157b01080dff94d935f74)
diff --git a/hw/xwayland/drm.xml b/hw/xwayland/drm.xml
index 8a3ad69b2..5e64622df 100644
--- a/hw/xwayland/drm.xml
+++ b/hw/xwayland/drm.xml
@@ -135,22 +135,6 @@
<arg name="stride2" type="int"/>
</request>
- <!-- Create a wayland buffer for the prime fd. Use for regular and planar
- buffers. Pass 0 for offset and stride for unused planes. -->
- <request name="create_prime_buffer" since="2">
- <arg name="id" type="new_id" interface="wl_buffer"/>
- <arg name="name" type="fd"/>
- <arg name="width" type="int"/>
- <arg name="height" type="int"/>
- <arg name="format" type="uint"/>
- <arg name="offset0" type="int"/>
- <arg name="stride0" type="int"/>
- <arg name="offset1" type="int"/>
- <arg name="stride1" type="int"/>
- <arg name="offset2" type="int"/>
- <arg name="stride2" type="int"/>
- </request>
-
<!-- Notification of the path of the drm device which is used by
the server. The client should use this device for creating
local buffers. Only buffers created from this device should
@@ -177,6 +161,25 @@
<event name="capabilities">
<arg name="value" type="uint"/>
</event>
+
+ <!-- Version 2 additions -->
+
+ <!-- Create a wayland buffer for the prime fd. Use for regular and planar
+ buffers. Pass 0 for offset and stride for unused planes. -->
+ <request name="create_prime_buffer" since="2">
+ <arg name="id" type="new_id" interface="wl_buffer"/>
+ <arg name="name" type="fd"/>
+ <arg name="width" type="int"/>
+ <arg name="height" type="int"/>
+ <arg name="format" type="uint"/>
+ <arg name="offset0" type="int"/>
+ <arg name="stride0" type="int"/>
+ <arg name="offset1" type="int"/>
+ <arg name="stride1" type="int"/>
+ <arg name="offset2" type="int"/>
+ <arg name="stride2" type="int"/>
+ </request>
+
</interface>
</protocol>
commit 0934d56dc804780f3e83ae0153c797d392e6faba
Author: Michel Dänzer <michel.daenzer at amd.com>
Date: Fri Jun 16 11:30:03 2017 +0900
xfree86/modes: Use RRTransformEqual in xf86RandR12CrtcSet
The memcmp didn't catch when e.g. only the filter changed. Tested by
alternately running
xrandr --output DVI-I-0 --scale-from 3840x2160 --filter bilinear
xrandr --output DVI-I-0 --scale-from 3840x2160 --filter nearest
Reviewed-by: Aaron Plattner <aplattner at nvidia.com>
(cherry picked from commit 4212c884c423e5ce2cd3b4d67c0d656475fddc79)
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index 6e6aa1b2a..aac02db43 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -1174,8 +1174,7 @@ xf86RandR12CrtcSet(ScreenPtr pScreen,
if ((transform != NULL) != crtc->transformPresent)
changed = TRUE;
else if (transform &&
- memcmp(&transform->transform, &crtc->transform.transform,
- sizeof(transform->transform)) != 0)
+ !RRTransformEqual(transform, &crtc->transform))
changed = TRUE;
if (x != crtc->x || y != crtc->y)
commit 358f0bcd4f6703302b8895e42e20d1cbdfff102e
Author: Aaron Plattner <aplattner at nvidia.com>
Date: Thu Jun 15 14:28:27 2017 -0700
randr: Use RRTransformEqual in RRCrtcPendingTransform
Currently, RRCrtcPendingTransform returns false unless the
transformation matrix itself is changing. This makes RRCrtcSet skip
doing anything if the only thing that is changing is the transform
filter.
There's already a function for comparing RRTransformPtrs, so use that
instead.
Tested by running
xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter nearest
followed by
xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter bilinear
Signed-off-by: Aaron Plattner <aplattner at nvidia.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit 091af80be48c37f16c679d35fc12ad33e6b0cd74)
diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index d1a51f0aa..401a1c178 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -843,9 +843,8 @@ RRCrtcGetTransform(RRCrtcPtr crtc)
Bool
RRCrtcPendingTransform(RRCrtcPtr crtc)
{
- return memcmp(&crtc->client_current_transform.transform,
- &crtc->client_pending_transform.transform,
- sizeof(PictTransform)) != 0;
+ return !RRTransformEqual(&crtc->client_current_transform,
+ &crtc->client_pending_transform);
}
/*
commit ed8fbabacac3cd4c7798bd36713894a2068cee13
Author: Michal Srb <msrb at suse.com>
Date: Wed May 24 15:54:42 2017 +0300
Xi: Do not try to swap GenericEvent.
The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
it is assuming that the event has fixed size and gives the swapping function
xEvent-sized buffer.
A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
Signed-off-by: Michal Srb <msrb at suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit ba336b24052122b136486961c82deac76bbde455)
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 365c791e8..5ecc228ee 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
eventP = (xEvent *) &stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
+ if (eventP->u.u.type == GenericEvent) {
+ client->errorValue = eventP->u.u.type;
+ return BadValue;
+ }
+
proc = EventSwapVector[eventP->u.u.type & 0177];
- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
+ /* no swapping proc; invalid event type? */
+ if (proc == NotImplemented) {
+ client->errorValue = eventP->u.u.type;
return BadValue;
+ }
(*proc) (eventP, &eventT);
*eventP = eventT;
}
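Review bot: the new GenericEvent test compares the raw eventP->u.u.type, while the lookup two lines later indexes EventSwapVector with "eventP->u.u.type & 0177". A type byte with the high bit set compares unequal to GenericEvent yet selects the same swap procedure, so the two checks disagree. Compute the masked type once and use it for both the GenericEvent comparison and the table index.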
commit e8f6a1bb77cbd1bb30d8dc956c5fdc98e25a22aa
Author: Michal Srb <msrb at suse.com>
Date: Wed May 24 15:54:41 2017 +0300
Xi: Verify all events in ProcXSendExtensionEvent.
The requirement is that events have type in range
EXTENSION_EVENT_BASE..lastEvent, but it was tested
only for first event of all.
Signed-off-by: Michal Srb <msrb at suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 8caed4df36b1f802b4992edcfd282cbeeec35d9d)
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index c9b7dde7c..365c791e8 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
int
ProcXSendExtensionEvent(ClientPtr client)
{
- int ret;
+ int ret, i;
DeviceIntPtr dev;
xEvent *first;
XEventClass *list;
@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
- (first->u.u.type < lastEvent))) {
- client->errorValue = first->u.u.type;
- return BadValue;
+ for (i = 0; i < stuff->num_events; i++) {
+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+ (first[i].u.u.type < lastEvent))) {
+ client->errorValue = first[i].u.u.type;
+ return BadValue;
+ }
}
list = (XEventClass *) (first + stuff->num_events);
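Review bot: the new loop reads first[i] for every i below stuff->num_events, so it depends on the request length having been validated against num_events before this point; the visible context does not show that check. Please confirm the length test precedes the loop, and consider a brief comment saying so, because reordering the two would turn this validation into an out-of-bounds read.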
commit 21f559038c8776acc6439faadbdcab7df4300c66
Author: Michal Srb <msrb at suse.com>
Date: Wed May 24 15:54:40 2017 +0300
dix: Disallow GenericEvent in SendEvent request.
The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
no less. Both ProcSendEvent and SProcSendEvent verify that the received data
exactly match the request size. However nothing stops the client from passing
in event with xEvent::type = GenericEvent and any value of
xGenericEvent::length.
In the case of ProcSendEvent, the event will be eventually passed to
WriteEventsToClient which will see that it is Generic event and copy the
arbitrary length from the receive buffer (and possibly past it) and send it to
the other client. This allows clients to copy uninitialized heap memory out of X
server or to crash it.
In case of SProcSendEvent, it will attempt to swap the incoming event by
calling a swapping function from the EventSwapVector array. The swapped event
is written to target buffer, which in this case is local xEvent variable. The
xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
expect that the target buffer has size matching the size of the source
GenericEvent. This allows clients to cause stack buffer overflows.
Signed-off-by: Michal Srb <msrb at suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 215f894965df5fb0bb45b107d84524e700d2073c)
diff --git a/dix/events.c b/dix/events.c
index cc26ba5db..3faad53a8 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
client->errorValue = stuff->event.u.u.type;
return BadValue;
}
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
if (stuff->event.u.u.type == ClientMessage &&
stuff->event.u.u.detail != 8 &&
stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
diff --git a/dix/swapreq.c b/dix/swapreq.c
index 61d3ce0f4..8cc64b6ed 100644
--- a/dix/swapreq.c
+++ b/dix/swapreq.c
@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
swapl(&stuff->destination);
swapl(&stuff->eventMask);
+ /* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+ if (stuff->event.u.u.type == GenericEvent) {
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
+
/* Swap event */
proc = EventSwapVector[stuff->event.u.u.type & 0177];
if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
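Review bot: in SProcSendEvent the added check tests "stuff->event.u.u.type == GenericEvent" on the unmasked byte, but the swap procedure is then chosen with "stuff->event.u.u.type & 0177". For the check to protect the 32-byte target buffer it must use the same masked value as the lookup; otherwise a type with the top bit set passes the check and still reaches the GenericEvent swapper. The identical comment and test are now duplicated in dix/events.c and here; a small shared helper would keep them in step.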
commit cdf15ab8f94d54bce72f37653fc46daf482b1671
Author: Michal Srb <msrb at suse.com>
Date: Wed May 24 15:54:39 2017 +0300
Xi: Zero target buffer in SProcXSendExtensionEvent.
Make sure that the xEvent eventT is initialized with zeros, the same way as
in SProcSendEvent.
Some event swapping functions do not overwrite all 32 bytes of xEvent
structure, for example XSecurityAuthorizationRevoked. Two cooperating
clients, one swapped and the other not, can send
XSecurityAuthorizationRevoked event to each other to retrieve old stack data
from X server. This can be potentially misused to go around ASLR or
stack-protector.
Signed-off-by: Michal Srb <msrb at suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 05442de962d3dc624f79fc1a00eca3ffc5489ced)
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 183f88dae..c9b7dde7c 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
{
CARD32 *p;
int i;
- xEvent eventT;
+ xEvent eventT = { .u.u.type = 0 };
xEvent *eventP;
EventSwapPtr proc;
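Review bot: "xEvent eventT = { .u.u.type = 0 };" initializes eventT once at declaration, but the buffer is reused for every event in the loop and copied back whole with "*eventP = eventT;", so from the second event onward it carries whatever the previous swap left behind. The initializer also names only one member of a union, and C does not promise that the bytes outside that member are zero. A memset(&eventT, 0, sizeof(eventT)) at the top of each loop iteration states the intent explicitly and covers both cases.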
commit 3a53e4407fb9e0c0e0dbf8d147b67f6e36aea5ae
Author: Michel Dänzer <michel.daenzer at amd.com>
Date: Tue Jun 6 18:42:06 2017 +0900
glamor: Fix temporary pixmap coordinate offsets
The previous values happened to work in basic cases, but not in general
if the destination is a subwindow or has a border.
Fixes crash with xli, which moves a large subwindow inside a smaller
parent window for scrolling.
No regressions with xterm, x11perf -copyplane or the xscreensaver
phosphor hack.
Bug: https://bugs.debian.org/857983
Reviewed-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit ffda82ed04d28feae2e001dbd0c32d6c795d90b1)
diff --git a/glamor/glamor_copy.c b/glamor/glamor_copy.c
index ff8f44ef1..ed96b2b1e 100644
--- a/glamor/glamor_copy.c
+++ b/glamor/glamor_copy.c
@@ -230,8 +230,8 @@ glamor_copy_cpu_fbo(DrawablePtr src,
goto bail;
}
- src_pix->drawable.x = -dst->x;
- src_pix->drawable.y = -dst->y;
+ src_pix->drawable.x = dst_xoff;
+ src_pix->drawable.y = dst_yoff;
fbGetDrawable(&src_pix->drawable, src_bits, src_stride, src_bpp, src_xoff,
src_yoff);
commit 87a7393799ab5d1ea4a19ae7687cd50ac0dceeb4
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Jun 12 14:43:23 2017 -0400
modesetting: Validate the atom for enum properties
The client could have said anything here, and if what they said doesn't
actually name an atom NameForAtom() will return NULL, and strcmp() will
be unhappy about that.
Signed-off-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit d4995a3936ae283b9080fdaa0905daa669ebacfc)
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 6e755e948..415c1b38d 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -1566,7 +1566,8 @@ drmmode_output_set_property(xf86OutputPtr output, Atom property,
value->size != 1)
return FALSE;
memcpy(&atom, value->data, 4);
- name = NameForAtom(atom);
+ if (!(name = NameForAtom(atom)))
+ return FALSE;
/* search for matching name string, then set its value down */
for (j = 0; j < p->mode_prop->count_enums; j++) {
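Review bot: style point on "if (!(name = NameForAtom(atom)))": an assignment buried in the condition is easy to misread. Assigning first and then testing "if (!name) return FALSE;" reads more clearly and keeps the original assignment line intact. While here, the context line "memcpy(&atom, value->data, 4);" hard-codes the size; sizeof(atom) would document the intent, provided the preceding checks already fix the property format.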
commit faeee7646695261e60ea03d934a0c496a429f31b
Author: Carlos Garnacho <carlosg at gnome.org>
Date: Sun May 28 15:56:21 2017 +0200
Xi: Use WarpPointerProc hook on XI pointer warping implementation
Just like we do with XWarpPointer's.
Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 95febc42cadf392a888104ad6d5cf4f34fdde7d5)
diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
index 780758a9e..8426443fa 100644
--- a/Xi/xiwarppointer.c
+++ b/Xi/xiwarppointer.c
@@ -186,6 +186,10 @@ ProcXIWarpPointer(ClientPtr client)
pDev->last.valuators[1] = y;
miPointerUpdateSprite(pDev);
+ if (*newScreen->CursorWarpedTo)
+ (*newScreen->CursorWarpedTo) (pDev, newScreen, client,
+ dest, pSprite, x, y);
+
/* FIXME: XWarpPointer is supposed to generate an event. It doesn't do it
here though. */
return Success;
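Review bot: the guard "if (*newScreen->CursorWarpedTo)" dereferences the function pointer just to test it; "if (newScreen->CursorWarpedTo)" says the same thing more plainly. The call passes dest and pSprite straight through, so please confirm that dest is the value the hook expects when the request's destination window is None, since the hook implementations shown elsewhere in this series treat a NULL window specially.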
commit c6df0d03de22b57d5faa77b19ac1ec0311f4f3a5
Author: Carlos Garnacho <carlosg at gnome.org>
Date: Sun May 28 15:56:20 2017 +0200
xwayland: Lock the pointer if it is confined and has no cursor
In the typical pattern in games of "hide cursor, grab with a confineTo,
warp constantly the pointer to the middle of the window" the last warping
step is actually rather optional. Some games may choose to just set up a
grab with confineTo argument, and trust that they'll get correct relative
X/Y axis values despite the hidden cursor hitting the confinement window
edge.
To cater for these cases, lock the pointer whenever there is a pointer
confinement and the cursor is hidden. This ensures the pointer position
is in sync with the compositor's when it's next shown again, and more
importantly resorts to the relative pointer for event delivery.
Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit ca17f3e9fd3b59fdc5ffd0e5d78e4db6ddc87aa1)
diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
index f06e88aa5..add76f547 100644
--- a/hw/xwayland/xwayland-input.c
+++ b/hw/xwayland/xwayland-input.c
@@ -1524,11 +1524,35 @@ xwl_seat_emulate_pointer_warp(struct xwl_seat *xwl_seat,
x, y);
}
+static Bool
+xwl_seat_maybe_lock_on_hidden_cursor(struct xwl_seat *xwl_seat)
+{
+ /* Some clients use hidden cursor+confineTo+relative motion
+ * to implement infinite panning (eg. 3D views), lock the
+ * pointer for so the relative pointer is used.
+ */
+ if (xwl_seat->x_cursor ||
+ !xwl_seat->cursor_confinement_window)
+ return FALSE;
+
+ if (xwl_seat->confined_pointer)
+ xwl_seat_destroy_confined_pointer(xwl_seat);
+
+ xwl_seat_create_pointer_warp_emulator(xwl_seat);
+ xwl_pointer_warp_emulator_lock(xwl_seat->pointer_warp_emulator);
+ return TRUE;
+}
+
void
xwl_seat_cursor_visibility_changed(struct xwl_seat *xwl_seat)
{
- if (xwl_seat->pointer_warp_emulator && xwl_seat->x_cursor != NULL)
+ if (xwl_seat->pointer_warp_emulator && xwl_seat->x_cursor != NULL) {
xwl_seat_destroy_pointer_warp_emulator(xwl_seat);
+ } else if (!xwl_seat->x_cursor && xwl_seat->cursor_confinement_window) {
+ /* If the cursor goes hidden as is confined, lock it for
+ * relative motion to work. */
+ xwl_seat_maybe_lock_on_hidden_cursor(xwl_seat);
+ }
}
void
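Review bot: xwl_seat_maybe_lock_on_hidden_cursor() calls xwl_seat_create_pointer_warp_emulator() and then hands xwl_seat->pointer_warp_emulator to xwl_pointer_warp_emulator_lock() without checking that an emulator exists or that the seat has a focus window; the missing focus_window check is what the later "Fix a segfault with pointer locking" commit on this branch adds. The else branch in xwl_seat_cursor_visibility_changed() can also be reached while pointer_warp_emulator is already set (emulator present, cursor hidden), so confirm that create is safe to call twice. That branch repeats the helper's own precondition and could just call the helper. The comment "lock the pointer for so the relative pointer is used" has a stray word.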
@@ -1567,6 +1591,9 @@ xwl_seat_confine_pointer(struct xwl_seat *xwl_seat,
if (xwl_seat->pointer_warp_emulator)
return;
+ if (xwl_seat_maybe_lock_on_hidden_cursor(xwl_seat))
+ return;
+
xwl_seat->confined_pointer =
zwp_pointer_constraints_v1_confine_pointer(pointer_constraints,
xwl_window->surface,
commit 2ccea152c091e25474a83588e18475567471e7c8
Author: Carlos Garnacho <carlosg at gnome.org>
Date: Sun May 28 15:56:19 2017 +0200
xwayland: Update root window size when desktop size changes
This fixes grabs on InputOnly windows whose parent is the root window
failing with GrabNotViewable. This is due to window->borderSize/windowSize
being computed as clipped by its parent, resulting in a null region.
Setting up the right size on the root window makes the InputOnly size
correct too, so the GrabNotViewable paths aren't hit anymore.
Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
Acked-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 513e3bd3870fdb8a8e0e2e52c0fa93872300bc8b)
diff --git a/hw/xwayland/xwayland-output.c b/hw/xwayland/xwayland-output.c
index a4bc185da..5a0f739f3 100644
--- a/hw/xwayland/xwayland-output.c
+++ b/hw/xwayland/xwayland-output.c
@@ -187,8 +187,11 @@ update_screen_size(struct xwl_output *xwl_output, int width, int height)
SetRootClip(xwl_screen->screen, xwl_screen->root_clip_mode);
if (xwl_screen->screen->root) {
+ BoxRec box = { 0, 0, width, height };
+
xwl_screen->screen->root->drawable.width = width;
xwl_screen->screen->root->drawable.height = height;
+ RegionReset(&xwl_screen->screen->root->winSize, &box);
RRScreenSizeNotify(xwl_screen->screen);
}
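Review bot: "BoxRec box = { 0, 0, width, height };" narrows the int width and height parameters into the 16-bit box fields with no range check, the same box32-to-box16 narrowing that the glamor overflow fix in this series guards with INT16_MAX. If the desktop size can exceed that range, clamp or reject before building the box. The hunk in xwayland.c below builds its box from xwl_screen->width and xwl_screen->height in the same way.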
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 4ccea1a1f..939f3392c 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -334,9 +334,11 @@ xwl_realize_window(WindowPtr window)
screen->RealizeWindow = xwl_realize_window;
if (xwl_screen->rootless && !window->parent) {
+ BoxRec box = { 0, 0, xwl_screen->width, xwl_screen->height };
+
+ RegionReset(&window->winSize, &box);
RegionNull(&window->clipList);
RegionNull(&window->borderClip);
- RegionNull(&window->winSize);
}
if (xwl_screen->rootless) {
commit 0e5b08f2eef946e9d9d071f0a79ead379419d8a7
Author: Carlos Garnacho <carlosg at gnome.org>
Date: Sun May 28 15:56:18 2017 +0200
xwayland: "Accept" confineTo on InputOnly windows
Of sorts, actually make it confine to the pointer focus, as the
InputOnly window is entirely invisible to xwayland accounting,
we don't have a xwl_window for it.
Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit fafdb0cc9697eb53635ed1e78bec1d4cd87ab3a2)
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 33c784fd6..4ccea1a1f 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -224,6 +224,15 @@ xwl_cursor_confined_to(DeviceIntPtr device,
}
xwl_window = xwl_window_from_window(window);
+ if (!xwl_window && xwl_seat->focus_window) {
+ /* Allow confining on InputOnly windows, but only if the geometry
+ * is the same than the focus window.
+ */
+ if (window->drawable.class == InputOnly) {
+ DebugF("Confine on InputOnly window, assuming pointer focus\n");
+ xwl_window = xwl_seat->focus_window;
+ }
+ }
if (!xwl_window)
return;
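Review bot: the comment says confinement on an InputOnly window is allowed "only if the geometry is the same than the focus window", but the code tests only "window->drawable.class == InputOnly" and never compares geometry. Either add the comparison against xwl_seat->focus_window->window's drawable, or reword the comment to say that any InputOnly window is mapped to the pointer focus. The inner test could also be folded into the outer condition to save a nesting level.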
commit 420f77a1ba8bfbbf8c06f6dd57e9ee36124b7360
Author: Carlos Garnacho <carlosg at gnome.org>
Date: Sun May 28 15:56:17 2017 +0200
xwayland: Allow pointer warp on root/None window
Of sorts, as we can't honor pointer warping across the whole root window
coordinates, peek the pointer focus in these cases.
Signed-off-by: Carlos Garnacho <carlosg at gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit c217fcb4c4640ffd2fefee63c6fcd7ea5e64b942)
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 97b5b58d7..33c784fd6 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -175,11 +175,31 @@ xwl_cursor_warped_to(DeviceIntPtr device,
struct xwl_screen *xwl_screen = xwl_screen_get(screen);
struct xwl_seat *xwl_seat = device->public.devicePrivate;
struct xwl_window *xwl_window;
+ WindowPtr focus;
if (!xwl_seat)
xwl_seat = xwl_screen_get_default_seat(xwl_screen);
xwl_window = xwl_window_from_window(window);
+ if (!xwl_window && xwl_seat->focus_window) {
+ focus = xwl_seat->focus_window->window;
+
+ /* Warps on non wl_surface backed Windows are only allowed
+ * as long as the pointer stays within the focus window.
+ */
+ if (x >= focus->drawable.x &&
+ y >= focus->drawable.y &&
+ x < focus->drawable.x + focus->drawable.width &&
+ y < focus->drawable.y + focus->drawable.height) {
+ if (!window) {
+ DebugF("Warp relative to pointer, assuming pointer focus\n");
+ xwl_window = xwl_seat->focus_window;
+ } else if (window == screen->root) {
+ DebugF("Warp on root window, assuming pointer focus\n");
+ xwl_window = xwl_seat->focus_window;
+ }
+ }
+ }
if (!xwl_window)
return;
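Review bot: in xwl_cursor_warped_to the `!window` and `window == screen->root` branches assign the same value and differ only in the DebugF text, so they can be one `if (!window || window == screen->root)` test. `focus` is used only inside the new block and could be declared there. It would also help to say in the comment that a warp on any other window without a wl_surface still falls through to the early return.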
commit 40edd409bfc527223dfae89c7f84fea0721dec49
Author: Michel Dänzer <michel.daenzer at amd.com>
Date: Fri May 26 12:30:13 2017 +0900
glamor: Store the actual EGL/GLX context pointer in lastGLContext
Fixes subtle breakage which could sometimes trigger after a server reset
with multiple screens using glamor:
Screen A enters glamor_close_screen last and calls various cleanup
functions, which at some point call glamor_make_current to make sure
screen A's GL context is current. This sets lastGLContext to screen A's
&glamor_priv->ctx. Finally, glamor_close_screen calls
glamor_release_screen_priv, which calls free(glamor_priv).
Later, screen B enters glamor_init, which allocates a new glamor_priv.
With bad luck, this can return the same pointer which was previously
used for screen A's glamor_priv. So when screen B's glamor_init calls
glamor_make_current, lastGLContext == &glamor_priv->ctx, so MakeCurrent
isn't called for screen B's GL context, and the following OpenGL API
calls triggered by glamor_init mess up screen A's GL context.
The observed end result of this was a crash in glamor_get_vbo_space
because glamor_priv->vbo didn't match the GL context, though there might
be other possible outcomes.
Assigning the actual GL context pointer to lastGLContext prevents this
by preventing the false negative test in glamor_make_current.
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit 7c88977d338a01aca866e52c9e736f8857fb9ae4)
diff --git a/glamor/glamor_utils.h b/glamor/glamor_utils.h
index 6b88527e6..a35917c37 100644
--- a/glamor/glamor_utils.h
+++ b/glamor/glamor_utils.h
@@ -723,8 +723,8 @@ glamor_is_large_pixmap(PixmapPtr pixmap)
static inline void
glamor_make_current(glamor_screen_private *glamor_priv)
{
- if (lastGLContext != &glamor_priv->ctx) {
- lastGLContext = &glamor_priv->ctx;
+ if (lastGLContext != glamor_priv->ctx.ctx) {
+ lastGLContext = glamor_priv->ctx.ctx;
glamor_priv->ctx.make_current(&glamor_priv->ctx);
}
}
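Review bot: lastGLContext in glamor_make_current now holds glamor_priv->ctx.ctx, but nothing in this hunk clears it when a screen is torn down, so the test still depends on a destroyed context's pointer value never being handed out again. Consider resetting lastGLContext to NULL on the close path, and add a comment here saying why the inner ctx pointer is compared rather than &glamor_priv->ctx.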
commit 7c4f7b3a49a43984ab90788b85b35078feadf42a
Author: Lyude <lyude at redhat.com>
Date: Tue May 30 16:39:49 2017 -0400
xwayland: Don't load extension list more than once
When running an Xwayland server from the command line, we end up
resetting the server every time all of the clients connected to the
server leave. This would be fine, except that xwayland makes the mistake
of unconditionally calling LoadExtensionList(). This causes us to set up
the glxExtension twice in a row which means that when we lose our last
client on the second server generation, we end up trying to call the glx
destructors twice in a row resulting in a segfault:
(EE)
(EE) Backtrace:
(EE) 0: Xwayland (OsSigHandler+0x3b) [0x4982f9]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x70845bf]
(EE) 2: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32897d) [0x1196e5bd]
(EE) 3: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x328a45) [0x1196e745]
(EE) 4: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32665f) [0x11969f7f]
(EE) 5: Xwayland (__glXDRIscreenDestroy+0x30) [0x54686e]
(EE) 6: Xwayland (glxCloseScreen+0x3f) [0x5473db]
(EE) 7: Xwayland (glxCloseScreen+0x53) [0x5473ef]
(EE) 8: Xwayland (dix_main+0x7b6) [0x44c8c9]
(EE) 9: Xwayland (main+0x28) [0x61c503]
(EE) 10: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x72b1401]
(EE) 11: Xwayland (_start+0x2a) [0x4208fa]
(EE) 12: ? (?+0x2a) [0x2a]
(EE)
(EE) Segmentation fault at address 0x18
(EE)
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
Easy reproduction recipe:
- Start an Xwayland session with the default settings
- Open a window
- Close that window
- Open another window
- Close that window
- Total annihilation occurs
Signed-off-by: Lyude <lyude at redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 4f29366f1e5678505fb882143c9b4a892d5b8273)
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index c27787018..97b5b58d7 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -880,8 +880,9 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
screen_info->bitmapBitOrder = BITMAP_BIT_ORDER;
screen_info->numPixmapFormats = ARRAY_SIZE(depths);
- LoadExtensionList(xwayland_extensions,
- ARRAY_SIZE(xwayland_extensions), FALSE);
+ if (serverGeneration == 1)
+ LoadExtensionList(xwayland_extensions,
+ ARRAY_SIZE(xwayland_extensions), FALSE);
/* Cast away warning from missing printf annotation for
* wl_log_func_t. Wayland 1.5 will have the annotation, so we can
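Review bot: the new `if (serverGeneration == 1)` guard in InitOutput has no comment, and the reason for it (a second LoadExtensionList call after a server reset sets the extensions up again) lives only in the commit message. A one-line comment above the guard would keep a later cleanup from removing it.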
commit d8f63717e05ae8d820ceae74216916ebd180441d
Author: Jason Gerecke <killertofu at gmail.com>
Date: Fri May 26 14:27:19 2017 -0700
xfree86: Fix interpretation of xf86WaitForInput timeout
Commit aa6717ce2 switched xf86WaitForInput from using select(2) to using
poll(2). Before this change, the timeout was interpreted as being in
microseconds; afterwards it is fed directly to xorg_poll which interprets
it as being in milliseconds. This results in the function potentially
blocking 1000x longer than intended. This commit scales down the timeout
argument before passing it to xorg_poll, being careful to ensure the result
is not rounded down due to integer division.
Signed-off-by: Jason Gerecke <jason.gerecke at wacom.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 2fbf62b2fb3dcb29551251d09aa695715bb754f4)
diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
index 6249a625c..a795ae19d 100644
--- a/hw/xfree86/os-support/shared/posix_tty.c
+++ b/hw/xfree86/os-support/shared/posix_tty.c
@@ -394,6 +394,9 @@ xf86WaitForInput(int fd, int timeout)
poll_fd.fd = fd;
poll_fd.events = POLLIN;
+ /* convert microseconds to milliseconds */
+ timeout = (timeout + 999) / 1000;
+
if (fd >= 0) {
SYSCALL(r = xserver_poll(&poll_fd, 1, timeout));
}
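Review bot: `timeout = (timeout + 999) / 1000;` in xf86WaitForInput is applied to every input, so a negative timeout such as -1 becomes 0 (998 / 1000 truncates to 0) and a value above INT_MAX - 999 overflows in the addition. If callers can pass either, restrict the conversion to `timeout > 0` and document what a negative value means for this function.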
commit 444929b446a0ef5873d6346c3f3091adb8fbe6bb
Author: Keith Packard <keithp at keithp.com>
Date: Wed May 10 21:50:45 2017 -0700
dix: Remove clients from input and output ready queues after closing
Delay removing the client from these two queues until all potential
I/O has completed in case we mark the client as ready for reading or
with pending output during the close operation.
Bugzilla: https://bugs.freedesktop.org/100957
Signed-off-by: Keith Packard <keithp at keithp.com>
Tested-by: Nick Sarnie <commendsarnex at gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit d9e23ea4228575344e3b4c0443cecc5eb75356e4)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 78ac095b1..0da431bf9 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3415,7 +3415,6 @@ CloseDownClient(ClientPtr client)
if (grabState != GrabNone && grabClient == client) {
UngrabServer(client);
}
- mark_client_not_ready(client);
BITCLEAR(grabWaiters, client->index);
DeleteClientFromAnySelections(client);
ReleaseActiveGrabs(client);
@@ -3444,8 +3443,9 @@ CloseDownClient(ClientPtr client)
if (ClientIsAsleep(client))
ClientSignal(client);
ProcessWorkQueueZombies();
- output_pending_clear(client);
CloseDownConnection(client);
+ output_pending_clear(client);
+ mark_client_not_ready(client);
/* If the client made it to the Running stage, nClients has
* been incremented on its behalf, so we need to decrement it
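Review bot: in CloseDownClient the relative order of CloseDownConnection, output_pending_clear and mark_client_not_ready now matters, but nothing in the code says so. Add a comment above the two moved calls stating that they must run after CloseDownConnection because the close can mark the client ready or leave output pending again.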
commit d808b573992ae1fc7706d8897a92783b847040e3
Author: Keith Packard <keithp at keithp.com>
Date: Sat Apr 29 00:26:10 2017 -0700
os: Mark client as ready to read when closing due to write failure [100863]
This makes sure the server will go look at the client again, notice
that the FD is no longer valid and close the client down.
Bugzilla: https://bugs.freedesktop.org/100863
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit e2f68296ffb8e40035c0ebd949b67d1e2e424e11)
diff --git a/os/io.c b/os/io.c
index 714516ee3..f80580cfc 100644
--- a/os/io.c
+++ b/os/io.c
@@ -636,7 +636,10 @@ SetCriticalOutputPending(void)
/*****************
* AbortClient:
* When a write error occurs to a client, close
- * the connection and clean things up.
+ * the connection and clean things up. Mark
+ * the client as 'ready' so that the server will
+ * try to read from it again, notice that the fd is
+ * closed and clean up from there.
*****************/
static void
@@ -648,6 +651,7 @@ AbortClient(ClientPtr client)
_XSERVTransDisconnect(oc->trans_conn);
_XSERVTransClose(oc->trans_conn);
oc->trans_conn = NULL;
+ mark_client_ready(client);
}
}
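Review bot: mark_client_ready(client) sits inside the `if (oc->trans_conn)` block of AbortClient, so a second abort on a connection that is already closed does not queue the client again. If that is intended, say so in the header comment; if the client should always be revisited, move the call after the block.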
commit 7a2525fba60a04a95a4a8b26c2b628dc8fdfdeff
Author: Keith Packard <keithp at keithp.com>
Date: Sat Apr 29 00:21:47 2017 -0700
os: un-duplicate code to close client on write failure
There are three copies of the same short sequence of operations to
close down a client when a write error occurs. Create a new function,
AbortClient, which performs these operations and then call it from the
three places.
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit a82971b07035ee9a4e3ed01326e7c1eab34b5a19)
diff --git a/os/io.c b/os/io.c
index 234c0f33f..714516ee3 100644
--- a/os/io.c
+++ b/os/io.c
@@ -634,6 +634,24 @@ SetCriticalOutputPending(void)
}
/*****************
+ * AbortClient:
+ * When a write error occurs to a client, close
+ * the connection and clean things up.
+ *****************/
+
+static void
+AbortClient(ClientPtr client)
+{
+ OsCommPtr oc = client->osPrivate;
+
+ if (oc->trans_conn) {
+ _XSERVTransDisconnect(oc->trans_conn);
+ _XSERVTransClose(oc->trans_conn);
+ oc->trans_conn = NULL;
+ }
+}
+
+/*****************
* WriteToClient
* Copies buf into ClientPtr.buf if it fits (with padding), else
* flushes ClientPtr.buf and buf to client. As of this writing,
@@ -708,11 +726,7 @@ WriteToClient(ClientPtr who, int count, const void *__buf)
FreeOutputs = oco->next;
}
else if (!(oco = AllocateOutputBuffer())) {
- if (oc->trans_conn) {
- _XSERVTransDisconnect(oc->trans_conn);
- _XSERVTransClose(oc->trans_conn);
- oc->trans_conn = NULL;
- }
+ AbortClient(who);
MarkClientException(who);
return -1;
}
@@ -893,9 +907,7 @@ FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
obuf = realloc(oco->buf, notWritten + BUFSIZE);
}
if (!obuf) {
- _XSERVTransDisconnect(oc->trans_conn);
- _XSERVTransClose(oc->trans_conn);
- oc->trans_conn = NULL;
+ AbortClient(who);
MarkClientException(who);
oco->count = 0;
return -1;
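Review bot: in the FlushClient realloc-failure branch the removed lines closed oc->trans_conn unconditionally through the oc parameter, while AbortClient(who) looks up who->osPrivate and tests trans_conn for NULL first. The two are equivalent only if oc is always who->osPrivate here; state that in a comment or pass oc to the helper. All three call sites also follow AbortClient(who) with MarkClientException(who), which could move into AbortClient.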
@@ -922,11 +934,7 @@ FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
}
#endif
else {
- if (oc->trans_conn) {
- _XSERVTransDisconnect(oc->trans_conn);
- _XSERVTransClose(oc->trans_conn);
- oc->trans_conn = NULL;
- }
+ AbortClient(who);
MarkClientException(who);
oco->count = 0;
return -1;
commit b3de3ebcf450fd4ab1543dd2f133e45e9c0b9e7e
Author: Michel Dänzer <michel.daenzer at amd.com>
Date: Wed Apr 26 18:31:08 2017 +0900
os: Handle SIGABRT
Without this, assertion failures can make life hard for users and those
trying to help them.
v2:
* Change commit log wording slightly to "can make life hard", since
apparently e.g. logind can alleviate that somewhat.
* Set default handler for SIGABRT in
hw/xfree86/common/xf86Init.c:InstallSignalHandlers() and
hw/xquartz/quartz.c:QuartzInitOutput() (Eric Anholt)
Reviewed-by: Eric Anholt <eric at anholt.net>
Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit 27a6b9f7c84c914d0f5909ec1069d72f5035bc04)
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
index a544b6543..d59c224d5 100644
--- a/hw/xfree86/common/xf86Init.c
+++ b/hw/xfree86/common/xf86Init.c
@@ -309,6 +309,7 @@ InstallSignalHandlers(void)
}
else {
OsSignal(SIGSEGV, SIG_DFL);
+ OsSignal(SIGABRT, SIG_DFL);
OsSignal(SIGILL, SIG_DFL);
#ifdef SIGEMT
OsSignal(SIGEMT, SIG_DFL);
diff --git a/hw/xquartz/quartz.c b/hw/xquartz/quartz.c
index c8b6f966d..c8ea3bf8b 100644
--- a/hw/xquartz/quartz.c
+++ b/hw/xquartz/quartz.c
@@ -178,6 +178,7 @@ QuartzInitOutput(int argc,
{
/* For XQuartz, we want to just use the default signal handler to work better with CrashTracer */
signal(SIGSEGV, SIG_DFL);
+ signal(SIGABRT, SIG_DFL);
signal(SIGILL, SIG_DFL);
#ifdef SIGEMT
signal(SIGEMT, SIG_DFL);
diff --git a/os/osinit.c b/os/osinit.c
index 5b2f6b546..cd769d181 100644
--- a/os/osinit.c
+++ b/os/osinit.c
@@ -173,6 +173,7 @@ OsInit(void)
int i;
int siglist[] = { SIGSEGV, SIGQUIT, SIGILL, SIGFPE, SIGBUS,
+ SIGABRT,
SIGSYS,
SIGXCPU,
SIGXFSZ,
diff --git a/os/utils.c b/os/utils.c
index ac55cd79f..7379121b5 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -1352,6 +1352,12 @@ OsAbort(void)
#ifndef __APPLE__
OsBlockSignals();
#endif
+#if !defined(WIN32) || defined(__CYGWIN__)
+ /* abort() raises SIGABRT, so we have to stop handling that to prevent
+ * recursion
+ */
+ OsSignal(SIGABRT, SIG_DFL);
+#endif
abort();
}
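Review bot: the `OsSignal(SIGABRT, SIG_DFL)` reset is added only in OsAbort, so an abort() or failed assertion reached while the server's signal handler is running by any other route still finds the SIGABRT handler installed. Consider restoring the default disposition at the start of the handler as well. The `#if !defined(WIN32) || defined(__CYGWIN__)` guard also differs from the `#ifndef __APPLE__` guard just above it, and the comment does not say why.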
commit e59a32c897c9f093f54ce4b695e9aff1ba20bda2
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Fri Apr 21 09:05:51 2017 +0200
glamor: an FBO is not needed for Xv pixmaps
It appears that on some hardware/driver combo such as nv30/nouveau, using
GL_ALPHA as format for 8-bit depth will cause an incomplete attachment
error (GL_FRAMEBUFFER_INCOMPLETE_ATTACHMENT) when trying to bind the
texture.
As a result, the FBO is NULL and glamor segfaults when trying to access
the FBO width/height in pixmap_priv_get_scale() in glamor_xv_render().
This happens with glamor-xv which uses 8-bit pixmaps, meaning that on
such hardware/driver, trying to play a video using Xv will lead to a
crash of the Xserver. This affects Xwayland, Xephyr, modesetting driver
with glamor accel.
But the use of an FBO is not actually needed for glamor-xv, so by
disabling FBO at pixmap creation, we can avoid the issue entirely.
Fix suggested by Eric Anholt <eric at anholt.net>
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=100710
Fixes: https://bugzilla.redhat.com/1412814
Reviewed-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit 7bfb87a2137853295ecc9e544a15626cfd773a02)
diff --git a/glamor/glamor_xv.c b/glamor/glamor_xv.c
index 3bcf909b0..31320d124 100644
--- a/glamor/glamor_xv.c
+++ b/glamor/glamor_xv.c
@@ -430,11 +430,14 @@ glamor_xv_put_image(glamor_port_private *port_priv,
glamor_destroy_pixmap(port_priv->src_pix[i]);
port_priv->src_pix[0] =
- glamor_create_pixmap(pScreen, width, height, 8, 0);
+ glamor_create_pixmap(pScreen, width, height, 8,
+ GLAMOR_CREATE_FBO_NO_FBO);
port_priv->src_pix[1] =
- glamor_create_pixmap(pScreen, width >> 1, height >> 1, 8, 0);
+ glamor_create_pixmap(pScreen, width >> 1, height >> 1, 8,
+ GLAMOR_CREATE_FBO_NO_FBO);
port_priv->src_pix[2] =
- glamor_create_pixmap(pScreen, width >> 1, height >> 1, 8, 0);
+ glamor_create_pixmap(pScreen, width >> 1, height >> 1, 8,
+ GLAMOR_CREATE_FBO_NO_FBO);
port_priv->src_pix_w = width;
port_priv->src_pix_h = height;
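Review bot: the three glamor_create_pixmap calls in glamor_xv_put_image now pass GLAMOR_CREATE_FBO_NO_FBO with no comment, and the reason (binding an 8-bit texture to an FBO fails on some drivers, and Xv does not need the FBO) is only in the commit message. Add a short comment above the first call so the flag is not dropped later as an apparent oversight.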
commit 6a6bf1ae046124a9d8a6f3f53f02707951c85c43
Author: Michel Dänzer <michel.daenzer at amd.com>
Date: Wed Apr 12 17:58:05 2017 +0900
xfree86/modes: Make colormap/gamma glue code work with RandR disabled
E.g. because Xinerama is enabled.
Fixes crash on startup and wrong colours in that case.
Bugzilla: https://bugs.freedesktop.org/100293
Bugzilla: https://bugs.freedesktop.org/100294
Fixes: 62f44052573b ("xfree86/modes: Move gamma initialization to
xf86RandR12Init12 v2")
Tested-by: Mariusz Bialonczyk <manio at skyboo.net>
Reviewed-by: Alex Deucher <alexander.deucher at amd.com>
(cherry picked from commit 41dafcc2a2942fc4c94ce3cbafc4a1b413c460c3)
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index d83461997..6e6aa1b2a 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -1250,33 +1250,50 @@ xf86RandR12CrtcSet(ScreenPtr pScreen,
}
static void
-xf86RandR12CrtcComputeGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)
+xf86RandR12CrtcComputeGamma(xf86CrtcPtr crtc, LOCO *palette,
+ int palette_red_size, int palette_green_size,
+ int palette_blue_size, CARD16 *gamma_red,
+ CARD16 *gamma_green, CARD16 *gamma_blue,
+ int gamma_size)
{
- XF86RandRInfoPtr randrp = XF86RANDRINFO(pScreen);
- xf86CrtcPtr crtc = randr_crtc->devPrivate;
int gamma_slots;
- CARD16 value;
+ unsigned shift;
+ CARD32 value;
int i, j;
- gamma_slots = crtc->gamma_size / randrp->palette_red_size;
- for (i = 0; i < randrp->palette_red_size; i++) {
- value = randr_crtc->gammaRed[randrp->palette[i].red];
+ for (shift = 0; (gamma_size << shift) < (1 << 16); shift++);
+
+ gamma_slots = crtc->gamma_size / palette_red_size;
+ for (i = 0; i < palette_red_size; i++) {
+ value = palette[i].red;
+ if (gamma_red)
+ value = gamma_red[value];
+ else
+ value <<= shift;
for (j = 0; j < gamma_slots; j++)
crtc->gamma_red[i * gamma_slots + j] = value;
}
- gamma_slots = crtc->gamma_size / randrp->palette_green_size;
- for (i = 0; i < randrp->palette_green_size; i++) {
- value = randr_crtc->gammaGreen[randrp->palette[i].green];
+ gamma_slots = crtc->gamma_size / palette_green_size;
+ for (i = 0; i < palette_green_size; i++) {
+ value = palette[i].green;
+ if (gamma_green)
+ value = gamma_green[value];
+ else
+ value <<= shift;
for (j = 0; j < gamma_slots; j++)
crtc->gamma_green[i * gamma_slots + j] = value;
}
- gamma_slots = crtc->gamma_size / randrp->palette_blue_size;
- for (i = 0; i < randrp->palette_blue_size; i++) {
- value = randr_crtc->gammaBlue[randrp->palette[i].blue];
+ gamma_slots = crtc->gamma_size / palette_blue_size;
+ for (i = 0; i < palette_blue_size; i++) {
+ value = palette[i].blue;
+ if (gamma_blue)
+ value = gamma_blue[value];
+ else
+ value <<= shift;
for (j = 0; j < gamma_slots; j++)
crtc->gamma_blue[i * gamma_slots + j] = value;
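Review bot: the new loop `for (shift = 0; (gamma_size << shift) < (1 << 16); shift++);` in xf86RandR12CrtcComputeGamma has no exit when gamma_size is 0 or negative, because the left side never reaches 1 << 16 and shift runs past the width of int. Check gamma_size > 0 before the loop, or bound shift at 16. The empty loop body with a trailing semicolon is also easy to misread; give it braces or a comment. Note too that gamma_red[value] is still indexed by a palette value with no check against gamma_size.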
@@ -1284,10 +1301,8 @@ xf86RandR12CrtcComputeGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)
}
static void
-xf86RandR12CrtcReloadGamma(RRCrtcPtr randr_crtc)
+xf86RandR12CrtcReloadGamma(xf86CrtcPtr crtc)
{
- xf86CrtcPtr crtc = randr_crtc->devPrivate;
-
if (!crtc->scrn->vtSema || !crtc->funcs->gamma_set)
return;
@@ -1309,7 +1324,14 @@ xf86RandR12CrtcSetGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)
return FALSE;
if (randrp->palette_size) {
- xf86RandR12CrtcComputeGamma(pScreen, randr_crtc);
+ xf86RandR12CrtcComputeGamma(crtc, randrp->palette,
+ randrp->palette_red_size,
+ randrp->palette_green_size,
+ randrp->palette_blue_size,
+ randr_crtc->gammaRed,
+ randr_crtc->gammaGreen,
+ randr_crtc->gammaBlue,
+ randr_crtc->gammaSize);
} else {
memcpy(crtc->gamma_red, randr_crtc->gammaRed,
crtc->gamma_size * sizeof(crtc->gamma_red[0]));
@@ -1319,7 +1341,7 @@ xf86RandR12CrtcSetGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)
crtc->gamma_size * sizeof(crtc->gamma_blue[0]));
}
- xf86RandR12CrtcReloadGamma(randr_crtc);
+ xf86RandR12CrtcReloadGamma(crtc);
return TRUE;
}
@@ -1394,6 +1416,13 @@ xf86RandR12OutputInitGamma(xf86OutputPtr output)
* different gamma
*/
if (gamma_red != 1.0 || gamma_green != 1.0 || gamma_blue != 1.0) {
+ if (!output->crtc->randr_crtc) {
+ xf86DrvMsg(output->scrn->scrnIndex, X_WARNING,
+ "Gamma correction for output %s not possible because "
+ "RandR is disabled\n", output->name);
+ return TRUE;
+ }
+
xf86DrvMsg(output->scrn->scrnIndex, X_INFO,
"Output %s wants gamma correction (%.1f, %.1f, %.1f)\n",
output->name, gamma_red, gamma_green, gamma_blue);
@@ -1415,6 +1444,9 @@ xf86RandR12InitGamma(ScrnInfoPtr pScrn, unsigned gammaSize) {
for (c = 0; c < config->num_crtc; c++) {
xf86CrtcPtr crtc = config->crtc[c];
+ if (!crtc->randr_crtc)
+ continue;
+
if (!RRCrtcGammaSetSize(crtc->randr_crtc, gammaSize) ||
!xf86RandR12CrtcInitGamma(crtc, 1.0f, 1.0f, 1.0f))
return FALSE;
@@ -1876,7 +1908,6 @@ xf86RandR12LoadPalette(ScrnInfoPtr pScrn, int numColors, int *indices,
LOCO *colors, VisualPtr pVisual)
{
ScreenPtr pScreen = pScrn->pScreen;
- XF86RandRInfoPtr randrp = XF86RANDRINFO(pScreen);
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
int reds, greens, blues, index, palette_size;
int c, i;
@@ -1891,36 +1922,51 @@ xf86RandR12LoadPalette(ScrnInfoPtr pScrn, int numColors, int *indices,
palette_size = max(reds, max(greens, blues));
- if (randrp->palette_size != palette_size) {
- randrp->palette = reallocarray(randrp->palette, palette_size,
- sizeof(colors[0]));
- if (!randrp->palette) {
- randrp->palette_size = 0;
- return;
- }
-
- randrp->palette_size = palette_size;
- }
- randrp->palette_red_size = reds;
- randrp->palette_green_size = greens;
- randrp->palette_blue_size = blues;
+ if (dixPrivateKeyRegistered(rrPrivKey)) {
+ XF86RandRInfoPtr randrp = XF86RANDRINFO(pScreen);
- for (i = 0; i < numColors; i++) {
- index = indices[i];
+ if (randrp->palette_size != palette_size) {
+ randrp->palette = reallocarray(randrp->palette, palette_size,
+ sizeof(colors[0]));
+ if (!randrp->palette) {
+ randrp->palette_size = 0;
+ return;
+ }
- if (index < reds)
- randrp->palette[index].red = colors[index].red;
- if (index < greens)
- randrp->palette[index].green = colors[index].green;
- if (index < blues)
- randrp->palette[index].blue = colors[index].blue;
+ randrp->palette_size = palette_size;
+ }
+ randrp->palette_red_size = reds;
+ randrp->palette_green_size = greens;
+ randrp->palette_blue_size = blues;
+
+ for (i = 0; i < numColors; i++) {
+ index = indices[i];
+
+ if (index < reds)
+ randrp->palette[index].red = colors[index].red;
+ if (index < greens)
+ randrp->palette[index].green = colors[index].green;
+ if (index < blues)
+ randrp->palette[index].blue = colors[index].blue;
+ }
}
for (c = 0; c < config->num_crtc; c++) {
- RRCrtcPtr randr_crtc = config->crtc[c]->randr_crtc;
-
- xf86RandR12CrtcComputeGamma(pScreen, randr_crtc);
- xf86RandR12CrtcReloadGamma(randr_crtc);
+ xf86CrtcPtr crtc = config->crtc[c];
+ RRCrtcPtr randr_crtc = crtc->randr_crtc;
+
+ if (randr_crtc) {
+ xf86RandR12CrtcComputeGamma(crtc, colors, reds, greens, blues,
+ randr_crtc->gammaRed,
+ randr_crtc->gammaGreen,
+ randr_crtc->gammaBlue,
+ randr_crtc->gammaSize);
+ } else {
+ xf86RandR12CrtcComputeGamma(crtc, colors, reds, greens, blues,
+ NULL, NULL, NULL,
+ xf86GetGammaRampSize(pScreen));
+ }
+ xf86RandR12CrtcReloadGamma(crtc);
}
}
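Review bot: inside the new `if (dixPrivateKeyRegistered(rrPrivKey))` block, the reallocarray failure path still does `return;`, which skips the CRTC loop below even though that loop now reads `colors` and no longer needs randrp->palette. Consider leaving the block without returning so the hardware gamma is still updated. The two xf86RandR12CrtcComputeGamma calls in the loop differ only in the ramp arguments and could be a single call with the pointers and size chosen beforehand.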
@@ -1973,7 +2019,7 @@ xf86RandR12EnterVT(ScrnInfoPtr pScrn)
/* reload gamma */
for (i = 0; i < rp->numCrtcs; i++)
- xf86RandR12CrtcReloadGamma(rp->crtcs[i]);
+ xf86RandR12CrtcReloadGamma(rp->crtcs[i]->devPrivate);
return RRGetInfo(pScreen, TRUE); /* force a re-probe of outputs and notify clients about changes */
}
commit 74126530c0c22cf3e5f8bd2dd2740fded2df098f
Author: Adam Jackson <ajax at redhat.com>
Date: Fri Apr 7 10:24:54 2017 -0400
xephyr: Check for host XVideo support before trying to use it
Otherwise xcb will treat our attempt to send xv requests as a connection
error (quite reasonably: we're asking it to emit a request for which
there is no defined major opcode), and we'll die quietly the first time
we hit KdBlockhandler.
Signed-off-by: Adam Jackson <ajax at redhat.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit 14d2fe74f4e51c5b37eab4b7475c804a0340b530)
diff --git a/hw/kdrive/ephyr/ephyrvideo.c b/hw/kdrive/ephyr/ephyrvideo.c
index 31b1eee31..17336ab2b 100644
--- a/hw/kdrive/ephyr/ephyrvideo.c
+++ b/hw/kdrive/ephyr/ephyrvideo.c
@@ -226,6 +226,11 @@ ephyrInitVideo(ScreenPtr pScreen)
return FALSE;
}
+ if (!hostx_has_extension(&xcb_xv_id)) {
+ EPHYR_LOG_ERROR("Host has no XVideo extension\n");
+ return FALSE;
+ }
+
if (!xv_priv) {
xv_priv = ephyrXVPrivNew();
}
commit 60ae865a703cb2c51c0b00cd768a46a20d79f0f1
Author: Daniel Stone <daniels at collabora.com>
Date: Fri Apr 7 14:27:58 2017 +0100
modesetting: Set correct DRM event context version
DRM_EVENT_CONTEXT_VERSION is the latest context version supported by
whatever version of libdrm is present. modesetting was blindly asserting
it supported whatever version that may be, even if it actually didn't.
With libdrm 2.4.78, setting a higher context version than 2 will attempt
to call the page_flip_handler2 vfunc if it was non-NULL, which being a
random chunk of stack memory, it might well have been.
Set the version as 2, which should be bumped only with the appropriate
version checks.
Reviewed-by: Adam Jackson <ajax at redhat.com>
Signed-off-by: Daniel Stone <daniels at collabora.com>
(cherry picked from commit 0c8e6ed85810e96d84173a52d628863802a78d82)
diff --git a/hw/xfree86/drivers/modesetting/vblank.c b/hw/xfree86/drivers/modesetting/vblank.c
index 04a895269..8682f4d91 100644
--- a/hw/xfree86/drivers/modesetting/vblank.c
+++ b/hw/xfree86/drivers/modesetting/vblank.c
@@ -402,7 +402,7 @@ ms_vblank_screen_init(ScreenPtr screen)
modesettingEntPtr ms_ent = ms_ent_priv(scrn);
xorg_list_init(&ms_drm_queue);
- ms->event_context.version = DRM_EVENT_CONTEXT_VERSION;
+ ms->event_context.version = 2;
ms->event_context.vblank_handler = ms_drm_handler;
ms->event_context.page_flip_handler = ms_drm_handler;
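Review bot: `ms->event_context.version = 2;` in ms_vblank_screen_init is a bare magic number. Add a comment that 2 is the highest version whose handlers this code fills in (vblank_handler and page_flip_handler), and that it may be raised only together with setting the newer handler, so it is not changed back to DRM_EVENT_CONTEXT_VERSION.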
commit df4d01e6aa957ec8eb2814832de2f78ca42ee238
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Mar 12 14:21:38 2017 +0100
dmx: Fix null pointer dereference
A null pointer dereference can occur in dmxSync, because TimerForce
does not handle a null pointer.
dmxSyncTimer is set to NULL a few lines above on a certain condition,
which happened on my machine. The explicit NULL check allowed me to
start Xdmx again without a segmentation fault.
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit 21eda7464d0e13ac6558edaf6531c3d3251e05df)
diff --git a/hw/dmx/dmxsync.c b/hw/dmx/dmxsync.c
index 1bc242343..b55c9ddf3 100644
--- a/hw/dmx/dmxsync.c
+++ b/hw/dmx/dmxsync.c
@@ -182,7 +182,7 @@ dmxSync(DMXScreenInfo * dmxScreen, Bool now)
/* Do sync or set time for later */
if (now || !dmxScreen) {
- if (!TimerForce(dmxSyncTimer))
+ if (dmxSyncTimer == NULL || !TimerForce(dmxSyncTimer))
dmxSyncCallback(NULL, 0, NULL);
/* At this point, dmxSyncPending == 0 because
* dmxSyncCallback must have been called. */
commit e23000d83f8dbab4effd9f344f3d776634a1d56e
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Mar 19 17:55:07 2017 +0100
record: Fix OOB access in ProcRecordUnregisterClients
If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.
An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784)
diff --git a/record/record.c b/record/record.c
index 82bb0607e..600d55f53 100644
--- a/record/record.c
+++ b/record/record.c
@@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
int i;
REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
- if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
+ if (INT_MAX / 4 < stuff->nClients ||
+ (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
4 * stuff->nClients)
return BadLength;
VERIFY_CONTEXT(pContext, stuff->context, client);
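Review bot: the added bound `INT_MAX / 4 < stuff->nClients` in ProcRecordUnregisterClients has no comment tying it to the `4 * stuff->nClients` product two lines below, so its purpose is clear only from the commit message. Add a comment that it rejects counts whose byte length would overflow, and check that the file includes the header that defines INT_MAX. It is also worth checking whether other request handlers in record.c compare the request length against a multiplied client-supplied count in the same way.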
commit 3166138ea681537dbe164e2888ccb96bb022220b
Author: Kenneth Graunke <kenneth at whitecape.org>
Date: Fri Mar 17 13:45:04 2017 -0700
dri2: Sync i965_pci_ids.h from Mesa.
Copied from Mesa with no modifications. Gives us Geminilake PCI IDs.
Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
Acked-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit 368f60d461421fe5e2bbd90652d6ac858dbff8fe)
diff --git a/hw/xfree86/dri2/pci_ids/i965_pci_ids.h b/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
index 1566afd65..17504f5cb 100644
--- a/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
+++ b/hw/xfree86/dri2/pci_ids/i965_pci_ids.h
@@ -109,6 +109,10 @@ CHIPSET(0x162A, bdw_gt3, "Intel(R) Iris Pro P6300 (Broadwell GT3e)")
CHIPSET(0x162B, bdw_gt3, "Intel(R) Iris 6100 (Broadwell GT3)")
CHIPSET(0x162D, bdw_gt3, "Intel(R) Broadwell GT3")
CHIPSET(0x162E, bdw_gt3, "Intel(R) Broadwell GT3")
+CHIPSET(0x22B0, chv, "Intel(R) HD Graphics (Cherrytrail)")
+CHIPSET(0x22B1, chv, "Intel(R) HD Graphics XXX (Braswell)") /* Overridden in brw_get_renderer_string */
+CHIPSET(0x22B2, chv, "Intel(R) HD Graphics (Cherryview)")
+CHIPSET(0x22B3, chv, "Intel(R) HD Graphics (Cherryview)")
CHIPSET(0x1902, skl_gt1, "Intel(R) HD Graphics 510 (Skylake GT1)")
CHIPSET(0x1906, skl_gt1, "Intel(R) HD Graphics 510 (Skylake GT1)")
CHIPSET(0x190A, skl_gt1, "Intel(R) Skylake GT1")
@@ -134,8 +138,13 @@ CHIPSET(0x1932, skl_gt4, "Intel(R) Iris Pro Graphics 580 (Skylake GT4e)")
CHIPSET(0x193A, skl_gt4, "Intel(R) Iris Pro Graphics P580 (Skylake GT4e)")
CHIPSET(0x193B, skl_gt4, "Intel(R) Iris Pro Graphics 580 (Skylake GT4e)")
CHIPSET(0x193D, skl_gt4, "Intel(R) Iris Pro Graphics P580 (Skylake GT4e)")
-CHIPSET(0x5902, kbl_gt1, "Intel(R) Kabylake GT1")
-CHIPSET(0x5906, kbl_gt1, "Intel(R) Kabylake GT1")
+CHIPSET(0x0A84, bxt, "Intel(R) HD Graphics (Broxton)")
+CHIPSET(0x1A84, bxt, "Intel(R) HD Graphics (Broxton)")
+CHIPSET(0x1A85, bxt_2x6, "Intel(R) HD Graphics (Broxton 2x6)")
+CHIPSET(0x5A84, bxt, "Intel(R) HD Graphics 505 (Broxton)")
+CHIPSET(0x5A85, bxt_2x6, "Intel(R) HD Graphics 500 (Broxton 2x6)")
+CHIPSET(0x5902, kbl_gt1, "Intel(R) HD Graphics 610 (Kaby Lake GT1)")
+CHIPSET(0x5906, kbl_gt1, "Intel(R) HD Graphics 610 (Kaby Lake GT1)")
CHIPSET(0x590A, kbl_gt1, "Intel(R) Kabylake GT1")
CHIPSET(0x5908, kbl_gt1, "Intel(R) Kabylake GT1")
CHIPSET(0x590B, kbl_gt1, "Intel(R) Kabylake GT1")
@@ -143,23 +152,16 @@ CHIPSET(0x590E, kbl_gt1, "Intel(R) Kabylake GT1")
CHIPSET(0x5913, kbl_gt1_5, "Intel(R) Kabylake GT1.5")
CHIPSET(0x5915, kbl_gt1_5, "Intel(R) Kabylake GT1.5")
CHIPSET(0x5917, kbl_gt1_5, "Intel(R) Kabylake GT1.5")
-CHIPSET(0x5912, kbl_gt2, "Intel(R) Kabylake GT2")
-CHIPSET(0x5916, kbl_gt2, "Intel(R) Kabylake GT2")
-CHIPSET(0x591A, kbl_gt2, "Intel(R) Kabylake GT2")
-CHIPSET(0x591B, kbl_gt2, "Intel(R) Kabylake GT2")
-CHIPSET(0x591D, kbl_gt2, "Intel(R) Kabylake GT2")
-CHIPSET(0x591E, kbl_gt2, "Intel(R) Kabylake GT2")
+CHIPSET(0x5912, kbl_gt2, "Intel(R) HD Graphics 630 (Kaby Lake GT2)")
+CHIPSET(0x5916, kbl_gt2, "Intel(R) HD Graphics 620 (Kaby Lake GT2)")
+CHIPSET(0x591A, kbl_gt2, "Intel(R) HD Graphics P630 (Kaby Lake GT2)")
+CHIPSET(0x591B, kbl_gt2, "Intel(R) HD Graphics 630 (Kaby Lake GT2)")
+CHIPSET(0x591D, kbl_gt2, "Intel(R) HD Graphics P630 (Kaby Lake GT2)")
+CHIPSET(0x591E, kbl_gt2, "Intel(R) HD Graphics 615 (Kaby Lake GT2)")
CHIPSET(0x5921, kbl_gt2, "Intel(R) Kabylake GT2F")
CHIPSET(0x5923, kbl_gt3, "Intel(R) Kabylake GT3")
-CHIPSET(0x5926, kbl_gt3, "Intel(R) Kabylake GT3")
-CHIPSET(0x5927, kbl_gt3, "Intel(R) Kabylake GT3")
+CHIPSET(0x5926, kbl_gt3, "Intel(R) Iris Plus Graphics 640 (Kaby Lake GT3)")
+CHIPSET(0x5927, kbl_gt3, "Intel(R) Iris Plus Graphics 650 (Kaby Lake GT3)")
CHIPSET(0x593B, kbl_gt4, "Intel(R) Kabylake GT4")
-CHIPSET(0x22B0, chv, "Intel(R) HD Graphics (Cherrytrail)")
-CHIPSET(0x22B1, chv, "Intel(R) HD Graphics XXX (Braswell)") /* Overridden in brw_get_renderer_string */
-CHIPSET(0x22B2, chv, "Intel(R) HD Graphics (Cherryview)")
-CHIPSET(0x22B3, chv, "Intel(R) HD Graphics (Cherryview)")
-CHIPSET(0x0A84, bxt, "Intel(R) HD Graphics (Broxton)")
-CHIPSET(0x1A84, bxt, "Intel(R) HD Graphics (Broxton)")
-CHIPSET(0x1A85, bxt_2x6, "Intel(R) HD Graphics (Broxton 2x6)")
-CHIPSET(0x5A84, bxt, "Intel(R) HD Graphics (Broxton)")
-CHIPSET(0x5A85, bxt_2x6, "Intel(R) HD Graphics (Broxton 2x6)")
+CHIPSET(0x3184, glk, "Intel(R) HD Graphics (Geminilake)")
+CHIPSET(0x3185, glk_2x6, "Intel(R) HD Graphics (Geminilake 2x6)")
commit 2191f9b49e5e542e39f451d1819de00043a90e8f
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Fri Mar 17 15:58:26 2017 +0100
glamor: avoid a crash if texture allocation failed
Texture creation in _glamor_create_tex() can fail if a GL_OUT_OF_MEMORY
is raised, in which case the texture returned is zero.
But the texture value is not checked in glamor_create_fbo() and glamor
will abort in glamor_pixmap_ensure_fb() because the fbo->tex is 0:
Truncated backtrace:
Thread no. 1 (10 frames)
#4 glamor_pixmap_ensure_fb at glamor_fbo.c:57
#5 glamor_create_fbo_from_tex at glamor_fbo.c:112
#6 glamor_create_fbo at glamor_fbo.c:159
#7 glamor_create_fbo_array at glamor_fbo.c:210
#8 glamor_create_pixmap at glamor.c:226
#9 compNewPixmap at compalloc.c:536
#10 compAllocPixmap at compalloc.c:605
#11 compCheckRedirect at compwindow.c:167
#12 compRealizeWindow at compwindow.c:267
#13 RealizeTree at window.c:2617
Check the value returned by _glamor_create_tex() in glamor_create_fbo()
and return NULL if the texture is zero.
All callers of glamor_create_fbo() actually check the returned value and
will use a fallback code path if it's NULL.
Please cherry-pick this to active stable branches.
Bugzilla: https://bugzilla.redhat.com/1433305
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Reviewed-by: Eric Anholt <eric at anholt.net>
(cherry picked from commit 8805a48ed35afb2ca66315656c1575ae5a01c639)
diff --git a/glamor/glamor_fbo.c b/glamor/glamor_fbo.c
index 988bb585b..9f1288c60 100644
--- a/glamor/glamor_fbo.c
+++ b/glamor/glamor_fbo.c
@@ -156,6 +156,10 @@ glamor_create_fbo(glamor_screen_private *glamor_priv,
int w, int h, GLenum format, int flag)
{
GLint tex = _glamor_create_tex(glamor_priv, w, h, format);
+
+ if (!tex) /* Texture creation failed due to GL_OUT_OF_MEMORY */
+ return NULL;
+
return glamor_create_fbo_from_tex(glamor_priv, w, h, format, tex, flag);
}
commit 0f3196bf805b1d36b786852096dd86be290a2c9d
Author: Adam Jackson <ajax at redhat.com>
Date: Fri Mar 17 12:40:03 2017 -0400
ephyr: Don't clobber bitsPerPixel when using glamor
This ends up passing 0 as the bpp argument to fb screen setup, which is
not really the best plan.
Reviewed-by: Eric Anholt <eric at anholt.net>
Signed-off-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit 83c4297d2c4fd501a9d36bc0cb7d357a8d22394c)
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index a9ea3726d..d5578deaa 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -927,7 +927,6 @@ hostx_screen_init(KdScreenInfo *screen,
#ifdef GLAMOR
if (ephyr_glamor) {
*bytes_per_line = 0;
- *bits_per_pixel = 0;
ephyr_glamor_set_window_size(scrpriv->glamor,
scrpriv->win_width, scrpriv->win_height);
return NULL;
commit c58bff7e9601b3eeb0be95c0a60c6588d051e923
Author: Eric Anholt <eric at anholt.net>
Date: Wed Mar 15 17:51:46 2017 -0700
glamor: Fix dashed line rendering.
We were binding the screen pixmap as the dash and sampling its alpha,
which is usually just 1.0 (no dashing at all).
Please cherry-pick this to active stable branches.
Signed-off-by: Eric Anholt <eric at anholt.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
(cherry picked from commit fe0b297420fc1de8a7fab28457d0864b3182e967)
diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
index 78a4fa37a..b53ce5c50 100644
--- a/glamor/glamor_dash.c
+++ b/glamor/glamor_dash.c
@@ -147,7 +147,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc)
goto bail;
dash_pixmap = glamor_get_dash_pixmap(gc);
- dash_priv = glamor_get_pixmap_private(pixmap);
+ dash_priv = glamor_get_pixmap_private(dash_pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
goto bail;
commit 2f36c6faa0dac168cee6049d7dfac59a5e32edcd
Author: Adam Jackson <ajax at redhat.com>
Date: Wed Nov 2 12:49:25 2016 -0400
xinerama: Implement graphics exposures for window->pixmap copies (v4)
This code is using GetImage to accumulate a logical view of the window
image (since the windows will be clipped to their containing screen),
and then PutImage to load that back into the pixmap. What it wasn't
doing was constructing a region for the obscured areas of the window and
emitting graphics exposures for same.
v2: Fix coordinate translation when the source is the root window
v3: Create sourceBox with the right coordinates initially instead of
translating (Keith Packard)
v4: Clamp the region to 15 bits to avoid overflow (Keith Packard)
Signed-off-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit e337de2d488a124e5fee0fdcb882567b68f1767d)
diff --git a/Xext/panoramiXprocs.c b/Xext/panoramiXprocs.c
index 18f3ac715..f31b1e054 100644
--- a/Xext/panoramiXprocs.c
+++ b/Xext/panoramiXprocs.c
@@ -1050,7 +1050,7 @@ PanoramiXClearToBackground(ClientPtr client)
int
PanoramiXCopyArea(ClientPtr client)
{
- int j, result, srcx, srcy, dstx, dsty;
+ int j, result, srcx, srcy, dstx, dsty, width, height;
PanoramiXRes *gc, *src, *dst;
Bool srcIsRoot = FALSE;
Bool dstIsRoot = FALSE;
@@ -1091,6 +1091,8 @@ PanoramiXCopyArea(ClientPtr client)
srcy = stuff->srcY;
dstx = stuff->dstX;
dsty = stuff->dstY;
+ width = stuff->width;
+ height = stuff->height;
if ((dst->type == XRT_PIXMAP) && (src->type == XRT_WINDOW)) {
DrawablePtr drawables[MAXSCREENS];
DrawablePtr pDst;
@@ -1105,13 +1107,12 @@ PanoramiXCopyArea(ClientPtr client)
return rc;
}
- pitch = PixmapBytePad(stuff->width, drawables[0]->depth);
- if (!(data = calloc(stuff->height, pitch)))
+ pitch = PixmapBytePad(width, drawables[0]->depth);
+ if (!(data = calloc(height, pitch)))
return BadAlloc;
- XineramaGetImageData(drawables, srcx, srcy,
- stuff->width, stuff->height, ZPixmap, ~0, data,
- pitch, srcIsRoot);
+ XineramaGetImageData(drawables, srcx, srcy, width, height, ZPixmap, ~0,
+ data, pitch, srcIsRoot);
FOR_NSCREENS_BACKWARD(j) {
stuff->gc = gc->info[j].id;
@@ -1123,14 +1124,63 @@ PanoramiXCopyArea(ClientPtr client)
}
(*pGC->ops->PutImage) (pDst, pGC, pDst->depth, dstx, dsty,
- stuff->width, stuff->height,
- 0, ZPixmap, data);
-
+ width, height, 0, ZPixmap, data);
if (dstShared)
break;
}
-
free(data);
+
+ if (pGC->graphicsExposures) {
+ RegionRec rgn;
+ int dx, dy;
+ BoxRec sourceBox;
+
+ dx = drawables[0]->x;
+ dy = drawables[0]->y;
+ if (srcIsRoot) {
+ dx += screenInfo.screens[0]->x;
+ dy += screenInfo.screens[0]->y;
+ }
+
+ sourceBox.x1 = min(srcx + dx, 0);
+ sourceBox.y1 = min(srcy + dy, 0);
+ sourceBox.x2 = max(sourceBox.x1 + width, 32767);
+ sourceBox.y2 = max(sourceBox.y1 + height, 32767);
+
+ RegionInit(&rgn, &sourceBox, 1);
+
+ /* subtract the (screen-space) clips of the source drawables */
+ FOR_NSCREENS(j) {
+ ScreenPtr screen = screenInfo.screens[j];
+ RegionPtr sd;
+
+ if (pGC->subWindowMode == IncludeInferiors)
+ sd = NotClippedByChildren((WindowPtr)drawables[j]);
+ else
+ sd = &((WindowPtr)drawables[j])->clipList;
+
+ if (srcIsRoot)
+ RegionTranslate(&rgn, -screen->x, -screen->y);
+
+ RegionSubtract(&rgn, &rgn, sd);
+
+ if (srcIsRoot)
+ RegionTranslate(&rgn, screen->x, screen->y);
+
+ if (pGC->subWindowMode == IncludeInferiors)
+ RegionDestroy(sd);
+ }
+
+ /* -dx/-dy to get back to dest-relative, plus request offsets */
+ RegionTranslate(&rgn, -dx + dstx, -dy + dsty);
+
+ /* intersect with gc clip; just one screen is fine because pixmap */
+ RegionIntersect(&rgn, &rgn, pGC->pCompositeClip);
+
+ /* and expose */
+ SendGraphicsExpose(client, &rgn, dst->info[0].id, X_CopyArea, 0);
+ RegionUninit(&rgn);
+ }
}
else {
DrawablePtr pDst = NULL, pSrc = NULL;
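Review bot: The clamp on sourceBox in the new graphicsExposures block looks inverted. min(srcx + dx, 0) can never yield more than 0 and max(sourceBox.x1 + width, 32767) can never yield less than 32767, so the box always spans at least 0..32767 in both axes regardless of width and height, and a sum above 32767 is passed through unchanged rather than limited as the v4 changelog entry ("Clamp the region to 15 bits to avoid overflow") intends. To clamp into 0..32767 the calls should be swapped: max(srcx + dx, 0) for x1/y1 and min(sourceBox.x1 + width, 32767) for x2/y2. With the current form the exposure region is computed from a box unrelated to the requested copy size before the clip subtraction and the final intersect with pGC->pCompositeClip.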
commit 8c609764004560081bad23ac14e7d3975e83ce6b
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Jan 23 11:31:36 2017 -0500
parser: Fix crash when xf86nameCompare(s1 = x, s2 = NULL)
Signed-off-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit f1f865e909090406841a9b9416ea6259a75c2086)
diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 81a454b23..3356224ce 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -1046,6 +1046,8 @@ xf86nameCompare(const char *s1, const char *s2)
return 0;
else
return 1;
+ } else if (!s2 || *s2 == 0) {
+ return -1;
}
while (*s1 == '_' || *s1 == ' ' || *s1 == '\t')
commit 9db3361b29396684122b3db056368e927e8de6d6
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Tue Mar 14 15:06:34 2017 +0100
glamor: Check glamor_set_destination_drawable() return value
Check the value returned by glamor_set_destination_drawable() and use
the fallback code path where possible.
Bugzilla: https://bugzilla.redhat.com/1417575
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
(cherry picked from commit 455051a0f1d2bc84f605c325f647bd64d414c47d)
diff --git a/glamor/glamor_copy.c b/glamor/glamor_copy.c
index 3ca56fb09..ff8f44ef1 100644
--- a/glamor/glamor_copy.c
+++ b/glamor/glamor_copy.c
@@ -344,6 +344,7 @@ glamor_copy_fbo_fbo_draw(DrawablePtr src,
glamor_program *prog;
const glamor_facet *copy_facet;
int n;
+ Bool ret = FALSE;
glamor_make_current(glamor_priv);
@@ -410,9 +411,10 @@ glamor_copy_fbo_fbo_draw(DrawablePtr src,
goto bail_ctx;
glamor_pixmap_loop(dst_priv, dst_box_index) {
- glamor_set_destination_drawable(dst, dst_box_index, FALSE, FALSE,
- prog->matrix_uniform,
- &dst_off_x, &dst_off_y);
+ if (!glamor_set_destination_drawable(dst, dst_box_index, FALSE, FALSE,
+ prog->matrix_uniform,
+ &dst_off_x, &dst_off_y))
+ goto bail_ctx;
glScissor(dst_off_x - args.dx,
dst_off_y - args.dy,
@@ -422,13 +424,14 @@ glamor_copy_fbo_fbo_draw(DrawablePtr src,
glamor_glDrawArrays_GL_QUADS(glamor_priv, nbox);
}
}
- glDisable(GL_SCISSOR_TEST);
- glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
+ ret = TRUE;
bail_ctx:
- return FALSE;
+ glDisable(GL_SCISSOR_TEST);
+ glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
+
+ return ret;
}
/**
diff --git a/glamor/glamor_glyphblt.c b/glamor/glamor_glyphblt.c
index b21aa068e..78315ea9b 100644
--- a/glamor/glamor_glyphblt.c
+++ b/glamor/glamor_glyphblt.c
@@ -49,6 +49,7 @@ glamor_poly_glyph_blt_gl(DrawablePtr drawable, GCPtr gc,
glamor_program *prog;
RegionPtr clip = gc->pCompositeClip;
int box_index;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -75,8 +76,9 @@ glamor_poly_glyph_blt_gl(DrawablePtr drawable, GCPtr gc,
int off_x, off_y;
char *vbo_offset;
- glamor_set_destination_drawable(drawable, box_index, FALSE, TRUE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, FALSE, TRUE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
max_points = 500;
num_points = 0;
@@ -138,11 +140,12 @@ glamor_poly_glyph_blt_gl(DrawablePtr drawable, GCPtr gc,
}
}
- glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
+ ret = TRUE;
- return TRUE;
bail:
- return FALSE;
+ glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
+
+ return ret;
}
void
@@ -174,6 +177,7 @@ glamor_push_pixels_gl(GCPtr gc, PixmapPtr bitmap,
int num_points;
INT16 *points = NULL;
char *vbo_offset;
+ Bool ret = FALSE;
if (w * h > MAXINT / (2 * sizeof(float)))
goto bail;
@@ -221,17 +225,19 @@ glamor_push_pixels_gl(GCPtr gc, PixmapPtr bitmap,
glamor_put_vbo_space(screen);
glamor_pixmap_loop(pixmap_priv, box_index) {
- glamor_set_destination_drawable(drawable, box_index, FALSE, TRUE,
- prog->matrix_uniform, NULL, NULL);
+ if (!glamor_set_destination_drawable(drawable, box_index, FALSE, TRUE,
+ prog->matrix_uniform, NULL, NULL))
+ goto bail;
glDrawArrays(GL_POINTS, 0, num_points);
}
- glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
+ ret = TRUE;
bail:
- return FALSE;
+ glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
+
+ return ret;
}
void
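Review bot: Moving glDisableVertexAttribArray(GLAMOR_VERTEX_POS) under the bail: label in glamor_push_pixels_gl means every early exit now issues a GL call, including the size check shown in the previous hunk (if (w * h > MAXINT / (2 * sizeof(float))) goto bail;), which is the first statement after the declarations. Please confirm a GL context is already current on that path, or keep a separate label for the exits taken before GL state is touched so that only the failure of glamor_set_destination_drawable() falls through the cleanup.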
diff --git a/glamor/glamor_lines.c b/glamor/glamor_lines.c
index a2c9b1fcc..5d95333fe 100644
--- a/glamor/glamor_lines.c
+++ b/glamor/glamor_lines.c
@@ -46,6 +46,7 @@ glamor_poly_lines_solid_gl(DrawablePtr drawable, GCPtr gc,
char *vbo_offset;
int box_index;
int add_last;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -103,8 +104,9 @@ glamor_poly_lines_solid_gl(DrawablePtr drawable, GCPtr gc,
int nbox = RegionNumRects(gc->pCompositeClip);
BoxPtr box = RegionRects(gc->pCompositeClip);
- glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
while (nbox--) {
glScissor(box->x1 + off_x,
@@ -116,12 +118,13 @@ glamor_poly_lines_solid_gl(DrawablePtr drawable, GCPtr gc,
}
}
+ ret = TRUE;
+
+bail:
glDisable(GL_SCISSOR_TEST);
glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
-bail:
- return FALSE;
+ return ret;
}
static Bool
diff --git a/glamor/glamor_points.c b/glamor/glamor_points.c
index facfe8240..faf6f433b 100644
--- a/glamor/glamor_points.c
+++ b/glamor/glamor_points.c
@@ -47,6 +47,7 @@ glamor_poly_point_gl(DrawablePtr drawable, GCPtr gc, int mode, int npt, DDXPoint
GLshort *vbo_ppt;
char *vbo_offset;
int box_index;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -90,8 +91,9 @@ glamor_poly_point_gl(DrawablePtr drawable, GCPtr gc, int mode, int npt, DDXPoint
int nbox = RegionNumRects(gc->pCompositeClip);
BoxPtr box = RegionRects(gc->pCompositeClip);
- glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
while (nbox--) {
glScissor(box->x1 + off_x,
@@ -103,13 +105,13 @@ glamor_poly_point_gl(DrawablePtr drawable, GCPtr gc, int mode, int npt, DDXPoint
}
}
+ ret = TRUE;
+
+bail:
glDisable(GL_SCISSOR_TEST);
glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
-
-bail:
- return FALSE;
+ return ret;
}
void
diff --git a/glamor/glamor_rects.c b/glamor/glamor_rects.c
index e4473209d..cc029c8c0 100644
--- a/glamor/glamor_rects.c
+++ b/glamor/glamor_rects.c
@@ -52,6 +52,7 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable,
GLshort *v;
char *vbo_offset;
int box_index;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -115,8 +116,9 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable,
int nbox = RegionNumRects(gc->pCompositeClip);
BoxPtr box = RegionRects(gc->pCompositeClip);
- glamor_set_destination_drawable(drawable, box_index, TRUE, FALSE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, TRUE, FALSE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
while (nbox--) {
glScissor(box->x1 + off_x,
@@ -132,14 +134,15 @@ glamor_poly_fill_rect_gl(DrawablePtr drawable,
}
}
+ ret = TRUE;
+
+bail:
glDisable(GL_SCISSOR_TEST);
if (glamor_priv->glsl_version >= 130)
glVertexAttribDivisor(GLAMOR_VERTEX_POS, 0);
glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
-bail:
- return FALSE;
+ return ret;
}
static void
diff --git a/glamor/glamor_segs.c b/glamor/glamor_segs.c
index 5fffa3b0f..4dfa6553b 100644
--- a/glamor/glamor_segs.c
+++ b/glamor/glamor_segs.c
@@ -46,6 +46,7 @@ glamor_poly_segment_solid_gl(DrawablePtr drawable, GCPtr gc,
char *vbo_offset;
int box_index;
int add_last;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -62,7 +63,7 @@ glamor_poly_segment_solid_gl(DrawablePtr drawable, GCPtr gc,
&glamor_facet_poly_segment);
if (!prog)
- goto bail_ctx;
+ goto bail;
/* Set up the vertex buffers for the points */
@@ -95,8 +96,9 @@ glamor_poly_segment_solid_gl(DrawablePtr drawable, GCPtr gc,
int nbox = RegionNumRects(gc->pCompositeClip);
BoxPtr box = RegionRects(gc->pCompositeClip);
- glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, TRUE, TRUE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
while (nbox--) {
glScissor(box->x1 + off_x,
@@ -108,13 +110,13 @@ glamor_poly_segment_solid_gl(DrawablePtr drawable, GCPtr gc,
}
}
+ ret = TRUE;
+
glDisable(GL_SCISSOR_TEST);
glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
-bail_ctx:
bail:
- return FALSE;
+ return ret;
}
static Bool
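Review bot: In glamor_poly_segment_solid_gl the bail: label ends up after the two glDisable calls, so the new goto bail taken when glamor_set_destination_drawable() fails inside the loop skips glDisable(GL_SCISSOR_TEST) and glDisableVertexAttribArray(GLAMOR_VERTEX_POS) and returns with that state still enabled. The other files in this commit (glamor_lines.c, glamor_points.c, glamor_rects.c, glamor_spans.c) put bail: before the cleanup; this one should match, or the mid-loop failure should jump to a label placed above the glDisable calls.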
diff --git a/glamor/glamor_spans.c b/glamor/glamor_spans.c
index 9a2aecd9d..b3c028d67 100644
--- a/glamor/glamor_spans.c
+++ b/glamor/glamor_spans.c
@@ -56,6 +56,7 @@ glamor_fill_spans_gl(DrawablePtr drawable,
char *vbo_offset;
int c;
int box_index;
+ Bool ret = FALSE;
pixmap_priv = glamor_get_pixmap_private(pixmap);
if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(pixmap_priv))
@@ -123,8 +124,9 @@ glamor_fill_spans_gl(DrawablePtr drawable,
int nbox = RegionNumRects(gc->pCompositeClip);
BoxPtr box = RegionRects(gc->pCompositeClip);
- glamor_set_destination_drawable(drawable, box_index, FALSE, FALSE,
- prog->matrix_uniform, &off_x, &off_y);
+ if (!glamor_set_destination_drawable(drawable, box_index, FALSE, FALSE,
+ prog->matrix_uniform, &off_x, &off_y))
+ goto bail;
while (nbox--) {
glScissor(box->x1 + off_x,
@@ -140,14 +142,15 @@ glamor_fill_spans_gl(DrawablePtr drawable,
}
}
+ ret = TRUE;
+
+bail:
glDisable(GL_SCISSOR_TEST);
if (glamor_priv->glsl_version >= 130)
glVertexAttribDivisor(GLAMOR_VERTEX_POS, 0);
glDisableVertexAttribArray(GLAMOR_VERTEX_POS);
- return TRUE;
-bail:
- return FALSE;
+ return ret;
}
static void
commit 703ba42ce658faadb3d8ad32ea03fa9c9f0c91b1
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Tue Mar 14 14:58:26 2017 +0100
glamor: glamor_set_destination_drawable() can fail
The fbo_array of a given glamor pixmap can be NULL in some cases, as
glamor_create_fbo_array() can fail to allocate the FBO array.
If this is the case, glamor_pixmap_fbo_at() will return NULL even though
the box index is valid, and glamor_set_destination_drawable() simply
assumes glamor_pixmap_fbo_at() will return an FBO prior to pass the
value to glamor_set_destination_pixmap_fbo(), which will segfault.
We need a way for glamor_set_destination_drawable() to fail safely and
let the caller know about the failure.
Add a boolean return value to glamor_set_destination_drawable() for that
purpose.
Bugzilla: https://bugzilla.redhat.com/1417575
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
(cherry picked from commit 04b4bad7c048fd077fe839f10634c99ef1e488af)
diff --git a/glamor/glamor_transform.c b/glamor/glamor_transform.c
index eff500c6d..2d5a634a8 100644
--- a/glamor/glamor_transform.c
+++ b/glamor/glamor_transform.c
@@ -33,7 +33,7 @@
* clipping computations can be adjusted as appropriate
*/
-void
+Bool
glamor_set_destination_drawable(DrawablePtr drawable,
int box_index,
Bool do_drawable_translate,
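Review bot: The return type changes from void to Bool here but the comment block above the function is left as is. It should say that FALSE means no FBO exists for box_index and that the early return added in the next hunk happens before glamor_get_drawable_deltas() and before the matrix uniform is set, so callers must not draw or rely on the offset outputs after a FALSE return. Since every caller has to be converted for this to help, marking the prototype so that an ignored result produces a compiler warning would keep unconverted call sites from slipping through.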
@@ -53,6 +53,11 @@ glamor_set_destination_drawable(DrawablePtr drawable,
float scale_x = 2.0f / (float) w;
float scale_y = 2.0f / (float) h;
float center_adjust = 0.0f;
+ glamor_pixmap_fbo *pixmap_fbo;
+
+ pixmap_fbo = glamor_pixmap_fbo_at(pixmap_priv, box_index);
+ if (!pixmap_fbo)
+ return FALSE;
glamor_get_drawable_deltas(drawable, pixmap, &off_x, &off_y);
@@ -94,8 +99,10 @@ glamor_set_destination_drawable(DrawablePtr drawable,
scale_x, (off_x + center_adjust) * scale_x - 1.0f,
scale_y, (off_y + center_adjust) * scale_y - 1.0f);
- glamor_set_destination_pixmap_fbo(glamor_priv, glamor_pixmap_fbo_at(pixmap_priv, box_index),
+ glamor_set_destination_pixmap_fbo(glamor_priv, pixmap_fbo,
0, 0, w, h);
+
+ return TRUE;
}
/*
diff --git a/glamor/glamor_transform.h b/glamor/glamor_transform.h
index 70d2c1671..28855e3d3 100644
--- a/glamor/glamor_transform.h
+++ b/glamor/glamor_transform.h
@@ -23,7 +23,7 @@
#ifndef _GLAMOR_TRANSFORM_H_
#define _GLAMOR_TRANSFORM_H_
-void
+Bool
glamor_set_destination_drawable(DrawablePtr drawable,
int box_index,
Bool do_drawable_translate,
commit 52ab10aa9a98076227e7db40fcd4b19b55a66861
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Tue Mar 14 15:22:32 2017 +0100
Xephyr: Check screen resources creation success
If the screen pixmap or the corresponding texture creation with glamor
fails, exit cleanly with an error message instead of segfaulting.
Fixes: https://bugzilla.redhat.com/1431633
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
(cherry picked from commit b0ce1d088a863492f5de11e4dbde10af4261d892)
diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index 4eec72af9..ef5350e18 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -725,8 +725,10 @@ ephyrCreateResources(ScreenPtr pScreen)
ephyrShadowUpdate, ephyrWindowLinear);
else {
#ifdef GLAMOR
- if (ephyr_glamor)
- ephyr_glamor_create_screen_resources(pScreen);
+ if (ephyr_glamor) {
+ if (!ephyr_glamor_create_screen_resources(pScreen))
+ return FALSE;
+ }
#endif
return ephyrSetInternalDamage(pScreen);
}
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index fe69f84ae..a9ea3726d 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -1559,6 +1559,8 @@ ephyr_glamor_create_screen_resources(ScreenPtr pScreen)
pScreen->height,
pScreen->rootDepth,
GLAMOR_CREATE_NO_LARGE);
+ if (!screen_pixmap)
+ return FALSE;
pScreen->SetScreenPixmap(screen_pixmap);
if (pScreen->root && pScreen->SetWindowPixmap)
@@ -1566,6 +1568,9 @@ ephyr_glamor_create_screen_resources(ScreenPtr pScreen)
/* Tell the GLX code what to GL texture to read from. */
tex = glamor_get_pixmap_texture(screen_pixmap);
+ if (!tex)
+ return FALSE;
+
ephyr_glamor_set_texture(scrpriv->glamor, tex);
return TRUE;
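Review bot: The commit message says Xephyr should "exit cleanly with an error message", but neither return FALSE added in ephyr_glamor_create_screen_resources() logs anything, and the ephyr.c hunk only propagates the FALSE. Please add a message at each failure point (pixmap creation and texture lookup) so the two cases can be told apart from the log. Also note that the second check runs after pScreen->SetScreenPixmap(screen_pixmap), so on a zero texture the function returns FALSE with the screen pixmap already installed; worth a comment on whether that is safe given the server is about to exit.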
commit 2a47e328641c061d73b3fc4602343500d18500c1
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Tue Mar 14 15:22:31 2017 +0100
glamor: Check for NULL pixmap in glamor_get_pixmap_texture()
glamor_create_pixmap() would return a NullPixmap if the given size is
larger than the maximum size of a pixmap.
But glamor_get_pixmap_texture() won't check if the given pixmap is
non-null, leading to a segfault if glamor_create_pixmap() failed.
This can be reproduced by passing Xephyr a very large screen width,
e.g.:
$ Xephyr -glamor -screen 32768x1024 :10
(EE)
(EE) Backtrace:
(EE) 0: Xephyr (OsSigHandler+0x29)
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0)
(EE) 2: Xephyr (glamor_get_pixmap_texture+0x30)
(EE) 3: Xephyr (ephyr_glamor_create_screen_resources+0xc6)
(EE) 4: Xephyr (ephyrCreateResources+0x98)
(EE) 5: Xephyr (dix_main+0x275)
(EE) 6: /lib64/libc.so.6 (__libc_start_main+0xf1)
(EE) 7: Xephyr (_start+0x2a)
(EE) 8: ? (?+0x2a) [0x2a]
(EE)
(EE) Segmentation fault at address 0x0
(EE)
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
Aborted (core dumped)
Bugzilla: https://bugzilla.redhat.com/1431633
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
(cherry picked from commit f40ff18c96e02ff18a367bf53feeb4bd8ee952a0)
diff --git a/glamor/glamor.c b/glamor/glamor.c
index c54cf3b43..2467443e0 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -133,6 +133,9 @@ glamor_get_pixmap_texture(PixmapPtr pixmap)
{
glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap);
+ if (!pixmap_priv)
+ return 0;
+
if (pixmap_priv->type != GLAMOR_TEXTURE_ONLY)
return 0;
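Review bot: The subject says "Check for NULL pixmap", but the added test is on pixmap_priv, after pixmap has already been passed to glamor_get_pixmap_private(). That only prevents the crash if glamor_get_pixmap_private() itself tolerates a NULL pixmap and returns NULL, which is not visible in this hunk. Either test pixmap directly before the lookup, or add a short comment here stating that the helper returns NULL for a NULL pixmap so the dependency is explicit.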