
No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

120 changed files with 2767 additions and 5829 deletions


@ -1,37 +0,0 @@
From e96a83d9b1b5a52a41213c7a4840dc96b4f5b06f Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 15 Aug 2012 12:35:21 -0400
Subject: [PATCH] Always install vbe and int10 sdk headers
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/xfree86/Makefile.am | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index b876b79..a170b58 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -26,17 +26,9 @@ if VGAHW
VGAHW_SUBDIR = vgahw
endif
-if VBE
-VBE_SUBDIR = vbe
-endif
-
-if INT10MODULE
-INT10_SUBDIR = int10
-endif
-
-SUBDIRS = common ddc x86emu $(INT10_SUBDIR) os-support parser \
+SUBDIRS = common ddc x86emu int10 os-support parser \
ramdac $(VGAHW_SUBDIR) loader modes $(DRI_SUBDIR) \
- $(DRI2_SUBDIR) . $(VBE_SUBDIR) i2c dixmods xkb \
+ $(DRI2_SUBDIR) . vbe i2c dixmods xkb \
fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man \
$(GLAMOR_EGL_SUBDIR) drivers
--
2.13.6


@ -0,0 +1,55 @@
From 42ec29c7fbf8dc797c369d5fe0e4f2e20725332b Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 11:27:05 +0100
Subject: [PATCH xserver 01/13] Cursor: Refuse to free the root cursor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a cursor reference count drops to 0, the cursor is freed.
The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.
Make sure to prevent the rootCursor from being explicitly freed by a
client.
CVE-2025-26594, ZDI-CAN-25544
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 01642f263f12becf803b19be4db95a4a83f94acc)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/dispatch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index a33bfaa9e..9654c207e 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
client, DixDestroyAccess);
if (rc == Success) {
+ if (pCursor == rootCursor) {
+ client->errorValue = stuff->id;
+ return BadCursor;
+ }
FreeResource(stuff->id, RT_NONE);
return Success;
}
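Review bot: The new `pCursor == rootCursor` guard in ProcFreeCursor has no comment saying why the root cursor is special, so a later cleanup could drop it as a redundant check. I would add above it `/* rootCursor is also held through a global pointer; freeing it on a client request would leave that pointer dangling */`. The guard covers only this request handler; whether other paths that release the last reference to the cursor are protected cannot be seen from this hunk. ProcFreeCursor itself starts and ends outside the hunk.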
--
2.48.1


@ -1,31 +0,0 @@
From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Fri, 26 Oct 2018 17:47:30 -0700
Subject: [PATCH xserver] Fix segfault on probing a non-PCI platform device on
a system with PCI.
Some Broadcom set-top-box boards have PCI busses, but the GPU is still
probed through DT. We would dereference a null busid here in that
case.
Signed-off-by: Eric Anholt <eric@anholt.net>
---
hw/xfree86/common/xf86platformBus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index cef47da03..dadbac6c8 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -289,7 +289,7 @@ xf86platformProbe(void)
for (i = 0; i < xf86_num_platform_devices; i++) {
char *busid = xf86_platform_odev_attributes(i)->busid;
- if (pci && (strncmp(busid, "pci:", 4) == 0)) {
+ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) {
platform_find_pci_info(&xf86_platform_devices[i], busid);
}
--
2.14.4


@ -1,15 +1,16 @@
From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001
From 9ca7d3f61a88ae6cf47fdf139b6215d745db976b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 25 Jan 2023 11:41:40 +1000
Subject: [PATCH xserver] Xi: fix potential use-after-free in
DeepCopyPointerClasses
CVE-2023-0494, ZDI-CAN 19596
CVE-2023-0494, ZDI-CAN-19596
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
---
Xi/exevents.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)


@ -1,4 +1,4 @@
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001
From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 12:55:45 +1000
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in


@ -0,0 +1,72 @@
From e67e988730346c63d2f0cdf2531ed36b0c7ad5a6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 23 Nov 2022 14:50:29 +1000
Subject: [PATCH xserver] configure.ac: search for the fontrootdir ourselves
This replaces the use of font-utils' .m4 macro set with a copy of the
only one we actually want: the bit for the fontrootpath.
We don't need configure options for every single subfont directory, so
let's hardcode those in the default font path. Like meson does upstream
too.
With this patch we no longer require the font-utils dependency.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
configure.ac | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0909cc5b4d..2349320888 100644
--- a/configure.ac
+++ b/configure.ac
@@ -49,9 +49,6 @@ XORG_WITH_XSLTPROC
XORG_ENABLE_UNIT_TESTS
XORG_LD_WRAP([optional])
-m4_ifndef([XORG_FONT_MACROS_VERSION], [m4_fatal([must install font-util 1.1 or later before running autoconf/autogen])])
-XORG_FONT_MACROS_VERSION(1.1)
-
dnl this gets generated by autoheader, and thus contains all the defines. we
dnl don't ever actually use it, internally.
AC_CONFIG_HEADERS(include/do-not-use-config.h)
@@ -450,18 +447,27 @@ AC_MSG_RESULT([$FALLBACK_INPUT_DRIVER])
AC_DEFINE_UNQUOTED(FALLBACK_INPUT_DRIVER, ["$FALLBACK_INPUT_DRIVER"], [ Fallback input driver ])
dnl Determine font path
-XORG_FONTROOTDIR
-XORG_FONTSUBDIR(FONTMISCDIR, fontmiscdir, misc)
-XORG_FONTSUBDIR(FONTOTFDIR, fontotfdir, OTF)
-XORG_FONTSUBDIR(FONTTTFDIR, fontttfdir, TTF)
-XORG_FONTSUBDIR(FONTTYPE1DIR, fonttype1dir, Type1)
-XORG_FONTSUBDIR(FONT75DPIDIR, font75dpidir, 75dpi)
-XORG_FONTSUBDIR(FONT100DPIDIR, font100dpidir, 100dpi)
+dnl This is a copy of XORG_FONTROOTDIR from font-utils so we can drop the dependency
+AC_MSG_CHECKING([for root directory for font files])
+AC_ARG_WITH(fontrootdir,
+ AS_HELP_STRING([--with-fontrootdir=DIR],
+ [Path to root directory for font files]),
+ [FONTROOTDIR="$withval"])
+# if --with-fontrootdir not specified...
+if test "x${FONTROOTDIR}" = "x"; then
+ FONTROOTDIR=`$PKG_CONFIG --variable=fontrootdir fontutil`
+fi
+# ...and if pkg-config didn't find fontdir in fontutil.pc...
+if test "x${FONTROOTDIR}" = "x"; then
+ FONTROOTDIR="${datadir}/fonts/X11"
+fi
+AC_SUBST(FONTROOTDIR)
+AC_MSG_RESULT([${FONTROOTDIR}])
dnl Uses --with-default-font-path if set, otherwise uses standard
dnl subdirectories of FONTROOTDIR. Some distros set the default font path to
dnl "catalogue:/etc/X11/fontpath.d,built-ins"
-DEFAULT_FONT_PATH="${FONTMISCDIR}/,${FONTTTFDIR}/,${FONTOTFDIR}/,${FONTTYPE1DIR}/,${FONT100DPIDIR}/,${FONT75DPIDIR}/"
+DEFAULT_FONT_PATH="${FONTROOTDIR}/misc,${FONTROOTDIR}/OTF,${FONTROOTDIR}/TTF,${FONTROOTDIR}/Type1,${FONTROOTDIR}/75dpi,${FONTROOTDIR}/100dpi"
case $host_os in
darwin*) DEFAULT_FONT_PATH="${DEFAULT_FONT_PATH},/Library/Fonts,/System/Library/Fonts" ;;
esac
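Review bot: The new DEFAULT_FONT_PATH is not equivalent to the one it replaces: the old value listed TTF before OTF and 100dpi before 75dpi and ended every entry with a slash, while the new one lists OTF, TTF, then 75dpi, 100dpi, with no trailing slash. The commit message only describes dropping the font-util dependency, so if the reordering is unintended the line should keep the old order, presumably `${FONTROOTDIR}/misc/,${FONTROOTDIR}/TTF/,${FONTROOTDIR}/OTF/,${FONTROOTDIR}/Type1/,${FONTROOTDIR}/100dpi/,${FONTROOTDIR}/75dpi/` (assuming the removed macros resolved to those subdirectories of FONTROOTDIR). The hunk also stops defining FONTMISCDIR and the other per-directory variables. Any template outside this hunk that still references them would expand to an empty string, so it is worth searching the tree for them before merging.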
--
2.38.1


@ -0,0 +1,101 @@
From 9c27c756438a62fdd768147d753b4c5fc731247b Mon Sep 17 00:00:00 2001
From: Yao Wei <mwei@lxde.org>
Date: Tue, 21 Feb 2023 03:43:05 +0000
Subject: [PATCH xserver] dix: Force update LEDs after device state update in
EnableDevice
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is to make sure the hardware gets the device states regardless
whether the internal state has changed or not, to overcome situations
that device LEDs are out of sync e.g. switching between VTs.
Signed-off-by: Yao Wei (魏銘廷) <yao.wei@canonical.com>
(cherry picked from commit 7ce57e179b257f35e447971f4fb6614e3360762a)
---
dix/devices.c | 4 ++++
include/xkbsrv.h | 2 ++
xkb/xkbLEDs.c | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 44 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index 00c453980..5629d9cf1 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -426,6 +426,10 @@ EnableDevice(DeviceIntPtr dev, BOOL sendevent)
if (!IsMaster(dev) && !IsFloating(dev))
XkbPushLockedStateToSlaves(GetMaster(dev, MASTER_KEYBOARD), 0, 0);
+
+ /* Now make sure our LEDs are in sync with the locked state */
+ XkbForceUpdateDeviceLEDs(dev);
+
RecalculateMasterButtons(dev);
/* initialise an idle timer for this device*/
diff --git a/include/xkbsrv.h b/include/xkbsrv.h
index fbb5427e1..90a5e5327 100644
--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
@@ -505,6 +505,8 @@ extern _X_EXPORT void XkbUpdateIndicators(DeviceIntPtr /* keybd */ ,
XkbEventCausePtr /* cause */
);
+extern void XkbForceUpdateDeviceLEDs(DeviceIntPtr /* keybd */);
+
extern _X_EXPORT void XkbUpdateAllDeviceIndicators(XkbChangesPtr /* changes */,
XkbEventCausePtr /* cause */
);
diff --git a/xkb/xkbLEDs.c b/xkb/xkbLEDs.c
index 5792d9fb7..3fb8fc526 100644
--- a/xkb/xkbLEDs.c
+++ b/xkb/xkbLEDs.c
@@ -435,6 +435,44 @@ XkbUpdateIndicators(DeviceIntPtr dev,
/***====================================================================***/
+ /*
+ * void
+ * XkbForceUpdateDeviceLEDs(DeviceIntPtr dev)
+ *
+ * Force update LED states to the hardware from the device state
+ * specified by 'dev'.
+ *
+ * If 'dev' is a master device, this function will also force update
+ * its slave devices.
+ *
+ * Used if the actual LED state was externally set and need to push
+ * current state to the hardware e.g. switching between VTs.
+ */
+
+void
+XkbForceUpdateDeviceLEDs(DeviceIntPtr dev)
+{
+ DeviceIntPtr master;
+ XkbSrvLedInfoPtr sli;
+
+ if (!dev->key)
+ return;
+
+ sli = XkbFindSrvLedInfo(dev, XkbDfltXIClass, XkbDfltXIId, 0);
+ XkbDDXUpdateDeviceIndicators(dev, sli, sli->effectiveState);
+
+ if (IsMaster(dev)) {
+ master = dev;
+ nt_list_for_each_entry(dev, inputInfo.devices, next) {
+ if (!dev->key || GetMaster(dev, MASTER_KEYBOARD) != master)
+ continue;
+
+ sli = XkbFindSrvLedInfo(dev, XkbDfltXIClass, XkbDfltXIId, 0);
+ XkbDDXUpdateDeviceIndicators(dev, sli, sli->effectiveState);
+ }
+ }
+}
+
/***====================================================================***/
/*
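Review bot: Both calls in XkbForceUpdateDeviceLEDs dereference `sli->effectiveState` without checking the pointer returned by XkbFindSrvLedInfo, once for `dev` and once inside the slave loop. XkbFindSrvLedInfo is defined outside this hunk, so whether it can return NULL for a device that has a key class but no LED feedback is not visible here. If it can, the new call from EnableDevice would crash the server when such a device is enabled. Guarding each call, `if (sli) XkbDDXUpdateDeviceIndicators(dev, sli, sli->effectiveState);`, keeps the forced update best-effort.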
--
2.48.1


@ -1,45 +0,0 @@
From e710e570b1709d100072a8ab7d05c2aefaf41a1b Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 15 Jun 2026 14:00:19 +0200
Subject: [PATCH xserver] dix: Silence a compiler warning in
doListFontsAndAliases()
Compiler complains that "resolvedlen" might be uninitialized:
| dix/dixfonts.c:559:5: var_decl: Declaring variable "resolvedlen" without initializer.
| dix/dixfonts.c:674:17: uninit_use: Using uninitialized value "resolvedlen".
| 672| * is complete.
| 673| */
| 674|-> if (resolvedlen > XLFDMAXFONTNAMELEN) {
| 675| err = BadFontName;
| 676| goto ContBadFontName;
Most likely a false positive, while immediately after the (newly added)
test, there was a memcpy() using "resolvedlen" and the compiler did not
choke on that before.
Either way, initializing "resolvedlen" to 0 is a small price to pay to
silence the compiler warning and keep us on the safe side.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2237>
---
dix/dixfonts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 3c6c9d594..cf2b45d4f 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -556,7 +556,7 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
int err = Successful;
FontNamesPtr names = NULL;
char *name, *resolved = NULL;
- int namelen, resolvedlen;
+ int namelen, resolvedlen = 0;
int nnames;
int stringLens;
int i;
--
2.54.0


@ -1,214 +0,0 @@
From e84d6f25015d36202fd524b8b8d85d2324348ddb Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 19 Nov 2018 11:27:09 -0500
Subject: [PATCH] link with -z now
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/dmx/Makefile.am | 2 +-
hw/kdrive/ephyr/Makefile.am | 2 +-
hw/vfb/Makefile.am | 2 +-
hw/xfree86/Makefile.am | 3 ++-
hw/xfree86/dixmods/Makefile.am | 6 +++---
hw/xfree86/exa/Makefile.am | 2 +-
hw/xfree86/fbdevhw/Makefile.am | 2 +-
hw/xfree86/int10/Makefile.am | 2 +-
hw/xfree86/shadowfb/Makefile.am | 2 +-
hw/xfree86/utils/cvt/Makefile.am | 1 +
hw/xfree86/utils/gtf/Makefile.am | 1 +
hw/xfree86/vgahw/Makefile.am | 2 +-
hw/xnest/Makefile.am | 2 +-
hw/xwayland/Makefile.am | 2 +-
14 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/hw/dmx/Makefile.am b/hw/dmx/Makefile.am
index eef84cb..9ab20cc 100644
--- a/hw/dmx/Makefile.am
+++ b/hw/dmx/Makefile.am
@@ -78,7 +78,7 @@ XDMX_LIBS = \
input/libdmxinput.a \
config/libdmxconfig.a
-Xdmx_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xdmx_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
Xdmx_DEPENDENCIES= $(XDMX_LIBS)
Xdmx_LDADD = $(XDMX_LIBS) $(XDMX_SYS_LIBS) $(XSERVER_SYS_LIBS)
diff --git a/hw/kdrive/ephyr/Makefile.am b/hw/kdrive/ephyr/Makefile.am
index d12559b..cc37add 100644
--- a/hw/kdrive/ephyr/Makefile.am
+++ b/hw/kdrive/ephyr/Makefile.am
@@ -78,7 +78,7 @@ Xephyr_LDADD = \
Xephyr_DEPENDENCIES = @KDRIVE_LOCAL_LIBS@ $(XEPHYR_GLAMOR_LIB)
-Xephyr_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xephyr_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -W,-z,now -pie
relink:
$(AM_V_at)rm -f $(bin_PROGRAMS) && $(MAKE) $(bin_PROGRAMS)
diff --git a/hw/vfb/Makefile.am b/hw/vfb/Makefile.am
index 7033397..c09a9c9 100644
--- a/hw/vfb/Makefile.am
+++ b/hw/vfb/Makefile.am
@@ -20,7 +20,7 @@ XVFB_LIBS = \
Xvfb_LDADD = $(XVFB_LIBS) $(XVFB_SYS_LIBS) $(XSERVER_SYS_LIBS)
Xvfb_DEPENDENCIES = $(XVFB_LIBS)
-Xvfb_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xvfb_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
relink:
$(AM_V_at)rm -f Xvfb$(EXEEXT) && $(MAKE) Xvfb$(EXEEXT)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index 32f98b5..5955148 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -78,12 +78,13 @@ Xorg_LDADD = \
$(XSERVER_SYS_LIBS)
Xorg_DEPENDENCIES = $(LOCAL_LIBS)
-Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
if SUID_WRAPPER
wrapexecdir = $(SUID_WRAPPER_DIR)
wrapexec_PROGRAMS = Xorg.wrap
Xorg_wrap_SOURCES = xorg-wrapper.c
+Xorg_wrap_LDFLAGS = -Wl,-z,now -pie
endif
BUILT_SOURCES = xorg.conf.example
diff --git a/hw/xfree86/dixmods/Makefile.am b/hw/xfree86/dixmods/Makefile.am
index 856659f..6ab101b 100644
--- a/hw/xfree86/dixmods/Makefile.am
+++ b/hw/xfree86/dixmods/Makefile.am
@@ -17,17 +17,17 @@ AM_CPPFLAGS = @XORG_INCS@ \
-I$(top_srcdir)/miext/shadow \
-I$(top_srcdir)/glx
-libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libfb_la_LIBADD = $(top_builddir)/fb/libfb.la
libfb_la_SOURCES = fbmodule.c
libfb_la_CFLAGS = $(AM_CFLAGS)
-libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libwfb_la_LIBADD = $(top_builddir)/fb/libwfb.la
libwfb_la_SOURCES = fbmodule.c
libwfb_la_CFLAGS = $(AM_CFLAGS) -DFB_ACCESS_WRAPPER
-libglx_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libglx_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libglx_la_LIBADD = $(top_builddir)/glx/libglx.la $(GLX_SYS_LIBS)
if DRI2
libglx_la_LIBADD += $(top_builddir)/glx/libglxdri.la
diff --git a/hw/xfree86/exa/Makefile.am b/hw/xfree86/exa/Makefile.am
index ccbb305..7bf7137 100644
--- a/hw/xfree86/exa/Makefile.am
+++ b/hw/xfree86/exa/Makefile.am
@@ -2,7 +2,7 @@ SUBDIRS = man
module_LTLIBRARIES = libexa.la
-libexa_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libexa_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
AM_CPPFLAGS = \
$(XORG_INCS) \
diff --git a/hw/xfree86/fbdevhw/Makefile.am b/hw/xfree86/fbdevhw/Makefile.am
index 37cd88c..895cfab 100644
--- a/hw/xfree86/fbdevhw/Makefile.am
+++ b/hw/xfree86/fbdevhw/Makefile.am
@@ -2,7 +2,7 @@ SUBDIRS = man
module_LTLIBRARIES = libfbdevhw.la
-libfbdevhw_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libfbdevhw_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
if FBDEVHW
libfbdevhw_la_SOURCES = fbdevhw.c
diff --git a/hw/xfree86/int10/Makefile.am b/hw/xfree86/int10/Makefile.am
index 66cb14d..aad47a1 100644
--- a/hw/xfree86/int10/Makefile.am
+++ b/hw/xfree86/int10/Makefile.am
@@ -4,7 +4,7 @@ sdk_HEADERS = xf86int10.h
EXTRA_CFLAGS =
-libint10_la_LDFLAGS = -avoid-version
+libint10_la_LDFLAGS = -avoid-version -Wl,-z,now
libint10_la_LIBADD = $(PCIACCESS_LIBS)
COMMON_SOURCES = \
diff --git a/hw/xfree86/shadowfb/Makefile.am b/hw/xfree86/shadowfb/Makefile.am
index 67fb2e4..a8c2d59 100644
--- a/hw/xfree86/shadowfb/Makefile.am
+++ b/hw/xfree86/shadowfb/Makefile.am
@@ -1,5 +1,5 @@
module_LTLIBRARIES = libshadowfb.la
-libshadowfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libshadowfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libshadowfb_la_SOURCES = sfbmodule.c shadowfb.c
libshadowfb_la_LIBADD = $(PIXMAN_LIBS)
diff --git a/hw/xfree86/utils/cvt/Makefile.am b/hw/xfree86/utils/cvt/Makefile.am
index 26abeb4..19b0eba 100644
--- a/hw/xfree86/utils/cvt/Makefile.am
+++ b/hw/xfree86/utils/cvt/Makefile.am
@@ -33,3 +33,4 @@ cvt_SOURCES = cvt.c \
$(top_srcdir)/os/xprintf.c
cvt_CFLAGS = $(DIX_CFLAGS) $(XORG_CFLAGS)
+cvt_LDFLAGS = -Wl,-z,now -pie
diff --git a/hw/xfree86/utils/gtf/Makefile.am b/hw/xfree86/utils/gtf/Makefile.am
index f77bf60..f520fb9 100644
--- a/hw/xfree86/utils/gtf/Makefile.am
+++ b/hw/xfree86/utils/gtf/Makefile.am
@@ -25,3 +25,4 @@ bin_PROGRAMS = gtf
gtf_SOURCES = gtf.c
gtf_CFLAGS = $(XORG_CFLAGS)
gtf_LDADD = -lm
+gtf_LDFLAGS = -Wl,-z,now -pie
diff --git a/hw/xfree86/vgahw/Makefile.am b/hw/xfree86/vgahw/Makefile.am
index b8196a6..37ac499 100644
--- a/hw/xfree86/vgahw/Makefile.am
+++ b/hw/xfree86/vgahw/Makefile.am
@@ -1,5 +1,5 @@
module_LTLIBRARIES = libvgahw.la
-libvgahw_la_LDFLAGS = -avoid-version
+libvgahw_la_LDFLAGS = -avoid-version -Wl,-z,now
libvgahw_la_LIBADD = $(PCIACCESS_LIBS)
libvgahw_la_SOURCES = vgaHW.c vgaHWmodule.c
AM_CPPFLAGS = $(XORG_INCS) -I$(srcdir)/../ddc -I$(srcdir)/../i2c
diff --git a/hw/xnest/Makefile.am b/hw/xnest/Makefile.am
index c77da64..185803c 100644
--- a/hw/xnest/Makefile.am
+++ b/hw/xnest/Makefile.am
@@ -51,7 +51,7 @@ Xnest_SOURCES = $(SRCS)
Xnest_DEPENDENCIES = $(XNEST_LIBS)
Xnest_LDADD = $(XNEST_LIBS) $(XNEST_SYS_LIBS) $(XSERVER_SYS_LIBS)
-Xnest_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xnest_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
EXTRA_DIST = icon \
screensaver
diff --git a/hw/xwayland/Makefile.am b/hw/xwayland/Makefile.am
index bc1cb85..2f70cd1 100644
--- a/hw/xwayland/Makefile.am
+++ b/hw/xwayland/Makefile.am
@@ -28,7 +28,7 @@ Xwayland_LDADD = \
$(XWAYLAND_SYS_LIBS) \
$(top_builddir)/Xext/libXvidmode.la \
$(XSERVER_SYS_LIBS)
-Xwayland_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xwayland_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
Xwayland_built_sources =
--
2.19.1


@ -1,45 +0,0 @@
From b6e18eb57f3dd104704d0a5ec3d2f051645b9068 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 19 Jun 2019 14:23:56 -0400
Subject: [PATCH xserver] linux: Fix platform device PCI detection for complex
bus topologies
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough.
The ID_PATH that udev will construct for that looks something like
"acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in
the first four characters of that is going to not work.
Instead, strstr. I suppose it's possible you could have _multiple_ PCI
buses in the path, in which case you'd want strrstr, if that were a
thing.
---
config/udev.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/udev.c b/config/udev.c
index 314acba6ce..6e11aa3b88 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -474,7 +474,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
config_odev_probe_proc_ptr probe_callback)
{
struct OdevAttributes *attribs = config_odev_allocate_attributes();
- const char *value;
+ const char *value, *str;
attribs->path = XNFstrdup(path);
attribs->syspath = XNFstrdup(syspath);
@@ -482,8 +482,8 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
attribs->minor = minor;
value = udev_device_get_property_value(udev_device, "ID_PATH");
- if (value && !strncmp(value, "pci-", 4)) {
- attribs->busid = XNFstrdup(value);
+ if (value && (str = strstr(value, "pci-"))) {
+ attribs->busid = XNFstrdup(str);
attribs->busid[3] = ':';
}
--
2.21.0


@ -1,129 +0,0 @@
From 28320833d61af76dc3b77b985c69706f3e021836 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 18 Sep 2018 14:37:51 -0400
Subject: [PATCH xserver] linux: Make platform device probe less fragile
At the point where xf86BusProbe runs we haven't yet taken our own VT,
which means we can't perform drm "master" operations on the device. This
is tragic, because we need master to fish the bus id string out of the
kernel, which we can only do after drmSetInterfaceVersion, which for
some reason stores that string on the device not the file handle and
thus needs master access.
Fortunately we know the format of the busid string, and it happens to
almost be the same as the ID_PATH variable from udev. Use that instead
and stop calling drmSetInterfaceVersion.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
config/udev.c | 17 ++++++++++++-----
hw/xfree86/os-support/linux/lnx_platform.c | 13 ++-----------
2 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/config/udev.c b/config/udev.c
index 3a73189e25..8c6c4b6665 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -56,7 +56,7 @@ static struct udev_monitor *udev_monitor;
#ifdef CONFIG_UDEV_KMS
static void
-config_udev_odev_setup_attribs(const char *path, const char *syspath,
+config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
int major, int minor,
config_odev_probe_proc_ptr probe_callback);
#endif
@@ -128,7 +128,7 @@ device_added(struct udev_device *udev_device)
LogMessage(X_INFO, "config/udev: Adding drm device (%s)\n", path);
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
minor(devnum), NewGPUDeviceRequest);
return;
}
@@ -322,7 +322,7 @@ device_removed(struct udev_device *device)
LogMessage(X_INFO, "config/udev: removing GPU device %s %s\n",
syspath, path);
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(device, path, syspath, major(devnum),
minor(devnum), DeleteGPUDeviceRequest);
/* Retry vtenter after a drm node removal */
systemd_logind_vtenter();
@@ -465,17 +465,24 @@ config_udev_fini(void)
#ifdef CONFIG_UDEV_KMS
static void
-config_udev_odev_setup_attribs(const char *path, const char *syspath,
+config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
int major, int minor,
config_odev_probe_proc_ptr probe_callback)
{
struct OdevAttributes *attribs = config_odev_allocate_attributes();
+ const char *value;
attribs->path = XNFstrdup(path);
attribs->syspath = XNFstrdup(syspath);
attribs->major = major;
attribs->minor = minor;
+ value = udev_device_get_property_value(udev_device, "ID_PATH");
+ if (value && !strncmp(value, "pci-", 4)) {
+ attribs->busid = XNFstrdup(value);
+ attribs->busid[3] = ':';
+ }
+
/* ownership of attribs is passed to probe layer */
probe_callback(attribs);
}
@@ -516,7 +523,7 @@ config_udev_odev_probe(config_odev_probe_proc_ptr probe_callback)
else if (!check_seat(udev_device))
goto no_probe;
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
minor(devnum), probe_callback);
no_probe:
udev_device_unref(udev_device);
diff --git a/hw/xfree86/os-support/linux/lnx_platform.c b/hw/xfree86/os-support/linux/lnx_platform.c
index 70374ace88..0eb6d22875 100644
--- a/hw/xfree86/os-support/linux/lnx_platform.c
+++ b/hw/xfree86/os-support/linux/lnx_platform.c
@@ -30,6 +30,8 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
int err = 0;
Bool paused, server_fd = FALSE;
+ LogMessage(X_INFO, "Platform probe for %s\n", attribs->syspath);
+
fd = systemd_logind_take_fd(attribs->major, attribs->minor, path, &paused);
if (fd != -1) {
if (paused) {
@@ -53,13 +55,6 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
sv.drm_dd_major = -1; /* Don't care */
sv.drm_dd_minor = -1; /* Don't care */
- err = drmSetInterfaceVersion(fd, &sv);
- if (err) {
- xf86Msg(X_ERROR, "%s: failed to set DRM interface version 1.4: %s\n",
- path, strerror(-err));
- goto out;
- }
-
/* for a delayed probe we've already added the device */
if (delayed_index == -1) {
xf86_add_platform_device(attribs, FALSE);
@@ -69,10 +64,6 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
if (server_fd)
xf86_platform_devices[delayed_index].flags |= XF86_PDEV_SERVER_FD;
- buf = drmGetBusid(fd);
- xf86_platform_odev_attributes(delayed_index)->busid = XNFstrdup(buf);
- drmFreeBusid(buf);
-
v = drmGetVersion(fd);
if (!v) {
xf86Msg(X_ERROR, "%s: failed to query DRM version\n", path);
--
2.19.0


@ -0,0 +1,49 @@
From 88f0787f93f097a125a0aa156eb9a5628adfc2c2 Mon Sep 17 00:00:00 2001
From: Alex Goins <agoins@nvidia.com>
Date: Thu, 12 Dec 2019 20:18:53 -0600
Subject: [PATCH xserver] modesetting: Fix msSharePixmapBacking Segfault
Regression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit cb1b1e184 modified msSharePixmapBacking() to derive modesettingPtr from
the 'screen' argument. Unfortunately, the name of the argument is misleading --
the screen is the slave screen. If the master is modesetting,
and the slave is not modesetting, it will segfault.
To fix the problem, this change derives modesettingPtr from
ppix->drawable.pScreen. This method is already used when calling
ms->glamor.shareable_fd_from_pixmap() later in the function.
To avoid future issues, this change also renames the 'screen' argument to
'slave'.
Signed-off-by: Alex Goins <agoins@nvidia.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 456dff1bf890459840718339279dcb84d36531eb)
---
hw/xfree86/drivers/modesetting/driver.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index ce8bac9f5..0817fa470 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -1454,10 +1454,11 @@ CreateScreenResources(ScreenPtr pScreen)
}
static Bool
-msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
+msSharePixmapBacking(PixmapPtr ppix, ScreenPtr slave, void **handle)
{
#ifdef GLAMOR_HAS_GBM
- modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
+ modesettingPtr ms =
+ modesettingPTR(xf86ScreenToScrn(ppix->drawable.pScreen));
int ret;
CARD16 stride;
CARD32 size;
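Review bot: Renaming the second parameter to `slave` records the trap only in the signature; the line that now derives `ms` from `ppix->drawable.pScreen` has no comment saying why the argument must not be used for that. I would add above the assignment `/* ppix belongs to the master screen; 'slave' may not be a modesetting screen, so never derive ms from it */`. That keeps the reasoning from the commit message next to the code that a later refactor is most likely to touch. msSharePixmapBacking's body continues outside the hunk.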
--
2.34.1


@ -1,37 +0,0 @@
From 41e265988a0b6ec456ddd562253e0f82a7c2ede2 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 27 Sep 2019 11:43:52 -0400
Subject: [PATCH xserver] modesetting: Reduce "glamor initialization failed"
message to X_INFO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This might be an error or not, for example refusing to work on llvmpipe
is normal and expected. glamor_egl_init() will print X_ERROR messages if
appropriate, so we don't need to here.
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit cbdde938cbaf604741cd057fac743859ada342ec)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xfree86/drivers/modesetting/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 2aaea5f7d..783d53eaa 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -772,7 +772,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
} else {
- xf86DrvMsg(pScrn->scrnIndex, X_ERROR,
+ xf86DrvMsg(pScrn->scrnIndex, X_INFO,
"glamor initialization failed\n");
}
} else {
--
2.26.2


@ -1,28 +0,0 @@
From efb4bc5b3da511d128144840d7eb3cf3c7cfa0ae Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 3 Sep 2019 12:10:37 -0400
Subject: [PATCH] mustard: Add DRI2 fallback driver mappings for i965 and
radeonsi
---
hw/xfree86/dri2/pci_ids/pci_id_driver_map.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
index 689a570..3825f52 100644
--- a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
+++ b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
@@ -45,8 +45,10 @@ static const struct {
int num_chips_ids;
} driver_map[] = {
{ 0x8086, "i965", "va_gl", i965_chip_ids, ARRAY_SIZE(i965_chip_ids) },
+ { 0x8086, "i965", "va_gl", NULL, -1 },
{ 0x1002, "r600","r600", r600_chip_ids, ARRAY_SIZE(r600_chip_ids) },
{ 0x1002, "radeonsi", "radeonsi", radeonsi_chip_ids, ARRAY_SIZE(radeonsi_chip_ids) },
+ { 0x1002, "radeonsi", "radeonsi", NULL, -1 },
{ 0x10de, "nouveau", "nouveau", NULL, -1 },
{ 0x1af4, "virtio_gpu", "virtio_gpu", virtio_gpu_chip_ids, ARRAY_SIZE(virtio_gpu_chip_ids) },
{ 0x15ad, "vmwgfx", "vmwgfx", vmwgfx_chip_ids, ARRAY_SIZE(vmwgfx_chip_ids) },
--
2.23.0


@ -1,278 +0,0 @@
From b6e50ece375b6b1fbe053b30b52fc40dde5c682b Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 13 Nov 2018 10:11:36 -0500
Subject: [PATCH] mustard: Don't probe for drivers not shipped in RHEL8
As with RHEL7, this is mostly to keep spurious probe messages out of the
X log and prevent questions like "why isn't it loading mga on my
G200SE" or "why isn't it loading radeon_dri.so on my RN50".
---
hw/xfree86/common/xf86pciBus.c | 162 --------------------
hw/xfree86/dri2/pci_ids/pci_id_driver_map.h | 32 ----
2 files changed, 194 deletions(-)
diff --git a/hw/xfree86/common/xf86pciBus.c b/hw/xfree86/common/xf86pciBus.c
index b7f9999..398ed45 100644
--- a/hw/xfree86/common/xf86pciBus.c
+++ b/hw/xfree86/common/xf86pciBus.c
@@ -1074,107 +1074,12 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
const char *driverList[5] = { NULL, NULL, NULL, NULL, NULL };
switch (dev->vendor_id) {
- /* AMD Geode LX */
- case 0x1022:
- if (dev->device_id == 0x2081)
- driverList[0] = "geode";
- break;
- /* older Geode products acquired by AMD still carry an NSC vendor_id */
- case 0x100b:
- if (dev->device_id == 0x0030) {
- /* NSC Geode GX2 specifically */
- driverList[0] = "geode";
- /* GX2 support started its life in the NSC tree and was later
- forked by AMD for GEODE so we keep it as a backup */
- driverList[1] = "nsc";
- }
- else
- /* other NSC variant e.g. 0x0104 (SC1400), 0x0504 (SCx200) */
- driverList[0] = "nsc";
- break;
- /* Cyrix Geode GX1 */
- case 0x1078:
- if (dev->device_id == 0x0104)
- driverList[0] = "cyrix";
- break;
- case 0x1142:
- driverList[0] = "apm";
- break;
- case 0xedd8:
- driverList[0] = "ark";
- break;
- case 0x1a03:
- driverList[0] = "ast";
- break;
case 0x1002:
driverList[0] = "ati";
break;
- case 0x102c:
- driverList[0] = "chips";
- break;
- case 0x1013:
- driverList[0] = "cirrus";
- break;
- case 0x3d3d:
- driverList[0] = "glint";
- break;
- case 0x105d:
- driverList[0] = "i128";
- break;
case 0x8086:
switch (dev->device_id)
{
- /* Intel i740 */
- case 0x00d1:
- case 0x7800:
- driverList[0] = "i740";
- break;
- /* GMA500/Poulsbo */
- case 0x8108:
- case 0x8109:
- /* Try psb driver on Poulsbo - if available */
- driverList[0] = "psb";
- driverList[1] = "psb_drv";
- break;
- /* GMA600/Oaktrail */
- case 0x4100:
- case 0x4101:
- case 0x4102:
- case 0x4103:
- case 0x4104:
- case 0x4105:
- case 0x4106:
- case 0x4107:
- /* Atom E620/Oaktrail */
- case 0x4108:
- /* Medfield */
- case 0x0130:
- case 0x0131:
- case 0x0132:
- case 0x0133:
- case 0x0134:
- case 0x0135:
- case 0x0136:
- case 0x0137:
- /* GMA 3600/CDV */
- case 0x0be0:
- case 0x0be1:
- case 0x0be2:
- case 0x0be3:
- case 0x0be4:
- case 0x0be5:
- case 0x0be6:
- case 0x0be7:
- case 0x0be8:
- case 0x0be9:
- case 0x0bea:
- case 0x0beb:
- case 0x0bec:
- case 0x0bed:
- case 0x0bee:
- case 0x0bef:
- /* Use fbdev/vesa driver on Oaktrail, Medfield, CDV */
- break;
/* Default to intel only on pre-gen4 chips */
case 0x3577:
case 0x2562:
@@ -1196,14 +1101,7 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
break;
}
break;
- case 0x102b:
- driverList[0] = "mga";
- break;
- case 0x10c8:
- driverList[0] = "neomagic";
- break;
case 0x10de:
- case 0x12d2:
{
int idx = 0;
@@ -1229,77 +1127,17 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
driverList[idx++] = "nouveau";
#endif
- driverList[idx++] = "nv";
break;
}
- case 0x1106:
- driverList[0] = "openchrome";
- break;
case 0x1b36:
driverList[0] = "qxl";
break;
- case 0x1163:
- driverList[0] = "rendition";
- break;
- case 0x5333:
- switch (dev->device_id) {
- case 0x88d0:
- case 0x88d1:
- case 0x88f0:
- case 0x8811:
- case 0x8812:
- case 0x8814:
- case 0x8901:
- driverList[0] = "s3";
- break;
- case 0x5631:
- case 0x883d:
- case 0x8a01:
- case 0x8a10:
- case 0x8c01:
- case 0x8c03:
- case 0x8904:
- case 0x8a13:
- driverList[0] = "s3virge";
- break;
- default:
- driverList[0] = "savage";
- break;
- }
- break;
- case 0x1039:
- driverList[0] = "sis";
- break;
- case 0x126f:
- driverList[0] = "siliconmotion";
- break;
- case 0x121a:
- if (dev->device_id < 0x0003)
- driverList[0] = "voodoo";
- else
- driverList[0] = "tdfx";
- break;
- case 0x1011:
- driverList[0] = "tga";
- break;
- case 0x1023:
- driverList[0] = "trident";
- break;
- case 0x100c:
- driverList[0] = "tseng";
- break;
case 0x80ee:
driverList[0] = "vboxvideo";
break;
case 0x15ad:
driverList[0] = "vmware";
break;
- case 0x18ca:
- if (dev->device_id == 0x47)
- driverList[0] = "xgixp";
- else
- driverList[0] = "xgi";
- break;
default:
break;
}
diff --git a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
index 7036d10..689a570 100644
--- a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
+++ b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
@@ -7,38 +7,12 @@
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#endif
-static const int i915_chip_ids[] = {
-#define CHIPSET(chip, desc, name) chip,
-#include "pci_ids/i915_pci_ids.h"
-#undef CHIPSET
-};
-
static const int i965_chip_ids[] = {
#define CHIPSET(chip, family, name) chip,
#include "pci_ids/i965_pci_ids.h"
#undef CHIPSET
};
-#ifndef DRIVER_MAP_GALLIUM_ONLY
-static const int r100_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/radeon_pci_ids.h"
-#undef CHIPSET
-};
-
-static const int r200_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/r200_pci_ids.h"
-#undef CHIPSET
-};
-#endif
-
-static const int r300_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/r300_pci_ids.h"
-#undef CHIPSET
-};
-
static const int r600_chip_ids[] = {
#define CHIPSET(chip, name, family) chip,
#include "pci_ids/r600_pci_ids.h"
@@ -70,13 +44,7 @@ static const struct {
const int *chip_ids;
int num_chips_ids;
} driver_map[] = {
- { 0x8086, "i915", "i915", i915_chip_ids, ARRAY_SIZE(i915_chip_ids) },
{ 0x8086, "i965", "va_gl", i965_chip_ids, ARRAY_SIZE(i965_chip_ids) },
-#ifndef DRIVER_MAP_GALLIUM_ONLY
- { 0x1002, "radeon", "radeon", r100_chip_ids, ARRAY_SIZE(r100_chip_ids) },
- { 0x1002, "r200", "r200", r200_chip_ids, ARRAY_SIZE(r200_chip_ids) },
-#endif
- { 0x1002, "r300", "r300", r300_chip_ids, ARRAY_SIZE(r300_chip_ids) },
{ 0x1002, "r600","r600", r600_chip_ids, ARRAY_SIZE(r600_chip_ids) },
{ 0x1002, "radeonsi", "radeonsi", radeonsi_chip_ids, ARRAY_SIZE(radeonsi_chip_ids) },
{ 0x10de, "nouveau", "nouveau", NULL, -1 },
--
2.19.1


@ -1,34 +0,0 @@
From a4fc2f3a55776018eda20e09c11b3710f8f0e542 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 26 Oct 2018 14:16:17 -0400
Subject: [PATCH xserver] mustard: Work around broken fbdev headers
This configure check is somewhat pointless as we have our own copy of
the fbdev ioctl declarations. There's also a bug in the version of the
kernel headers I happen to want to build against, where an IS_ENABLED()
escaped into uapi like it oughtn't.
Nerf the test so we build the right fbdevhw code.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
configure.ac | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 57a2331024..2b8477ed61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -197,8 +197,7 @@ AC_CHECK_HEADERS([linux/agpgart.h sys/agpio.h sys/agpgart.h], AGP=yes)
AM_CONDITIONAL(AGP, [test "x$AGP" = xyes])
dnl fbdev header
-AC_CHECK_HEADERS([linux/fb.h], FBDEV=yes)
-AM_CONDITIONAL(FBDEVHW, [test "x$FBDEV" = xyes])
+AM_CONDITIONAL(FBDEVHW, true)
dnl FreeBSD kldload support (sys/linker.h)
AC_CHECK_HEADERS([sys/linker.h],
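Review bot: The `dnl fbdev header` comment is left above a line that no longer checks any header. It should say what the line does now, e.g. `dnl RHEL: always build fbdevhw; the linux/fb.h check is skipped on purpose`. `FBDEV` is also no longer set by this block, so any later test of `$FBDEV` in configure.ac (not visible here) would find it empty.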
--
2.19.1


@ -0,0 +1,83 @@
From b3afd9ccefe156ab2dee993118fcdba40341f66e Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 1 Oct 2021 11:47:21 -0400
Subject: [PATCH xserver] mustard: xfree86: Disable the PCI probe path
RHEL 9 does not support userspace modesetting drivers for Xorg. Ideally
it would only support DRM drivers, but there are some fallback paths
(efifb mainly) that still require fbdev support. Since the primary use
of the PCI probe path is devices _without_ kernel support, we can safely
disable it. And indeed we want to, because there are some devices
(hyperv v1 e.g.) with both a platform and a PCI presentation, which the
PCI probe code fails to handle such that the server fails to start.
Thus: we #if 0 out the PCI probe in xf86CallDriverProbe.
It might be nice if the platform code knew about fbdev devices, but it
does not, and teaching it would be a large change for little benefit
given we do intend to sunset the fbdev path as well. Since the fbdev
path exists solely for cases where we have only the rudimentary firmware
framebuffer, we should only use it if _no_ platform driver is available.
Thus: we only call the legacy probe method if xf86ProbeIgnorePrimary.
Having done this, we need to go back into fbdevhw and undo fc78bcca:
commit fc78bcca21e767697de6ad4d8e03b6728856f613 (merge-requests/38)
Author: Adam Jackson <ajax@redhat.com>
Date: Wed Oct 10 14:09:11 2018 -0400
fbdevhw: Refuse to touch PCI devices on the fallback probe path
Which was well intentioned, but given the above changes we know by the
time we're trying to probe fbdev we really do want it, either because of
the above fallback path or because xorg.conf asked for it. In either
case we shouldn't spuriously fail just because it happens to be PCI.
Thus: We if (0) out the code added in fc78bcca.
Any one of the above might be questionable upstream, hence the mustard
nature of this patch.
---
hw/xfree86/common/xf86Bus.c | 4 ++--
hw/xfree86/fbdevhw/fbdevhw.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/xfree86/common/xf86Bus.c b/hw/xfree86/common/xf86Bus.c
index fd144dbe7a..844ce5a890 100644
--- a/hw/xfree86/common/xf86Bus.c
+++ b/hw/xfree86/common/xf86Bus.c
@@ -84,7 +84,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only)
}
#endif
-#ifdef XSERVER_LIBPCIACCESS
+#if 0
if (!foundScreen && (drv->PciProbe != NULL)) {
if (xf86DoConfigure && xf86DoConfigurePass1) {
assert(detect_only);
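Review bot: Replacing `#ifdef XSERVER_LIBPCIACCESS` with a bare `#if 0` leaves nothing in the file that says why the PCI probe is dead code or what the original guard was. A tagged form such as `#if 0 /* RHEL: PCI probe path disabled (was #ifdef XSERVER_LIBPCIACCESS) */` keeps the reason next to the code. In the next hunk of this file, a driver that only provides the legacy `Probe` hook is skipped without any log line when `xf86ProbeIgnorePrimary` is unset, which makes a missing screen harder to diagnose. xf86CallDriverProbe starts and ends outside both hunks.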
@@ -96,7 +96,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only)
}
}
#endif
- if (!foundScreen && (drv->Probe != NULL)) {
+ if (!foundScreen && xf86ProbeIgnorePrimary && (drv->Probe != NULL)) {
xf86Msg(X_WARNING, "Falling back to old probe method for %s\n",
drv->driverName);
foundScreen = (*drv->Probe) (drv, (detect_only) ? PROBE_DETECT
diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c
index 3d8b92e669..171038f46d 100644
--- a/hw/xfree86/fbdevhw/fbdevhw.c
+++ b/hw/xfree86/fbdevhw/fbdevhw.c
@@ -330,7 +330,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
}
/* only touch non-PCI devices on this path */
- {
+ if (0) {
char buf[PATH_MAX];
char *sysfs_path = NULL;
char *node = strrchr(dev, '/') + 1;
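Review bot: The comment `/* only touch non-PCI devices on this path */` is left directly above the block that `if (0)` now disables, so it states the opposite of what the code does. It should be replaced, e.g. `/* RHEL: PCI check from fc78bcca disabled; fbdev is only probed as a deliberate fallback */`. With the check gone, nothing in this hunk stops fbdev_open from taking a PCI-backed framebuffer, which the commit message says is intended. The disabled block continues outside the hunk.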
--
2.31.1


@ -1,40 +0,0 @@
From 5a3926455d74fe167af612ee11399c0f8cd896b5 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
Date: Wed, 17 Sep 2025 17:29:49 +0300
Subject: [PATCH xserver 01/51] os: avoid potential out-of-bounds access at
logVHdrMessageVerb
The LogVHdrMessageVerb function may access an array out of bounds in a
specific edge case. Specifically, the line:
newline = (buf[len - 1] == '\n');
can result in accessing buf[-1] if len == 0, which is undefined behavior.
Commit adds check to avoid access out of bounds at pointed line.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1841
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 8d25a8914346824f820490ba7090175dea9428cd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
os/log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/log.c b/os/log.c
index cc8219129..71210aee8 100644
--- a/os/log.c
+++ b/os/log.c
@@ -827,7 +827,7 @@ LogVHdrMessageVerb(MessageType type, int verb, const char *msg_format,
if (size - len == 1)
buf[len - 1] = '\n';
- newline = (buf[len - 1] == '\n');
+ newline = (len > 0 && buf[len - 1] == '\n');
LogSWrite(verb, buf, len, newline);
}
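Review bot: The store two lines above the fix, `buf[len - 1] = '\n';`, uses the same `len - 1` index and is guarded only by `size - len == 1`, so it is safe for `len == 0` only while `size` is larger than 1. The declarations of `buf` and `size` are outside the hunk, so that cannot be confirmed here. A short comment on that line, e.g. `/* size > 1, so len > 0 here */`, would make both accesses visibly bounded. With `len == 0` the function still reaches `LogSWrite(verb, buf, len, newline)` with an empty buffer. Whether that callee tolerates a zero length is also not visible.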
--
2.54.0


@ -1,122 +0,0 @@
From 2b60d9c28c98f6d2c924c69c0dcbb2aa64b861eb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:16:13 +1000
Subject: [PATCH xserver 1/9] sync: fix deletion of counters and fences
Both FreeCounter() and miSyncDestroyFence() iterate over the trigger list
and invoke the CounterDestroyed callback on each trigger.
The CounterDestroyed callback (e.g. SyncAwaitTriggerFired) may call
FreeResource/FreeAwait, which frees the SyncAwaitUnion containing all
SyncAwait structs in the same Await group.
When multiple conditions in a single Await reference the same sync
object (counter or fence), the first callback frees all SyncAwait
structs while subsequent trigger list nodes still reference them. On the
next iteration, reading ptl->next or ptl->pTrigger dereferences freed
memory, leading to a use-after-free.
We need separate fixes for separate issues here to fix this in one go
- use our null-terminated list macro to make sure our next pointer stays
valid (the code accessed ptl->next after freeing it)
- update the list head before deleting the trigger, eventually this ends
up being NULL anyway but meanwhile the list head is a valid list
during CounterDestroyed
- check if we actually do have a trigger before dereferencing the
callback
- Set all triggers to NULL if they are shared so we don't dereference
potentially freed memory
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30159 (miSyncDestroyFence), ZDI-CAN-30163 (FreeCounter)
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit f5abfb61994471023d8c6470428c8e30c411cc0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/sync.c | 32 +++++++++++++++++++++++++-------
miext/sync/misync.c | 12 ++++++++----
2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index fd2ceb042..0079e85ed 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -1148,9 +1148,12 @@ FreeCounter(void *env, XID id)
SyncTriggerList *ptl, *pnext;
/* tell all the counter's triggers that counter has been destroyed */
- for (ptl = pCounter->sync.pTriglist; ptl; ptl = pnext) {
- (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
- pnext = ptl->next;
+ nt_list_for_each_entry_safe(ptl, pnext, pCounter->sync.pTriglist, next) {
+ /* Remove it from the list first so CounterDestroyed
+ * callbacks have a valid list to iterate */
+ pCounter->sync.pTriglist = pnext;
+ if (ptl->pTrigger)
+ (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
free(ptl); /* destroy the trigger list as we go */
}
if (IsSystemCounter(pCounter)) {
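Review bot: The new loop is only safe if `pCounter->sync.beingDestroyed` is already set when it runs, and that assignment is not visible in this hunk. The FreeAwait hunk below chooses between `SyncDeleteTriggerFromSyncObject` and NULLing `ptl->pTrigger` on that flag. If the flag were clear, a CounterDestroyed callback would presumably unlink list nodes while `pnext` is still held here. A comment above the loop would record the dependency, e.g. `/* requires beingDestroyed to be set: FreeAwait then NULLs pTrigger instead of unlinking nodes under us */`. The same applies to the miSyncDestroyFence hunk in miext/sync/misync.c. FreeCounter starts and ends outside the hunk.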
@@ -1182,13 +1185,28 @@ FreeAwait(void *addr, XID id)
for (numwaits = pAwaitUnion->header.num_waitconditions; numwaits;
numwaits--, pAwait++) {
- /* If the counter is being destroyed, FreeCounter will delete
- * the trigger list itself, so don't do it here.
+ /* If the counter is being destroyed, FreeCounter/miSyncDestroyFence
+ * will delete the trigger list itself, so don't do it here.
+ * However, we must NULL out the pTrigger pointer in the trigger list
+ * node so the destroy loop knows not to dereference it - the backing
+ * SyncAwait memory is about to be freed below.
*/
SyncObject *pSync = pAwait->trigger.pSync;
- if (pSync && !pSync->beingDestroyed)
- SyncDeleteTriggerFromSyncObject(&pAwait->trigger);
+ if (pSync) {
+ if (!pSync->beingDestroyed) {
+ SyncDeleteTriggerFromSyncObject(&pAwait->trigger);
+ } else {
+ SyncTriggerList *ptl;
+
+ nt_list_for_each_entry(ptl, pSync->pTriglist, next) {
+ if (ptl->pTrigger == &pAwait->trigger) {
+ ptl->pTrigger = NULL;
+ break;
+ }
+ }
+ }
+ }
}
free(pAwaitUnion);
return Success;
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
index 0931803f6..6a47d1cdd 100644
--- a/miext/sync/misync.c
+++ b/miext/sync/misync.c
@@ -115,10 +115,14 @@ miSyncDestroyFence(SyncFence * pFence)
SyncScreenPrivPtr pScreenPriv = SYNC_SCREEN_PRIV(pScreen);
SyncTriggerList *ptl, *pNext;
- /* tell all the fence's triggers that the counter has been destroyed */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
- pNext = ptl->next;
+ /* tell all the fence's triggers that the fence has been destroyed.
+ * Update pTriglist before each callback and free so that FreeAwait
+ * sees a valid list head when scanning for triggers to NULL out.
+ */
+ nt_list_for_each_entry_safe(ptl, pNext, pFence->sync.pTriglist, next) {
+ pFence->sync.pTriglist = pNext;
+ if (ptl->pTrigger)
+ (*ptl->pTrigger->CounterDestroyed) (ptl->pTrigger);
free(ptl); /* destroy the trigger list as we go */
}
--
2.54.0


@ -1,167 +0,0 @@
From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
From: Jocelyn Falempe <jfalempe@redhat.com>
Date: Thu, 18 Nov 2021 14:45:42 +0100
Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
drm device resume
logind send the resume event for input devices and drm device,
in any order. if we call vt_enter before logind resume the drm device,
it leads to a driver error, because logind has not done the
DRM_IOCTL_SET_MASTER on it.
Keep the old workaround to make sure we call systemd_logind_vtenter at
least once if there are no platform device
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix drm_drop_master before vt_reldisp
When switching to VT, the ioctl DRM_DROP_MASTER must be done before
the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
reliably, and this leads to the console not showing up in some cases, like
after unplugging a docking station with a DP or HDMI monitor.
Before doing the VT_RELDISP, send a dbus message to logind, to
pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
With this patch, it changes the order logind will send the resume
event, and drm will be sent last instead of first.
so there is a also fix to call systemd_logind_vtenter() at the right time.
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix compilation error when built without logind/platform bus
This was introduced by commit 8eb1396d
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: fix missing call to vtenter if the platform device is not paused
If there is one platform device, which is not paused nor resumed,
systemd_logind_vtenter() will never get called.
This break suspend/resume, and switching to VT on system with Nvidia
proprietary driver.
This is a regression introduced by f5bd039633fa83
So now call systemd_logind_vtenter() if there are no paused
platform devices.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
---
hw/xfree86/common/xf86Events.c | 4 ++
hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
include/systemd-logind.h | 2 +
3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
index 8a800bd8f..b683d233b 100644
--- a/hw/xfree86/common/xf86Events.c
+++ b/hw/xfree86/common/xf86Events.c
@@ -393,6 +393,10 @@ xf86VTLeave(void)
for (i = 0; i < xf86NumGPUScreens; i++)
xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
+ if (systemd_logind_controls_session()) {
+ systemd_logind_drop_master();
+ }
+
if (!xf86VTSwitchAway())
goto switch_failed;
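Review bot: `systemd_logind_drop_master()` runs before `xf86VTSwitchAway()`, and nothing in this hunk undoes it when the switch fails and control jumps to `switch_failed`. The function added later in this patch sets XF86_PDEV_PAUSED on each server-fd device, so on that path the devices would stay flagged as paused unless something clears the flag. That would have to be the code under `switch_failed` or a later logind resume message, and neither is visible here. A comment at the call stating which of the two is relied on, or an explicit recovery under `switch_failed`, would settle it. xf86VTLeave starts and ends outside the hunk.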
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
index 13784d15c..bd7a341f0 100644
--- a/hw/xfree86/os-support/linux/systemd-logind.c
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
@@ -302,6 +302,37 @@ cleanup:
dbus_error_free(&error);
}
+/*
+ * Send a message to logind, to pause the drm device
+ * and ensure the drm_drop_master is done before
+ * VT_RELDISP when switching VT
+ */
+void systemd_logind_drop_master(void)
+{
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
+ dbus_int32_t major, minor;
+ struct systemd_logind_info *info = &logind_info;
+
+ xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
+ major = xf86_platform_odev_attributes(i)->major;
+ minor = xf86_platform_odev_attributes(i)->minor;
+ systemd_logind_ack_pause(info, minor, major);
+ }
+ }
+}
+
+static Bool are_platform_devices_resumed(void) {
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
static DBusHandlerResult
message_filter(DBusConnection * connection, DBusMessage * message, void *data)
{
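Review bot: `systemd_logind_ack_pause(info, minor, major)` passes minor before major, the reverse of the `(major, minor)` order used by `systemd_logind_take_fd` and `systemd_logind_release_fd` in the header this patch touches. The definition of `systemd_logind_ack_pause` is outside the hunk, so the order may well match its signature. A comment such as `/* ack_pause takes (minor, major) */` would stop a later reader from swapping the arguments. `are_platform_devices_resumed` has no comment and puts its return type and opening brace on the signature line, unlike `message_filter` just below. A one-line `/* TRUE when no platform device is flagged XF86_PDEV_PAUSED, including when there are none */` would document it.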
@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
/* info->vt_active gets set by systemd_logind_vtenter() */
info->active = TRUE;
- if (pdev)
+ if (pdev) {
pdev->flags &= ~XF86_PDEV_PAUSED;
- else
+ } else
systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
info->vt_active);
-
- /* Always call vtenter(), in case there are only legacy video devs */
- systemd_logind_vtenter();
+ /* Call vtenter if all platform devices are resumed, or if there are no platform device */
+ if (are_platform_devices_resumed())
+ systemd_logind_vtenter();
}
return DBUS_HANDLER_RESULT_HANDLED;
}
diff --git a/include/systemd-logind.h b/include/systemd-logind.h
index a4067d097..5c04d0130 100644
--- a/include/systemd-logind.h
+++ b/include/systemd-logind.h
@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
void systemd_logind_release_fd(int major, int minor, int fd);
int systemd_logind_controls_session(void);
void systemd_logind_vtenter(void);
+void systemd_logind_drop_master(void);
#else
#define systemd_logind_init()
#define systemd_logind_fini()
@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
#define systemd_logind_release_fd(major, minor, fd) close(fd)
#define systemd_logind_controls_session() 0
#define systemd_logind_vtenter()
+#define systemd_logind_drop_master()
#endif
#endif
--
2.33.1


@ -1,27 +0,0 @@
From e4dce2bfaf4a61dd8a8ac099638489d4fdff9024 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 29 May 2018 15:05:10 -0400
Subject: [PATCH] xfree86: Don't autoconfigure vesa or fbdev
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/xfree86/loader/loadmod.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a6356bd..1c1c2b1 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -383,6 +383,9 @@ LoaderListDir(const char *subdir, const char **patternlist)
strcpy(fp, dp->d_name);
if (!(stat(buf, &stat_buf) == 0 && S_ISREG(stat_buf.st_mode)))
continue;
+ if (!strcmp(subdir, "drivers") &&
+ (strstr(dp->d_name, "vesa") || strstr(dp->d_name, "fbdev")))
+ continue;
for (p = patterns; p->pattern; p++) {
if (regexec(&p->rex, dp->d_name, 2, match, 0) == 0 &&
match[1].rm_so != -1) {
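Review bot: The added filter uses `strstr`, so it skips every file in the `drivers` directory whose name contains `vesa` or `fbdev` anywhere, not only the two drivers named in the subject. An exact comparison against the expected module file names would be narrower. The naming scheme is not visible in this hunk, so something like `!strcmp(dp->d_name, "vesa_drv.so")` is an assumption to confirm. The new lines also have no comment; `/* never autoconfigure vesa or fbdev; they must be requested explicitly */` above the test would record the intent. LoaderListDir starts and ends outside the hunk.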
--
2.17.0


@ -0,0 +1,63 @@
From 0d93bbfa2cfacbb73741f8bed0e32fa1a656b928 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Fri, 26 Mar 2021 00:51:02 +0200
Subject: [PATCH xserver] xfree86: Fix potentially NULL reference to platform
device's PCI device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
xf86_platform_devices[i].pdev may be NULL in cases we fail to parse the
busid in config_udev_odev_setup_attribs() (see also [1], [2]) such as
when udev does not give us ID_PATH. This in turn leads to
platform_find_pci_info() being not called and pdev being NULL.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/issues/993
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1076
Reviewed-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
Signed-off-by: Michel Dänzer <michel@daenzer.net>
---
hw/xfree86/common/xf86platformBus.c | 10 ++++++----
hw/xfree86/os-support/linux/lnx_platform.c | 3 +++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index ee2f3f86a..e43ff69af 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -365,10 +365,12 @@ xf86MergeOutputClassOptions(int entityIndex, void **options)
break;
case BUS_PCI:
for (i = 0; i < xf86_num_platform_devices; i++) {
- if (MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev,
- entity->bus.id.pci)) {
- dev = &xf86_platform_devices[i];
- break;
+ if (xf86_platform_devices[i].pdev) {
+ if (MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev,
+ entity->bus.id.pci)) {
+ dev = &xf86_platform_devices[i];
+ break;
+ }
}
}
break;
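Review bot: The NULL check is added as a second nested `if`, which pushes the match body one level deeper for no gain. A single condition reads more directly: `if (xf86_platform_devices[i].pdev && MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev, entity->bus.id.pci)) {`. A short comment such as `/* pdev is NULL when the bus id could not be parsed */` would also explain why the guard exists. The lnx_platform.c hunk of this patch returns FALSE for the same condition without logging, so a PCI BusID that fails to match for this reason leaves no trace. The enclosing switch and function continue outside the hunk.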
diff --git a/hw/xfree86/os-support/linux/lnx_platform.c b/hw/xfree86/os-support/linux/lnx_platform.c
index fe2142182..8a6be97aa 100644
--- a/hw/xfree86/os-support/linux/lnx_platform.c
+++ b/hw/xfree86/os-support/linux/lnx_platform.c
@@ -85,6 +85,9 @@ xf86PlatformDeviceCheckBusID(struct xf86_platform_device *device, const char *bu
bustype = StringToBusType(busid, &id);
if (bustype == BUS_PCI) {
struct pci_device *pPci = device->pdev;
+ if (!pPci)
+ return FALSE;
+
if (xf86ComparePciBusString(busid,
((pPci->domain << 8)
| pPci->bus),
--
2.49.0


@ -1,27 +0,0 @@
From 1070ffa0953e9200688fc8fae11e3ab0680b86f2 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 9 Oct 2018 12:28:48 -0400
Subject: [PATCH xserver] xfree86: LeaveVT from xf86CrtcCloseScreen
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
---
hw/xfree86/modes/xf86Crtc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 37a45bb3af..45d325f4d2 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -776,6 +776,8 @@ xf86CrtcCloseScreen(ScreenPtr screen)
crtc->randr_crtc = NULL;
}
+ scrn->LeaveVT(scrn);
+
screen->CloseScreen = config->CloseScreen;
xf86RotateCloseScreen(screen);
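Review bot: `scrn->LeaveVT(scrn);` is called unconditionally, with no check that the hook is set or that the screen currently owns the VT. If the server is closing while switched away, the driver's LeaveVT would presumably already have run once, and whether drivers tolerate a second call is not visible here. A guard such as `if (scrn->vtSema && scrn->LeaveVT) scrn->LeaveVT(scrn);` would cover this. A comment saying why CloseScreen needs the call would also help, since the commit message gives no reason. xf86CrtcCloseScreen starts and ends outside the hunk.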
--
2.19.0


@ -1,136 +0,0 @@
From ff91c696ff8f5f56da40e107cb5c321539758a81 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Tue, 16 Oct 2018 09:32:13 +0200
Subject: [PATCH xserver] xfree86: Only switch to original VT if it is active.
If the X server is terminated while its VT is not active, it should
not change the current VT.
v2: Query current state in xf86CloseConsole using VT_GETSTATE instead of
keeping track in xf86VTEnter/xf86VTLeave/etc.
---
hw/xfree86/os-support/linux/lnx_init.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c
index 039dc4a4d..358d89f0f 100644
--- a/hw/xfree86/os-support/linux/lnx_init.c
+++ b/hw/xfree86/os-support/linux/lnx_init.c
@@ -272,101 +272,111 @@ xf86OpenConsole(void)
xf86SetConsoleHandler(drain_console, NULL);
}
nTty = tty_attr;
nTty.c_iflag = (IGNPAR | IGNBRK) & (~PARMRK) & (~ISTRIP);
nTty.c_oflag = 0;
nTty.c_cflag = CREAD | CS8;
nTty.c_lflag = 0;
nTty.c_cc[VTIME] = 0;
nTty.c_cc[VMIN] = 1;
cfsetispeed(&nTty, 9600);
cfsetospeed(&nTty, 9600);
tcsetattr(xf86Info.consoleFd, TCSANOW, &nTty);
}
}
else { /* serverGeneration != 1 */
if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch) {
/* now get the VT */
if (!switch_to(xf86Info.vtno, "xf86OpenConsole"))
FatalError("xf86OpenConsole: Switching VT failed\n");
}
}
}
#pragma GCC diagnostic pop
void
xf86CloseConsole(void)
{
struct vt_mode VT;
+ struct vt_stat vts;
int ret;
if (xf86Info.ShareVTs) {
close(xf86Info.consoleFd);
return;
}
/*
* unregister the drain_console handler
* - what to do if someone else changed it in the meantime?
*/
xf86SetConsoleHandler(NULL, NULL);
/* Back to text mode ... */
SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSETMODE, KD_TEXT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: KDSETMODE failed: %s\n",
strerror(errno));
SYSCALL(ioctl(xf86Info.consoleFd, KDSKBMODE, tty_mode));
tcsetattr(xf86Info.consoleFd, TCSANOW, &tty_attr);
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETMODE, &VT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: VT_GETMODE failed: %s\n",
strerror(errno));
else {
/* set dflt vt handling */
VT.mode = VT_AUTO;
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_SETMODE, &VT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: VT_SETMODE failed: %s\n",
strerror(errno));
}
if (xf86Info.autoVTSwitch) {
/*
- * Perform a switch back to the active VT when we were started
- */
+ * Perform a switch back to the active VT when we were started if our
+ * vt is active now.
+ */
if (activeVT >= 0) {
- switch_to(activeVT, "xf86CloseConsole");
+ SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETSTATE, &vts));
+ if (ret < 0) {
+ xf86Msg(X_WARNING, "xf86OpenConsole: VT_GETSTATE failed: %s\n",
+ strerror(errno));
+ } else {
+ if (vts.v_active == xf86Info.vtno) {
+ switch_to(activeVT, "xf86CloseConsole");
+ }
+ }
activeVT = -1;
}
}
close(xf86Info.consoleFd); /* make the vt-manager happy */
}
#define CHECK_FOR_REQUIRED_ARGUMENT() \
if (((i + 1) >= argc) || (!argv[i + 1])) { \
ErrorF("Required argument to %s not specified\n", argv[i]); \
UseMsg(); \
FatalError("Required argument to %s not specified\n", argv[i]); \
}
int
xf86ProcessArgument(int argc, char *argv[], int i)
{
/*
* Keep server from detaching from controlling tty. This is useful
* when debugging (so the server can receive keyboard signals.
*/
if (!strcmp(argv[i], "-keeptty")) {
KeepTty = TRUE;
return 1;
}
if ((argv[i][0] == 'v') && (argv[i][1] == 't')) {
if (sscanf(argv[i], "vt%2d", &xf86Info.vtno) == 0) {
UseMsg();
xf86Info.vtno = -1;
return 0;
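Review bot: The new warning is tagged with the wrong function: `"xf86OpenConsole: VT_GETSTATE failed: %s\n"` is emitted from xf86CloseConsole, while every other message in that function uses the `xf86CloseConsole:` prefix. It should read `xf86Msg(X_WARNING, "xf86CloseConsole: VT_GETSTATE failed: %s\n",` so a log reader is not sent to the wrong code path. The nested `else { if (...) { ... } }` could also be flattened to `else if (vts.v_active == xf86Info.vtno)`. The hunk ends inside xf86ProcessArgument, which is unchanged.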
--
2.18.4


@ -1,34 +0,0 @@
From 71703e4e8bd00719eefad53c2ed6c604079f87ea Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 17 Oct 2018 09:00:59 +1000
Subject: [PATCH xserver] xfree86: ensure the readlink buffer is
null-terminated
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dave Airlie <airlied@redhat.com>
---
hw/xfree86/fbdevhw/fbdevhw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c
index 95089515c..f146ff4a4 100644
--- a/hw/xfree86/fbdevhw/fbdevhw.c
+++ b/hw/xfree86/fbdevhw/fbdevhw.c
@@ -331,12 +331,12 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
/* only touch non-PCI devices on this path */
{
- char buf[PATH_MAX];
+ char buf[PATH_MAX] = {0};
char *sysfs_path = NULL;
char *node = strrchr(dev, '/') + 1;
if (asprintf(&sysfs_path, "/sys/class/graphics/%s", node) < 0 ||
- readlink(sysfs_path, buf, sizeof(buf)) < 0 ||
+ readlink(sysfs_path, buf, sizeof(buf) - 1) < 0 ||
strstr(buf, "devices/pci")) {
free(sysfs_path);
close(fd);
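Review bot: The context line `char *node = strrchr(dev, '/') + 1;` still assumes `dev` contains a slash. If it does not, `strrchr` returns NULL and the `+ 1` is undefined behaviour before the now-terminated `readlink` buffer is ever used. Where `dev` comes from is outside the hunk, so whether a slash-less name can reach this point is not confirmed. A guard such as `const char *slash = strrchr(dev, '/');` followed by `const char *node = slash ? slash + 1 : dev;` would close it. The block and fbdev_open itself continue outside the hunk.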
--
2.19.1


@ -1,190 +0,0 @@
From 326f992a90dae7a747da45626e588fa3c1dfa5dc Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Fri, 21 Sep 2018 14:38:31 -0400
Subject: [PATCH xserver] xfree86: try harder to span on multihead
right now if one of the monitors can't give
its native resolution because of bandwidth limitations,
X decides to avoid spanning and instead clone.
That's suboptimal, spanning is normally the right
thing to do (with the exception of some projector
use cases and other edge cases)
This commit tries harder to make spanning work.
---
hw/xfree86/modes/xf86Crtc.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 37a45bb3a..686cb51b8 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -2132,135 +2132,160 @@ bestModeForAspect(xf86CrtcConfigPtr config, Bool *enabled, float aspect)
if (test->HDisplay != mode->HDisplay ||
test->VDisplay != mode->VDisplay) {
test = NULL;
break;
}
}
/* if we didn't match it on all outputs, try the next one */
if (!test)
continue;
/* if it's bigger than the last one, save it */
if (!match || (test->HDisplay > match->HDisplay))
match = test;
}
/* return the biggest one found */
return match;
}
static int
numEnabledOutputs(xf86CrtcConfigPtr config, Bool *enabled)
{
int i = 0, p;
for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++) ;
return i;
}
+static DisplayModePtr
+findReasonableMode(xf86CrtcConfigPtr config, xf86OutputPtr output, Bool *enabled, int width, int height)
+{
+ DisplayModePtr mode =
+ xf86OutputHasPreferredMode(output, width, height);
+
+ /* if there's no preferred mode, just try to find a reasonable one */
+ if (!mode) {
+ float aspect = 0.0;
+ DisplayModePtr a = NULL, b = NULL;
+
+ if (output->mm_height)
+ aspect = (float) output->mm_width /
+ (float) output->mm_height;
+
+ a = bestModeForAspect(config, enabled, 4.0/3.0);
+ if (aspect)
+ b = bestModeForAspect(config, enabled, aspect);
+
+ mode = biggestMode(a, b);
+ }
+
+ return mode;
+}
+
static Bool
xf86TargetRightOf(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
DisplayModePtr *modes, Bool *enabled,
int width, int height)
{
int o;
int w = 0;
Bool has_tile = FALSE;
uint32_t configured_outputs;
xf86GetOptValBool(config->options, OPTION_PREFER_CLONEMODE,
&scrn->preferClone);
if (scrn->preferClone)
return FALSE;
if (numEnabledOutputs(config, enabled) < 2)
return FALSE;
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[o], width, height);
+ findReasonableMode(config, config->output[o], enabled, width, height);
if (!mode)
return FALSE;
w += mode->HDisplay;
}
if (w > width)
return FALSE;
w = 0;
configured_outputs = 0;
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[o], width, height);
+ findReasonableMode(config, config->output[o], enabled, width, height);
if (configured_outputs & (1 << o))
continue;
if (config->output[o]->tile_info.group_id) {
has_tile = TRUE;
continue;
}
config->output[o]->initial_x = w;
w += mode->HDisplay;
configured_outputs |= (1 << o);
modes[o] = mode;
}
if (has_tile) {
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
int ht, vt, ot;
int add_x, cur_x = w;
struct xf86CrtcTileInfo *tile_info = &config->output[o]->tile_info, *this_tile;
if (configured_outputs & (1 << o))
continue;
if (!tile_info->group_id)
continue;
if (tile_info->tile_h_loc != 0 && tile_info->tile_v_loc != 0)
continue;
for (ht = 0; ht < tile_info->num_h_tile; ht++) {
int cur_y = 0;
add_x = 0;
for (vt = 0; vt < tile_info->num_v_tile; vt++) {
for (ot = -1; nextEnabledOutput(config, enabled, &ot); ) {
-
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[ot], width, height);
+ findReasonableMode(config, config->output[ot], enabled, width, height);
+
if (!config->output[ot]->tile_info.group_id)
continue;
this_tile = &config->output[ot]->tile_info;
if (this_tile->group_id != tile_info->group_id)
continue;
if (this_tile->tile_h_loc != ht ||
this_tile->tile_v_loc != vt)
continue;
config->output[ot]->initial_x = cur_x;
config->output[ot]->initial_y = cur_y;
if (vt == 0)
add_x = this_tile->tile_h_size;
cur_y += this_tile->tile_v_size;
configured_outputs |= (1 << ot);
modes[ot] = mode;
}
}
cur_x += add_x;
}
w = cur_x;
}
}
return TRUE;
}
static Bool
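Review bot: In the tiled-output loop of xf86TargetRightOf, `findReasonableMode()` is called for every enabled output before the `group_id`, tile-group and `tile_h_loc`/`tile_v_loc` filters run, so its result is thrown away on most iterations of the `ht`/`vt` nest. When an output has no preferred mode the helper falls back to up to two `bestModeForAspect()` calls, which makes the discarded work heavier than the `xf86OutputHasPreferredMode()` call it replaces. Moving the lookup to the point of use, `modes[ot] = findReasonableMode(config, config->output[ot], enabled, width, height);`, keeps the behaviour and removes the `mode` local from that loop. The new helper also has no header comment; one line saying that it may return NULL when neither a preferred nor an aspect-matched mode is found would document what the first loop's `if (!mode) return FALSE;` relies on.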
--
2.17.1


@ -0,0 +1,118 @@
From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 4 Oct 2021 14:27:54 -0400
Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes
Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to
prevalidate the size of incoming SetMap requests.
That commit checks for the XkbSetMapResizeTypes flag to be set before
allowing key types data to be processed.
key types data can be changed or even just sent wholesale unchanged
without the number of key types changing, however. The check for
XkbSetMapResizeTypes rejects those legitimate requests. In particular,
XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now
any time XkbKeyTypesMask is in the changed mask.
This commit drops the check for XkbSetMapResizeTypes in flags when
prevalidating the request length.
---
xkb/xkb.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 183d6ffa1..62dee9cb6 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
}
changes->map.first_vmodmap_key = first;
changes->map.num_vmodmap_keys = (last - first) + 1;
}
return (char *) wire;
}
#define _add_check_len(new) \
if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
else len += new
/**
* Check the length of the SetMap request
*/
static int
_XkbSetMapCheckLength(xkbSetMapReq *req)
{
size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
xkbKeyTypeWireDesc *keytype;
xkbSymMapWireDesc *symmap;
BOOL preserve;
int i, map_count, nSyms;
if (req_len < len)
goto bad;
/* types */
if (req->present & XkbKeyTypesMask) {
keytype = (xkbKeyTypeWireDesc *)(req + 1);
for (i = 0; i < req->nTypes; i++) {
_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
- if (req->flags & XkbSetMapResizeTypes) {
- _add_check_len(keytype->nMapEntries
- * sz_xkbKTSetMapEntryWireDesc);
- preserve = keytype->preserve;
- map_count = keytype->nMapEntries;
- if (preserve) {
- _add_check_len(map_count * sz_xkbModsWireDesc);
- }
- keytype += 1;
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
- if (preserve)
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbModsWireDesc *)keytype + map_count);
+ _add_check_len(keytype->nMapEntries
+ * sz_xkbKTSetMapEntryWireDesc);
+ preserve = keytype->preserve;
+ map_count = keytype->nMapEntries;
+ if (preserve) {
+ _add_check_len(map_count * sz_xkbModsWireDesc);
}
+ keytype += 1;
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
+ if (preserve)
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbModsWireDesc *)keytype + map_count);
}
}
/* syms */
if (req->present & XkbKeySymsMask) {
symmap = (xkbSymMapWireDesc *)((char *)req + len);
for (i = 0; i < req->nKeySyms; i++) {
_add_check_len(sz_xkbSymMapWireDesc);
nSyms = symmap->nSyms;
_add_check_len(nSyms*sizeof(CARD32));
symmap += 1;
symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
}
}
/* actions */
if (req->present & XkbKeyActionsMask) {
_add_check_len(req->totalActs * sz_xkbActionWireDesc
+ XkbPaddedSize(req->nKeyActs));
}
/* behaviours */
if (req->present & XkbKeyBehaviorsMask) {
_add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
}
/* vmods */
if (req->present & XkbVirtualModsMask) {
_add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
}
/* explicit */
if (req->present & XkbExplicitComponentsMask) {
/* two bytes per non-zero explicit componen */
_add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
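Review bot: The `_add_check_len` macro at the top of the hunk tests `len > req_len - (new)` on unsigned `size_t` values, so when `new` is larger than `req_len` the subtraction wraps and the test passes instead of jumping to `bad`. With the `XkbSetMapResizeTypes` guard removed, the `keytype->nMapEntries * sz_xkbKTSetMapEntryWireDesc` term is now added for every key type, and a client-chosen `nMapEntries` can be large relative to a short request. Later additions and the final length comparison (outside this hunk) presumably still reject such a request, but the macro does not depend on that when written as `if ((new) > req_len || len > req_len - (new)) goto bad; else len += (new)`. _XkbSetMapCheckLength continues past the end of the hunk.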
--
2.32.0


@ -1,47 +0,0 @@
From 750205e2a8ba90ce532b19a953e8dba221e62648 Mon Sep 17 00:00:00 2001
From: Peter Harris <pharris2@rocketsoftware.com>
Date: Thu, 15 Jan 2026 15:54:09 -0500
Subject: [PATCH xserver 1/6] xkb: fix buffer re-use in _XkbSetCompatMap
If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.
In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.
Set the number of used "compat" entries when re-using previously
allocated space in the buffer.
CVE-2026-33999, ZDI-CAN-28593
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index d5f790338..b002da5bc 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -3003,7 +3003,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
return BadAlloc;
}
}
- else if (req->truncateSI) {
+ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
compat->num_si = req->firstSI + req->nSI;
}
sym = &compat->sym_interpret[req->firstSI];
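Review bot: The widened condition raises `compat->num_si` to `req->firstSI + req->nSI` even when `req->firstSI` lies beyond the old `num_si`, so the entries in between become valid although this request never writes them. After an earlier truncation those slots hold whatever was left in the buffer, and later readers bounded by `num_si` would consume it. No comparison of `firstSI` with `num_si` is visible in the hunk; if none exists earlier in _XkbSetCompatMap, either reject the gap or clear it before the assignment, e.g. `memset(&compat->sym_interpret[compat->num_si], 0, (req->firstSI - compat->num_si) * sizeof(compat->sym_interpret[0]));` guarded by `req->firstSI > compat->num_si`. The function starts and ends outside the hunk.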
--
2.53.0


@ -1,56 +0,0 @@
From de8df5f72f7f1673fc1bb7a9c84ba0e7f1d5e562 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Wed, 24 Jan 2024 17:18:16 +0100
Subject: [PATCH xserver] xkb: fix int size mismatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC reports:
../xkb/xkb.c: In function _XkbSetMapCheckLength:
../xkb/xkb.c:2464:54: warning: format %ld expects argument of type long int, but argument 2 has type size_t {aka unsigned int} [-Wformat=]
2464 | ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
| ~~^
| |
| long int
| %d
2465 | len, req_len);
| ~~~
| |
| size_t {aka unsigned int}
../xkb/xkb.c:2464:62: warning: format %ld expects argument of type long int, but argument 3 has type size_t {aka unsigned int} [-Wformat=]
2464 | ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
| ~~^
| |
| long int
| %d
2465 | len, req_len);
| ~~~~~~~
| |
| size_t {aka unsigned int}
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1257>
(cherry picked from commit bc90c44e60c309564a7feec5d288ecafcbb2a62b)
---
xkb/xkb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b240b6f6c..8d52e25df 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2460,8 +2460,7 @@ _XkbSetMapCheckLength(xkbSetMapReq *req)
if (len == req_len)
return Success;
bad:
- ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
- len, req_len);
+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %zd got %zd\n", len, req_len);
return BadLength;
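Review bot: `len` and `req_len` are `size_t`, which is unsigned, but the new format string uses `%zd`, the conversion for the corresponding signed type; the matching specifier is `%zu`, i.e. `ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %zu got %zu\n", len, req_len);`. Request lengths will not approach the sign bit, so this is about keeping `-Wformat` quiet and the types honest rather than a wrong printout. It assumes the server's `ErrorF` formatter handles `%zu` the same way it handles `%zd`, which is worth confirming before changing it.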
}
--
2.54.0


@ -0,0 +1,30 @@
From a7ba1e9fe41019296a0f3ddff3d681f77e041ad7 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 7 May 2024 18:04:02 +0200
Subject: [PATCH] xquartz: Remove invalid Unicode sequence
This is flagged by the automatic scanning tools.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1673
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1524>
---
hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib b/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
index e56c1adbc..42042a18d 100644
--- a/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
+++ b/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
@@ -438,7 +438,7 @@
<menu key="menu" title="OtherViews" id="380">
<items>
<menuItem title="מהצג" state="on" tag="-1" id="384"/>
- <menuItem title="?256 ‬צבעים" tag="8" id="435"/>
+ <menuItem title="‭‬צבעים" tag="8" id="435"/>
<menuItem title="‏אלפים" tag="15" id="383"/>
<menuItem title="‏מיליונים" tag="24" id="381"/>
</items>
--
2.45.0


@ -1,4 +1,4 @@
From c5ff57676698f19ed3a1402aef58a15552e32d27 Mon Sep 17 00:00:00 2001
From cb260ba95d2bb1ae98b05e289d1b7947ac409230 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:24:00 +1000
Subject: [PATCH xserver 2/7] Xi: return an error from XI property changes if


@ -1,47 +0,0 @@
From 27d924f41a04f37ee8a16ba2419a703174c5026c Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
Date: Wed, 17 Sep 2025 17:25:40 +0300
Subject: [PATCH xserver 02/51] dix: avoid null ptr deref at
doListFontsWithInfo
In the doListFontsWithInfo function in dixfonts.c, when a font alias is
encountered (err == FontNameAlias), the code saves the current state
and allocates memory for c->savedName.
If the malloc(namelen + 1) call fails, c->savedName remains NULL,
but c->haveSaved is still set to TRUE. Later, when a font is
successfully resolved (err == Successful), the code uses c->savedName
without checking if it is NULL, so there is potential null ptr
dereference. XNFalloc will check result of malloc and stop
program execution if allocation was failed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1842
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit dd5c2595a42d3ff0c4f18d9b53d1f6c3fd934fd4)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/dixfonts.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 386c38686..b079dcf67 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -933,9 +933,8 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c)
c->haveSaved = TRUE;
c->savedNumFonts = numFonts;
free(c->savedName);
- c->savedName = malloc(namelen + 1);
- if (c->savedName)
- memmove(c->savedName, name, namelen + 1);
+ c->savedName = XNFalloc(namelen + 1);
+ memcpy(c->savedName, name, namelen + 1);
aliascount = 20;
}
if (namelen > XLFDMAXFONTNAMELEN) {
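Review bot: Replacing `malloc` with `XNFalloc` turns an allocation failure while saving the alias name into termination of the whole server, as the commit message itself states, and this line is reached while serving a client's font-listing request. The NULL dereference is gone, but a single request arriving under memory pressure now ends every other client's session as well. Keeping `c->savedName = malloc(namelen + 1);` and handling `if (!c->savedName)` by failing only this request with an allocation error would contain the damage; the right error path depends on code outside the hunk. doListFontsWithInfo starts and ends outside the hunk.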
--
2.54.0


@ -0,0 +1,49 @@
From 9dc8beff846a127cc8754212fb654e5f66dacff4 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 4 Dec 2024 15:49:43 +1000
Subject: [PATCH xserver 02/13] dix: keep a ref to the rootCursor
CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.
Related to CVE-2025-26594, ZDI-CAN-25544
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/main.c b/dix/main.c
index b228d9c28..f2606d3d6 100644
--- a/dix/main.c
+++ b/dix/main.c
@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
defaultCursorFont);
}
+ rootCursor = RefCursor(rootCursor);
+
#ifdef PANORAMIX
/*
* Consolidate window and colourmap information for each screen
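Review bot: The added `rootCursor = RefCursor(rootCursor);` carries no comment saying why a second reference is taken, and the matching `UnrefCursor(rootCursor);` in the next hunk sits far away, after `Dispatch()`. A one-line comment at the ref, `/* the initial ref belongs to the resource system; hold our own for the rootCursor global */`, and `/* drop the ref taken before Dispatch() */` at the unref would keep the pair from drifting apart in later edits. After the unref the global still holds the pointer value, so any teardown code that reads `rootCursor` depends on the resource system's reference being alive at that point; that ordering is not visible here. dix_main's body extends beyond both hunks.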
@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
Dispatch();
+ UnrefCursor(rootCursor);
+
UndisplayDevices();
DisableAllDevices();
--
2.48.1


@ -1,71 +0,0 @@
From 513d92540e8edba52a08f53c461e4e366bb8b385 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:17:08 +1000
Subject: [PATCH xserver 2/9] sync: restart trigger list iteration in
SyncChangeCounter after TriggerFired
This is the equivalent check to miSyncTriggerFence() from
commit f19ab94ba9c8 ("miext/sync: Fix use-after-free in miSyncTriggerFence()")
When a trigger fires via SyncAwaitTriggerFired, the resulting
FreeResource/FreeAwait call invokes SyncDeleteTriggerFromSyncObject for
every trigger in the same Await group. This unlinks and frees the
corresponding trigger list nodes - potentially including the node pnext
points to.
Fix by restarting iteration from the list head after a trigger fires, since
TriggerFired may have arbitrarily mutated the list. Triggers that have fired
are removed from the list by FreeAwait, so restarting cannot cause infinite
loops.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30164
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bdd7bf57af208b1ddf57d4683d67104443b44812)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/sync.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 0079e85ed..69a28ec14 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -718,8 +718,29 @@ SyncChangeCounter(SyncCounter * pCounter, int64_t newval)
/* run through triggers to see if any become true */
for (ptl = pCounter->sync.pTriglist; ptl; ptl = pnext) {
pnext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, oldval))
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, oldval)) {
(*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ /* TriggerFired may have called SyncDeleteTriggerFromSyncObject
+ * for sibling triggers in the same Await group, freeing their
+ * trigger list nodes - potentially including pnext. Verify
+ * pnext is still on the counter's trigger list; if not,
+ * restart from the list head.
+ *
+ * Unlike miSyncTriggerFence() we cannot use a do/while
+ * restart loop here: counter trigger lists may contain alarm
+ * triggers which are not removed after firing and would cause
+ * an infinite loop when delta is 0.
+ */
+ if (pnext) {
+ SyncTriggerList *tmp;
+ for (tmp = pCounter->sync.pTriglist; tmp; tmp = tmp->next) {
+ if (tmp == pnext)
+ break;
+ }
+ if (!tmp)
+ pnext = pCounter->sync.pTriglist;
+ }
+ }
}
if (IsSystemCounter(pCounter)) {
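Review bot: When `pnext` is no longer on the list the loop restarts from `pCounter->sync.pTriglist`, which re-runs `CheckTrigger` with the same `oldval` on every entry already visited in this pass. The new comment says alarm triggers stay on the list after firing, so an alarm that fired earlier in the pass could fire a second time after a restart; whether `CheckTrigger` turns false for it once fired is not visible here. The membership test also compares against the value of a pointer whose node may already have been freed, and it would match a different node if that address were reused during `TriggerFired`. Recording both assumptions next to the check, for example `/* restart re-checks earlier entries; a fired alarm must not re-trigger for the same oldval */`, would make them reviewable. SyncChangeCounter starts and ends outside the hunk.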
--
2.54.0


@ -0,0 +1,153 @@
From c2eb1e2eac99ef0b8e6cf47ab0a94371cf47e939 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 23 Jul 2019 11:54:15 -0400
Subject: [PATCH xserver 02/11] xfree86: Link fb statically
There's no real benefit to leaving this loadable, virtually every driver
is going to load it.
Reviewed-by: Jon Turney <jon.turney@dronecode.org.uk>
(cherry picked from commit c1703cdf3b0d6663fcac68598eefe324ae4e1e71)
---
hw/xfree86/Makefile.am | 1 +
hw/xfree86/dixmods/Makefile.am | 8 +-------
hw/xfree86/dixmods/meson.build | 14 --------------
hw/xfree86/drivers/modesetting/meson.build | 1 -
hw/xfree86/loader/loadmod.c | 1 +
hw/xfree86/meson.build | 1 +
hw/xfree86/sdksyms.sh | 6 +++---
test/Makefile.am | 1 +
8 files changed, 8 insertions(+), 25 deletions(-)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index 9aeaea1a6..1d494cd0f 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -75,6 +75,7 @@ LOCAL_LIBS = \
$(DRI2_LIB) \
$(DRI3_LIB) \
$(GLXVND_LIB) \
+ $(top_builddir)/fb/libfb.la \
$(top_builddir)/miext/sync/libsync.la \
$(top_builddir)/mi/libmi.la \
$(top_builddir)/os/libos.la \
diff --git a/hw/xfree86/dixmods/Makefile.am b/hw/xfree86/dixmods/Makefile.am
index 856659f98..a1f97056a 100644
--- a/hw/xfree86/dixmods/Makefile.am
+++ b/hw/xfree86/dixmods/Makefile.am
@@ -4,8 +4,7 @@ if GLX
GLXMODS = libglx.la
endif
-module_LTLIBRARIES = libfb.la \
- libwfb.la \
+module_LTLIBRARIES = libwfb.la \
libshadow.la
extsmoduledir = $(moduledir)/extensions
@@ -17,11 +16,6 @@ AM_CPPFLAGS = @XORG_INCS@ \
-I$(top_srcdir)/miext/shadow \
-I$(top_srcdir)/glx
-libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
-libfb_la_LIBADD = $(top_builddir)/fb/libfb.la
-libfb_la_SOURCES = fbmodule.c
-libfb_la_CFLAGS = $(AM_CFLAGS)
-
libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
libwfb_la_LIBADD = $(top_builddir)/fb/libwfb.la
libwfb_la_SOURCES = fbmodule.c
diff --git a/hw/xfree86/dixmods/meson.build b/hw/xfree86/dixmods/meson.build
index 0562b630f..e4ac02228 100644
--- a/hw/xfree86/dixmods/meson.build
+++ b/hw/xfree86/dixmods/meson.build
@@ -1,17 +1,3 @@
-fb = shared_module(
- 'fb',
- 'fbmodule.c',
-
- include_directories: [inc, xorg_inc],
- c_args: xorg_c_args,
- dependencies: common_dep,
- link_whole: libxserver_fb,
- link_with: e,
-
- install: true,
- install_dir: module_dir,
-)
-
shared_module(
'wfb',
'fbmodule.c',
diff --git a/hw/xfree86/drivers/modesetting/meson.build b/hw/xfree86/drivers/modesetting/meson.build
index 5e13f1a53..02852a716 100644
--- a/hw/xfree86/drivers/modesetting/meson.build
+++ b/hw/xfree86/drivers/modesetting/meson.build
@@ -30,7 +30,6 @@ shared_module(
xorg_build_root = join_paths(meson.build_root(), 'hw', 'xfree86')
symbol_test_args = []
symbol_test_args += join_paths(xorg_build_root, 'libxorgserver.so')
-symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libfb.so')
symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libshadow.so')
if gbm_dep.found()
symbol_test_args += join_paths(xorg_build_root, 'glamor_egl', 'libglamoregl.so')
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a6356bd8f..f0983b2f8 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -621,6 +621,7 @@ DuplicateModule(ModuleDescPtr mod, ModuleDescPtr parent)
static const char *compiled_in_modules[] = {
"ddc",
+ "fb",
"i2c",
"ramdac",
"dbe",
diff --git a/hw/xfree86/meson.build b/hw/xfree86/meson.build
index cacf56d4c..c80964ea4 100644
--- a/hw/xfree86/meson.build
+++ b/hw/xfree86/meson.build
@@ -61,6 +61,7 @@ xorg_link = [
xorg_os_support,
xorg_parser,
xorg_ramdac,
+ libxserver_fb,
libxserver_xext_vidmode,
libxserver_main,
libxserver_config,
diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh
index 7897aae22..2ebc4c019 100755
--- a/hw/xfree86/sdksyms.sh
+++ b/hw/xfree86/sdksyms.sh
@@ -21,13 +21,13 @@ cat > sdksyms.c << EOF
#include "picturestr.h"
-/* fb/Makefile.am -- module */
-/*
+/* fb/Makefile.am */
#include "fb.h"
#include "fbrop.h"
#include "fboverlay.h"
-#include "wfbrename.h"
#include "fbpict.h"
+/* wfb is still a module
+#include "wfbrename.h"
*/
diff --git a/test/Makefile.am b/test/Makefile.am
index 12ac327a3..ce07c3551 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -146,6 +146,7 @@ tests_LDADD += \
$(top_builddir)/hw/xfree86/i2c/libi2c.la \
$(top_builddir)/hw/xfree86/xkb/libxorgxkb.la \
$(top_builddir)/Xext/libXvidmode.la \
+ $(top_builddir)/fb/libfb.la \
$(XSERVER_LIBS) \
$(XORG_LIBS)
--
2.33.1


@ -1,70 +0,0 @@
From 229b7ab7ee48cf9640d635d7db7e32ce00fcb8be Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 16:03:11 +0100
Subject: [PATCH xserver 2/6] xkb: Fix bounds check in _CheckSetGeom()
As reported by valgrind:
== Conditional jump or move depends on uninitialised value(s)
== at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585)
== by 0x5AC7D5: _CheckSetGeom (xkb.c:5607)
== by 0x5AC952: _XkbSetGeometry (xkb.c:5643)
== by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684)
== by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E13B0: AllocateInputBuffer (io.c:981)
== by 0x5E05CD: InsertFakeRequest (io.c:516)
== by 0x4AA860: NextAvailableClient (dispatch.c:3629)
== by 0x5DE0D7: AllocNewConnection (connection.c:628)
== by 0x5DE2C6: EstablishNewConnections (connection.c:692)
== by 0x5DE600: HandleNotifyFd (connection.c:809)
== by 0x5E2598: ospoll_wait (ospoll.c:660)
== by 0x5DA00C: WaitForSomething (WaitFor.c:208)
== by 0x4A26E5: Dispatch (dispatch.c:493)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
Each key alias entry contains two key names (the alias and the real key
name), each of size XkbKeyNameLength.
The current bounds check only validates the first name, allowing
XkbAddGeomKeyAlias to potentially read uninitialized memory when
accessing the second name at &wire[XkbKeyNameLength].
To fix this, change the value to check to use 2 * XkbKeyNameLength to
validate the bounds.
CVE-2026-34000, ZDI-CAN-28679
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81b6a34f90b28c32ad499a78a4f391b7c06daea2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b002da5bc..9cd2afdb8 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5602,7 +5602,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
}
for (i = 0; i < req->nKeyAliases; i++) {
- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))
return BadLength;
if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
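Review bot: The bound `wire + 2 * XkbKeyNameLength` encodes the entry layout as a bare multiplier, while the next line reads the second name through `&wire[XkbKeyNameLength]`, and nothing in the code ties the two together. A comment above the check, `/* each alias entry carries two key names of XkbKeyNameLength bytes */`, would state the layout the bounds check depends on. The step that advances `wire` lies outside the hunk and should move by the same `2 * XkbKeyNameLength`; that is worth confirming alongside this change.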
--
2.53.0


@ -1,4 +1,4 @@
From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001
From a16f2b9693d248b81703821fd22fba8b5ba83e1a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:26:57 +1000
Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of


@ -1,103 +0,0 @@
From f6638d751790ee3f5ca672a9db303bbf5b66d020 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 16:23:23 +0100
Subject: [PATCH xserver 3/6] miext/sync: Fix use-after-free in
miSyncTriggerFence()
As reported by valgrind:
== Invalid read of size 8
== at 0x568C14: miSyncTriggerFence (misync.c:140)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
== at 0x4843E43: free (vg_replace_malloc.c:990)
== by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
== by 0x53F14D: FreeAwait (sync.c:1208)
== by 0x4DFB06: doFreeResource (resource.c:888)
== by 0x4DFC59: FreeResource (resource.c:918)
== by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
== by 0x568C52: miSyncTriggerFence (misync.c:142)
== by 0x540688: ProcSyncTriggerFence (sync.c:1957)
== by 0x540CCC: ProcSyncDispatch (sync.c:2152)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
== Block was alloc'd at
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x5E50E1: XNFalloc (utils.c:1129)
== by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
== by 0x53DCA8: SyncInitTrigger (sync.c:414)
== by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
== by 0x540D04: ProcSyncDispatch (sync.c:2160)
== by 0x4A28C5: Dispatch (dispatch.c:553)
== by 0x4B0B24: dix_main (main.c:274)
== by 0x42915E: main (stubmain.c:34)
When walking the list of fences to trigger, miSyncTriggerFence() may
call TriggerFence() for the current trigger, which end up calling the
function SyncAwaitTriggerFired().
SyncAwaitTriggerFired() frees the entire await resource, which removes
all triggers from that await - including pNext which may be another
trigger from the same await attached to the same fence.
On the next iteration, ptl = pNext points to freed memory...
To avoid the issue, we need to restart the iteration from the beginning
of the list each time a trigger fires, since the callback can modify the
list.
CVE-2026-34001, ZDI-CAN-28706
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f19ab94ba9c891d801231654267556dc7f32b5e0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
miext/sync/misync.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/miext/sync/misync.c b/miext/sync/misync.c
index 0931803f6..9a6fbbd4a 100644
--- a/miext/sync/misync.c
+++ b/miext/sync/misync.c
@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
void
miSyncTriggerFence(SyncFence * pFence)
{
- SyncTriggerList *ptl, *pNext;
+ SyncTriggerList *ptl;
+ Bool triggered;
pFence->funcs.SetTriggered(pFence);
/* run through triggers to see if any fired */
- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
- pNext = ptl->next;
- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
- }
+ do {
+ triggered = FALSE;
+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+ triggered = TRUE;
+ break;
+ }
+ }
+ } while (triggered);
}
SyncScreenFuncsPtr
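Review bot: The new `do { ... } while (triggered);` loop in miSyncTriggerFence terminates only if every trigger that fires is either removed from `pFence->sync.pTriglist` or stops satisfying `CheckTrigger`; a trigger that stays on the list and keeps testing true would spin the server indefinitely. The commit message explains that `SyncAwaitTriggerFired()` frees the await and its triggers, but the code itself carries no note of that dependency. Adding `/* relies on TriggerFired removing the fired trigger from the list; otherwise this loop never ends */` above the `do` would record the invariant for anyone who later attaches another trigger type to fences.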
--
2.53.0


@ -1,49 +0,0 @@
From 5e657943933a79166d2020ee978abd8afa5fccfe Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 20 Sep 2025 16:35:46 -0700
Subject: [PATCH xserver 03/51] panoramix: avoid null dereference in
PanoramiXMaybeAddDepth()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
Error: GCC_ANALYZER_WARNING (CWE-476): [#def4]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:748:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL PanoramiXDepths
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:802:1: enter_function: entry to PanoramiXConsolidate
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:813:17: branch_true: following true branch...
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: branch_true: ...to here
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:814:9: call_function: calling PanoramiXMaybeAddDepth from PanoramiXConsolidate
746| PanoramiXDepths = reallocarray(PanoramiXDepths,
747| PanoramiXNumDepths, sizeof(DepthRec));
748|-> PanoramiXDepths[j].depth = pDepth->depth;
749| PanoramiXDepths[j].numVids = 0;
750| PanoramiXDepths[j].vids = NULL;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 537b56cccaf1759f9beef9396463b1f412614003)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/panoramiX.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index bd9c45b03..00585e3f6 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -747,8 +747,8 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth)
j = PanoramiXNumDepths;
PanoramiXNumDepths++;
- PanoramiXDepths = reallocarray(PanoramiXDepths,
- PanoramiXNumDepths, sizeof(DepthRec));
+ PanoramiXDepths = XNFreallocarray(PanoramiXDepths,
+ PanoramiXNumDepths, sizeof(DepthRec));
PanoramiXDepths[j].depth = pDepth->depth;
PanoramiXDepths[j].numVids = 0;
PanoramiXDepths[j].vids = NULL;
--
2.54.0


@ -0,0 +1,63 @@
From c0e295af1adca6a0258bb405c535fe04969cc178 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 14:41:45 +0100
Subject: [PATCH xserver 03/13] xkb: Fix buffer overflow in XkbVModMaskText()
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.
There's actually two issues in the code that can lead to a buffer
overflow.
First, the bound check mixes pointers and integers using misplaced
parenthesis, defeating the bound check.
But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.
Change the logic to skip the copy entirely if the bound check fails.
CVE-2025-26595, ZDI-CAN-25545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/xkbtext.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index d2a2567fc..002626450 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb,
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
if (format == XkbCFile)
len += 4;
- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
- if (str != buf) {
- if (format == XkbCFile)
- *str++ = '|';
- else
- *str++ = '+';
- len--;
- }
+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
+ continue; /* Skip */
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+ else
+ *str++ = '+';
+ len--;
}
if (format == XkbCFile)
sprintf(str, "%sMask", tmp);
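Review bot: The `sprintf(str, "%sMask", tmp)` on the last line of this hunk is still unbounded, so the write stays safe only while the `len` arithmetic above matches exactly what is written (separator, name, the 4-byte `Mask` suffix and the NUL). Passing the remaining space would make the write self-limiting, for example `snprintf(str, VMOD_BUFFER_SIZE - (str - buf), "%sMask", tmp);`, assuming `buf` is declared with VMOD_BUFFER_SIZE bytes, which the hunk does not show. The new `continue; /* Skip */` also drops a modifier name from the output without any signal to the caller; a comment such as `/* name does not fit: omit it rather than overflow buf */` would record that the truncation is intentional. The enclosing loop and function start and end outside the hunk.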
--
2.48.1


@ -1,50 +0,0 @@
From 7841780e7b1d0e0f5f9bb98691eaffece19d06e1 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:17:41 +1000
Subject: [PATCH xserver 3/9] xkb: reject key types with num_levels exceeding
XkbMaxShiftLevel
CheckKeyTypes validates incoming key type definitions from XkbSetMap
requests but does not enforce an upper bound on numLevels. A client can set
numLevels up to 255 on a non-canonical key type, which is stored in the
server's type table.
When ChangeKeyboardMapping later triggers XkbUpdateKeyTypesFromCore, the
function XkbKeyTypesForCoreSymbols computes groupsWidth from num_levels and
uses the XKB_OFFSET(g, l) = (g * groupsWidth) + l macro to index into
tsyms[], a stack-allocated buffer of XkbMaxSymsPerKey (252) entries. With
num_levels=255, groupsWidth=255, and indices reach up to 3*255+254 = 1019,
overflowing the 252-element stack buffer by 767 KeySym-sized entries.
Fix by rejecting numLevels values greater than XkbMaxShiftLevel (63) in
CheckKeyTypes, alongside the existing lower-bound check for numLevels < 1.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30160
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 543e108516428fc8c3bea91d6563ad266f9a801e)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 2139da7ee..f190be5eb 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1644,7 +1644,7 @@ CheckKeyTypes(ClientPtr client,
}
n = i + req->firstType;
width = wire->numLevels;
- if (width < 1) {
+ if (width < 1 || width > XkbMaxShiftLevel) {
*nMapsRtrn = _XkbErrCode3(0x04, n, width);
return 0;
}
--
2.54.0


@ -1,4 +1,4 @@
From 0dab0b527ac5c4fe0272ea679522bd87238a733b Mon Sep 17 00:00:00 2001
From be6bcbfa3f388ca0705db8baf10fa5c2d29b7d36 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:55:32 +1000
Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255
@ -27,14 +27,14 @@ Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
Xi/xipassivegrab.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
Xi/xipassivegrab.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 65d5870f6f..89a591098a 100644
index 2769fb7c94..c9ac2f8553 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
return BadValue;
}
@ -47,7 +47,24 @@ index 65d5870f6f..89a591098a 100644
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
stuff->mask_len * 4) != Success)
return BadValue;
@@ -313,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
&param, XI2, &mask);
break;
case XIGrabtypeKeycode:
- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
- * implement this. Just return an error for all keycodes that
- * cannot work anyway */
- if (stuff->detail > 255)
- status = XIAlreadyGrabbed;
- else
- status = GrabKey(client, dev, mod_dev, stuff->detail,
- &param, XI2, &mask);
+ status = GrabKey(client, dev, mod_dev, stuff->detail,
+ &param, XI2, &mask);
break;
case XIGrabtypeEnter:
case XIGrabtypeFocusIn:
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
return BadValue;
}


@ -0,0 +1,42 @@
From e763a4fa114ba6c0abddf2b43a7297b8b9054855 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 13:29:22 -0400
Subject: [PATCH xserver 04/11] loader: Move LoaderSymbolFromModule() to public
API
Bare LoaderSymbol() isn't really a great API, this is more of a direct
map to dlsym like you want.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit 8760fab0a15805bdd12bb8f12bb1c665fde86cc2)
---
hw/xfree86/common/xf86Module.h | 1 +
hw/xfree86/loader/loader.h | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/common/xf86Module.h b/hw/xfree86/common/xf86Module.h
index 00aa84ae2..fab8842c4 100644
--- a/hw/xfree86/common/xf86Module.h
+++ b/hw/xfree86/common/xf86Module.h
@@ -156,6 +156,7 @@ extern _X_EXPORT void *LoadSubModule(void *, const char *, const char **,
extern _X_EXPORT void UnloadSubModule(void *);
extern _X_EXPORT void UnloadModule(void *);
extern _X_EXPORT void *LoaderSymbol(const char *);
+extern _X_EXPORT void *LoaderSymbolFromModule(void *, const char *);
extern _X_EXPORT void LoaderErrorMsg(const char *, const char *, int, int);
extern _X_EXPORT Bool LoaderShouldIgnoreABI(void);
extern _X_EXPORT int LoaderGetABIVersion(const char *abiclass);
diff --git a/hw/xfree86/loader/loader.h b/hw/xfree86/loader/loader.h
index 5a2fe6c60..4e83730a2 100644
--- a/hw/xfree86/loader/loader.h
+++ b/hw/xfree86/loader/loader.h
@@ -72,6 +72,5 @@ extern unsigned long LoaderOptions;
/* Internal Functions */
void *LoaderOpen(const char *, int *);
-void *LoaderSymbolFromModule(void *, const char *);
#endif /* _LOADER_H */
--
2.33.1


@ -1,71 +0,0 @@
From bd7f4a48a5187dd32d3a0791a407432933af0c1d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 20 Sep 2025 16:45:59 -0700
Subject: [PATCH xserver 04/51] panoramix: avoid null dereference in
PanoramiXConsolidate()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
Error: GCC_ANALYZER_WARNING (CWE-476): [#def5]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL root
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:819:12: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:820:5: danger: root could be NULL: unchecked value from (1)
818|
819| root = malloc(sizeof(PanoramiXRes));
820|-> root->type = XRT_WINDOW;
821| defmap = malloc(sizeof(PanoramiXRes));
822| defmap->type = XRT_COLORMAP;
Error: GCC_ANALYZER_WARNING (CWE-476): [#def6]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL defmap
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:821:14: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:822:5: danger: defmap could be NULL: unchecked value from (1)
820| root->type = XRT_WINDOW;
821| defmap = malloc(sizeof(PanoramiXRes));
822|-> defmap->type = XRT_COLORMAP;
823| saver = malloc(sizeof(PanoramiXRes));
824| saver->type = XRT_WINDOW;
Error: GCC_ANALYZER_WARNING (CWE-476): [#def7]
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL saver
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:823:13: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/panoramiX.c:824:5: danger: saver could be NULL: unchecked value from (1)
822| defmap->type = XRT_COLORMAP;
823| saver = malloc(sizeof(PanoramiXRes));
824|-> saver->type = XRT_WINDOW;
825|
826| FOR_NSCREENS(i) {
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23c103d41f35cc030b0c0e973f7f3bcb8d9902a0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/panoramiX.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 00585e3f6..2029b353d 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -820,11 +820,11 @@ PanoramiXConsolidate(void)
for (i = 0; i < pScreen->numVisuals; i++)
PanoramiXMaybeAddVisual(pVisual++);
- root = malloc(sizeof(PanoramiXRes));
+ root = XNFcallocarray(1, sizeof(PanoramiXRes));
root->type = XRT_WINDOW;
- defmap = malloc(sizeof(PanoramiXRes));
+ defmap = XNFcallocarray(1, sizeof(PanoramiXRes));
defmap->type = XRT_COLORMAP;
- saver = malloc(sizeof(PanoramiXRes));
+ saver = XNFcallocarray(1, sizeof(PanoramiXRes));
saver->type = XRT_WINDOW;
FOR_NSCREENS(i) {
--
2.54.0


@ -0,0 +1,47 @@
From ddf9500846982402250114803b28180036a54cac Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 11:49:34 +0100
Subject: [PATCH xserver 04/13] xkb: Fix computation of XkbSizeKeySyms
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.
Fix the calculation in XkbSizeKeySyms() to match what XkbWriteKeySyms()
does.
CVE-2025-26596, ZDI-CAN-25543
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/xkb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 68c59df02..175a81bf7 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
symMap = &xkb->map->key_sym_map[rep->firstKeySym];
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
- if (symMap->offset != 0) {
- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
- nSyms += nSymsThisKey;
- }
+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+ if (nSymsThisKey == 0)
+ continue;
+ nSyms += nSymsThisKey;
}
len += nSyms * 4;
rep->totalSyms = nSyms;
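Review bot: The per-key count computed in this loop has to stay identical to what XkbWriteKeySyms() emits, yet nothing in the code says so; the commit message is the only place that records the coupling. A comment above the loop such as `/* must count exactly the syms XkbWriteKeySyms() writes, or the reply buffer is undersized */` would protect it from the next edit, and a shared helper for `XkbNumGroups(symMap->group_info) * symMap->width` used by both functions would remove the duplication (XkbWriteKeySyms is not visible here, so this needs checking against it). As a style point, the `if (nSymsThisKey == 0) continue;` has no effect on the sum and could be dropped unless it is kept deliberately to mirror the writer. The function body continues outside the hunk.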
--
2.48.1


@ -1,91 +0,0 @@
From 5842fd1fcce48ec98bdcce75b804210584ea35e2 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Feb 2026 17:02:09 +0100
Subject: [PATCH xserver 4/6] xkb: Fix out-of-bounds read in CheckModifierMap()
As reported by valgrind:
== Conditional jump or move depends on uninitialised value(s)
== at 0x547E5B: CheckModifierMap (xkb.c:1972)
== by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
== by 0x54A845: ProcXkbSetMap (xkb.c:2741)
== by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
== by 0x454A8C: Dispatch (dispatch.c:553)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
== Uninitialised value was created by a heap allocation
== at 0x4840B26: malloc (vg_replace_malloc.c:447)
== by 0x592D5A: AllocateInputBuffer (io.c:981)
== by 0x591F77: InsertFakeRequest (io.c:516)
== by 0x45CA27: NextAvailableClient (dispatch.c:3629)
== by 0x58FA81: AllocNewConnection (connection.c:628)
== by 0x58FC70: EstablishNewConnections (connection.c:692)
== by 0x58FFAA: HandleNotifyFd (connection.c:809)
== by 0x593F42: ospoll_wait (ospoll.c:660)
== by 0x58B9B6: WaitForSomething (WaitFor.c:208)
== by 0x4548AC: Dispatch (dispatch.c:493)
== by 0x462CEB: dix_main (main.c:274)
== by 0x405EA7: main (stubmain.c:34)
The issue is that the loop in CheckModifierMap() reads from wire without
verifying that the data is within the request bounds.
The req->totalModMapKeys value could exceed the actual data provided,
causing reads of uninitialized memory.
To fix that issue, we add a bounds check using _XkbCheckRequestBounds,
but for that, we need to also pass a ClientPtr parameter, which is not
a problem since CheckModifierMap() is a private, static function.
CVE-2026-34002, ZDI-CAN-28737
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f056ce1cc96ed9261052c31524162c78e458f98c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 9cd2afdb8..f47ffbc5d 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
static int
-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
- int *errRtrn)
+CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
+ CARD8 **wireRtrn, int *errRtrn)
{
register CARD8 *wire = *wireRtrn;
CARD8 *start;
@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
}
start = wire;
for (i = 0; i < req->totalModMapKeys; i++, wire += 2) {
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errRtrn = _XkbErrCode4(0x63, first, last, wire[0]);
return 0;
@@ -2567,7 +2571,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
return BadValue;
}
if ((req->present & XkbModifierMapMask) &&
- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
2.53.0


@ -1,53 +0,0 @@
From 50b6eeda460f0badea82f689442461fea7f7af2a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:18:13 +1000
Subject: [PATCH xserver 4/9] xkb: clamp nMaps to mapWidths buffer size in
CheckKeyTypes
CheckKeyTypes computes nMaps = firstType + nTypes from client-controlled
request fields when XkbSetMapResizeTypes is set. This value is used to
index mapWidths[], a stack-allocated CARD8 array of XkbMaxLegalKeyCode + 1
(256) elements. No upper bound is enforced on nMaps.
An attacker can first send SetMap(firstType=0, nTypes=255, ResizeTypes) to
set the server's num_types to 255, then send SetMap(firstType=255,
nTypes=10, ResizeTypes). The firstType > num_types check passes because
255 > 255 is false (the check uses > rather than >=). nMaps is then
computed as 265, and the loop writes mapWidths[255..264], overflowing 9
bytes past the stack buffer into adjacent stack variables (symsPerKey[]).
Fix by rejecting requests where firstType + nTypes would exceed the
mapWidths buffer size (XkbMaxLegalKeyCode + 1).
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30161
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 867b59b33bee669cb412f1314e47c52eacf6e00b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
xkb/xkb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f190be5eb..f92ba9c3d 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1617,6 +1617,11 @@ CheckKeyTypes(ClientPtr client,
*nMapsRtrn = _XkbErrCode4(0x02, req->firstType, req->nTypes, 4);
return 0;
}
+ if (nMaps > XkbMaxLegalKeyCode + 1) {
+ *nMapsRtrn = _XkbErrCode4(0x02, req->firstType, req->nTypes,
+ XkbMaxLegalKeyCode + 1);
+ return 0;
+ }
}
else if (req->present & XkbKeyTypesMask) {
nMaps = xkb->map->num_types;
--
2.54.0


@ -1,4 +1,4 @@
From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
From 6b59bdddf30dde413c4e0391cf84f3b94d4b4e31 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when


@ -1,43 +0,0 @@
From 70c8842c14764e0cfb343cbe4c29acfedb4b0bc3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 12:18:49 -0700
Subject: [PATCH xserver 05/51] Xext/shm: avoid null dereference in
ShmInitScreenPriv()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:213:23: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/shm.c:214:9: danger: screen_priv could be NULL: unchecked value from [(19)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/18)
# 212| if (!screen_priv) {
# 213| screen_priv = calloc(1, sizeof(ShmScrPrivateRec));
# 214|-> screen_priv->CloseScreen = pScreen->CloseScreen;
# 215| dixSetPrivate(&pScreen->devPrivates, shmScrPrivateKey, screen_priv);
# 216| pScreen->CloseScreen = ShmCloseScreen;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 87e53afd9c7f52a8fa3d1fed22db5380742cc7b7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/shm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/shm.c b/Xext/shm.c
index 24c6b1087..2b23a15fe 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -210,7 +210,7 @@ ShmInitScreenPriv(ScreenPtr pScreen)
ShmScrPrivateRec *screen_priv = ShmGetScreenPriv(pScreen);
if (!screen_priv) {
- screen_priv = calloc(1, sizeof(ShmScrPrivateRec));
+ screen_priv = XNFcallocarray(1, sizeof(ShmScrPrivateRec));
screen_priv->CloseScreen = pScreen->CloseScreen;
dixSetPrivate(&pScreen->devPrivates, shmScrPrivateKey, screen_priv);
pScreen->CloseScreen = ShmCloseScreen;
--
2.54.0


@ -1,154 +0,0 @@
From f7f8b663c7d19cfbd29c8ea16ca6475d6a5f0af0 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:18:48 +1000
Subject: [PATCH xserver 5/9] glx: fix reversed length check in
ChangeDrawableAttributes
The request length validation in __glXDisp_ChangeDrawableAttributes and
__glXDispSwap_ChangeDrawableAttributes uses the wrong comparison direction.
The check tests whether the computed request size is LESS THAN
client->req_len, but should test whether it is GREATER THAN. With the
reversed operator, an undersized request (where numAttribs claims more
attribute pairs than the request actually contains) passes validation.
DoChangeDrawableAttributes then iterates numAttribs attribute pairs starting
from the end of the request header, reading past the actual request data
into adjacent memory. This is an out-of-bounds read that can also cause
an out-of-bounds write when a GLX_EVENT_MASK attribute key is found in the
overread data and its corresponding value is written to pGlxDraw->eventMask.
This patch effectively reverts commit 402b329c3aa8 ("glx: Work around
wrong request lengths sent by mesa"). This was fixed in mesa commit
4324d6fdfbba1 in 2011 (mesa 7.11).
Fixes: 402b329c3aa8 ("glx: Work around wrong request lengths sent by mesa")
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30165
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 6d459e4daf715bea8abdafa8fb130be2f8a1d145)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
glx/glxcmds.c | 21 +++++----------------
glx/glxcmdsswap.c | 12 +++++-------
2 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 75e42823c..758308432 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1122,8 +1122,7 @@ __glXDisp_GetFBConfigsSGIX(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc;
- /* work around mesa bug, don't use REQUEST_SIZE_MATCH */
- REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
return DoGetFBConfigs(cl, req->screen);
}
@@ -1344,9 +1343,7 @@ __glXDisp_DestroyPixmap(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc;
- /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set
- * length to 3 instead of 2 */
- REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq);
return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP);
}
@@ -1495,14 +1492,8 @@ __glXDisp_ChangeDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
client->errorValue = req->numAttribs;
return BadValue;
}
-#if 0
- /* mesa sends an additional 8 bytes */
+
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
-#else
- if (((sizeof(xGLXChangeDrawableAttributesReq) +
- (req->numAttribs << 3)) >> 2) < client->req_len)
- return BadLength;
-#endif
return DoChangeDrawableAttributes(cl->client, req->drawable,
req->numAttribs, (CARD32 *) (req + 1));
@@ -1569,8 +1560,7 @@ __glXDisp_DestroyWindow(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc;
- /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */
- REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW);
}
@@ -1923,8 +1913,7 @@ __glXDisp_GetDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
ClientPtr client = cl->client;
xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *) pc;
- /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */
- REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
return DoGetDrawableAttributes(cl, req->drawable);
}
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 7d6674470..96382672a 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -235,7 +235,7 @@ __glXDispSwap_GetFBConfigsSGIX(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq);
+ REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq);
__GLX_SWAP_INT(&req->screen);
return __glXDisp_GetFBConfigsSGIX(cl, pc);
@@ -327,7 +327,7 @@ __glXDispSwap_DestroyPixmap(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->glxpixmap);
@@ -440,9 +440,7 @@ __glXDispSwap_ChangeDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
client->errorValue = req->numAttribs;
return BadValue;
}
- if (((sizeof(xGLXChangeDrawableAttributesReq) +
- (req->numAttribs << 3)) >> 2) < client->req_len)
- return BadLength;
+ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32 *) (req + 1);
__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
@@ -514,7 +512,7 @@ __glXDispSwap_DestroyWindow(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq);
+ REQUEST_SIZE_MATCH(xGLXDestroyWindowReq);
__GLX_SWAP_INT(&req->glxwindow);
@@ -723,7 +721,7 @@ __glXDispSwap_GetDrawableAttributes(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
- REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq);
+ REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq);
__GLX_SWAP_SHORT(&req->length);
__GLX_SWAP_INT(&req->drawable);
--
2.54.0


@ -0,0 +1,50 @@
From b01ca791b9ba62e25e3533ba35f8e825f02f0f80 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 18 Nov 2019 16:43:50 -0500
Subject: [PATCH xserver 05/11] loader: Make LoaderSymbolFromModule take a
ModuleDescPtr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The thing you get back from xf86LoadSubModule is a ModuleDescPtr, not a
dlsym handle. We don't expose ModuleDescPtr to the drivers, so change
LoaderSymbolFromModule to cast its void * argument to a ModuleDescPtr.
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit ab61c16ef07fde6eb7110c63c344c54eb2a2d117)
---
hw/xfree86/loader/loader.c | 3 ++-
hw/xfree86/loader/loadmod.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c
index 503c47e3a..2580e93d9 100644
--- a/hw/xfree86/loader/loader.c
+++ b/hw/xfree86/loader/loader.c
@@ -135,7 +135,8 @@ LoaderSymbol(const char *name)
void *
LoaderSymbolFromModule(void *handle, const char *name)
{
- return dlsym(handle, name);
+ ModuleDescPtr mod = handle;
+ return dlsym(mod->handle, name);
}
void
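Review bot: `mod->handle` is read without checking `handle`, so a caller that passes NULL now crashes inside the loader. Callers are likely to hand over whatever a sub-module load returned, and that can presumably be NULL on failure (the load functions are not in this hunk), so a guard such as `if (!mod) return NULL;` before the `dlsym` call would keep the failure contained. The parameter also stays `void *`, which means a caller passing a raw dlopen handle still compiles and has it reinterpreted as a ModuleDescPtr. A comment on the definition would make the contract explicit, e.g. `/* handle is a ModuleDescPtr from LoadSubModule(), not a dlopen() handle */`.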
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a93a76aa9..81a3a1dd9 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -776,7 +776,7 @@ LoadModule(const char *module, void *options, const XF86ModReqInfo *modreq,
*errmaj = LDR_NOMEM;
goto LoadModule_fail;
}
- initdata = LoaderSymbolFromModule(ret->handle, p);
+ initdata = LoaderSymbolFromModule(ret, p);
if (initdata) {
ModuleSetupProc setup;
ModuleTearDownProc teardown;
--
2.33.1


@ -1,112 +0,0 @@
From 5d6f378904ec5c7ae22e9ba4afd15e889a0a1df5 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 23 Feb 2026 15:52:49 +0100
Subject: [PATCH xserver 5/6] xkb: Add additional bound checking in
CheckKeyTypes()
The function CheckKeyTypes() will loop over the client's request but
won't perform any additional bound checking to ensure that the data
read remains within the request bounds.
As a result, a specifically crafted request may cause CheckKeyTypes() to
read past the request data, as reported by valgrind:
== Invalid read of size 2
== at 0x5A3D1D: CheckKeyTypes (xkb.c:1694)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 30 bytes after a block of size 28,672 in arena "client"
==
== Invalid read of size 2
== at 0x5A3AB6: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
== Invalid write of size 2
== at 0x5A3AD7: CheckKeyTypes (xkb.c:1669)
== by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
== by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
== by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
== by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
== by 0x4A20DF: Dispatch (dispatch.c:551)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
== Address is 2 bytes after a block of size 28,672 alloc'd
== at 0x4848897: realloc (vg_replace_malloc.c:1804)
== by 0x5E357A: ReadRequestFromClient (io.c:336)
== by 0x4A1FAB: Dispatch (dispatch.c:519)
== by 0x4B03B4: dix_main (main.c:277)
== by 0x428941: main (stubmain.c:34)
==
To avoid that issue, add additional bounds checking within the loops by
calling _XkbCheckRequestBounds() and report an error if we are to read
past the client's request.
CVE-2026-34003, ZDI-CAN-28736
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f47ffbc5d..1ee9cfb6f 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client,
for (i = 0; i < req->nTypes; i++) {
unsigned width;
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i);
+ return 0;
+ }
if (client->swapped) {
swaps(&wire->virtualMods);
}
@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client,
xkbModsWireDesc *preWire;
mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1];
+ if (!_XkbCheckRequestBounds(client, req, mapWire,
+ &mapWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries);
+ return 0;
+ }
preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries];
+ if (wire->preserve &&
+ !_XkbCheckRequestBounds(client, req, preWire,
+ &preWire[wire->nMapEntries])) {
+ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries);
+ return 0;
+ }
for (n = 0; n < wire->nMapEntries; n++) {
if (client->swapped) {
swaps(&mapWire[n].virtualMods);
--
2.53.0


@ -0,0 +1,45 @@
From 33dfc78a0f67f4db5558c2374f5a73d262e43671 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 14:09:04 +0100
Subject: [PATCH xserver 05/13] xkb: Fix buffer overflow in
XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/XKBMisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
index f17194528..c45471686 100644
--- a/xkb/XKBMisc.c
+++ b/xkb/XKBMisc.c
@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
i = XkbSetNumGroups(i, 0);
xkb->map->key_sym_map[key].group_info = i;
XkbResizeKeySyms(xkb, key, 0);
+ XkbResizeKeyActions(xkb, key, 0);
return Success;
}
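Review bot: The added `XkbResizeKeyActions(xkb, key, 0);` has no comment explaining why the actions are reset together with the syms, and the reason is not obvious from the call itself. Something like `/* drop the actions too, so a later call with nGroups > 0 does not reuse an action array sized for the old layout */` would record the invariant described in the commit message. The return values of both resize calls are discarded on this path; if either can report failure for a zero size (their definitions are not in this hunk), returning `Success` unconditionally would hide it. The enclosing function starts and ends outside the hunk.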
--
2.48.1


@ -1,4 +1,4 @@
From a42635ee3c01f71a49052d83a372933504c9db04 Mon Sep 17 00:00:00 2001
From 40f06ae1bd12f4416df59382324a0d31ab2ba704 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 30 Nov 2022 11:20:40 +1000
Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off


@ -1,90 +0,0 @@
From 03aeaee358fc6a34a851f875d37df405240879c1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 15:26:19 -0700
Subject: [PATCH xserver 06/51] Xext/sync: avoid null dereference if
SysCounterGetPrivate() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2664:9: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2662| SyncCounter *counter = pCounter;
# 2663| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2664|-> deviceid = priv->deviceid;
# 2665| }
# 2666| else
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2677:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2675| SyncCounter *counter = pCounter;
# 2676| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2677|-> int64_t *less = priv->value_less;
# 2678| int64_t *greater = priv->value_greater;
# 2679| int64_t idle, old_idle;
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2767:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2765| SyncCounter *counter = pCounter;
# 2766| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2767|-> int64_t *less = priv->value_less;
# 2768| int64_t *greater = priv->value_greater;
# 2769| int64_t idle;
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2800:14: danger: dereference of NULL SysCounterGetPrivate(pCounter)
# 2798| SyncCounter *counter = pCounter;
# 2799| IdleCounterPriv *priv = SysCounterGetPrivate(counter);
# 2800|-> int64_t *less = priv->value_less;
# 2801| int64_t *greater = priv->value_greater;
# 2802| Bool registered = (less || greater);
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0211de37b340eccfc0bad6a3ea13b27810b11a30)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Xext/sync.c b/Xext/sync.c
index c3d160327..09a14ac3c 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -2695,9 +2695,11 @@ IdleTimeQueryValue(void *pCounter, int64_t *pValue_return)
int deviceid;
CARD32 idle;
+ *pValue_return = 0;
if (pCounter) {
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
deviceid = priv->deviceid;
}
else
@@ -2711,6 +2713,7 @@ IdleTimeBlockHandler(void *pCounter, void *wt)
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
int64_t idle, old_idle;
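Review bot: `BUG_RETURN(priv == NULL);` is placed ahead of the `less`/`greater`/`idle` declarations, so the function now mixes statements and declarations; the IdleTimeWakeupHandler and IdleTimeBracketValues hunks below do the same. If the tree is built with -Wdeclaration-after-statement (not visible from here) this adds warnings, and it departs from the grouped declarations in the surrounding context. Declaring first and assigning after the guard keeps both: `int64_t *less, *greater;`, then `BUG_RETURN(priv == NULL);`, then `less = priv->value_less; greater = priv->value_greater;`. The function bodies continue outside these hunks.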
@@ -2801,6 +2804,7 @@ IdleTimeWakeupHandler(void *pCounter, int rc)
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
int64_t idle;
@@ -2834,6 +2838,7 @@ IdleTimeBracketValues(void *pCounter, int64_t *pbracket_less,
{
SyncCounter *counter = pCounter;
IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+ BUG_RETURN(priv == NULL);
int64_t *less = priv->value_less;
int64_t *greater = priv->value_greater;
Bool registered = (less || greater);
--
2.54.0


@ -0,0 +1,118 @@
From 475a856c919c8648aaefac9388a7788eed5725fa Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 16 Dec 2024 11:25:11 +0100
Subject: [PATCH xserver 06/13] Xi: Fix barrier device search
The function GetBarrierDevice() would search for the pointer device
based on its device id and return the matching value, or supposedly NULL
if no match was found.
Unfortunately, as written, it would return the last element of the list
if no matching device id was found which can lead to out of bounds
memory access.
Fix the search function to return NULL if no matching device is found,
and adjust the callers to handle the case where the device cannot be
found.
CVE-2025-26598, ZDI-CAN-25740
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xi/xibarriers.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index 1926762ad..cb336f22b 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
{
- struct PointerBarrierDevice *pbd = NULL;
+ struct PointerBarrierDevice *p, *pbd = NULL;
- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
- if (pbd->deviceid == deviceid)
+ xorg_list_for_each_entry(p, &c->per_device, entry) {
+ if (p->deviceid == deviceid) {
+ pbd = p;
break;
+ }
}
- BUG_WARN(!pbd);
return pbd;
}
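Review bot: GetBarrierDevice() now has a NULL return that every caller has to handle, but nothing at the function says so, and the removed `BUG_WARN(!pbd)` was the only hint of that contract. Add a header comment above the definition, for example `/* Returns the per-device state for deviceid, or NULL if this barrier client has none; callers must check. */`. That keeps a future call site from dereferencing the result unchecked.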
@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
double distance;
pbd = GetBarrierDevice(c, dev->id);
+ if (!pbd)
+ continue;
+
if (pbd->seen)
continue;
@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
nearest = &c->barrier;
pbd = GetBarrierDevice(c, master->id);
+ if (!pbd)
+ continue;
+
new_sequence = !pbd->hit;
pbd->seen = TRUE;
@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
int flags = 0;
pbd = GetBarrierDevice(c, master->id);
+ if (!pbd)
+ continue;
+
pbd->seen = FALSE;
if (!pbd->hit)
continue;
@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id)
continue;
pbd = GetBarrierDevice(c, dev->id);
+ if (!pbd)
+ continue;
+
if (!pbd->hit)
continue;
@@ -738,6 +751,8 @@ static void remove_master_func(void *res, XID id, void *devid)
barrier = container_of(b, struct PointerBarrierClient, barrier);
pbd = GetBarrierDevice(barrier, *deviceid);
+ if (!pbd)
+ return;
if (pbd->hit) {
BarrierEvent ev = {
@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
barrier = container_of(b, struct PointerBarrierClient, barrier);
pbd = GetBarrierDevice(barrier, dev->id);
+ if (!pbd) {
+ client->errorValue = dev->id;
+ return BadDevice;
+ }
if (pbd->barrier_event_id == event_id)
pbd->release_event_id = event_id;
--
2.48.1


@ -0,0 +1,144 @@
From 13d3bc7a05eb7500c8987358c68c20a4bfe18079 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 12:52:28 -0400
Subject: [PATCH xserver 06/11] modesetting: Indirect the shadow API through
LoaderSymbol
Prerequisite for building all of xserver with -z now.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit 45f35a0c6666c5f35df482948e0c8e91167429ef)
---
hw/xfree86/drivers/modesetting/driver.c | 34 +++++++++++--------------
hw/xfree86/drivers/modesetting/driver.h | 12 ++++++++-
2 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index ec4189a2c..a385e7ee2 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -50,7 +50,6 @@
#include "xf86Crtc.h"
#include "miscstruct.h"
#include "dixstruct.h"
-#include "shadow.h"
#include "xf86xv.h"
#include <X11/extensions/Xv.h>
#include <xorg-config.h>
@@ -60,7 +59,6 @@
#ifdef XSERVER_LIBPCIACCESS
#include <pciaccess.h>
#endif
-
#include "driver.h"
static void AdjustFrame(ScrnInfoPtr pScrn, int x, int y);
@@ -1084,9 +1082,16 @@ PreInit(ScrnInfoPtr pScrn, int flags)
}
if (ms->drmmode.shadow_enable) {
- if (!xf86LoadSubModule(pScrn, "shadow")) {
+ void *mod = xf86LoadSubModule(pScrn, "shadow");
+
+ if (!mod)
return FALSE;
- }
+
+ ms->shadow.Setup = LoaderSymbolFromModule(mod, "shadowSetup");
+ ms->shadow.Add = LoaderSymbolFromModule(mod, "shadowAdd");
+ ms->shadow.Remove = LoaderSymbolFromModule(mod, "shadowRemove");
+ ms->shadow.Update32to24 = LoaderSymbolFromModule(mod, "shadowUpdate32to24");
+ ms->shadow.UpdatePacked = LoaderSymbolFromModule(mod, "shadowUpdatePacked");
}
return TRUE;
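Review bot: None of the five `LoaderSymbolFromModule()` results is checked, while the later hunks call `ms->shadow.Setup`, `.Add`, `.Remove`, `.Update32to24` and `.UpdatePacked` unconditionally. A shadow module missing one of these symbols would then end in a NULL function-pointer call instead of a clean PreInit failure. Fail at bind time: `if (!ms->shadow.Setup || !ms->shadow.Add || !ms->shadow.Remove || !ms->shadow.Update32to24 || !ms->shadow.UpdatePacked) return FALSE;`. PreInit starts before this hunk, so any cleanup needed on that path is not visible here.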
@@ -1191,9 +1196,9 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
} while (0);
if (use_3224)
- shadowUpdate32to24(pScreen, pBuf);
+ ms->shadow.Update32to24(pScreen, pBuf);
else
- shadowUpdatePacked(pScreen, pBuf);
+ ms->shadow.UpdatePacked(pScreen, pBuf);
}
static Bool
@@ -1380,8 +1385,8 @@ CreateScreenResources(ScreenPtr pScreen)
FatalError("Couldn't adjust screen pixmap\n");
if (ms->drmmode.shadow_enable) {
- if (!shadowAdd(pScreen, rootPixmap, msUpdatePacked, msShadowWindow,
- 0, 0))
+ if (!ms->shadow.Add(pScreen, rootPixmap, msUpdatePacked, msShadowWindow,
+ 0, 0))
return FALSE;
}
@@ -1415,15 +1420,6 @@ CreateScreenResources(ScreenPtr pScreen)
return ret;
}
-static Bool
-msShadowInit(ScreenPtr pScreen)
-{
- if (!shadowSetup(pScreen)) {
- return FALSE;
- }
- return TRUE;
-}
-
static Bool
msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
{
@@ -1643,7 +1639,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
return FALSE;
}
- if (ms->drmmode.shadow_enable && !msShadowInit(pScreen)) {
+ if (ms->drmmode.shadow_enable && !ms->shadow.Setup(pScreen)) {
xf86DrvMsg(pScrn->scrnIndex, X_ERROR, "shadow fb init failed\n");
return FALSE;
}
@@ -1887,7 +1883,7 @@ CloseScreen(ScreenPtr pScreen)
}
if (ms->drmmode.shadow_enable) {
- shadowRemove(pScreen, pScreen->GetScreenPixmap(pScreen));
+ ms->shadow.Remove(pScreen, pScreen->GetScreenPixmap(pScreen));
free(ms->drmmode.shadow_fb);
ms->drmmode.shadow_fb = NULL;
free(ms->drmmode.shadow_fb2);
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index a99f37871..394a20fc1 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -33,7 +33,7 @@
#include <xf86Crtc.h>
#include <damage.h>
#include <X11/extensions/dpmsconst.h>
-
+#include <shadow.h>
#ifdef GLAMOR_HAS_GBM
#define GLAMOR_FOR_XORG 1
#include "glamor.h"
@@ -122,6 +122,16 @@ typedef struct _modesettingRec {
Bool kms_has_modifiers;
+ /* shadow API */
+ struct {
+ Bool (*Setup)(ScreenPtr);
+ Bool (*Add)(ScreenPtr, PixmapPtr, ShadowUpdateProc, ShadowWindowProc,
+ int, void *);
+ void (*Remove)(ScreenPtr, PixmapPtr);
+ void (*Update32to24)(ScreenPtr, shadowBufPtr);
+ void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
+ } shadow;
+
} modesettingRec, *modesettingPtr;
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
--
2.33.1


@ -1,74 +0,0 @@
From 637343690922ccd44bedf4e524357b0593067fa2 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 20 Apr 2026 11:19:20 +1000
Subject: [PATCH xserver 6/9] saver: re-fetch screen private after
CheckScreenPrivate in CreateSaverWindow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CreateSaverWindow stores pPriv (the ScreenSaverScreenPrivatePtr) in a local
variable via the SetupScreen macro at function entry. When an existing saver
window is being replaced, the function sets pPriv->hasWindow = FALSE and
calls CheckScreenPrivate(). If at this point pPriv->attr is NULL (cleared
by a prior UnsetAttributes call), pPriv->events is NULL, and
pPriv->installedMap is None, then CheckScreenPrivate determines the screen
private is unused, frees it, and sets the screen private pointer to NULL.
The function then continues to dereference the now-freed pPriv on the very
next line (pPriv->attr), resulting in a use-after-free. On glibc 2.34+,
the tcache key at offset 8 within the freed block makes pPriv->attr appear
non-NULL, causing the function to continue operating on garbage data and
eventually crash.
The attack sequence is:
1. SetAttributes (creates pPriv with pPriv->attr set)
2. ForceScreenSaver(Active) (creates saver window, pPriv->hasWindow=TRUE)
3. UnsetAttributes (sets pPriv->attr = NULL)
4. ForceScreenSaver(Active) (re-enters CreateSaverWindow → UAF)
Fix by re-fetching pPriv from the screen private after CheckScreenPrivate
returns, so the subsequent NULL check correctly detects the freed state.
ScreenSaverFreeAttr has the same pattern, force pPriv to NULL there too
even though it has no real effect.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30168
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit ecc634f1b2f7aa473d3a267eada98c4918bf9e05)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
Xext/saver.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Xext/saver.c b/Xext/saver.c
index c27a66c80..f750ef4cd 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -348,6 +348,9 @@ ScreenSaverFreeAttr(void *value, XID id)
dixSaveScreens(serverClient, SCREEN_SAVER_FORCER, ScreenSaverActive);
}
CheckScreenPrivate(pScreen);
+ /* CheckScreenPrivate may have freed pPriv (same pattern as
+ * CreateSaverWindow fix for ZDI-CAN-30168). */
+ pPriv = NULL;
return TRUE;
}
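Review bot: `pPriv = NULL;` in ScreenSaverFreeAttr() is a dead store, because the next statement is `return TRUE;` and the local is never read again; compilers drop it and static analysers tend to report it. The comment is the part that helps a maintainer, so keep something like `/* CheckScreenPrivate may have freed pPriv; do not touch it after this point */` and drop the assignment. The function starts before this hunk.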
@@ -479,6 +482,8 @@ CreateSaverWindow(ScreenPtr pScreen)
UninstallSaverColormap(pScreen);
pPriv->hasWindow = FALSE;
CheckScreenPrivate(pScreen);
+ /* Re-fetch pPriv since CheckScreenPrivate may have freed it */
+ pPriv = GetScreenPrivate(pScreen);
}
}
--
2.54.0


@ -1,221 +0,0 @@
From 7c03d504c2b6ca498e0ff3761b000d77788f0c23 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 2 Mar 2026 14:09:57 +0100
Subject: [PATCH xserver 6/6] xkb: Add more _XkbCheckRequestBounds()
Similar to the recent fixes, add more _XkbCheckRequestBounds() to the
functions that loop over the request data, i.e.:
* CheckKeySyms()
* CheckKeyActions()
* CheckKeyBehaviors()
* CheckVirtualMods()
* CheckKeyExplicit()
* CheckVirtualModMap()
* _XkbSetMapChecks()
All these are static functions so we can add the client to the parameters
without breaking any API.
See also:
CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737
v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d38c563fab5c4a554e0939da39e4d1dadef7cbae)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2178>
---
xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 55 insertions(+), 14 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 1ee9cfb6f..f81d20655 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client,
KeySym *pSyms;
register unsigned nG;
+ /* Check we received enough data to read the next xkbSymMapWireDesc */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i);
+ return 0;
+ }
if (client->swapped) {
swaps(&wire->nSyms);
}
@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client,
return 0;
}
pSyms = (KeySym *) &wire[1];
+ if (wire->nSyms != 0) {
+ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) {
+ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms);
+ return 0;
+ }
+ }
wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms];
}
@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client,
}
static int
-CheckKeyActions(XkbDescPtr xkb,
- xkbSetMapReq * req,
- int nTypes,
- CARD8 *mapWidths,
- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
+CheckKeyActions(ClientPtr client,
+ XkbDescPtr xkb,
+ xkbSetMapReq * req,
+ int nTypes,
+ CARD8 *mapWidths,
+ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
{
int nActs;
CARD8 *wire = *wireRtrn;
@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb,
CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn),
0);
for (nActs = i = 0; i < req->nKeyActs; i++) {
+ /* Check we received enough data to read the next byte on the wire */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i);
+ return 0;
+ }
if (wire[0] != 0) {
if (wire[0] == symsPerKey[i + req->firstKeyAct])
nActs += wire[0];
@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb,
}
static int
-CheckKeyBehaviors(XkbDescPtr xkb,
+CheckKeyBehaviors(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn)
{
@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
for (i = 0; i < req->totalKeyBehaviors; i++, wire++) {
+ /* Check we received enough data to read the next behavior */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errorRtrn = _XkbErrCode3(0x36, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errorRtrn = _XkbErrCode4(0x33, first, last, wire->key);
return 0;
@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb,
}
static int
-CheckVirtualMods(XkbDescRec * xkb,
+CheckVirtualMods(ClientPtr client,
+ XkbDescRec * xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb,
if (req->virtualMods & bit)
nMods++;
}
+ /* Check we received enough data for the number of virtual mods expected */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) {
+ *errorRtrn = _XkbErrCode3(0x37, nMods, i);
+ return 0;
+ }
*wireRtrn = (wire + XkbPaddedSize(nMods));
return 1;
}
static int
-CheckKeyExplicit(XkbDescPtr xkb,
+CheckKeyExplicit(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
{
register CARD8 *wire = *wireRtrn;
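Review bot: In the CheckVirtualMods() part of this hunk the error value is built as `_XkbErrCode3(0x37, nMods, i)`, but `i` is read after the counting loop has ended. Assuming it is that loop's counter (the loop header is outside the hunk), it always holds the same value and gives the client no diagnostic information. Reporting the request field would be more useful: `*errorRtrn = _XkbErrCode3(0x37, nMods, req->virtualMods);`. The hunk also carries the CheckKeyExplicit() signature change, which this note does not concern.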
@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb,
}
start = wire;
for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) {
+ /* Check we received enough data to read the next two bytes */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
+ *errorRtrn = _XkbErrCode4(0x54, first, last, i);
+ return 0;
+ }
if ((wire[0] < first) || (wire[0] > last)) {
*errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]);
return 0;
@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
}
static int
-CheckVirtualModMap(XkbDescPtr xkb,
+CheckVirtualModMap(ClientPtr client,
+ XkbDescPtr xkb,
xkbSetMapReq * req,
xkbVModMapWireDesc ** wireRtrn, int *errRtrn)
{
@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb,
return 0;
}
for (i = 0; i < req->totalVModMapKeys; i++, wire++) {
+ /* Check we received enough data to read the next virtual mod map key */
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
+ *errRtrn = _XkbErrCode3(0x74, first, i);
+ return 0;
+ }
if ((wire->key < first) || (wire->key > last)) {
*errRtrn = _XkbErrCode4(0x73, first, last, wire->key);
return 0;
@@ -2562,7 +2603,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
}
if ((req->present & XkbKeyActionsMask) &&
- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey,
+ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey,
(CARD8 **) &values, &nActions))) {
client->errorValue = nActions;
return BadValue;
@@ -2570,18 +2611,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
if ((req->present & XkbKeyBehaviorsMask) &&
(!CheckKeyBehaviors
- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbVirtualModsMask) &&
- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
if ((req->present & XkbExplicitComponentsMask) &&
- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) {
+ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
@@ -2592,7 +2633,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
}
if ((req->present & XkbVirtualModMapMask) &&
(!CheckVirtualModMap
- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
+ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
client->errorValue = error;
return BadValue;
}
--
2.53.0


@ -1,47 +0,0 @@
From 2d2fcd6c83bbc174d1ae178388e7ae0d8297da56 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 15:40:22 -0700
Subject: [PATCH xserver 07/51] Xext/sync: avoid null dereference in
init_system_idle_counter()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: this call could return NULL
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2837:28: danger: priv could be NULL: unchecked value from [(30)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/29)
# 2835| IdleCounterPriv *priv = malloc(sizeof(IdleCounterPriv));
# 2836|
# 2837|-> priv->value_less = priv->value_greater = NULL;
# 2838| priv->deviceid = deviceid;
# 2839|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 304d21854d349b21dd8deb8a8f319637f17bd4a8)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 09a14ac3c..8fd7e947e 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -2876,8 +2876,10 @@ init_system_idle_counter(const char *name, int deviceid)
if (idle_time_counter != NULL) {
IdleCounterPriv *priv = malloc(sizeof(IdleCounterPriv));
- priv->value_less = priv->value_greater = NULL;
- priv->deviceid = deviceid;
+ if (priv) {
+ priv->value_less = priv->value_greater = NULL;
+ priv->deviceid = deviceid;
+ }
idle_time_counter->pSysCounterInfo->private = priv;
}
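Review bot: On allocation failure the new `if (priv)` only skips the two field writes; `idle_time_counter->pSysCounterInfo->private = priv;` still stores NULL and the counter stays in use. Every IdleTime* callback in Xext/sync.c then has to cope with a NULL private on each call; the companion patch on this page makes them bail out through `BUG_RETURN(priv == NULL)`, which presumably logs a warning each time. Consider treating the failed malloc as a failed counter creation, or at least add `/* private may be NULL on OOM; the IdleTime* callbacks must check */` above the assignment. The function continues past the end of the hunk, so its return path is not shown.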
--
2.54.0


@ -0,0 +1,65 @@
From 04d8041534d40e975d11a8a58ea7e8b1f09b519d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 17 Dec 2024 15:19:45 +0100
Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in
compRedirectWindow()
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.
In that case, compRedirectWindow() will return a BadAlloc error.
However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.
That causes a use of uninitialized pointer later.
The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.
CVE-2025-26599, ZDI-CAN-25851
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
composite/compalloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/composite/compalloc.c b/composite/compalloc.c
index 3e2f14fb0..55a1b725a 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
WindowPtr pLayerWin;
Bool anyMarked = FALSE;
+ int status = Success;
if (pWin == cs->pOverlayWin) {
return Success;
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
if (!compCheckRedirect(pWin)) {
FreeResource(ccw->id, RT_NONE);
- return BadAlloc;
+ status = BadAlloc;
}
if (anyMarked)
compHandleMarkedWindows(pWin, pLayerWin);
- return Success;
+ return status;
}
void
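Review bot: Nothing in the code says why the `BadAlloc` path no longer returns at once, so a later cleanup could restore the early return and bring back the partly initialised validate data described in the commit message. Add a comment on the `status = BadAlloc;` line, for example `/* no early return: windows marked above must still go through compHandleMarkedWindows() */`. The code that marks the windows lies between the two hunks and is not visible here.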
--
2.48.1


@ -1,90 +0,0 @@
From 574f2e975aa8f2942f33b7fa35a33d20f27cdc02 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 29 Apr 2026 05:40:33 +0000
Subject: [PATCH xserver 7/9] dix: increase XLFDMAXFONTNAMELEN to match
libXfont2's MAXFONTNAMELEN
XLFDMAXFONTNAMELEN was 256 bytes, but libXfont2 defines MAXFONTNAMELEN
as 1024 and allows font names and alias targets up to that length in
fonts.alias files.
doListFontsAndAliases copies the resolved alias target into a
stack-allocated tmp_pattern[XLFDMAXFONTNAMELEN] and then into
c->current.pattern[XLFDMAXFONTNAMELEN] (defined in LFWIstateRec).
doListFontsWithInfo has the same pattern, copying the resolved name into
c->current.pattern[]. With the old 256-byte limit, a fonts.alias entry
with a target name between 257 and 1023 bytes would overflow both
buffers.
An attacker can exploit this by:
1. Creating a font directory with a fonts.alias containing an alias
whose target name exceeds 256 bytes
2. Using SetFontPath to add the malicious directory
3. Calling ListFonts with the alias name to trigger alias resolution
4. The oversized resolved name overflows the 256-byte stack buffer
Increase XLFDMAXFONTNAMELEN from 256 to 1024 to match libXfont2's
MAXFONTNAMELEN, ensuring the server can handle any name the font library
produces.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
ZDI-CAN-30136
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit bb5158f962dc935e58ef8b4b5fcb31be201a6e07)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
dix/dixfonts.c | 8 ++++++++
include/closestr.h | 7 ++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 0ea8678bb..386c38686 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -671,6 +671,10 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
* is BadFontName, indicating the alias resolution
* is complete.
*/
+ if (resolvedlen > XLFDMAXFONTNAMELEN) {
+ err = BadFontName;
+ goto ContBadFontName;
+ }
memmove(tmp_pattern, resolved, resolvedlen);
if (c->haveSaved) {
char *tmpname;
@@ -934,6 +938,10 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c)
memmove(c->savedName, name, namelen + 1);
aliascount = 20;
}
+ if (namelen > XLFDMAXFONTNAMELEN) {
+ err = BadFontName;
+ goto ContBadFontName;
+ }
memmove(c->current.pattern, name, namelen);
c->current.patlen = namelen;
c->current.max_names = 1;
diff --git a/include/closestr.h b/include/closestr.h
index 60e6f09bc..7567ac6ea 100644
--- a/include/closestr.h
+++ b/include/closestr.h
@@ -57,7 +57,12 @@ typedef struct _OFclosure {
/* ListFontsWithInfo */
-#define XLFDMAXFONTNAMELEN 256
+/* libXfont2 allows font names/aliases up to MAXFONTNAMELEN (1024) bytes in
+ * fonts.alias files. The server's pattern buffers must be large enough to
+ * hold resolved alias targets returned by the font library.
+ * ZDI-CAN-30136
+ */
+#define XLFDMAXFONTNAMELEN 1024
typedef struct _LFWIstate {
char pattern[XLFDMAXFONTNAMELEN];
int patlen;
--
2.54.0


@ -0,0 +1,332 @@
From 94612044171975466f605d5f01769d1c2b9acc5d Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 13:11:09 -0400
Subject: [PATCH xserver 07/11] modesetting: Indirect the glamor API through
LoaderSymbol
Prerequisite for building all of xserver with -z now.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit dd63f717fe8636315343f421f4f2ee299258f079)
---
hw/xfree86/drivers/modesetting/dri2.c | 10 ++--
hw/xfree86/drivers/modesetting/driver.c | 49 ++++++++++++++-----
hw/xfree86/drivers/modesetting/driver.h | 24 +++++++++
.../drivers/modesetting/drmmode_display.c | 17 ++++---
hw/xfree86/drivers/modesetting/pageflip.c | 4 +-
hw/xfree86/drivers/modesetting/present.c | 4 +-
6 files changed, 82 insertions(+), 26 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c
index d89904b53..724d9d34c 100644
--- a/hw/xfree86/drivers/modesetting/dri2.c
+++ b/hw/xfree86/drivers/modesetting/dri2.c
@@ -123,6 +123,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable,
unsigned int attachment, unsigned int format)
{
ScrnInfoPtr scrn = xf86ScreenToScrn(screen);
+ modesettingPtr ms = modesettingPTR(scrn);
DRI2Buffer2Ptr buffer;
PixmapPtr pixmap;
CARD32 size;
@@ -200,7 +201,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable,
*/
buffer->flags = 0;
- buffer->name = glamor_name_from_pixmap(pixmap, &pitch, &size);
+ buffer->name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size);
buffer->pitch = pitch;
if (buffer->name == -1) {
xf86DrvMsg(scrn->scrnIndex, X_ERROR,
@@ -509,11 +510,12 @@ update_front(DrawablePtr draw, DRI2BufferPtr front)
ScreenPtr screen = draw->pScreen;
PixmapPtr pixmap = get_drawable_pixmap(draw);
ms_dri2_buffer_private_ptr priv = front->driverPrivate;
+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
CARD32 size;
CARD16 pitch;
int name;
- name = glamor_name_from_pixmap(pixmap, &pitch, &size);
+ name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size);
if (name < 0)
return FALSE;
@@ -617,7 +619,7 @@ ms_dri2_exchange_buffers(DrawablePtr draw, DRI2BufferPtr front,
*front_pix = *back_pix;
*back_pix = tmp_pix;
- glamor_egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap);
+ ms->glamor.egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap);
/* Post damage on the front buffer so that listeners, such
* as DisplayLink know take a copy and shove it over the USB.
@@ -1036,7 +1038,7 @@ ms_dri2_screen_init(ScreenPtr screen)
DRI2InfoRec info;
const char *driver_names[2] = { NULL, NULL };
- if (!glamor_supports_pixmap_import_export(screen)) {
+ if (!ms->glamor.supports_pixmap_import_export(screen)) {
xf86DrvMsg(scrn->scrnIndex, X_WARNING,
"DRI2: glamor lacks support for pixmap import/export\n");
}
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index a385e7ee2..4f4db67b7 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout)
* the shared pixmap, but not all).
*/
if (ms->drmmode.glamor)
- glamor_finish(screen);
+ ms->glamor.finish(screen);
#endif
/* Ensure the slave processes the damage immediately */
if (timeout)
@@ -743,6 +743,26 @@ FreeRec(ScrnInfoPtr pScrn)
}
+static void
+bind_glamor_api(void *mod, modesettingPtr ms)
+{
+ ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd");
+ ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler");
+ ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap");
+ ms->glamor.egl_create_textured_pixmap_from_gbm_bo = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap_from_gbm_bo");
+ ms->glamor.egl_exchange_buffers = LoaderSymbolFromModule(mod, "glamor_egl_exchange_buffers");
+ ms->glamor.egl_get_gbm_device = LoaderSymbolFromModule(mod, "glamor_egl_get_gbm_device");
+ ms->glamor.egl_init = LoaderSymbolFromModule(mod, "glamor_egl_init");
+ ms->glamor.finish = LoaderSymbolFromModule(mod, "glamor_finish");
+ ms->glamor.gbm_bo_from_pixmap = LoaderSymbolFromModule(mod, "glamor_gbm_bo_from_pixmap");
+ ms->glamor.init = LoaderSymbolFromModule(mod, "glamor_init");
+ ms->glamor.name_from_pixmap = LoaderSymbolFromModule(mod, "glamor_name_from_pixmap");
+ ms->glamor.set_drawable_modifiers_func = LoaderSymbolFromModule(mod, "glamor_set_drawable_modifiers_func");
+ ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap");
+ ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
+ ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
+}
+
static void
try_enable_glamor(ScrnInfoPtr pScrn)
{
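Review bot: bind_glamor_api() stores fifteen `LoaderSymbolFromModule()` results without checking any of them, and the call sites in this patch (`ms->glamor.egl_init`, `.finish`, `.name_from_pixmap` and the rest) invoke the pointers unconditionally. A glamor module that lacks one of the symbols would cause a NULL function-pointer call rather than a fallback to the non-glamor path. Have the helper return `Bool` (FALSE when any lookup is NULL) and let try_enable_glamor() treat that like a failed init: `if (bind_glamor_api(mod, ms) && ms->glamor.egl_init(pScrn, ms->fd)) {`. The rest of try_enable_glamor() is outside this hunk.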
@@ -751,6 +771,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
OPTION_ACCEL_METHOD);
Bool do_glamor = (!accel_method_str ||
strcmp(accel_method_str, "glamor") == 0);
+ void *mod;
ms->drmmode.glamor = FALSE;
@@ -765,8 +786,10 @@ try_enable_glamor(ScrnInfoPtr pScrn)
return;
}
- if (xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME)) {
- if (glamor_egl_init(pScrn, ms->fd)) {
+ mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
+ if (mod) {
+ bind_glamor_api(mod, ms);
+ if (ms->glamor.egl_init(pScrn, ms->fd)) {
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
} else {
@@ -1424,11 +1447,12 @@ static Bool
msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
{
#ifdef GLAMOR_HAS_GBM
+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
int ret;
CARD16 stride;
CARD32 size;
- ret = glamor_shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix,
- &stride, &size);
+ ret = ms->glamor.shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix,
+ &stride, &size);
if (ret == -1)
return FALSE;
@@ -1453,11 +1477,12 @@ msSetSharedPixmapBacking(PixmapPtr ppix, void *fd_handle)
return drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, 0, 0);
if (ms->drmmode.reverse_prime_offload_mode) {
- ret = glamor_back_pixmap_from_fd(ppix, ihandle,
- ppix->drawable.width,
- ppix->drawable.height,
- ppix->devKind, ppix->drawable.depth,
- ppix->drawable.bitsPerPixel);
+ ret = ms->glamor.back_pixmap_from_fd(ppix, ihandle,
+ ppix->drawable.width,
+ ppix->drawable.height,
+ ppix->devKind,
+ ppix->drawable.depth,
+ ppix->drawable.bitsPerPixel);
} else {
int size = ppix->devKind * ppix->drawable.height;
ret = drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, ppix->devKind, size);
@@ -1574,7 +1599,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
#ifdef GLAMOR_HAS_GBM
if (ms->drmmode.glamor)
- ms->drmmode.gbm = glamor_egl_get_gbm_device(pScreen);
+ ms->drmmode.gbm = ms->glamor.egl_get_gbm_device(pScreen);
#endif
/* HW dependent - FIXME */
@@ -1718,7 +1743,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
if (ms->drmmode.glamor) {
XF86VideoAdaptorPtr glamor_adaptor;
- glamor_adaptor = glamor_xv_init(pScreen, 16);
+ glamor_adaptor = ms->glamor.xv_init(pScreen, 16);
if (glamor_adaptor != NULL)
xf86XVScreenInit(pScreen, &glamor_adaptor, 1);
else
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 394a20fc1..5e4d2509a 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -132,6 +132,30 @@ typedef struct _modesettingRec {
void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
} shadow;
+ /* glamor API */
+ struct {
+ Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16,
+ CARD8, CARD8);
+ void (*block_handler)(ScreenPtr);
+ Bool (*egl_create_textured_pixmap)(PixmapPtr, int, int);
+ Bool (*egl_create_textured_pixmap_from_gbm_bo)(PixmapPtr,
+ struct gbm_bo *,
+ Bool);
+ void (*egl_exchange_buffers)(PixmapPtr, PixmapPtr);
+ struct gbm_device *(*egl_get_gbm_device)(ScreenPtr);
+ Bool (*egl_init)(ScrnInfoPtr, int);
+ void (*finish)(ScreenPtr);
+ struct gbm_bo *(*gbm_bo_from_pixmap)(ScreenPtr, PixmapPtr);
+ Bool (*init)(ScreenPtr, unsigned int);
+ int (*name_from_pixmap)(PixmapPtr, CARD16 *, CARD32 *);
+ void (*set_drawable_modifiers_func)(ScreenPtr,
+ GetDrawableModifiersFuncPtr);
+ int (*shareable_fd_from_pixmap)(ScreenPtr, PixmapPtr, CARD16 *,
+ CARD32 *);
+ Bool (*supports_pixmap_import_export)(ScreenPtr);
+ XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
+ } glamor;
+
} modesettingRec, *modesettingPtr;
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 6f5f8caf6..28609db7c 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool test_only)
#ifdef GLAMOR_HAS_GBM
/* Make sure any pending drawing will be visible in a new scanout buffer */
if (drmmode->glamor)
- glamor_finish(screen);
+ ms->glamor.finish(screen);
#endif
if (ms->atomic_modeset) {
@@ -1385,6 +1385,7 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id)
PixmapPtr pixmap = drmmode->fbcon_pixmap;
drmModeFBPtr fbcon;
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
Bool ret;
if (pixmap)
@@ -1405,7 +1406,8 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id)
if (!pixmap)
goto out_free_fb;
- ret = glamor_egl_create_textured_pixmap(pixmap, fbcon->handle, fbcon->pitch);
+ ret = ms->glamor.egl_create_textured_pixmap(pixmap, fbcon->handle,
+ fbcon->pitch);
if (!ret) {
FreePixmap(pixmap);
pixmap = NULL;
@@ -1424,6 +1426,7 @@ drmmode_copy_fb(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
#ifdef GLAMOR_HAS_GBM
xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(pScrn);
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
PixmapPtr src, dst;
int fbcon_id = 0;
GCPtr gc;
@@ -3108,12 +3111,13 @@ drmmode_set_pixmap_bo(drmmode_ptr drmmode, PixmapPtr pixmap, drmmode_bo *bo)
{
#ifdef GLAMOR_HAS_GBM
ScrnInfoPtr scrn = drmmode->scrn;
+ modesettingPtr ms = modesettingPTR(scrn);
if (!drmmode->glamor)
return TRUE;
- if (!glamor_egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm,
- bo->used_modifiers)) {
+ if (!ms->glamor.egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm,
+ bo->used_modifiers)) {
xf86DrvMsg(scrn->scrnIndex, X_ERROR, "Failed to create pixmap\n");
return FALSE;
}
@@ -3436,13 +3440,14 @@ drmmode_init(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
{
#ifdef GLAMOR_HAS_GBM
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
if (drmmode->glamor) {
- if (!glamor_init(pScreen, GLAMOR_USE_EGL_SCREEN)) {
+ if (!ms->glamor.init(pScreen, GLAMOR_USE_EGL_SCREEN)) {
return FALSE;
}
#ifdef GBM_BO_WITH_MODIFIERS
- glamor_set_drawable_modifiers_func(pScreen, get_drawable_modifiers);
+ ms->glamor.set_drawable_modifiers_func(pScreen, get_drawable_modifiers);
#endif
}
#endif
diff --git a/hw/xfree86/drivers/modesetting/pageflip.c b/hw/xfree86/drivers/modesetting/pageflip.c
index 1d54816e2..841fa917c 100644
--- a/hw/xfree86/drivers/modesetting/pageflip.c
+++ b/hw/xfree86/drivers/modesetting/pageflip.c
@@ -243,9 +243,9 @@ ms_do_pageflip(ScreenPtr screen,
uint32_t flags;
int i;
struct ms_flipdata *flipdata;
- glamor_block_handler(screen);
+ ms->glamor.block_handler(screen);
- new_front_bo.gbm = glamor_gbm_bo_from_pixmap(screen, new_front);
+ new_front_bo.gbm = ms->glamor.gbm_bo_from_pixmap(screen, new_front);
new_front_bo.dumb = NULL;
if (!new_front_bo.gbm) {
diff --git a/hw/xfree86/drivers/modesetting/present.c b/hw/xfree86/drivers/modesetting/present.c
index 186309a29..c700cf116 100644
--- a/hw/xfree86/drivers/modesetting/present.c
+++ b/hw/xfree86/drivers/modesetting/present.c
@@ -166,7 +166,7 @@ ms_present_flush(WindowPtr window)
modesettingPtr ms = modesettingPTR(scrn);
if (ms->drmmode.glamor)
- glamor_block_handler(screen);
+ ms->glamor.block_handler(screen);
#endif
}
@@ -262,7 +262,7 @@ ms_present_check_unflip(RRCrtcPtr crtc,
#ifdef GBM_BO_WITH_MODIFIERS
/* Check if buffer format/modifier is supported by all active CRTCs */
- gbm = glamor_gbm_bo_from_pixmap(screen, pixmap);
+ gbm = ms->glamor.gbm_bo_from_pixmap(screen, pixmap);
if (gbm) {
uint32_t format;
uint64_t modifier;
--
2.33.1


@ -1,4 +1,4 @@
From 774260dbae1fa505cd2848c786baed9a8db5179d Mon Sep 17 00:00:00 2001
From 9c70f90b24ba5de5eeb8a854c25f72a38d497fb7 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 5 Dec 2022 15:55:54 +1000
Subject: [PATCH xserver 7/7] xkb: reset the radio_groups pointer to NULL after


@ -1,43 +0,0 @@
From 010a613e860e2ff47665535cd4821e3b5e03548a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 16:04:50 -0700
Subject: [PATCH xserver 08/51] Xext/sync: Avoid dereference of invalid pointer
if malloc() failed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported incorrectly in #1817 as:
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2835:33: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/sync.c:2843:12: danger: priv leaks here; was allocated at [(30)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/29)
but the "leak" is really saving the pointer in an uninitialized pointer in
a structure that was already freed when the malloc of the SysCounterInfo
struct failed in SyncCreateSystemCounter(), because it returned the address
of the freed struct instead of NULL to indicate failure.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6034ce11b6cd31d42df0f5781f70d3073d91f95b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/sync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 8fd7e947e..89a1af13b 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -1025,7 +1025,7 @@ SyncCreateSystemCounter(const char *name,
psci = malloc(sizeof(SysCounterInfo));
if (!psci) {
FreeResource(pCounter->sync.id, RT_NONE);
- return pCounter;
+ return NULL;
}
pCounter->pSysCounterInfo = psci;
psci->pCounter = pCounter;
--
2.54.0


@ -0,0 +1,127 @@
From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 13 Jan 2025 16:09:43 +0100
Subject: [PATCH xserver 08/13] composite: initialize border clip even when
pixmap alloc fails
If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:
Conditional jump or move depends on uninitialised value(s)
at 0x4F9B33: compClipNotify (compwindow.c:317)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.
Related to CVE-2025-26599, ZDI-CAN-25851
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
composite/compalloc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/composite/compalloc.c b/composite/compalloc.c
index 55a1b725a..d1c205ca0 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin)
int h = pWin->drawable.height + (bw << 1);
PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
CompWindowPtr cw = GetCompWindow(pWin);
+ Bool status;
- if (!pPixmap)
- return FALSE;
+ if (!pPixmap) {
+ status = FALSE;
+ goto out;
+ }
if (cw->update == CompositeRedirectAutomatic)
pWin->redirectDraw = RedirectDrawAutomatic;
else
@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin)
DamageRegister(&pWin->drawable, cw->damage);
cw->damageRegistered = TRUE;
}
+ status = TRUE;
+out:
/* Make sure our borderClip is up to date */
RegionUninit(&cw->borderClip);
RegionCopy(&cw->borderClip, &pWin->borderClip);
cw->borderClipX = pWin->drawable.x;
cw->borderClipY = pWin->drawable.y;
- return TRUE;
+ return status;
}
void
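Review bot: Nothing at the new `out:` label says that the border-clip block now also runs when `compNewPixmap()` returned NULL, which is the whole point of the change. I would state it at the label, e.g. `/* Also reached when pPixmap is NULL: borderClip and borderClipX/Y must be valid before compClipNotify() reads them */`. `RegionUninit(&cw->borderClip)` on that path presumably relies on the region having been initialised where `cw` is allocated; that code is outside this hunk and worth confirming. compAllocPixmap begins in the previous hunk.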
--
2.48.1


@ -1,109 +0,0 @@
From 8cb12cc50d0b1592294ad46594731dc088b493f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Wed, 13 May 2026 14:29:26 +0200
Subject: [PATCH xserver 8/9] dri2: Use booleans for (fake) front buffer
tracking in do_get_buffers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works as intended — the (fake) front buffer needs to be added
only if the client didn't request it in the first place — even if the
client requests the same attachment multiple times. This ensures we
never try to access more than (count + 1) entries of the buffers array.
Fixes: ff6c7764c290 ("DRI2: Implement protocol for DRI2GetBuffersWithFormat")
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
hw/xfree86/dri2/dri2.c | 37 ++++++++++++++++++-------------------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index 6619e3aa7..fdf15d9a1 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -560,9 +560,10 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw);
DRI2ScreenPtr ds;
DRI2BufferPtr *buffers;
- int need_real_front = 0;
- int need_fake_front = 0;
- int have_fake_front = 0;
+ Bool need_real_front = FALSE;
+ Bool have_real_front = FALSE;
+ Bool need_fake_front = FALSE;
+ Bool have_fake_front = FALSE;
int front_format = 0;
int dimensions_match;
int buffers_changed = 0;
@@ -595,34 +596,32 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
if (buffers[i] == NULL)
goto err_out;
- /* If the drawable is a window and the front-buffer is requested,
- * silently add the fake front-buffer to the list of requested
- * attachments. The counting logic in the loop accounts for the case
- * where the client requests both the fake and real front-buffer.
+ /* In certain cases the (fake) front buffer is always needed, so return
+ * it even if the client failed to request it.
+ * The logic in & after the loop accounts for the case where the client
+ * does request the (fake) front buffer, to avoid returning it multiple
+ * times.
*/
if (attachment == DRI2BufferBackLeft) {
- need_real_front++;
+ need_real_front = TRUE;
front_format = format;
}
if (attachment == DRI2BufferFrontLeft) {
- need_real_front--;
+ have_real_front = TRUE;
front_format = format;
- if (pDraw->type == DRAWABLE_WINDOW) {
- need_fake_front++;
- }
+ if (pDraw->type == DRAWABLE_WINDOW)
+ need_fake_front = TRUE;
}
if (pDraw->type == DRAWABLE_WINDOW) {
- if (attachment == DRI2BufferFakeFrontLeft) {
- need_fake_front--;
- have_fake_front = 1;
- }
+ if (attachment == DRI2BufferFakeFrontLeft)
+ have_fake_front = TRUE;
}
}
- if (need_real_front > 0) {
+ if (need_real_front && !have_real_front) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -633,7 +632,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
i++;
}
- if (need_fake_front > 0) {
+ if (need_fake_front && !have_fake_front) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFakeFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -643,7 +642,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
goto err_out;
i++;
- have_fake_front = 1;
+ have_fake_front = TRUE;
}
*out_count = i;
--
2.54.0


@ -0,0 +1,58 @@
From 7f1bedcf27cfd09162544ff1b18c21c8e5695a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 22 Nov 2019 18:05:04 +0100
Subject: [PATCH xserver 08/11] modesetting: Add glamor_finish() convenience
macro
This will simplify backporting the following fix to the 1.20 branch.
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 06ef320e9bc1f1098df9cd5581f072528f28128e)
---
hw/xfree86/drivers/modesetting/driver.c | 2 +-
hw/xfree86/drivers/modesetting/driver.h | 2 ++
hw/xfree86/drivers/modesetting/drmmode_display.c | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 4f4db67b7..afba8538a 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout)
* the shared pixmap, but not all).
*/
if (ms->drmmode.glamor)
- ms->glamor.finish(screen);
+ glamor_finish(screen);
#endif
/* Ensure the slave processes the damage immediately */
if (timeout)
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 5e4d2509a..c6e7cd0c8 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -158,6 +158,8 @@ typedef struct _modesettingRec {
} modesettingRec, *modesettingPtr;
+#define glamor_finish(screen) ms->glamor.finish(screen)
+
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
modesettingEntPtr ms_ent_priv(ScrnInfoPtr scrn);
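Review bot: The `glamor_finish(screen)` macro expands to `ms->glamor.finish(screen)`, so it silently requires a local named `ms` at every call site, and it reuses the name of a glamor function so an indirect call through a pointer reads like a direct library call. A comment on the macro would make both facts visible, for instance `/* Needs a modesettingPtr named ms in scope; calls through ms->glamor */`. Parenthesising the expansion as `(ms->glamor.finish(screen))` would also keep it safe inside larger expressions. The commit message says the macro exists only to ease a backport, so a note on when it can be dropped would help the next maintainer.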
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 28609db7c..6516fac5f 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool test_only)
#ifdef GLAMOR_HAS_GBM
/* Make sure any pending drawing will be visible in a new scanout buffer */
if (drmmode->glamor)
- ms->glamor.finish(screen);
+ glamor_finish(screen);
#endif
if (ms->atomic_modeset) {
--
2.33.1


@ -1,45 +0,0 @@
From 0e8e24610bd8135ec0855c8a25b903f012eaad1a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 16:20:37 -0700
Subject: [PATCH xserver 09/51] Xext/vidmode: avoid null dereference if
VidModeCreateMode() allocation fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/vidmode.c:96:5: warning[-Wanalyzer-null-argument]: use of NULL VidModeCreateMode() where non-null expected
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 5e62aaaf57b18136969699fd073e123edfb1aa70)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/vidmode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xext/vidmode.c b/Xext/vidmode.c
index 6e4a7c709..2f996e9e9 100644
--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@@ -808,6 +808,8 @@ ProcVidModeModModeLine(ClientPtr client)
return BadValue;
modetmp = VidModeCreateMode();
+ if (modetmp == NULL)
+ return BadAlloc;
VidModeCopyMode(mode, modetmp);
VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
@@ -951,6 +953,8 @@ ProcVidModeValidateModeLine(ClientPtr client)
return BadValue;
modetmp = VidModeCreateMode();
+ if (modetmp == NULL)
+ return BadAlloc;
VidModeCopyMode(mode, modetmp);
VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
--
2.54.0


@ -0,0 +1,67 @@
From 470c77ae761a36c71494285009bc37b2abbefe97 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 16 Dec 2024 16:18:04 +0100
Subject: [PATCH xserver 09/13] dix: Dequeue pending events on frozen device on
removal
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.
As a result, replaying the events will cause a use after free.
To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.
CVE-2025-26600, ZDI-CAN-25871
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/devices.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index e7c74d7b7..11120b70b 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
}
+static void
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
+{
+ QdEventPtr qe, tmp;
+
+ if (!dev->deviceGrab.sync.frozen)
+ return;
+
+ /* Dequeue any frozen pending events */
+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
+ if (qe->device == dev) {
+ xorg_list_del(&qe->next);
+ free(qe);
+ }
+ }
+}
+
/**
* Close down a device and free all resources.
* Once closed down, the driver will probably not expect you that you'll ever
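Review bot: `FreePendingFrozenDeviceEvents()` skips the walk of `syncEvents.pending` whenever `dev->deviceGrab.sync.frozen` is false, so the fix depends on no queued entry ever referring to a device that is not currently frozen. That invariant cannot be confirmed from this hunk; if it does not hold, an entry with `qe->device == dev` would still outlive the `free(dev)` in `CloseDevice()`. Device removal is rare, so dropping the early return and always walking the list costs little; otherwise state the invariant in a comment such as `/* events are only queued for dev while it is frozen */`. The new function also has no header comment, unlike `CloseDevice()` directly below it.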
@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev)
free(dev->last.touches[j].valuators);
free(dev->last.touches);
dev->config_info = NULL;
+ FreePendingFrozenDeviceEvents(dev);
dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
free(dev);
}
--
2.48.1


@ -1,140 +0,0 @@
From e674fb65a6662d1951c9d9fba2df429a04b54881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 15 May 2026 17:47:51 +0200
Subject: [PATCH xserver 9/9] dri2: Deduplicate attachments in do_get_buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It was always the intention of the DRI2 protocol that there's at most
one instance of each attachment, and that's how it was implemented in
Mesa.
Since that wasn't enforced though, there might be other clients in the
wild which (e.g. accidentally) request the same attachment multiple
times. So starting to raise a protocol error in this case now risks
breaking such clients.
Instead, just deduplicate the attachments using a bit-set.
This has a couple of desirable side effects:
* destroy_buffer cannot be called multiple times for the same
DRI2BufferPtr.
* The client cannot cause the server to allocate a buffers array with
more entries than there are attachments (currently 11).
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 339c279514326134b0878fc23ce6e9520440ce7f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2229>
---
hw/xfree86/dri2/dri2.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index fdf15d9a1..6b6a2b9ef 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -560,16 +560,16 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw);
DRI2ScreenPtr ds;
DRI2BufferPtr *buffers;
+ unsigned attachments_bitset = 0;
Bool need_real_front = FALSE;
- Bool have_real_front = FALSE;
Bool need_fake_front = FALSE;
- Bool have_fake_front = FALSE;
int front_format = 0;
int dimensions_match;
int buffers_changed = 0;
int i;
- if (!pPriv) {
+ if (!pPriv ||
+ count > DRI2BufferHiz + 1) {
*width = pDraw->width;
*height = pDraw->height;
*out_count = 0;
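Review bot: The new guard `count > DRI2BufferHiz + 1` bounds `count` from above only. The parameter list of `do_get_buffers` continues outside the hunk, so the type of `count` is not visible here; if it is a signed `int`, a negative value passes this test and reaches `calloc((min(count, DRI2BufferHiz) + 1), ...)` in the next hunk as a zero or an enormous size. Callers may already reject that, but `if (!pPriv || count < 0 || count > DRI2BufferHiz + 1) {` would state the full accepted range at the place where the array size is derived from it.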
@@ -581,7 +581,10 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
dimensions_match = (pDraw->width == pPriv->width)
&& (pDraw->height == pPriv->height);
- buffers = calloc((count + 1), sizeof(buffers[0]));
+ /* Since we deduplicate attachments in the buffers array, there cannot be
+ * more entries than there are attachments.
+ */
+ buffers = calloc((min(count, DRI2BufferHiz) + 1), sizeof(buffers[0]));
if (!buffers)
goto err_out;
@@ -589,6 +592,14 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
const unsigned attachment = *(attachments++);
const unsigned format = (has_format) ? *(attachments++) : 0;
+ if (attachment > DRI2BufferHiz)
+ goto err_out;
+
+ if (attachments_bitset & (1u << attachment))
+ continue;
+
+ attachments_bitset |= 1u << attachment;
+
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, attachment,
format, dimensions_match, &buffers[i]))
buffers_changed = 1;
@@ -608,20 +619,15 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
}
if (attachment == DRI2BufferFrontLeft) {
- have_real_front = TRUE;
front_format = format;
if (pDraw->type == DRAWABLE_WINDOW)
need_fake_front = TRUE;
}
-
- if (pDraw->type == DRAWABLE_WINDOW) {
- if (attachment == DRI2BufferFakeFrontLeft)
- have_fake_front = TRUE;
- }
}
- if (need_real_front && !have_real_front) {
+ if (need_real_front &&
+ !(attachments_bitset & (1u << DRI2BufferFrontLeft))) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -632,7 +638,8 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
i++;
}
- if (need_fake_front && !have_fake_front) {
+ if (need_fake_front &&
+ !(attachments_bitset & (1u << DRI2BufferFakeFrontLeft))) {
if (allocate_or_reuse_buffer(pDraw, ds, pPriv, DRI2BufferFakeFrontLeft,
front_format, dimensions_match,
&buffers[i]))
@@ -642,7 +649,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
goto err_out;
i++;
- have_fake_front = TRUE;
+ attachments_bitset |= 1u << DRI2BufferFakeFrontLeft;
}
*out_count = i;
@@ -654,7 +661,8 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
* contents of the real front-buffer. This ensures correct operation of
* applications that call glXWaitX before calling glDrawBuffer.
*/
- if (have_fake_front && buffers_changed) {
+ if (buffers_changed &&
+ (attachments_bitset & (1u << DRI2BufferFakeFrontLeft))) {
BoxRec box;
RegionRec region;
--
2.54.0


@ -0,0 +1,63 @@
From ae40c508fbd88869157412a1b159c0d71eb1e708 Mon Sep 17 00:00:00 2001
From: Kenneth Graunke <kenneth@whitecape.org>
Date: Thu, 21 Nov 2019 23:03:50 -0800
Subject: [PATCH xserver 09/11] modesetting: Use EGL_MESA_query_driver to
select DRI driver if possible
We now ask Glamor to use EGL_MESA_query_driver to obtain the DRI driver
name; if successful, we use that as the DRI driver name. Following the
existing dri2.c logic, we also use the same name for the VDPAU driver,
except for i965 (and now iris), where we switch to the "va_gl" fallback.
This allows us to bypass the PCI ID lists in xserver and centralize the
driver selection mechanism inside Mesa. The hope is that we no longer
have to update these lists for any future hardware.
(cherry picked from commit 8d4be7f6c4f7c673d7ec1a6bfdef944907a3916e)
---
hw/xfree86/drivers/modesetting/dri2.c | 3 ++-
hw/xfree86/drivers/modesetting/driver.c | 1 +
hw/xfree86/drivers/modesetting/driver.h | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c
index 724d9d34c..255c72cac 100644
--- a/hw/xfree86/drivers/modesetting/dri2.c
+++ b/hw/xfree86/drivers/modesetting/dri2.c
@@ -1076,7 +1076,8 @@ ms_dri2_screen_init(ScreenPtr screen)
info.CopyRegion2 = ms_dri2_copy_region2;
/* Ask Glamor to obtain the DRI driver name via EGL_MESA_query_driver. */
- driver_names[0] = glamor_egl_get_driver_name(screen);
+ if (ms->glamor.egl_get_driver_name)
+ driver_names[0] = ms->glamor.egl_get_driver_name(screen);
if (driver_names[0]) {
/* There is no VDPAU driver for Intel, fallback to the generic
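Review bot: When `ms->glamor.egl_get_driver_name` is NULL the assignment is skipped, and the following `if (driver_names[0])` then tests a value this hunk never sets. That is safe only if `driver_names` is initialised to NULL where it is declared, which is outside the hunk. If it is not, make the fallback explicit with `else driver_names[0] = NULL;`. `ms_dri2_screen_init` begins before this hunk.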
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index afba8538a..08cf6a1b4 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -761,6 +761,7 @@ bind_glamor_api(void *mod, modesettingPtr ms)
ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap");
ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
+ ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name");
}
static void
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index c6e7cd0c8..328a97de1 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -154,6 +154,7 @@ typedef struct _modesettingRec {
CARD32 *);
Bool (*supports_pixmap_import_export)(ScreenPtr);
XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
+ const char *(*egl_get_driver_name)(ScreenPtr);
} glamor;
} modesettingRec, *modesettingPtr;
--
2.33.1


@ -1,38 +0,0 @@
From ae00a059dcfdc8c1de23f8e9310bd140679aba09 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:10:20 -0700
Subject: [PATCH xserver 10/51] Xext/xres: avoid null dereference in
ProcXResQueryClients()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:233:13: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL current_clients
xwayland-24.1.6/redhat-linux-build/../Xext/xres.c:228:23: acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 3da60c96a9c3ea26404313eb490e46847b04949c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xres.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xext/xres.c b/Xext/xres.c
index 7a7aabc9b..4ef8aa04f 100644
--- a/Xext/xres.c
+++ b/Xext/xres.c
@@ -224,6 +224,8 @@ ProcXResQueryClients(ClientPtr client)
REQUEST_SIZE_MATCH(xXResQueryClientsReq);
current_clients = xallocarray(currentMaxClients, sizeof(int));
+ if (current_clients == NULL)
+ return BadAlloc;
num_clients = 0;
for (i = 0; i < currentMaxClients; i++) {
--
2.54.0


@ -0,0 +1,94 @@
From d8271417a5986240f1f81cbe269e0cd07a9104d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Mon, 10 Feb 2020 18:41:44 +0100
Subject: [PATCH xserver 10/11] modesetting: Fix build with glamor disabled
Fixes: cb1b1e184723 "modesetting: Indirect the glamor API through
LoaderSymbol"
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 0cb9fa7949d6c5398de220fbdbe1e262e943fcbb)
---
hw/xfree86/drivers/modesetting/driver.c | 21 +++++++++++++++------
hw/xfree86/drivers/modesetting/driver.h | 3 ++-
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 08cf6a1b4..ce8bac9f5 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -743,9 +743,17 @@ FreeRec(ScrnInfoPtr pScrn)
}
-static void
-bind_glamor_api(void *mod, modesettingPtr ms)
+#ifdef GLAMOR_HAS_GBM
+
+static Bool
+load_glamor(ScrnInfoPtr pScrn)
{
+ void *mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
+ modesettingPtr ms = modesettingPTR(pScrn);
+
+ if (!mod)
+ return FALSE;
+
ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd");
ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler");
ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap");
@@ -762,8 +770,12 @@ bind_glamor_api(void *mod, modesettingPtr ms)
ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name");
+
+ return TRUE;
}
+#endif
+
static void
try_enable_glamor(ScrnInfoPtr pScrn)
{
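Review bot: `load_glamor()` returns TRUE as soon as the module loads, without checking that any `LoaderSymbolFromModule()` lookup succeeded, and `try_enable_glamor()` in the next hunks then calls `ms->glamor.egl_init(pScrn, ms->fd)` straight away. If the loaded module lacks one of these symbols, for example because it comes from a different build, that is a call through a NULL pointer and the server crashes instead of falling back. A guard before `return TRUE` for the entries that are called unconditionally, such as `if (!ms->glamor.egl_init || !ms->glamor.init) return FALSE;`, would turn that into a clean failure. In the hunks shown on this page only `egl_get_driver_name` is tested for NULL by its caller; the function body spans this hunk and the previous one.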
@@ -772,7 +784,6 @@ try_enable_glamor(ScrnInfoPtr pScrn)
OPTION_ACCEL_METHOD);
Bool do_glamor = (!accel_method_str ||
strcmp(accel_method_str, "glamor") == 0);
- void *mod;
ms->drmmode.glamor = FALSE;
@@ -787,9 +798,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
return;
}
- mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
- if (mod) {
- bind_glamor_api(mod, ms);
+ if (load_glamor(pScrn)) {
if (ms->glamor.egl_init(pScrn, ms->fd)) {
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 328a97de1..261f1aac4 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -132,6 +132,7 @@ typedef struct _modesettingRec {
void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
} shadow;
+#ifdef GLAMOR_HAS_GBM
/* glamor API */
struct {
Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16,
@@ -156,7 +157,7 @@ typedef struct _modesettingRec {
XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
const char *(*egl_get_driver_name)(ScreenPtr);
} glamor;
-
+#endif
} modesettingRec, *modesettingPtr;
#define glamor_finish(screen) ms->glamor.finish(screen)
--
2.33.1


@ -0,0 +1,69 @@
From 7f7f51e8907b14c6654944e0e321f15e256b34e7 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 16:52:01 +0100
Subject: [PATCH xserver 10/13] sync: Do not let sync objects uninitialized
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index fd2ceb042..e55295904 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -329,11 +329,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
client->errorValue = syncObject;
return rc;
}
- if (pSync != pTrigger->pSync) { /* new counter for trigger */
- SyncDeleteTriggerFromSyncObject(pTrigger);
- pTrigger->pSync = pSync;
- newSyncObject = TRUE;
- }
}
/* if system counter, ask it what the current value is */
@@ -401,6 +396,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
+ if (changes & XSyncCACounter) {
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
+ SyncDeleteTriggerFromSyncObject(pTrigger);
+ pTrigger->pSync = pSync;
+ newSyncObject = TRUE;
+ }
+ }
+
/* we wait until we're sure there are no errors before registering
* a new counter on a trigger
*/
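Review bot: The relocated `if (changes & XSyncCACounter)` block has no comment saying why it must sit at this point, and the fix depends entirely on that placement. A later edit that adds an error return below it, or moves it back up, would again leave the trigger detached from its old sync object without being attached to the new one. I would add a comment above it such as `/* Detach from the old sync object only after every check that can return an error (CVE-2025-26601) */`. SyncInitTrigger() starts and ends outside this hunk, so whether anything after this block can still fail is not visible here.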
--
2.48.1


@ -1,38 +0,0 @@
From 63511dd097c5ff8e57f34c4f8b0af8e441c0ac3c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:19:05 -0700
Subject: [PATCH xserver 11/51] Xext/xselinux: add fast path to
ProcSELinuxListSelections()
If there's nothing to send, skip over a bunch of code to make a list
that won't be used, and hopefully make the code path clearer to both
humans and static analyzers, who raise errors as seen in #1817 of
dereferencing NULL pointers when count == 0.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d34243606c8d7a01108827ad1ca3216bf81a119d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xselinux_ext.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index 1395a563b..9784dca4e 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -452,8 +452,10 @@ ProcSELinuxListSelections(ClientPtr client)
count = 0;
for (pSel = CurrentSelections; pSel; pSel = pSel->next)
count++;
+ if (count == 0)
+ return SELinuxSendItemsToClient(client, NULL, 0, 0);
items = calloc(count, sizeof(SELinuxListItemRec));
- if (count && !items)
+ if (!items)
return BadAlloc;
/* Fill in the items and calculate size */
--
2.54.0


@ -0,0 +1,33 @@
From 55fb707d037004e001623a0d066f748d8ba48d48 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 23 Nov 2021 12:19:48 +0100
Subject: [PATCH xserver 11/11] modesetting: set gbm as dependency for
autotools
Same as commit 9d628ee5f for automake.
Modifiers support needs gbm as a dependency. Without setting the dependency
included headers are not found reliably and the build might fail if the
headers are not placed in the default system include paths.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
---
hw/xfree86/drivers/modesetting/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/Makefile.am b/hw/xfree86/drivers/modesetting/Makefile.am
index 961c57408..ac5091be3 100644
--- a/hw/xfree86/drivers/modesetting/Makefile.am
+++ b/hw/xfree86/drivers/modesetting/Makefile.am
@@ -41,7 +41,7 @@ AM_CPPFLAGS = \
modesetting_drv_la_LTLIBRARIES = modesetting_drv.la
modesetting_drv_la_LDFLAGS = -module -avoid-version
-modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS)
+modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS) $(GBM_LIBS)
modesetting_drv_ladir = @moduledir@/drivers
modesetting_drv_la_SOURCES = \
--
2.33.1


@ -0,0 +1,83 @@
From a4c19259fca5af558fb27d8fa98f2ad4a3689d56 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 16:54:30 +0100
Subject: [PATCH xserver 11/13] sync: Check values before applying changes
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f52cea2f93a0c891494eb3334894442a92368030)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index e55295904..66a52283d 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -350,6 +350,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
+ if (changes & (XSyncCAValueType | XSyncCAValue)) {
+ if (pTrigger->value_type == XSyncAbsolute)
+ pTrigger->test_value = pTrigger->wait_value;
+ else { /* relative */
+ Bool overflow;
+
+ if (pCounter == NULL)
+ return BadMatch;
+
+ overflow = checked_int64_add(&pTrigger->test_value,
+ pCounter->value, pTrigger->wait_value);
+ if (overflow) {
+ client->errorValue = pTrigger->wait_value >> 32;
+ return BadValue;
+ }
+ }
+ }
+
if (changes & XSyncCATestType) {
if (pSync && SYNC_FENCE == pSync->type) {
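Review bot: The relocated value block still writes into the caller's trigger before validation is finished: the absolute branch assigns `pTrigger->test_value` directly, and the relative branch passes `&pTrigger->test_value` to `checked_int64_add()`. On the `BadValue` path the field may therefore already hold a wrapped sum, depending on how the helper treats its output on overflow. The `XSyncCATestType` block that now follows presumably can also reject the request after `test_value` has changed; its body is mostly outside the hunk. Computing into a local, `overflow = checked_int64_add(&test_value, pCounter->value, pTrigger->wait_value);`, and assigning `pTrigger->test_value = test_value;` only after the test-type check would keep the trigger untouched on every error return.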
@@ -378,24 +396,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
- if (changes & (XSyncCAValueType | XSyncCAValue)) {
- if (pTrigger->value_type == XSyncAbsolute)
- pTrigger->test_value = pTrigger->wait_value;
- else { /* relative */
- Bool overflow;
-
- if (pCounter == NULL)
- return BadMatch;
-
- overflow = checked_int64_add(&pTrigger->test_value,
- pCounter->value, pTrigger->wait_value);
- if (overflow) {
- client->errorValue = pTrigger->wait_value >> 32;
- return BadValue;
- }
- }
- }
-
if (changes & XSyncCACounter) {
if (pSync != pTrigger->pSync) { /* new counter for trigger */
SyncDeleteTriggerFromSyncObject(pTrigger);
--
2.48.1


@ -1,51 +0,0 @@
From 50aa84b64bb9c38b4b67a00221ca6ae5e00808cc Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:26:47 -0700
Subject: [PATCH xserver 12/51] Xext/xselinux: avoid memory leak in
SELinuxAtomToSID()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: warning[-Wanalyzer-malloc-leak]: leak of rec
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:133:1: enter_function: entry to SELinuxAtomToSID
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:141:15: acquire_memory: allocated here
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:69:12: branch_true: following true branch...
xwayland-24.1.6/redhat-linux-build/../Xext/xselinux_label.c:142:13: danger: rec leaks here; was allocated at [(2)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/1)
# 140| if (!rec) {
# 141| rec = calloc(1, sizeof(SELinuxAtomRec));
# 142|-> if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec))
# 143| return BadAlloc;
# 144| }
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 21cbc56c43af04a72ee2d77023194f436027eb4d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xselinux_label.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Xext/xselinux_label.c b/Xext/xselinux_label.c
index 8559385b9..774f1d9cc 100644
--- a/Xext/xselinux_label.c
+++ b/Xext/xselinux_label.c
@@ -138,8 +138,12 @@ SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec ** obj_rtn)
rec = SELinuxArrayGet(&arr_atoms, atom);
if (!rec) {
rec = calloc(1, sizeof(SELinuxAtomRec));
- if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec))
+ if (!rec)
return BadAlloc;
+ if (!SELinuxArraySet(&arr_atoms, atom, rec)) {
+ free(rec);
+ return BadAlloc;
+ }
}
if (prop) {
--
2.54.0


@ -0,0 +1,50 @@
From 7537745b5fe63d7e43d692bfa86f93259d522c80 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 17:06:07 +0100
Subject: [PATCH xserver 12/13] sync: Do not fail SyncAddTriggerToSyncObject()
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 8cbc90c8817306af75a60f494ec9dbb1061e50db)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 66a52283d..8def4adbf 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
return Success;
}
- if (!(pCur = malloc(sizeof(SyncTriggerList))))
- return BadAlloc;
+ /* Failure is not an option, it's succeed or burst! */
+ pCur = XNFalloc(sizeof(SyncTriggerList));
pCur->pTrigger = pTrigger;
pCur->next = pTrigger->pSync->pTriglist;
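Review bot: The comment added above `XNFalloc()` does not say why aborting is preferred, and `SyncAddTriggerToSyncObject()` keeps its status return even though the call in the SyncInitTrigger hunk below now discards it. I would word the comment as `/* Must not fail: callers have already committed their trigger changes, so abort instead of returning BadAlloc */` and make the discarded result explicit with `(void) SyncAddTriggerToSyncObject(pTrigger);`. The function's header comment should also record that an allocation failure here now terminates the server instead of returning an error to one client. Other callers are outside the hunks and may still test the return value.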
@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
* a new counter on a trigger
*/
if (newSyncObject) {
- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
- return rc;
+ SyncAddTriggerToSyncObject(pTrigger);
}
else if (pCounter && IsSystemCounter(pCounter)) {
SyncComputeBracketValues(pCounter);
--
2.48.1


@ -1,54 +0,0 @@
From 3612d6af9cb75895137e89302b633e730171a4d6 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 Oct 2025 17:38:32 -0700
Subject: [PATCH xserver 13/51] Xext/xtest: avoid null dereference in
ProcXTestFakeInput()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:383:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:395:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:426:14: danger: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:440:9: warning[-Wanalyzer-null-dereference]: dereference of NULL dev
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:348:9: release_memory: dev is NULL
xwayland-24.1.6/redhat-linux-build/../Xext/xtest.c:440:9: danger: dereference of NULL dev
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 04ef51dae63dc9ef3d28f7d0b78b4504dbb01f66)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xext/xtest.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xext/xtest.c b/Xext/xtest.c
index 3b66224be..fe3a868a4 100644
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@@ -318,6 +318,10 @@ ProcXTestFakeInput(ClientPtr client)
return BadAccess;
dev = GetXTestDevice(dev);
+
+ /* This can only happen if we passed a slave to GetXTestDevice() */
+ if (!dev)
+ return BadAccess;
}
--
2.54.0


@ -0,0 +1,131 @@
From e7bca6a0933b6f0c1568cbe770740c48626f30be Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 17:10:31 +0100
Subject: [PATCH xserver 13/13] sync: Apply changes last in
SyncChangeAlarmAttributes()
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 8def4adbf..e2f2c2774 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -799,8 +799,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
int status;
XSyncCounter counter;
Mask origmask = mask;
+ SyncTrigger trigger;
+ Bool select_events_changed = FALSE;
+ Bool select_events_value = FALSE;
+ int64_t delta;
- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
+ trigger = pAlarm->trigger;
+ delta = pAlarm->delta;
+ counter = trigger.pSync ? trigger.pSync->id : None;
while (mask) {
int index2 = lowbit(mask);
@@ -816,24 +822,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
case XSyncCAValueType:
mask &= ~XSyncCAValueType;
/* sanity check in SyncInitTrigger */
- pAlarm->trigger.value_type = *values++;
+ trigger.value_type = *values++;
break;
case XSyncCAValue:
mask &= ~XSyncCAValue;
- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+ trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
values += 2;
break;
case XSyncCATestType:
mask &= ~XSyncCATestType;
/* sanity check in SyncInitTrigger */
- pAlarm->trigger.test_type = *values++;
+ trigger.test_type = *values++;
break;
case XSyncCADelta:
mask &= ~XSyncCADelta;
- pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
+ delta = ((int64_t)values[0] << 32) | values[1];
values += 2;
break;
@@ -843,10 +849,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
client->errorValue = *values;
return BadValue;
}
- status = SyncEventSelectForAlarm(pAlarm, client,
- (Bool) (*values++));
- if (status != Success)
- return status;
+ select_events_value = (Bool) (*values++);
+ select_events_changed = TRUE;
break;
default:
@@ -855,25 +859,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
}
}
+ if (select_events_changed) {
+ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
+ if (status != Success)
+ return status;
+ }
+
/* "If the test-type is PositiveComparison or PositiveTransition
* and delta is less than zero, or if the test-type is
* NegativeComparison or NegativeTransition and delta is
* greater than zero, a Match error is generated."
*/
if (origmask & (XSyncCADelta | XSyncCATestType)) {
- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
- (pAlarm->trigger.test_type == XSyncPositiveTransition))
- && pAlarm->delta < 0)
+ if ((((trigger.test_type == XSyncPositiveComparison) ||
+ (trigger.test_type == XSyncPositiveTransition))
+ && delta < 0)
||
- (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
- (pAlarm->trigger.test_type == XSyncNegativeTransition))
- && pAlarm->delta > 0)
+ (((trigger.test_type == XSyncNegativeComparison) ||
+ (trigger.test_type == XSyncNegativeTransition))
+ && delta > 0)
) {
return BadMatch;
}
}
/* postpone this until now, when we're sure nothing else can go wrong */
+ pAlarm->delta = delta;
+ pAlarm->trigger = trigger;
if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
origmask & XSyncCAAllTrigger)) != Success)
return status;
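Review bot: `SyncEventSelectForAlarm()` now runs right after the parsing loop, ahead of the delta/test-type check that can still return `BadMatch`. A request rejected by that check therefore leaves the event selection changed, which is the kind of partial update this commit sets out to remove. Moving the `if (select_events_changed) { ... }` block below the `BadMatch` test and above `pAlarm->delta = delta;` would keep it ahead of the commit while still letting its own failure abort cleanly. Separately, `pAlarm->delta` and `pAlarm->trigger` are assigned before `SyncInitTrigger()`, whose status is still checked, so the "nothing else can go wrong" comment overstates the guarantee; `/* commit parsed values; SyncInitTrigger() may still reject them */` would be more accurate. The function begins and ends outside these hunks.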
--
2.48.1


@ -1,91 +0,0 @@
From 826550e2cfd8a033c4a16dffdd852f2115e7331f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 15:38:35 -0700
Subject: [PATCH xserver 14/51] Xi: avoid null dereference if
wOtherInputMasks() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1390:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:1404:13:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:2293:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3244:22:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../Xi/exevents.c:3338:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL 0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7b7bcf92311db87a0292474dcf2ed9767f4a9abd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/exevents.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 1930089d3..7249f492c 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -1331,6 +1331,7 @@ RetrieveTouchDeliveryData(DeviceIntPtr dev, TouchPointInfoPtr ti,
else
evtype = GetXI2Type(ev->any.type);
+ BUG_RETURN_VAL(!wOtherInputMasks(*win), FALSE);
nt_list_for_each_entry(iclients,
wOtherInputMasks(*win)->inputClients, next)
if (xi2mask_isset(iclients->xi2mask, dev, evtype))
@@ -1345,6 +1346,7 @@ RetrieveTouchDeliveryData(DeviceIntPtr dev, TouchPointInfoPtr ti,
int xi_type = GetXIType(TouchGetPointerEventType(ev));
Mask xi_filter = event_get_filter_from_type(dev, xi_type);
+ BUG_RETURN_VAL(!wOtherInputMasks(*win), FALSE);
nt_list_for_each_entry(iclients,
wOtherInputMasks(*win)->inputClients, next)
if (iclients->mask[dev->id] & xi_filter)
@@ -2974,13 +2976,18 @@ DeviceEventSuppressForWindow(WindowPtr pWin, ClientPtr client, Mask mask,
inputMasks->dontPropagateMask[maskndx] = mask;
}
else {
- if (!inputMasks)
- AddExtensionClient(pWin, client, 0, 0);
- inputMasks = wOtherInputMasks(pWin);
+ if (!inputMasks) {
+ int ret = AddExtensionClient(pWin, client, 0, 0);
+
+ if (ret != Success)
+ return ret;
+ inputMasks = wOtherInputMasks(pWin);
+ BUG_RETURN_VAL(!inputMasks, BadAlloc);
+ }
inputMasks->dontPropagateMask[maskndx] = mask;
}
RecalculateDeviceDeliverableEvents(pWin);
- if (ShouldFreeInputMasks(pWin, FALSE))
+ if (inputMasks && ShouldFreeInputMasks(pWin, FALSE))
FreeResource(inputMasks->inputClients->resource, RT_NONE);
return Success;
}
@@ -3075,6 +3082,7 @@ XISetEventMask(DeviceIntPtr dev, WindowPtr win, ClientPtr client,
if (len && !others) {
if (AddExtensionClient(win, client, 0, 0) != Success)
return BadAlloc;
+ BUG_RETURN_VAL(!wOtherInputMasks(win), BadAlloc);
others = wOtherInputMasks(win)->inputClients;
}
--
2.54.0


@ -1,43 +0,0 @@
From 5eeb67f1d806c25ef31d2110b21644a59de83815 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:12:29 -0700
Subject: [PATCH xserver 15/51] Xi: set value for led_values in
CopySwapKbdFeedback()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(The existing setting of led_mask is probably wrong, but has been set
like this since X11R5 and going back as far as the first version in
the X Consortium source control archives.)
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getfctl.c:108:9:
warning[-Wanalyzer-use-of-uninitialized-value]:
use of uninitialized value *k2.led_values
108|-> swapl(&k2->led_values);
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 90c8429d3509894f8834ead3b15f2e76657e57a6)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/getfctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xi/getfctl.c b/Xi/getfctl.c
index eea0113c1..61f14c5ea 100644
--- a/Xi/getfctl.c
+++ b/Xi/getfctl.c
@@ -97,6 +97,7 @@ CopySwapKbdFeedback(ClientPtr client, KbdFeedbackPtr k, char **buf)
k2->pitch = k->ctrl.bell_pitch;
k2->duration = k->ctrl.bell_duration;
k2->led_mask = k->ctrl.leds;
+ k2->led_values = k->ctrl.leds;
k2->global_auto_repeat = k->ctrl.autoRepeat;
for (i = 0; i < 32; i++)
k2->auto_repeats[i] = k->ctrl.autoRepeats[i];
--
2.54.0


@ -1,41 +0,0 @@
From f9d3537883522255d5fa91ea8b63c745286232ee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:32:45 -0700
Subject: [PATCH xserver 16/51] Xi: handle allocation failure in
ProcXGetDeviceDontPropagateList()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:163:25:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL buf
xwayland-24.1.6/redhat-linux-build/../Xi/getprop.c:121:19:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7b18313e2a9d0409ac7465d2f313153013fdf5a3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/getprop.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xi/getprop.c b/Xi/getprop.c
index b744f35cb..b53db7306 100644
--- a/Xi/getprop.c
+++ b/Xi/getprop.c
@@ -119,6 +119,8 @@ ProcXGetDeviceDontPropagateList(ClientPtr client)
if (count) {
rep.count = count;
buf = xallocarray(rep.count, sizeof(XEventClass));
+ if (buf == NULL)
+ return BadAlloc;
rep.length = bytes_to_int32(rep.count * sizeof(XEventClass));
tbuf = buf;
--
2.54.0


@ -1,43 +0,0 @@
From 4c5a0e203feaae43134264bb3a999453d6f09a2c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:37:48 -0700
Subject: [PATCH xserver 17/51] Xi: handle allocation failure in
ProcXListInputDevices()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:171:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL dev
xwayland-24.1.6/redhat-linux-build/../Xi/listdev.c:379:23:
acquire_memory: this call could return NULL
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 19c6195e711d9f9fabbde1bea7a6393c4a4c3cd3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/listdev.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Xi/listdev.c b/Xi/listdev.c
index c15e61b37..5b860e92c 100644
--- a/Xi/listdev.c
+++ b/Xi/listdev.c
@@ -377,6 +377,10 @@ ProcXListInputDevices(ClientPtr client)
/* allocate space for reply */
total_length = numdevs * sizeof(xDeviceInfo) + size + namesize;
devbuf = (char *) calloc(1, total_length);
+ if (!devbuf) {
+ free(skip);
+ return BadAlloc;
+ }
classbuf = devbuf + (numdevs * sizeof(xDeviceInfo));
namebuf = classbuf + size;
savbuf = devbuf;
--
2.54.0


@ -1,39 +0,0 @@
From d3db315eb5fff0933c16e772081754ee02b48938 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 5 Oct 2025 17:52:39 -0700
Subject: [PATCH xserver 18/51] Xi: handle allocation failure in
add_master_func()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../Xi/xibarriers.c:729:5:
warning[-Wanalyzer-null-dereference]:
dereference of NULL AllocBarrierDevice()
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0ee603905387e00a2e3d83ead1de99ca61d641fb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
Xi/xibarriers.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index cb336f22b..ad82852fe 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -726,6 +726,8 @@ static void add_master_func(void *res, XID id, void *devid)
pbd = AllocBarrierDevice();
+ if (!pbd)
+ return;
pbd->deviceid = *deviceid;
input_lock();
--
2.54.0


@ -1,39 +0,0 @@
From 4f68278ca74892098c6600adc3e6d8901682793e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 12:59:04 -0700
Subject: [PATCH xserver 19/51] dix: handle allocation failure in
DeviceFocusEvent()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/enterleave.c:786:5:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL xi2event
Fixes: 3f37923a7 ("Xi: send XI2 focus events." in Xorg 1.10.0)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit dedceb52bcbba2431368b53acbbba490ac8ee485)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/enterleave.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 78a7dab39..df3ffd224 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -774,6 +774,7 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
len = sizeof(xXIFocusInEvent) + btlen * 4;
xi2event = calloc(1, len);
+ BUG_RETURN(xi2event == NULL);
xi2event->type = GenericEvent;
xi2event->extension = IReqCode;
xi2event->evtype = type;
--
2.54.0


@ -1,54 +0,0 @@
From 69599f57afd64ff1289dbbd29e5e108435b7ffc2 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 16:16:12 -0700
Subject: [PATCH xserver 20/51] dix: avoid null dereference if
wOtherInputMasks() returns NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The wOtherInputMasks(win) macro will return NULL if
win->optional is NULL.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/gestures.c:242:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:765:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
xwayland-24.1.6/redhat-linux-build/../dix/touch.c:782:9:
warning[-Wanalyzer-null-dereference]: dereference of NULL inputMasks
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 15496a5e3d5407a2b480d8c726b012455f7898bb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/touch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/touch.c b/dix/touch.c
index 37902bd05..5c5c21303 100644
--- a/dix/touch.c
+++ b/dix/touch.c
@@ -797,6 +797,8 @@ TouchAddRegularListener(DeviceIntPtr dev, TouchPointInfoPtr ti,
inputMasks = wOtherInputMasks(win);
if (mask & EVENT_XI2_MASK) {
+ BUG_RETURN_VAL(!inputMasks, FALSE);
+
nt_list_for_each_entry(iclients, inputMasks->inputClients, next) {
if (!xi2mask_isset(iclients->xi2mask, dev, evtype))
continue;
@@ -814,6 +816,8 @@ TouchAddRegularListener(DeviceIntPtr dev, TouchPointInfoPtr ti,
int xitype = GetXIType(TouchGetPointerEventType(ev));
Mask xi_filter = event_get_filter_from_type(dev, xitype);
+ BUG_RETURN_VAL(!inputMasks, FALSE);
+
nt_list_for_each_entry(iclients, inputMasks->inputClients, next) {
if (!(iclients->mask[dev->id] & xi_filter))
continue;
--
2.54.0


@ -1,62 +0,0 @@
From 98988e606948fb88290fe51ab8aed599c2dc7b42 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 18:26:55 -0700
Subject: [PATCH xserver 21/51] dix: assert that size of buffers to swap is a
multiple of the swap size
If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
warning[-Wanalyzer-allocation-size]:
allocated buffer size is not a multiple of the pointee's size
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit cf49354b6060b71ae41febe67327278fbcb7c74a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/swaprep.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dix/swaprep.c b/dix/swaprep.c
index 08344d7f7..04279e5f4 100644
--- a/dix/swaprep.c
+++ b/dix/swaprep.c
@@ -48,6 +48,8 @@ SOFTWARE.
#include <dix-config.h>
#endif
+#include <assert.h>
+
#include <X11/X.h>
#include <X11/Xproto.h>
#include "misc.h"
@@ -95,6 +97,8 @@ CopySwap32Write(ClientPtr pClient, int size, CARD32 *pbuf)
CARD32 *from, *to, *fromLast, *toLast;
CARD32 tmpbuf[1];
+ assert((bufsize % sizeof(CARD32)) == 0);
+
/* Allocate as big a buffer as we can... */
while (!(pbufT = malloc(bufsize))) {
bufsize >>= 1;
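Review bot: The added `assert((bufsize % sizeof(CARD32)) == 0);` checks only the initial size. The allocation loop directly below halves `bufsize` after each failed `malloc()`, so a multiple of four such as 12 becomes 6 and the asserted property no longer holds for the buffer actually used. The assert also disappears in builds that define `NDEBUG`, and where it is active it aborts the whole server rather than failing one request, which matters if the size can be influenced by request data (not visible in this hunk). I would at least state the limit next to it, `/* debug-only: checks the caller's size, not the halved fallback sizes below */`, and consider an explicit runtime check instead. The same applies to the `sizeof(short)` assert in the CopySwap16Write hunk; both function bodies continue outside the hunks.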
@@ -142,6 +146,8 @@ CopySwap16Write(ClientPtr pClient, int size, short *pbuf)
short *from, *to, *fromLast, *toLast;
short tmpbuf[2];
+ assert((bufsize % sizeof(short)) == 0);
+
/* Allocate as big a buffer as we can... */
while (!(pbufT = malloc(bufsize))) {
bufsize >>= 1;
--
2.54.0


@ -1,42 +0,0 @@
From 28c7d5470a1d4241594d2629952427767e3b88ce Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 12 Oct 2025 09:48:15 -0700
Subject: [PATCH xserver 22/51] dix: handle allocation failure in
ChangeWindowDeviceCursor()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dix/window.c:3495:9:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL pNewNode
xwayland-24.1.6/redhat-linux-build/../dix/window.c:3494:20:
acquire_memory: this call could return NULL
Fixes: 95e1a8805 ("Xi: Adding ChangeDeviceCursor request" in xorg 1.10.0)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c9fa8a8da161e1c37058a342ba5495ce627d0985)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
---
dix/window.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dix/window.c b/dix/window.c
index 8789a5ece..219e8c470 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -3510,6 +3510,8 @@ ChangeWindowDeviceCursor(WindowPtr pWin, DeviceIntPtr pDev, CursorPtr pCursor)
return Success;
pNewNode = malloc(sizeof(DevCursNodeRec));
+ if (!pNewNode)
+ return BadAlloc;
pNewNode->dev = pDev;
pNewNode->next = pWin->optional->deviceCursors;
pWin->optional->deviceCursors = pNewNode;
--
2.54.0


@ -1,42 +0,0 @@
From 6fda4afcb9f5ebcaa7ebb91a4e55a19c4a64cf4d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Aug 2025 11:20:01 -0700
Subject: [PATCH xserver 23/51] xfree86: Fix builds with gcc -Wpedantic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
../hw/xfree86/loader/loadmod.c:85:33: warning: ISO C forbids empty
initializer braces before C23 [-Wpedantic]
85 | static int ModuleDuplicated[] = { };
| ^
../hw/xfree86/loader/loadmod.c:85:12: error: zero or negative size array
ModuleDuplicated
85 | static int ModuleDuplicated[] = { };
| ^~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d03c84b57f1455b20518781026777b938194b2a4)
(cherry picked from commit 3e0f37c95c92829e338a910379440ba9b4f4170d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/loader/loadmod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index 342c7b800..6f7c6d93c 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -82,7 +82,7 @@ const ModuleVersions LoaderVersionInfo = {
ABI_EXTENSION_VERSION,
};
-static int ModuleDuplicated[] = { };
+static int ModuleDuplicated[] = { 0 };
static void
FreeStringList(char **paths)
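Review bot: `ModuleDuplicated[]` goes from zero elements to one, and nothing on the line says that the `0` is only there to satisfy ISO C. Any code that derives a count from the array (not visible in this hunk) would now see one entry, so it is worth confirming that a value of 0 is harmless there. I would add a comment such as `/* placeholder element: ISO C before C23 forbids an empty initializer */`.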
--
2.54.0


@ -1,52 +0,0 @@
From 82a58016e202f10e87b2d629f6ae3a6bcfca80cb Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 7 Dec 2025 15:57:53 -0800
Subject: [PATCH xserver 24/51] dix: set errorValue correctly when XID lookup
fails in ChangeGCXIDs()
dixLookupResourceByType always overwrites the pointer passed in as the
first arg, so we shouldn't use the union it's in after that to get the
requested XID value to put in the errorValue.
Closes: #1857
Fixes: 2d7eb4a19 ("Pre-validate ChangeGC XIDs.")
Reported-by: Mouse <mouse@Rodents-Montreal.ORG>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ac42c39145849588544ad10812e5a8ae76bf1114)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
dix/gc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/dix/gc.c b/dix/gc.c
index 4ccbd3b54..717998cfd 100644
--- a/dix/gc.c
+++ b/dix/gc.c
@@ -441,6 +441,7 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
vals[i].val = pC32[i];
for (i = 0; i < ARRAY_SIZE(xidfields); ++i) {
int offset, rc;
+ XID id;
if (!(mask & xidfields[i].mask))
continue;
@@ -449,11 +450,13 @@ ChangeGCXIDs(ClientPtr client, GC * pGC, BITS32 mask, CARD32 *pC32)
vals[offset].ptr = NullPixmap;
continue;
}
- rc = dixLookupResourceByType(&vals[offset].ptr, vals[offset].val,
+ /* save the id, since dixLookupResourceByType overwrites &vals[offset] */
+ id = vals[offset].val;
+ rc = dixLookupResourceByType(&vals[offset].ptr, id,
xidfields[i].type, client,
xidfields[i].access_mode);
if (rc != Success) {
- client->errorValue = vals[offset].val;
+ client->errorValue = id;
return rc;
}
}
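Review bot: The new comment says dixLookupResourceByType overwrites `&vals[offset]`, but what is written is the `.ptr` member passed as the first argument, which per the commit message shares a union with `.val`; the address itself is untouched. I would word it as `/* save the id: the lookup stores into vals[offset].ptr, which aliases .val */` so the reason for the copy is clear to the next reader. `id` is declared in the previous hunk, and ChangeGCXIDs starts and ends outside both hunks.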
--
2.54.0


@ -1,40 +0,0 @@
From 1542f1bb8de1d4ccd32047a15740c8dd1002502b Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 17 Dec 2025 11:52:16 +0300
Subject: [PATCH xserver 25/51] os: avoid closing null fd at Fopen
In `Fopen` function variable `iop` may store NULL as a result of `fopen`
call. In this case, if later privileges couldn't be restored (`seteuid`
call fails), further `fclose(iop)` call will cause runtime error.
This commit adds check `iop` for NULL before calling `fclose` to prevent
potential NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit f83807647e171def9244a7f1d8d9af8e8e79f847)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
os/utils.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/os/utils.c b/os/utils.c
index 2ba1c8013..0a9f36fcd 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -1589,7 +1589,9 @@ Fopen(const char *file, const char *type)
iop = fopen(file, type);
if (seteuid(euid) == -1) {
- fclose(iop);
+ if (iop) {
+ fclose(iop);
+ }
return NULL;
}
return iop;
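Review bot: When `seteuid(euid)` fails, the function returns NULL exactly as it would for a failed `fopen`, so the caller cannot tell that the process was left with an effective uid it did not expect. That state matters more than the missing file, because everything that runs afterwards does so with different privileges than the code assumes. At minimum log it before returning, e.g. `ErrorF("Fopen: failed to restore effective uid\n");`, and consider whether the server should continue at all. How the euid was changed before the `fopen` call is outside the hunk, so this should be confirmed against the full function.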
--
2.54.0


@ -1,50 +0,0 @@
From 7ad37a32bc5ad5d385bfd65755d58f10f1c10013 Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Thu, 5 Feb 2026 16:07:43 +0300
Subject: [PATCH xserver 26/51] render: fix multiple mem leaks on err paths
Free nested allocations when initialization fails.
Several code paths returned early on error without releasing
memory owned by embedded structures, leading to leaks.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 809402414e4b84ad5c084221c7b4da9bd2c5d55d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
render/picture.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/render/picture.c b/render/picture.c
index a53f3b560..f6729eaef 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -911,6 +911,7 @@ CreateLinearGradientPicture(Picture pid, xPointFixed * p1, xPointFixed * p2,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
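Review bot: The same two-line cleanup, `free(pPicture->pSourcePict); free(pPicture);`, is now repeated in the error path of CreateLinearGradientPicture and in the CreateRadialGradientPicture and CreateConicalGradientPicture hunks below. A small static helper (say `static void free_source_picture(PicturePtr p)`) would keep the three paths in sync the next time an owned member is added. A one-line comment should also state whether `initGradient` releases anything it allocated itself before setting `*error`, since that cannot be seen from these hunks.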
@@ -956,6 +957,7 @@ CreateRadialGradientPicture(Picture pid, xPointFixed * inner,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
@@ -994,6 +996,7 @@ CreateConicalGradientPicture(Picture pid, xPointFixed * center, xFixed angle,
initGradient(pPicture->pSourcePict, nStops, stops, colors, error);
if (*error) {
+ free(pPicture->pSourcePict);
free(pPicture);
return 0;
}
--
2.54.0


@ -1,52 +0,0 @@
From d977ac58df2837014b4b1745113d03937cf6bf2f Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 17 Dec 2025 11:15:27 +0300
Subject: [PATCH xserver 27/51] dix: avoid null ptr deref at
doListFontsAndAliases
In the `doListFontsAndAliases` function in dixfonts.c, when a font alias
is encountered (`err == FontNameAlias`) as a result of
`list_next_font_or_alias` call, the code allocates memory for
`resolved` variable (`resolvedlen + 1` bytes) for storing target font
name. In this case, if the `malloc(resolvedlen + 1)` call fails,
`resolved` remains NULL.
Later, when check (`else if (err == FontNameAlias)`) is TRUE, the code
uses `memcpy` to copy nullable `resolved` into `tmp_pattern` without
checking if `resolved` is NULL, so there is a potential null ptr
dereference.
This commit replaces `malloc` with `XNFalloc` for allocating memory for
`resolved`. `XNFalloc` checks the result of `malloc` internally and stops
program execution if the allocation fails, preventing a potential NULL
dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
(cherry picked from commit 0237462d326c78868c83b6eda35a9d35725f3b33)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
dix/dixfonts.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index b079dcf67..553f4d7d4 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -639,9 +639,8 @@ doListFontsAndAliases(ClientPtr client, LFclosurePtr c)
}
if (err == FontNameAlias) {
free(resolved);
- resolved = malloc(resolvedlen + 1);
- if (resolved)
- memmove(resolved, tmpname, resolvedlen + 1);
+ resolved = XNFalloc(resolvedlen + 1);
+ memcpy(resolved, tmpname, resolvedlen + 1);
}
}
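Review bot: Switching to `XNFalloc(resolvedlen + 1)` turns an allocation failure into termination of the whole server, as the commit message itself describes, where the old code left `resolved` NULL and carried on. If `resolvedlen` depends on font names that a client can influence, one request under memory pressure now ends every client's session. Keeping `malloc` and failing only this request, e.g. `if (!resolved) { err = AllocError; break; }`, would contain the failure. The exact exit path has to match the surrounding loop, which lies outside the hunk.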
--
2.54.0


@ -1,59 +0,0 @@
From 361a7e40f294e471d4b2f9bfb7a250fb84d8564b Mon Sep 17 00:00:00 2001
From: hongao <hongao@uniontech.com>
Date: Wed, 15 May 2024 14:35:23 +0800
Subject: [PATCH xserver 28/51] randr: clear primary screen's primaryOutput
when the output is deleted
This fixes a use-after-free when a pluggable GPU screen (such as DisplayLink) was set as the primary screen and then unplugged.
was set as primary screen and unpluged.
gdb backtrace:
#0 OssigHandler (signo=11, sip=0x7fff2e0a50f0, unused=0x7fff2e0a4fc0) at ../../../../os/osinit.c:138
#1 <signal handler called>
#2 rrGetscreenResources (client=0x3195160, query=0) at ../../../../randr/rrscreen.c:577
#3 0x0000000000562bae in ProcRRGetscreenResourcesCurrent (client=0x3195160) at ../../../../randr/rrscreen.c:652
#4 OxOOOOB0000054de63 in ProcRRDispatch (client=0x3195160) at ../../../../randr/randr.c:717
#5 0x00000000004322c6 in Dispatch () at ../../../../dix/dispatch.c:485
#6 0x0900900990443139 in dix_main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/main.c:276
#7 0X0000000000421d9a in main (argc=12, argv=0x7fff2e0a5f78, envp=0x7fff2e0a5fe0) at ../../../../dix/stubmain.c:34
Signed-off-by: hongao <hongao@uniontech.com>
(cherry picked from commit 1443fd34ea37e8c7cedfac446e4a34205c5fbbb0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
randr/rroutput.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/randr/rroutput.c b/randr/rroutput.c
index e52ad7671..d98446ab1 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -374,6 +374,8 @@ RROutputDestroyResource(void *value, XID pid)
{
RROutputPtr output = (RROutputPtr) value;
ScreenPtr pScreen = output->pScreen;
+ ScreenPtr primary;
+ rrScrPrivPtr primarysp;
int m;
if (pScreen) {
@@ -394,6 +396,15 @@ RROutputDestroyResource(void *value, XID pid)
if (pScrPriv->primaryOutput == output)
pScrPriv->primaryOutput = NULL;
+ if (pScreen->isGPU) {
+ primary = pScreen->current_master;
+ if (primary) {
+ primarysp = rrGetScrPriv(primary);
+ if (primarysp->primaryOutput == output)
+ primarysp->primaryOutput = NULL;
+ }
+ }
+
for (i = 0; i < pScrPriv->numOutputs; i++) {
if (pScrPriv->outputs[i] == output) {
memmove(pScrPriv->outputs + i, pScrPriv->outputs + i + 1,
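Review bot: `primarysp = rrGetScrPriv(primary);` is dereferenced on the next line without a NULL check, although `primary` itself is checked. If the master screen can lack RandR private data (not determinable from this hunk), this destroy path would crash instead of clearing the stale pointer; `if (primarysp && primarysp->primaryOutput == output)` costs nothing. `primary` and `primarysp` are declared at function scope in the previous hunk but used only inside the `isGPU` block, so they could be declared there.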
--
2.54.0


@ -1,31 +0,0 @@
From 8b532c093256aea097867ec12afab459076f28a3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Sun, 31 Oct 2021 11:28:28 +0100
Subject: [PATCH xserver 29/51] Make xf86CompatOutput() return NULL when there
are no privates
Some drivers (mach64 w/o DRI for instance) don't initialize privates.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
(cherry picked from commit 80eeff3ebac772e25c9107199989e677457dbe06)
---
hw/xfree86/modes/xf86Crtc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 1d1124a1b..2ab16322b 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -839,6 +839,9 @@ xf86CompatOutput(ScrnInfoPtr pScrn)
{
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+ if (xf86CrtcConfigPrivateIndex == -1)
+ return NULL;
+
if (config->compat_output < 0)
return NULL;
return config->output[config->compat_output];
--
2.54.0


@ -1,37 +0,0 @@
From c739165b8d2782ea9059494c482aa1854dfb74f3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Sun, 5 Dec 2021 21:59:12 +0100
Subject: [PATCH xserver 30/51] Better fix for xf86CompatOut() when there are
no privates
XF86_CRTC_CONFIG_PTR() will dereference privates[-1] in this case.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 75d70612888f18339703315549db781a22c0cb23)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/modes/xf86Crtc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 2ab16322b..2b0fb687c 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -837,11 +837,11 @@ extern _X_EXPORT int xf86CrtcConfigPrivateIndex;
static _X_INLINE xf86OutputPtr
xf86CompatOutput(ScrnInfoPtr pScrn)
{
- xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+ xf86CrtcConfigPtr config;
if (xf86CrtcConfigPrivateIndex == -1)
return NULL;
-
+ config = XF86_CRTC_CONFIG_PTR(pScrn);
if (config->compat_output < 0)
return NULL;
return config->output[config->compat_output];
--
2.54.0


@ -1,35 +0,0 @@
From 33ce204fd96b7f46f97da73f3144eca384584513 Mon Sep 17 00:00:00 2001
From: Benjamin Valentin <benjamin.valentin@ml-pa.com>
Date: Mon, 27 Dec 2021 14:53:22 +0100
Subject: [PATCH xserver 31/51] xf86: check return value of
XF86_CRTC_CONFIG_PTR in xf86CompatOutput()
If privates[xf86CrtcConfigPrivateIndex].ptr is NULL, this will cause
a segfault.
Possible fix for !1241
Signed-off-by: Benjamin Valentin <benjamin.valentin@ml-pa.com>
(cherry picked from commit 907c501926775fdbc9a8bfcfd3d64ac3d5502775)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2146>
---
hw/xfree86/modes/xf86Crtc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 2b0fb687c..d8cba59fd 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -842,7 +842,7 @@ xf86CompatOutput(ScrnInfoPtr pScrn)
if (xf86CrtcConfigPrivateIndex == -1)
return NULL;
config = XF86_CRTC_CONFIG_PTR(pScrn);
- if (config->compat_output < 0)
+ if ((config == NULL) || (config->compat_output < 0))
return NULL;
return config->output[config->compat_output];
}
--
2.54.0
