From f2737afa77ae3aaca764257daaba5510f48a7079 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Fri, 13 Aug 2010 17:02:28 +1000 Subject: [PATCH 1/2] xserver 1.8.99.906 xserver-1.8-enter-leave-woes.patch: drop, upstream. --- .gitignore | 1 + sources | 2 +- xorg-x11-server.spec | 13 ++-- xserver-1.8-enter-leave-woes.patch | 120 ----------------------------- 4 files changed, 9 insertions(+), 127 deletions(-) delete mode 100644 xserver-1.8-enter-leave-woes.patch diff --git a/.gitignore b/.gitignore index 7decd59..74001e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ xorg-server-20100716.tar.xz +xorg-server-1.8.99.906.tar.bz2 diff --git a/sources b/sources index a938be5..9edbba7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3dfe6f7d8a922d804bca4e3e85415d1c xorg-server-20100716.tar.xz +d4ab361cacc35e2ed4587019980b7e57 xorg-server-1.8.99.906.tar.bz2 diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 4f39cf8..a998bbc 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -25,12 +25,12 @@ %define extension_minor 0 %define pkgname xorg-server -%define gitdate 20100716 +#define gitdate 20100716 Summary: X.Org X11 X server Name: xorg-x11-server -Version: 1.8.99.905 -Release: 3%{?gitdate:.%{gitdate}}%{dist} +Version: 1.8.99.906 +Release: 1%{?gitdate:.%{gitdate}}%{dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -97,9 +97,6 @@ Patch6053: xserver-1.8-disable-vboxvideo.patch # https://bugs.freedesktop.org/show_bug.cgi?id=28672 Patch7000: xserver-1.8.0-no-xorg.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=538482 -# this patch needs some exposure for side-effects before upstreaming -Patch7001: xserver-1.8-enter-leave-woes.patch %define moduledir %{_libdir}/xorg/modules %define drimoduledir %{_libdir}/dri 
@@ -549,6 +546,10 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Fri Aug 13 2010 Peter Hutterer 1.8.99.906-1 +- xserver 1.8.99.906 +- xserver-1.8-enter-leave-woes.patch: drop, upstream. + * Mon Aug 02 2010 Adam Jackson 1.8.99.905-3 - Drop RANDR debugging patch, not useful. diff --git a/xserver-1.8-enter-leave-woes.patch b/xserver-1.8-enter-leave-woes.patch deleted file mode 100644 index 8af2c0b..0000000 --- a/xserver-1.8-enter-leave-woes.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From a4cf79ec4f1910e6c3f800eea851f95cd2bbabfa Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Thu, 15 Jul 2010 13:24:14 +1000 -Subject: [PATCH] dix: hack around enter/leave event issues for grabbed devices (#27804) - -The current core enter/leave does not cater for device grabs during -enter/leave events. If a window W contains a pointer P1 and a client grabs a -pointer P2, this pointer will not generate enter/leave events inside this -window. - -Hack around this by assuming that a grabbed device will always send -enter/leave events. - -X.Org Bug 27804 - -Signed-off-by: Peter Hutterer ---- - dix/enterleave.c | 27 ++++++++++++++++++--------- - 1 files changed, 18 insertions(+), 9 deletions(-) - -diff --git a/dix/enterleave.c b/dix/enterleave.c -index eefa7ab..7a3ecf5 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -78,10 +78,19 @@ static WindowPtr FocusWindows[MAXDEVICES]; - * window. - */ - static BOOL --HasPointer(WindowPtr win) -+HasPointer(DeviceIntPtr dev, WindowPtr win) - { - int i; - -+ /* FIXME: The enter/leave model does not cater for grabbed devices. For -+ * now, a quickfix: if the device about to send an enter/leave event to -+ * a window is grabbed, assume there is no pointer in that window. -+ * Fixes fdo 27804. -+ * There isn't enough beer in my fridge to fix this properly. -+ */ -+ if (dev->deviceGrab.grab) -+ return FALSE; -+ - for (i = 0; i < MAXDEVICES; i++) - if (PointerWindows[i] == win) - return TRUE; -@@ -270,7 +279,7 @@ CoreEnterNotifies(DeviceIntPtr dev, - may need to be changed from Virtual to NonlinearVirtual depending - on the previous P(W). */ - -- if (!HasPointer(parent) && !FirstPointerChild(parent)) -+ if (!HasPointer(dev, parent) && !FirstPointerChild(parent)) - CoreEnterLeaveEvent(dev, EnterNotify, mode, detail, parent, - child->drawable.id); - } -@@ -309,7 +318,7 @@ CoreLeaveNotifies(DeviceIntPtr dev, - - /* If one window has a pointer or a child with a pointer, skip some - * work and exit. 
*/ -- if (HasPointer(win) || FirstPointerChild(win)) -+ if (HasPointer(dev, win) || FirstPointerChild(win)) - return; - - CoreEnterLeaveEvent(dev, LeaveNotify, mode, detail, win, child->drawable.id); -@@ -373,7 +382,7 @@ CoreEnterLeaveNonLinear(DeviceIntPtr dev, - vice versa depending on the the new P(W) - */ - -- if (!HasPointer(A)) -+ if (!HasPointer(dev, A)) - { - WindowPtr child = FirstPointerChild(A); - if (child) -@@ -417,7 +426,7 @@ CoreEnterLeaveNonLinear(DeviceIntPtr dev, - The detail may need to be changed from Ancestor to Nonlinear - or vice-versa depending on the previous P(W). */ - -- if (!HasPointer(B)) -+ if (!HasPointer(dev, B)) - { - WindowPtr child = FirstPointerChild(B); - if (child) -@@ -455,7 +464,7 @@ CoreEnterLeaveToAncestor(DeviceIntPtr dev, - The detail may need to be changed from Ancestor to Nonlinear or - vice versa depending on the the new P(W) - */ -- if (!HasPointer(A)) -+ if (!HasPointer(dev, A)) - { - WindowPtr child = FirstPointerChild(A); - if (child) -@@ -479,7 +488,7 @@ CoreEnterLeaveToAncestor(DeviceIntPtr dev, - P(W) changes from a descendant to W itself. The subwindow - field should be set to the child containing the old P(W) <<< WRONG */ - -- if (!HasPointer(B)) -+ if (!HasPointer(dev, B)) - CoreEnterLeaveEvent(dev, EnterNotify, mode, NotifyInferior, B, None); - - } -@@ -507,7 +516,7 @@ CoreEnterLeaveToDescendant(DeviceIntPtr dev, - P(W) changes from W to a descendant of W. The subwindow field - is set to the child containing the new P(W) <<< THIS IS WRONG */ - -- if (!HasPointer(A)) -+ if (!HasPointer(dev, A)) - CoreEnterLeaveEvent(dev, LeaveNotify, mode, NotifyInferior, A, None); - - -@@ -531,7 +540,7 @@ CoreEnterLeaveToDescendant(DeviceIntPtr dev, - The detail may need to be changed from Ancestor to Nonlinear - or vice-versa depending on the previous P(W). */ - -- if (!HasPointer(B)) -+ if (!HasPointer(dev, B)) - { - WindowPtr child = FirstPointerChild(B); - if (child) --- -1.7.1 - 
From c913f837320adf05ae13f4840d9c936a9c659b9b Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Mon, 16 Aug 2010 12:25:21 +1000 Subject: [PATCH 2/2] xserver: fix use-after-free for root window - hopefully fix (#596985) --- xorg-x11-server.spec | 6 +++- xserver-1.9-reset-root-null.patch | 59 +++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 xserver-1.9-reset-root-null.patch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index a998bbc..af2e324 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -30,7 +30,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.8.99.906 -Release: 1%{?gitdate:.%{gitdate}}%{dist} +Release: 2%{?gitdate:.%{gitdate}}%{dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -97,6 +97,7 @@ Patch6053: xserver-1.8-disable-vboxvideo.patch # https://bugs.freedesktop.org/show_bug.cgi?id=28672 Patch7000: xserver-1.8.0-no-xorg.patch +Patch7001: xserver-1.9-reset-root-null.patch %define moduledir %{_libdir}/xorg/modules %define drimoduledir %{_libdir}/dri @@ -546,6 +547,9 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Mon Aug 16 2010 Dave Airlie 1.8.99.906-2 +- fix use-after-free for root window - hopefully fix (#596985) + * Fri Aug 13 2010 Peter Hutterer 1.8.99.906-1 - xserver 1.8.99.906 - xserver-1.8-enter-leave-woes.patch: drop, upstream. diff --git a/xserver-1.9-reset-root-null.patch b/xserver-1.9-reset-root-null.patch new file mode 100644 index 0000000..67e64a6 --- /dev/null +++ b/xserver-1.9-reset-root-null.patch 
@@ -0,0 +1,59 @@
+From d25c74c843b83e7c6acbeb52d4807559c83f98cb Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Mon, 16 Aug 2010 12:16:48 +1000
+Subject: [PATCH] dix: reset pScreen->root to NULL when root window is deleted.
+
+We were seeing a crash in the FreeAllResources codepath,
+running valgrind revealed this,
+
+==12536== Invalid read of size 4
+==12536== at 0x810BCAB: DeliverPropertyEvent (rrproperty.c:33)
+==12536== by 0x80958A4: TraverseTree (window.c:227)
+==12536== by 0x809593E: WalkTree (window.c:255)
+==12536== by 0x810BC66: RRDeliverPropertyEvent (rrproperty.c:53)
+==12536== by 0x810BD5D: RRDeleteProperty.clone.0 (rrproperty.c:76)
+==12536== by 0x810BD98: RRDeleteAllOutputProperties (rrproperty.c:88)
+==12536== by 0x810A36E: RROutputDestroyResource (rroutput.c:407)
+==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
+==12536== by 0x808E005: FreeAllResources (resource.c:876)
+==12536== by 0x8062300: main (main.c:305)
+==12536== Address 0x46ba8ac is 4 bytes inside a block of size 164 free'd
+==12536== at 0x40057F6: free (vg_replace_malloc.c:325)
+==12536== by 0x8087F1F: _dixFreeObjectWithPrivates (privates.c:357)
+==12536== by 0x809832A: DeleteWindow (window.c:926)
+==12536== by 0x808DF4E: FreeClientResources (resource.c:859)
+==12536== by 0x808E005: FreeAllResources (resource.c:876)
+==12536== by 0x8062300: main (main.c:305)
+
+Its a use after free on the root window, since we have already deleted it
+at this point. This patch checks if the window we are destroying is the root
+window and resets the pointer to NULL if it is.
+
+Signed-off-by: Dave Airlie
+---
+ dix/window.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/dix/window.c b/dix/window.c
+index 4a47dd5..33ef943 100644
+--- a/dix/window.c
++++ b/dix/window.c
+@@ -895,10 +895,15 @@ DeleteWindow(pointer value, XID wid)
+ WindowPtr pParent;
+ WindowPtr pWin = (WindowPtr)value;
+ xEvent event;
++ ScreenPtr pScreen;
++
++ pScreen = pWin->drawable.pScreen;
+
+ UnmapWindow(pWin, FALSE);
+
+ CrushTree(pWin);
++ if (pWin == pScreen->root)
++ pScreen->root = NULL;
+
+ pParent = pWin->parent;
+ if (wid && pParent && SubStrSend(pWin, pParent))
+--
+1.7.2.1
+
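Review bot: Setting `pScreen->root = NULL` in DeleteWindow trades the dangling pointer for a NULL one, so whatever still reads the root later in FreeAllResources must cope with NULL. The valgrind trace in the description gets there through RRDeliverPropertyEvent, WalkTree and TraverseTree, none of which are visible here; confirm that path returns early on a NULL root instead of dereferencing it, otherwise the crash only changes shape. The added lines also have no comment; above `if (pWin == pScreen->root)` I would add `/* resources freed after the root window still walk the tree from pScreen->root; clear it so they see NULL rather than freed memory */`. DeleteWindow's body starts before and continues past the lines shown.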