More Xwayland/Present fixes from upstream

Olivier Fourdan 2019-01-11 13:24:07 +01:00
parent e625aaaade
commit 914938e968
4 changed files with 188 additions and 1 deletions


@ -0,0 +1,69 @@
From f89518e17f7d507734af212785e0b3e47954f603 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 22 Oct 2018 11:48:25 +0200
Subject: [PATCH xserver] present/wnmd: Fix use after free on CRTC removal
Xwayland will add and remove CRTCs as Wayland outputs are added or
removed.
If there is a pending flip when this occurs, the
`xwl_present_sync_callback()` will be triggered after the Xwayland
output's RRCtrcPtr has been destroyed, hence causing a crash in Xwayland
while trying to use freed memory:
#1 abort ()
#2 OsAbort () at utils.c:1350
#3 AbortServer () at log.c:877
#4 FatalError () at log.c:1015
#5 OsSigHandler () at osinit.c:156
#6 <signal handler called>
#7 dixGetPrivate () at ../include/privates.h:122
#8 dixLookupPrivate () at ../include/privates.h:166
#9 present_screen_priv () at present_priv.h:198
#10 present_wnmd_flip () at present_wnmd.c:358
#11 present_wnmd_execute () at present_wnmd.c:466
#12 present_wnmd_re_execute () at present_wnmd.c:80
#13 xwl_present_sync_callback () at xwayland-present.c:287
#14 ffi_call_unix64 () from /lib64/libffi.so.6
#15 ffi_call () from /lib64/libffi.so.6
#16 wl_closure_invoke () at src/connection.c:1006
#17 dispatch_event () at src/wayland-client.c:1427
#18 dispatch_queue () at src/wayland-client.c:1573
#19 wl_display_dispatch_queue_pending () at src/wayland-client.c:1815
#20 wl_display_dispatch_pending () at src/wayland-client.c:1878
#21 xwl_read_events () at xwayland.c:814
#22 ospoll_wait () at ospoll.c:651
#23 WaitForSomething () at WaitFor.c:208
#24 Dispatch () at ../include/list.h:220
#25 dix_main () at main.c:276
To avoid the issue, get the `ScreenPtr` from the window instead of the
CRTC that might have been just freed, `xwl_present_flip()` has no use
for the CRTC anyway.
Bugzilla: https://bugs.freedesktop.org/108249
Suggested-by: Michel Daenzer <michel.daenzer@amd.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Daenzer <michel.daenzer@amd.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b768b7d6cec41b8b320c468ec41aab5a8b49b27b)
---
present/present_wnmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/present/present_wnmd.c b/present/present_wnmd.c
index 8f3836440..2c6412a72 100644
--- a/present/present_wnmd.c
+++ b/present/present_wnmd.c
@@ -354,7 +354,7 @@ present_wnmd_flip(WindowPtr window,
Bool sync_flip,
RegionPtr damage)
{
- ScreenPtr screen = crtc->pScreen;
+ ScreenPtr screen = window->drawable.pScreen;
present_screen_priv_ptr screen_priv = present_screen_priv(screen);
return (*screen_priv->wnmd_info->flip) (window,
--
2.20.1
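Review bot: in `present_wnmd_flip()`, the new `ScreenPtr screen = window->drawable.pScreen;` stops dereferencing `crtc`, but nothing in the function records that `crtc` can be a dangling pointer at this point. Add a short comment above that line stating that the CRTC may already have been destroyed when the flip is re-executed from `xwl_present_sync_callback()`, so that a later cleanup does not switch back to `crtc->pScreen`. The call through `screen_priv->wnmd_info->flip` continues past the visible context; if `crtc` is still forwarded there, confirm that no hook implementation dereferences it.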


@ -0,0 +1,48 @@
From 64f5e6ec2d297f90e9b9785a1cb7285d609a1877 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
Date: Fri, 19 Oct 2018 18:27:37 +0200
Subject: [PATCH xserver] xwayland: Plug leaks in xwl_present_sync_callback
xwl_present_window->sync_callback was leaked.
The event memory was leaked if the corresponding buffer had already been
released.
(cherry picked from commit cb0de153bf0c486da7e968ab0f258c9c0c9ed34a)
---
hw/xwayland/xwayland-present.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 316e04443..fb5c6499e 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -274,6 +274,9 @@ xwl_present_sync_callback(void *data,
struct xwl_present_event *event = data;
struct xwl_present_window *xwl_present_window = event->xwl_present_window;
+ wl_callback_destroy(xwl_present_window->sync_callback);
+ xwl_present_window->sync_callback = NULL;
+
event->pending = FALSE;
if (event->abort) {
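Review bot: at the top of `xwl_present_sync_callback()`, `wl_callback_destroy(xwl_present_window->sync_callback);` runs without checking that the stored callback is non-NULL, and it assumes the stored pointer is the callback that just fired. If any other path can destroy and clear `sync_callback` before this handler runs, NULL is passed to `wl_callback_destroy()`. A guard such as `if (xwl_present_window->sync_callback)` or an assertion on the pointer would make that assumption explicit.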
@@ -289,12 +292,14 @@ xwl_present_sync_callback(void *data,
xwl_present_window->ust,
xwl_present_window->msc);
- if (event->buffer_released)
+ if (event->buffer_released) {
/* If the buffer was already released, send the event now again */
present_wnmd_event_notify(xwl_present_window->window,
event->event_id,
xwl_present_window->ust,
xwl_present_window->msc);
+ xwl_present_free_event(event);
+ }
}
static const struct wl_callback_listener xwl_present_sync_listener = {
--
2.20.1
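Review bot: in the `if (event->buffer_released)` branch, `xwl_present_free_event(event);` makes this callback the owner of the event only when the buffer was already released; the other case is left to whatever handles the buffer release, which the hunk does not show. The comment inside the branch still describes only the re-sent notification. Extend it to say that the event is freed here because the release path has already run, and keep the free as the last statement that touches `event`.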


@ -0,0 +1,62 @@
From a352f979545723054b0a74862a56dc53b1be93fb Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 8 Jan 2019 12:48:53 +0100
Subject: [PATCH xserver] xwayland: handle case without any crtc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Xwayland creates and destroys the CRTC along with the Wayland outputs,
so there is possibly a case where the number of CRTC drops to 0.
However, `xwl_present_get_crtc()` always return `crtcs[0]` which is
invalid when `numCrtcs` is 0.
That leads to crash if a client queries the Present capabilities when
there is no CRTC, the backtrace looks like:
#0 raise() from libc.so
#1 abort() from libc.so
#2 OsAbort() at utils.c:1350
#3 AbortServer() at log.c:879
#4 FatalError() at log.c:1017
#5 OsSigHandler() at osinit.c:156
#6 OsSigHandler() at osinit.c:110
#7 <signal handler called>
#8 main_arena() from libc.so
#9 proc_present_query_capabilities() at present_request.c:236
#10 Dispatch() at dispatch.c:478
#11 dix_main() at main.c:276
To avoid returning an invalid pointer (`crtcs[0]`) in that case, simply
check for `numCrtcs` being 0 and return `NULL` in that case.
Thanks to Michel Dänzer <michel.daenzer@amd.com> for pointing this as a
possible cause of the crash.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Bugzilla: https://bugzilla.redhat.com/1609181
(cherry picked from commit e8295c50209f2963fa2823e8de7e8363a38cd2d1)
---
hw/xwayland/xwayland-present.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 980034db4..74fe84672 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -323,6 +323,10 @@ xwl_present_get_crtc(WindowPtr present_window)
return NULL;
rr_private = rrGetScrPriv(present_window->drawable.pScreen);
+
+ if (rr_private->numCrtcs == 0)
+ return NULL;
+
return rr_private->crtcs[0];
}
--
2.20.1
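Review bot: in `xwl_present_get_crtc()`, the new check reads `rr_private->numCrtcs` without first testing `rr_private` itself, which comes straight from `rrGetScrPriv()`. If that lookup can return NULL for a screen, the check dereferences it; `if (!rr_private || rr_private->numCrtcs == 0)` would cover both cases. Callers must also tolerate a NULL return. The function already returns NULL in the branch just above, so a quick audit of `proc_present_query_capabilities()` from the backtrace would confirm that path is safe.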


@ -46,7 +46,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.20.3
Release: 2%{?gitdate:.%{gitdate}}%{?dist}
Release: 3%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@ -106,6 +106,11 @@ Patch14: 0004-xwayland-Replace-xwl_window-present_window-with-pres.patch
Patch15: 0005-xwayland-Add-xwl_present_unrealize_window.patch
Patch16: 0006-xwayland-Don-t-need-xwl_window-anymore-in-xwl_presen.patch
Patch17: 0007-xwayland-Don-t-take-buffer-release-queue-into-accoun.patch
Patch18: 0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1609181
Patch19: 0001-xwayland-handle-case-without-any-crtc.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1661748
Patch20: 0001-present-wnmd-Fix-use-after-free-on-CRTC-removal.patch
BuildRequires: systemtap-sdt-devel
BuildRequires: git
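Review bot: `Patch18` is added without a bug reference comment, while `Patch19` and `Patch20` each have one above them; add a comment line naming the upstream commit or bug that `0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch` addresses. All three new files also share the `0001-` prefix, so the file names no longer indicate ordering and the apply order depends only on the `PatchNN` numbers, which is worth a brief comment above `Patch18`.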
@ -540,6 +545,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog
* Fri Jan 11 2019 Olivier Fourdan <ofourdan@redhat.com> - 1.20.3-3
- More Xwayland/Present fixes from upstream (rhbz#1609181, rhbz#1661748)
* Thu Dec 06 2018 Olivier Fourdan <ofourdan@redhat.com> - 1.20.3-2
- Xwayland/Present fixes from master upstream