configure.ac | 8 ++--- debian/changelog | 6 ++++ dix/pixmap.c | 16 ++--------- glamor/glamor_dash.c | 1 hw/xwayland/xwayland-cursor.c | 14 ++++++++- hw/xwayland/xwayland-glamor.c | 60 ++++++++++++++++++++++++++++++++++++------ os/busfault.c | 13 ++++----- present/present.c | 16 +++++++++++ render/render.c | 4 ++ 9 files changed, 106 insertions(+), 32 deletions(-)
New commits: commit b5485e32b1651b42911a5de8fe47bee890500938 Author: Emilio Pozuelo Monfort <po...@debian.org> Date: Wed Mar 15 20:53:48 2017 +0100 Release to unstable diff --git a/debian/changelog b/debian/changelog index 1d204ca..4414ff8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,8 @@ -xorg-server (2:1.19.3-1) UNRELEASED; urgency=medium +xorg-server (2:1.19.3-1) unstable; urgency=medium * New upstream release. - -- Emilio Pozuelo Monfort <po...@debian.org> Wed, 15 Mar 2017 20:23:26 +0100 + -- Emilio Pozuelo Monfort <po...@debian.org> Wed, 15 Mar 2017 20:53:42 +0100 xorg-server (2:1.19.2-1) unstable; urgency=medium commit a958fe0d10e2041bcd1602f0a28a1712148e0b40 Author: Emilio Pozuelo Monfort <po...@debian.org> Date: Wed Mar 15 20:23:39 2017 +0100 New upstream release diff --git a/debian/changelog b/debian/changelog index 8b216c9..1d204ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +xorg-server (2:1.19.3-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Emilio Pozuelo Monfort <po...@debian.org> Wed, 15 Mar 2017 20:23:26 +0100 + xorg-server (2:1.19.2-1) unstable; urgency=medium [ Andreas Boll ] commit d88937ba8354d6a4e0be2a398037443146701ddc Author: Adam Jackson <a...@redhat.com> Date: Wed Mar 15 13:44:05 2017 -0400 xserver 1.19.3 Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/configure.ac b/configure.ac index e9fa1c7..e6c5b35 100644 --- a/configure.ac +++ b/configure.ac 
@@ -26,9 +26,9 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.19.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2017-03-02" -RELEASE_NAME="Clam Chowder" +AC_INIT([xorg-server], 1.19.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2017-03-15" +RELEASE_NAME="Lobster Bisque" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) commit b258ed457d8f22cfba8a45b35a9be9b53fd37e1e Author: Chris Wilson <ch...@chris-wilson.co.uk> Date: Fri Feb 17 08:18:52 2017 +0000 os: Fix iteration over busfaults Fixes a regression from commit 41da295eb50fa08eaacd0ecde99f43a716fcb41a Author: Keith Packard <kei...@keithp.com> Date: Sun Nov 3 13:12:40 2013 -0800 Trap SIGBUS to handle truncated shared memory segments that causes the SIGBUS handler to fail to chain up correctly and corrupts nearby memory instead. Signed-off-by: Chris Wilson <ch...@chris-wilson.co.uk> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit acdb5bf2de57c0080d2a6e730c788a0a428e13dc) diff --git a/os/busfault.c b/os/busfault.c index d4afa6d..a2d433a 100644 --- a/os/busfault.c +++ b/os/busfault.c 
@@ -98,15 +98,16 @@ static void busfault_sigaction(int sig, siginfo_t *info, void *param) { void *fault = info->si_addr; - struct busfault *busfault = NULL; + struct busfault *iter, *busfault = NULL; void *new_addr; /* Locate the faulting address in our list of shared segments */ - xorg_list_for_each_entry(busfault, &busfaults, list) { - if ((char *) busfault->addr <= (char *) fault && (char *) fault < (char *) busfault->addr + busfault->size) { - break; - } + xorg_list_for_each_entry(iter, &busfaults, list) { + if ((char *) iter->addr <= (char *) fault && (char *) fault < (char *) iter->addr + iter->size) { + busfault = iter; + break; + } } if (!busfault) goto panic; @@ -132,7 +133,7 @@ panic: if (previous_busfault_sigaction) (*previous_busfault_sigaction)(sig, info, param); else - FatalError("bus error"); + FatalError("bus error\n"); } Bool commit 7c4fab2f1f411b6f7d7adc76271fca7c29365ac4 Author: Tobias Stoeckmann <tob...@stoeckmann.org> Date: Mon Mar 13 19:13:14 2017 +0100 render: Fix out of boundary heap access ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <a...@redhat.com> (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2) diff --git a/render/render.c b/render/render.c index b9a932e..bfacaa0 100644 --- a/render/render.c +++ b/render/render.c @@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; 
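Review bot: In os/busfault.c busfault_sigaction, nothing next to the loop records why a separate `iter` cursor is needed, and that detail is exactly what the regression got wrong. After `xorg_list_for_each_entry` walks the whole list without a match the cursor is not NULL, so `if (!busfault)` only reaches `panic` when `busfault` is assigned on a hit. I would add a comment above the loop such as `/* the list cursor is never NULL after a full walk; only a match may set busfault */` so the pattern is not reintroduced. The handler body continues outside this hunk.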
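Review bot: In render/render.c ProcRenderCreateRadialGradient, the new `nStops` guard is another hand-written copy of the same expression; the Conical hunk at -1946 adds it again, and the commit message says ProcRenderCreateLinearGradient already carries it. Keeping three copies in step by hand is presumably how two handlers came to lack the check, so a small shared helper or macro for the length validation would be safer. Failing that, put a comment on each guard, e.g. `/* reject nStops whose byte count would wrap in 32 bits before comparing with len */`. The declaration of `len` and the earlier request-size check are outside the hunk, so whether `len` is well-defined for a short request cannot be confirmed from here.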
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; commit fbb46e0be897ffe78b731a2456673b4cbb73b2be Author: Dr.-Ing. Dieter Jurzitza <dieter.jurzi...@t-online.de> Date: Thu Feb 23 12:57:26 2017 -0500 glamor: Fix missing declaration in dash vertex shader Fixes a GLSL compilation error: Failed to compile VS: 0:13(43): error: `pos' undeclared 0:13(14): error: operands to arithmetic operators must be numeric 0:13(13): error: operands to arithmetic operators must be numeric [1.19: Squash in Michel's typo fix from 0c1574d9] Tested-by: Stefan Dirsch <sndir...@suse.com> Reviewed-by: Adam Jackson <a...@redhat.com> (cherry picked from commit d8161aeb50891ae10c5656487ce8f982deed5f9f) (cherry picked from commit 0c1574d9882a91b2c1a046bf4ac5a9b138a37965) diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c index 3c19dba..78a4fa3 100644 --- a/glamor/glamor_dash.c +++ b/glamor/glamor_dash.c 
@@ -32,6 +32,7 @@ static const char dash_vs_vars[] = static const char dash_vs_exec[] = " dash_offset = primitive.z / dash_length;\n" + " vec2 pos = vec2(0,0);\n" GLAMOR_POS(gl_Position, primitive.xy); static const char dash_fs_vars[] = commit 18fcb66688057f5676952e2535d4bb9942371199 Author: Olivier Fourdan <ofour...@redhat.com> Date: Thu Mar 2 10:19:26 2017 +0100 xwayland: Monitor client states to destroy callbacks In XWayland, dri3_send_open_reply() is called from a sync callback, so there is a possibility that the client might be gone when we get to the callback eventually, which leads to a crash in _XSERVTransSendFd() from WriteFdToClient() . Client resources can survive the client itself, in which case we may end up in our sync callback trying to access client's data after it's been freed/reclaimed. Add a ClientStateCallback handler to monitor the client state changes and clear the sync callback set up by the glamor drm code if any. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1416553 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=100040 Tested-by: Mark B <mark.blake...@bullet-systems.net> Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Michel Dänzer <michel.daen...@amd.com> (cherry picked from commit 937527f9798d573ec82c2c508821899c229c018f) diff --git a/hw/xwayland/xwayland-glamor.c b/hw/xwayland/xwayland-glamor.c index b3d0aab..63f2303 100644 --- a/hw/xwayland/xwayland-glamor.c +++ b/hw/xwayland/xwayland-glamor.c @@ -38,6 +38,8 @@ #include <dri3.h> #include "drm-client-protocol.h" +static DevPrivateKeyRec xwl_auth_state_private_key; + struct xwl_pixmap { struct wl_buffer *buffer; struct gbm_bo *bo; 
@@ -429,17 +431,49 @@ glamor_egl_dri3_fd_name_from_tex(ScreenPtr screen, struct xwl_auth_state { int fd; ClientPtr client; + struct wl_callback *callback; }; static void +free_xwl_auth_state(ClientPtr pClient, struct xwl_auth_state *state) +{ + dixSetPrivate(&pClient->devPrivates, &xwl_auth_state_private_key, NULL); + if (state) { + wl_callback_destroy(state->callback); + free(state); + } +} + +static void +xwl_auth_state_client_callback(CallbackListPtr *pcbl, void *unused, void *data) +{ + NewClientInfoRec *clientinfo = (NewClientInfoRec *) data; + ClientPtr pClient = clientinfo->client; + struct xwl_auth_state *state; + + switch (pClient->clientState) { + case ClientStateGone: + case ClientStateRetained: + state = dixLookupPrivate(&pClient->devPrivates, &xwl_auth_state_private_key); + free_xwl_auth_state(pClient, state); + break; + default: + break; + } +} + +static void sync_callback(void *data, struct wl_callback *callback, uint32_t serial) { struct xwl_auth_state *state = data; - - dri3_send_open_reply(state->client, state->fd); - AttendClient(state->client); - free(state); - wl_callback_destroy(callback); + ClientPtr client = state->client; + + /* if the client is gone, the callback is cancelled so it's safe to + * assume the client is still in ClientStateRunning at this point... + */ + dri3_send_open_reply(client, state->fd); + AttendClient(client); + free_xwl_auth_state(client, state); } static const struct wl_callback_listener sync_listener = { @@ -454,7 +488,6 @@ xwl_dri3_open_client(ClientPtr client, { struct xwl_screen *xwl_screen = xwl_screen_get(screen); struct xwl_auth_state *state; - struct wl_callback *callback; drm_magic_t magic; int fd; 
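Review bot: In hw/xwayland/xwayland-glamor.c, `free_xwl_auth_state` destroys the callback and frees the struct but never releases `state->fd`, so on the `ClientStateGone`/`ClientStateRetained` branch of `xwl_auth_state_client_callback` the descriptor appears to stay open in the server. On the normal path `sync_callback` hands the fd to `dri3_send_open_reply`, which presumably takes ownership, so the close belongs only in the client-gone branch: `if (state) close(state->fd);` ahead of `free_xwl_auth_state(pClient, state);`. Each client that goes away while a sync is pending would otherwise cost the server one descriptor. `dri3_send_open_reply` and the code that obtains the fd are outside this hunk, so confirm the ownership before applying.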
@@ -482,8 +515,9 @@ xwl_dri3_open_client(ClientPtr client, } wl_drm_authenticate(xwl_screen->drm, magic); - callback = wl_display_sync(xwl_screen->display); - wl_callback_add_listener(callback, &sync_listener, state); + state->callback = wl_display_sync(xwl_screen->display); + wl_callback_add_listener(state->callback, &sync_listener, state); + dixSetPrivate(&client->devPrivates, &xwl_auth_state_private_key, state); IgnoreClient(client); @@ -565,6 +599,16 @@ xwl_glamor_init(struct xwl_screen *xwl_screen) return FALSE; } + if (!dixRegisterPrivateKey(&xwl_auth_state_private_key, PRIVATE_CLIENT, 0)) { + ErrorF("Failed to register private key\n"); + return FALSE; + } + + if (!AddCallback(&ClientStateCallback, xwl_auth_state_client_callback, NULL)) { + ErrorF("Failed to add client state callback\n"); + return FALSE; + } + xwl_screen->CreateScreenResources = screen->CreateScreenResources; screen->CreateScreenResources = xwl_glamor_create_screen_resources; screen->CreatePixmap = xwl_glamor_create_pixmap; commit d402b86b4561eb2580421de91d977a35abe88190 Author: Olivier Fourdan <ofour...@redhat.com> Date: Tue Mar 7 10:28:35 2017 +0100 xwayland: clear cursor frame callback After an X cursor is unrealized, the seat's corresponding x_cursor is cleared, but if a frame callback was pending at the time, it will remain and thus prevent any further cursor update, leaving the window with no cursor. Make sure to destroy the frame callback, if any, when that occurs, so that next time a cursor needs to be set, it won't be ignored for a frame callback that will never be triggered. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1389327 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> Reviewed-by: Pekka Paalanen <pekka.paala...@collabora.co.uk> Reviewed-by: Rui Matos <tiagoma...@gmail.com> (cherry picked from commit d4b7e0eaa4b2e97ce1dec653a2ae7d9621fe1431) diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c index 0c1cd34..f334f1c 100644 
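Review bot: In xwl_dri3_open_client, `state->callback = wl_display_sync(xwl_screen->display);` is used unchecked, and the stored pointer is later passed to `wl_callback_destroy` in `free_xwl_auth_state`. If `wl_display_sync` fails and returns NULL, both `wl_callback_add_listener` and the later destroy would dereference it. A guard before the listener is added, along the lines of `if (!state->callback) { close(fd); free(state); return BadAlloc; }`, would turn that into an error reply instead of a server crash. The function's start and its existing error paths are outside the hunk, so the cleanup and return code should mirror what those paths already do.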
--- a/hw/xwayland/xwayland-cursor.c +++ b/hw/xwayland/xwayland-cursor.c @@ -96,14 +96,22 @@ xwl_unrealize_cursor(DeviceIntPtr device, ScreenPtr screen, CursorPtr cursor) } static void +clear_cursor_frame_callback(struct xwl_seat *xwl_seat) +{ + if (xwl_seat->cursor_frame_cb) { + wl_callback_destroy (xwl_seat->cursor_frame_cb); + xwl_seat->cursor_frame_cb = NULL; + } +} + +static void frame_callback(void *data, struct wl_callback *callback, uint32_t time) { struct xwl_seat *xwl_seat = data; - wl_callback_destroy (xwl_seat->cursor_frame_cb); - xwl_seat->cursor_frame_cb = NULL; + clear_cursor_frame_callback(xwl_seat); if (xwl_seat->cursor_needs_update) { xwl_seat->cursor_needs_update = FALSE; xwl_seat_set_cursor(xwl_seat); @@ -127,6 +135,8 @@ xwl_seat_set_cursor(struct xwl_seat *xwl_seat) if (!xwl_seat->x_cursor) { wl_pointer_set_cursor(xwl_seat->wl_pointer, xwl_seat->pointer_enter_serial, NULL, 0, 0); + clear_cursor_frame_callback(xwl_seat); + xwl_seat->cursor_needs_update = FALSE; return; } commit db1326cd6625747e4036e6cdc75bc7a0e1b0426b Author: Qiang Yu <qiang...@amd.com> Date: Thu Jan 26 18:13:53 2017 +0800 present: disable page flip only when a slave crtc is active This prevents the tearing of moving window in a composite WM desktop when output slave is attached but none of its crtc is really active. [1.19: Also fix DMX_LIBS= in configure.ac so it still links - ajax] Signed-off-by: Qiang Yu <qiang...@amd.com> Reviewed-by: Michel Dänzer <michel.daen...@amd.com> (cherry picked from commit bb9128fdc86decd6f6e3b0e145011a8c08b1d2b5) diff --git a/configure.ac b/configure.ac index a265ab5..e9fa1c7 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2334,7 +2334,7 @@ if test "x$DMX" = xyes; then fi DMX_INCLUDES="$XEXT_INC $RENDER_INC $RECORD_INC" XDMX_CFLAGS="$DMXMODULES_CFLAGS" - XDMX_LIBS="$FB_LIB $MI_LIB $XEXT_LIB $RENDER_LIB $RECORD_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_SHADOW_LIB $MIEXT_DAMAGE_LIB $COMPOSITE_LIB $DAMAGE_LIB $MAIN_LIB $DIX_LIB $RANDR_LIB $CONFIG_LIB $OS_LIB $FIXES_LIB" + XDMX_LIBS="$FB_LIB $MI_LIB $XEXT_LIB $PRESENT_LIB $RANDR_LIB $RENDER_LIB $RECORD_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $DRI3_LIB $MIEXT_SYNC_LIB $MIEXT_SHADOW_LIB $MIEXT_DAMAGE_LIB $COMPOSITE_LIB $DAMAGE_LIB $MAIN_LIB $DIX_LIB $CONFIG_LIB $OS_LIB $FIXES_LIB" XDMX_SYS_LIBS="$DMXMODULES_LIBS" AC_SUBST([XDMX_CFLAGS]) AC_SUBST([XDMX_LIBS]) diff --git a/present/present.c b/present/present.c index ef89045..c9c68dc 100644 --- a/present/present.c +++ b/present/present.c @@ -118,6 +118,18 @@ present_flip_pending_pixmap(ScreenPtr screen) } static Bool +present_check_output_slaves_active(ScreenPtr pScreen) +{ + ScreenPtr pSlave; + + xorg_list_for_each_entry(pSlave, &pScreen->slave_list, slave_head) { + if (RRHasScanoutPixmap(pSlave)) + return TRUE; + } + return FALSE; +} + +static Bool present_check_flip(RRCrtcPtr crtc, WindowPtr window, PixmapPtr pixmap, 
@@ -145,7 +157,7 @@ present_check_flip(RRCrtcPtr crtc, return FALSE; /* Fail to flip if we have slave outputs */ - if (screen->output_slaves) + if (screen->output_slaves && present_check_output_slaves_active(screen)) return FALSE; /* Make sure the window hasn't been redirected with Composite */ commit 1097bc9c184db4c722d5a8d2c5a4c0da9cdc70f5 Author: Chris Wilson <ch...@chris-wilson.co.uk> Date: Thu Mar 9 11:25:34 2017 +0000 Revert "prime: Sync shared pixmap from root window instead of screen pixmap" This reverts commit b5b292896f647c85f03f53b20b2f03c0e94de428. This breaks the concept of the screen->pixmap_dirty_list as it no longer tracks the relationship between the PixmapDirtyUpdate src and slave_dst, for the supposed convenience of not tracking present flips. Bugzilla: https://bugs.freedesktop.org/100086 Reviewed-by: Adam Jackson <a...@redhat.com> diff --git a/dix/pixmap.c b/dix/pixmap.c index b67a2e8..7a64024 100644 --- a/dix/pixmap.c +++ b/dix/pixmap.c @@ -241,8 +241,7 @@ PixmapStartDirtyTracking(PixmapPtr src, RegionUnion(damageregion, damageregion, &dstregion); RegionUninit(&dstregion); - DamageRegister(screen->root ? &screen->root->drawable : &src->drawable, - dirty_update->damage); + DamageRegister(&src->drawable, dirty_update->damage); xorg_list_add(&dirty_update->ent, &screen->pixmap_dirty_list); return TRUE; } @@ -270,7 +269,6 @@ PixmapDirtyCopyArea(PixmapPtr dst, RegionPtr dirty_region) { ScreenPtr pScreen = dirty->src->drawable.pScreen; - DrawablePtr src = pScreen->root ? &pScreen->root->drawable : &dirty->src->drawable; int n; BoxPtr b; GCPtr pGC; 
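Review bot: In present/present.c present_check_flip, the comment above the changed condition still reads `/* Fail to flip if we have slave outputs */`, but the test now refuses the flip only when a slave output is active. Suggest `/* Fail to flip if a slave output has an active scanout pixmap */`. The new `present_check_output_slaves_active` helper in the preceding hunk would also benefit from a one-line comment saying it returns TRUE when any screen on `slave_list` reports `RRHasScanoutPixmap`. present_check_flip continues outside this hunk.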
@@ -278,13 +276,7 @@ PixmapDirtyCopyArea(PixmapPtr dst, n = RegionNumRects(dirty_region); b = RegionRects(dirty_region); - pGC = GetScratchGC(src->depth, pScreen); - if (pScreen->root) { - ChangeGCVal subWindowMode; - - subWindowMode.val = IncludeInferiors; - ChangeGC(NullClient, pGC, GCSubwindowMode, &subWindowMode); - } + pGC = GetScratchGC(dirty->src->drawable.depth, pScreen); ValidateGC(&dst->drawable, pGC); while (n--) { @@ -295,7 +287,7 @@ PixmapDirtyCopyArea(PixmapPtr dst, w = dst_box.x2 - dst_box.x1; h = dst_box.y2 - dst_box.y1; - pGC->ops->CopyArea(src, &dst->drawable, pGC, + pGC->ops->CopyArea(&dirty->src->drawable, &dst->drawable, pGC, dirty->x + dst_box.x1, dirty->y + dst_box.y1, w, h, dirty->dst_x + dst_box.x1, dirty->dst_y + dst_box.y1); @@ -318,7 +310,7 @@ PixmapDirtyCompositeRotate(PixmapPtr dst_pixmap, int error; src = CreatePicture(None, - &pScreen->root->drawable, + &dirty->src->drawable, format, CPSubwindowMode, &include_inferiors, serverClient, &error); commit 0ec92f06d4b3bad2e62da24ee7fb64fc88a75820 Author: Adam Jackson <a...@redhat.com> Date: Fri Mar 10 10:54:17 2017 -0500 Revert "present: Allow flipping with PRIME slave outputs" This reverts commit 5c1dd4eba833ecf4ea789c8319b4e25ea1e1fab9. Bugzilla: https://bugs.freedesktop.org/100086 Reviewed-by: Adam Jackson <a...@redhat.com> diff --git a/present/present.c b/present/present.c index aa9c041..ef89045 100644 --- a/present/present.c +++ b/present/present.c @@ -144,6 +144,10 @@ present_check_flip(RRCrtcPtr crtc, if (!screen_priv->info->flip) return FALSE; + /* Fail to flip if we have slave outputs */ + if (screen->output_slaves) + return FALSE; + /* Make sure the window hasn't been redirected with Composite */ window_pixmap = screen->GetWindowPixmap(window); if (window_pixmap != screen->GetScreenPixmap(screen) &&