No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

58 changed files with 2570 additions and 2078 deletions

@ -1,37 +0,0 @@
From e96a83d9b1b5a52a41213c7a4840dc96b4f5b06f Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 15 Aug 2012 12:35:21 -0400
Subject: [PATCH] Always install vbe and int10 sdk headers
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/xfree86/Makefile.am | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index b876b79..a170b58 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -26,17 +26,9 @@ if VGAHW
VGAHW_SUBDIR = vgahw
endif
-if VBE
-VBE_SUBDIR = vbe
-endif
-
-if INT10MODULE
-INT10_SUBDIR = int10
-endif
-
-SUBDIRS = common ddc x86emu $(INT10_SUBDIR) os-support parser \
+SUBDIRS = common ddc x86emu int10 os-support parser \
ramdac $(VGAHW_SUBDIR) loader modes $(DRI_SUBDIR) \
- $(DRI2_SUBDIR) . $(VBE_SUBDIR) i2c dixmods xkb \
+ $(DRI2_SUBDIR) . vbe i2c dixmods xkb \
fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man \
$(GLAMOR_EGL_SUBDIR) drivers
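Review bot: The commit message has no body, and the subject ("Always install vbe and int10 sdk headers") understates what the SUBDIRS change does: with `if VBE` and `if INT10MODULE` removed, `int10` and `vbe` are always descended into, so whatever those directories build is built regardless of the configure result, not only their headers installed. Please say in the message why the conditionals can go, and confirm the subdirectory Makefiles still honour VBE and INT10MODULE themselves if the module builds are meant to stay optional.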
--
2.13.6

@ -0,0 +1,55 @@
From 42ec29c7fbf8dc797c369d5fe0e4f2e20725332b Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 11:27:05 +0100
Subject: [PATCH xserver 01/13] Cursor: Refuse to free the root cursor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a cursor reference count drops to 0, the cursor is freed.
The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.
Make sure to prevent the rootCursor from being explicitly freed by a
client.
CVE-2025-26594, ZDI-CAN-25544
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 01642f263f12becf803b19be4db95a4a83f94acc)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/dispatch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index a33bfaa9e..9654c207e 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
client, DixDestroyAccess);
if (rc == Success) {
+ if (pCursor == rootCursor) {
+ client->errorValue = stuff->id;
+ return BadCursor;
+ }
FreeResource(stuff->id, RT_NONE);
return Success;
}
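Review bot: The new `pCursor == rootCursor` test in ProcFreeCursor carries no comment, and the reason it exists (a global keeps pointing at the cursor after its reference count reaches 0) lives only in the commit message. Add a short comment above the check saying that rootCursor is referenced through a global and must not be released by a client request. The check also covers only this request handler, so it is worth confirming in review that no other client-reachable path can drop the last reference to the root cursor.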
--
2.48.1

@ -1,31 +0,0 @@
From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Fri, 26 Oct 2018 17:47:30 -0700
Subject: [PATCH xserver] Fix segfault on probing a non-PCI platform device on
a system with PCI.
Some Broadcom set-top-box boards have PCI busses, but the GPU is still
probed through DT. We would dereference a null busid here in that
case.
Signed-off-by: Eric Anholt <eric@anholt.net>
---
hw/xfree86/common/xf86platformBus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index cef47da03..dadbac6c8 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -289,7 +289,7 @@ xf86platformProbe(void)
for (i = 0; i < xf86_num_platform_devices; i++) {
char *busid = xf86_platform_odev_attributes(i)->busid;
- if (pci && (strncmp(busid, "pci:", 4) == 0)) {
+ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) {
platform_find_pci_info(&xf86_platform_devices[i], busid);
}
--
2.14.4

@ -1,15 +1,16 @@
From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001 From 9ca7d3f61a88ae6cf47fdf139b6215d745db976b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 25 Jan 2023 11:41:40 +1000 Date: Wed, 25 Jan 2023 11:41:40 +1000
Subject: [PATCH xserver] Xi: fix potential use-after-free in Subject: [PATCH xserver] Xi: fix potential use-after-free in
DeepCopyPointerClasses DeepCopyPointerClasses
CVE-2023-0494, ZDI-CAN 19596 CVE-2023-0494, ZDI-CAN-19596
This vulnerability was discovered by: This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
--- ---
Xi/exevents.c | 4 +++- Xi/exevents.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-) 1 file changed, 3 insertions(+), 1 deletion(-)

@ -1,4 +1,4 @@
From 8dba686dc277d6d262ad0c77b4632a5b276697ba Mon Sep 17 00:00:00 2001 From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 12:55:45 +1000 Date: Tue, 29 Nov 2022 12:55:45 +1000
Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in Subject: [PATCH xserver 1/7] Xtest: disallow GenericEvents in

@ -0,0 +1,72 @@
From e67e988730346c63d2f0cdf2531ed36b0c7ad5a6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 23 Nov 2022 14:50:29 +1000
Subject: [PATCH xserver] configure.ac: search for the fontrootdir ourselves
This replaces the use of font-utils' .m4 macro set with a copy of the
only one we actually want: the bit for the fontrootpath.
We don't need configure options for every single subfont directory, so
let's hardcode those in the default font path. Like meson does upstream
too.
With this patch we no longer require the font-utils dependency.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
configure.ac | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0909cc5b4d..2349320888 100644
--- a/configure.ac
+++ b/configure.ac
@@ -49,9 +49,6 @@ XORG_WITH_XSLTPROC
XORG_ENABLE_UNIT_TESTS
XORG_LD_WRAP([optional])
-m4_ifndef([XORG_FONT_MACROS_VERSION], [m4_fatal([must install font-util 1.1 or later before running autoconf/autogen])])
-XORG_FONT_MACROS_VERSION(1.1)
-
dnl this gets generated by autoheader, and thus contains all the defines. we
dnl don't ever actually use it, internally.
AC_CONFIG_HEADERS(include/do-not-use-config.h)
@@ -450,18 +447,27 @@ AC_MSG_RESULT([$FALLBACK_INPUT_DRIVER])
AC_DEFINE_UNQUOTED(FALLBACK_INPUT_DRIVER, ["$FALLBACK_INPUT_DRIVER"], [ Fallback input driver ])
dnl Determine font path
-XORG_FONTROOTDIR
-XORG_FONTSUBDIR(FONTMISCDIR, fontmiscdir, misc)
-XORG_FONTSUBDIR(FONTOTFDIR, fontotfdir, OTF)
-XORG_FONTSUBDIR(FONTTTFDIR, fontttfdir, TTF)
-XORG_FONTSUBDIR(FONTTYPE1DIR, fonttype1dir, Type1)
-XORG_FONTSUBDIR(FONT75DPIDIR, font75dpidir, 75dpi)
-XORG_FONTSUBDIR(FONT100DPIDIR, font100dpidir, 100dpi)
+dnl This is a copy of XORG_FONTROOTDIR from font-utils so we can drop the dependency
+AC_MSG_CHECKING([for root directory for font files])
+AC_ARG_WITH(fontrootdir,
+ AS_HELP_STRING([--with-fontrootdir=DIR],
+ [Path to root directory for font files]),
+ [FONTROOTDIR="$withval"])
+# if --with-fontrootdir not specified...
+if test "x${FONTROOTDIR}" = "x"; then
+ FONTROOTDIR=`$PKG_CONFIG --variable=fontrootdir fontutil`
+fi
+# ...and if pkg-config didn't find fontdir in fontutil.pc...
+if test "x${FONTROOTDIR}" = "x"; then
+ FONTROOTDIR="${datadir}/fonts/X11"
+fi
+AC_SUBST(FONTROOTDIR)
+AC_MSG_RESULT([${FONTROOTDIR}])
dnl Uses --with-default-font-path if set, otherwise uses standard
dnl subdirectories of FONTROOTDIR. Some distros set the default font path to
dnl "catalogue:/etc/X11/fontpath.d,built-ins"
-DEFAULT_FONT_PATH="${FONTMISCDIR}/,${FONTTTFDIR}/,${FONTOTFDIR}/,${FONTTYPE1DIR}/,${FONT100DPIDIR}/,${FONT75DPIDIR}/"
+DEFAULT_FONT_PATH="${FONTROOTDIR}/misc,${FONTROOTDIR}/OTF,${FONTROOTDIR}/TTF,${FONTROOTDIR}/Type1,${FONTROOTDIR}/75dpi,${FONTROOTDIR}/100dpi"
case $host_os in
darwin*) DEFAULT_FONT_PATH="${DEFAULT_FONT_PATH},/Library/Fonts,/System/Library/Fonts" ;;
esac
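Review bot: The replacement `DEFAULT_FONT_PATH` is not equivalent to the line it removes: the old value listed misc, TTF, OTF, Type1, 100dpi, 75dpi with a trailing `/` on each entry, while the new one lists misc, OTF, TTF, Type1, 75dpi, 100dpi with no trailing slash. If the reordering is intentional, say so in the commit message; otherwise keep the original order. Separately, the comment says the copy lets the build drop the font-utils dependency, yet the fallback still runs `$PKG_CONFIG --variable=fontrootdir fontutil`; when fontutil.pc is absent this relies on pkg-config writing nothing to stdout, so redirect its stderr and note in the comment that the lookup is optional.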
--
2.38.1

@ -1,214 +0,0 @@
From e84d6f25015d36202fd524b8b8d85d2324348ddb Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 19 Nov 2018 11:27:09 -0500
Subject: [PATCH] link with -z now
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/dmx/Makefile.am | 2 +-
hw/kdrive/ephyr/Makefile.am | 2 +-
hw/vfb/Makefile.am | 2 +-
hw/xfree86/Makefile.am | 3 ++-
hw/xfree86/dixmods/Makefile.am | 6 +++---
hw/xfree86/exa/Makefile.am | 2 +-
hw/xfree86/fbdevhw/Makefile.am | 2 +-
hw/xfree86/int10/Makefile.am | 2 +-
hw/xfree86/shadowfb/Makefile.am | 2 +-
hw/xfree86/utils/cvt/Makefile.am | 1 +
hw/xfree86/utils/gtf/Makefile.am | 1 +
hw/xfree86/vgahw/Makefile.am | 2 +-
hw/xnest/Makefile.am | 2 +-
hw/xwayland/Makefile.am | 2 +-
14 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/hw/dmx/Makefile.am b/hw/dmx/Makefile.am
index eef84cb..9ab20cc 100644
--- a/hw/dmx/Makefile.am
+++ b/hw/dmx/Makefile.am
@@ -78,7 +78,7 @@ XDMX_LIBS = \
input/libdmxinput.a \
config/libdmxconfig.a
-Xdmx_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xdmx_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
Xdmx_DEPENDENCIES= $(XDMX_LIBS)
Xdmx_LDADD = $(XDMX_LIBS) $(XDMX_SYS_LIBS) $(XSERVER_SYS_LIBS)
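Review bot: `-Wl,-z,now -pie` is appended as a literal to Xdmx_LDFLAGS here and repeated by hand in the other Makefile.am files of this patch, with no configure check and an empty commit body. Define the flags once (for example an AC_SUBST'ed variable set in configure.ac) and reference it from each target, so a toolchain without support can disable it in one place and a copy error in one file cannot silently leave a binary without the hardening. The message should also state the intent, for instance whether `-z relro` is expected to come from the distribution's default LDFLAGS, since `-z now` alone does not make the GOT read-only.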
diff --git a/hw/kdrive/ephyr/Makefile.am b/hw/kdrive/ephyr/Makefile.am
index d12559b..cc37add 100644
--- a/hw/kdrive/ephyr/Makefile.am
+++ b/hw/kdrive/ephyr/Makefile.am
@@ -78,7 +78,7 @@ Xephyr_LDADD = \
Xephyr_DEPENDENCIES = @KDRIVE_LOCAL_LIBS@ $(XEPHYR_GLAMOR_LIB)
-Xephyr_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xephyr_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -W,-z,now -pie
relink:
$(AM_V_at)rm -f $(bin_PROGRAMS) && $(MAKE) $(bin_PROGRAMS)
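Review bot: The added Xephyr_LDFLAGS line spells the option `-W,-z,now`, without the `l` that every other hunk in this patch has (`-Wl,-z,now`). As written it is not a linker pass-through, so Xephyr does not get immediate binding from this change. It should read `Xephyr_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie`.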
diff --git a/hw/vfb/Makefile.am b/hw/vfb/Makefile.am
index 7033397..c09a9c9 100644
--- a/hw/vfb/Makefile.am
+++ b/hw/vfb/Makefile.am
@@ -20,7 +20,7 @@ XVFB_LIBS = \
Xvfb_LDADD = $(XVFB_LIBS) $(XVFB_SYS_LIBS) $(XSERVER_SYS_LIBS)
Xvfb_DEPENDENCIES = $(XVFB_LIBS)
-Xvfb_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xvfb_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
relink:
$(AM_V_at)rm -f Xvfb$(EXEEXT) && $(MAKE) Xvfb$(EXEEXT)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index 32f98b5..5955148 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -78,12 +78,13 @@ Xorg_LDADD = \
$(XSERVER_SYS_LIBS)
Xorg_DEPENDENCIES = $(LOCAL_LIBS)
-Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
if SUID_WRAPPER
wrapexecdir = $(SUID_WRAPPER_DIR)
wrapexec_PROGRAMS = Xorg.wrap
Xorg_wrap_SOURCES = xorg-wrapper.c
+Xorg_wrap_LDFLAGS = -Wl,-z,now -pie
endif
BUILT_SOURCES = xorg.conf.example
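Review bot: Xorg_wrap_LDFLAGS adds `-pie` for the wrapper built under `if SUID_WRAPPER`, but nothing in this hunk adds a matching `-fPIE` to Xorg_wrap_CFLAGS (the same holds for Xorg itself). Linking with `-pie` needs position-independent objects, so either add the compile flag next to the link flag or note in the commit message that the build environment supplies it; for the setuid wrapper it is worth making this explicit rather than implied.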
diff --git a/hw/xfree86/dixmods/Makefile.am b/hw/xfree86/dixmods/Makefile.am
index 856659f..6ab101b 100644
--- a/hw/xfree86/dixmods/Makefile.am
+++ b/hw/xfree86/dixmods/Makefile.am
@@ -17,17 +17,17 @@ AM_CPPFLAGS = @XORG_INCS@ \
-I$(top_srcdir)/miext/shadow \
-I$(top_srcdir)/glx
-libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libfb_la_LIBADD = $(top_builddir)/fb/libfb.la
libfb_la_SOURCES = fbmodule.c
libfb_la_CFLAGS = $(AM_CFLAGS)
-libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libwfb_la_LIBADD = $(top_builddir)/fb/libwfb.la
libwfb_la_SOURCES = fbmodule.c
libwfb_la_CFLAGS = $(AM_CFLAGS) -DFB_ACCESS_WRAPPER
-libglx_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libglx_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libglx_la_LIBADD = $(top_builddir)/glx/libglx.la $(GLX_SYS_LIBS)
if DRI2
libglx_la_LIBADD += $(top_builddir)/glx/libglxdri.la
diff --git a/hw/xfree86/exa/Makefile.am b/hw/xfree86/exa/Makefile.am
index ccbb305..7bf7137 100644
--- a/hw/xfree86/exa/Makefile.am
+++ b/hw/xfree86/exa/Makefile.am
@@ -2,7 +2,7 @@ SUBDIRS = man
module_LTLIBRARIES = libexa.la
-libexa_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libexa_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
AM_CPPFLAGS = \
$(XORG_INCS) \
diff --git a/hw/xfree86/fbdevhw/Makefile.am b/hw/xfree86/fbdevhw/Makefile.am
index 37cd88c..895cfab 100644
--- a/hw/xfree86/fbdevhw/Makefile.am
+++ b/hw/xfree86/fbdevhw/Makefile.am
@@ -2,7 +2,7 @@ SUBDIRS = man
module_LTLIBRARIES = libfbdevhw.la
-libfbdevhw_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libfbdevhw_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
if FBDEVHW
libfbdevhw_la_SOURCES = fbdevhw.c
diff --git a/hw/xfree86/int10/Makefile.am b/hw/xfree86/int10/Makefile.am
index 66cb14d..aad47a1 100644
--- a/hw/xfree86/int10/Makefile.am
+++ b/hw/xfree86/int10/Makefile.am
@@ -4,7 +4,7 @@ sdk_HEADERS = xf86int10.h
EXTRA_CFLAGS =
-libint10_la_LDFLAGS = -avoid-version
+libint10_la_LDFLAGS = -avoid-version -Wl,-z,now
libint10_la_LIBADD = $(PCIACCESS_LIBS)
COMMON_SOURCES = \
diff --git a/hw/xfree86/shadowfb/Makefile.am b/hw/xfree86/shadowfb/Makefile.am
index 67fb2e4..a8c2d59 100644
--- a/hw/xfree86/shadowfb/Makefile.am
+++ b/hw/xfree86/shadowfb/Makefile.am
@@ -1,5 +1,5 @@
module_LTLIBRARIES = libshadowfb.la
-libshadowfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
+libshadowfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG) -Wl,-z,now
libshadowfb_la_SOURCES = sfbmodule.c shadowfb.c
libshadowfb_la_LIBADD = $(PIXMAN_LIBS)
diff --git a/hw/xfree86/utils/cvt/Makefile.am b/hw/xfree86/utils/cvt/Makefile.am
index 26abeb4..19b0eba 100644
--- a/hw/xfree86/utils/cvt/Makefile.am
+++ b/hw/xfree86/utils/cvt/Makefile.am
@@ -33,3 +33,4 @@ cvt_SOURCES = cvt.c \
$(top_srcdir)/os/xprintf.c
cvt_CFLAGS = $(DIX_CFLAGS) $(XORG_CFLAGS)
+cvt_LDFLAGS = -Wl,-z,now -pie
diff --git a/hw/xfree86/utils/gtf/Makefile.am b/hw/xfree86/utils/gtf/Makefile.am
index f77bf60..f520fb9 100644
--- a/hw/xfree86/utils/gtf/Makefile.am
+++ b/hw/xfree86/utils/gtf/Makefile.am
@@ -25,3 +25,4 @@ bin_PROGRAMS = gtf
gtf_SOURCES = gtf.c
gtf_CFLAGS = $(XORG_CFLAGS)
gtf_LDADD = -lm
+gtf_LDFLAGS = -Wl,-z,now -pie
diff --git a/hw/xfree86/vgahw/Makefile.am b/hw/xfree86/vgahw/Makefile.am
index b8196a6..37ac499 100644
--- a/hw/xfree86/vgahw/Makefile.am
+++ b/hw/xfree86/vgahw/Makefile.am
@@ -1,5 +1,5 @@
module_LTLIBRARIES = libvgahw.la
-libvgahw_la_LDFLAGS = -avoid-version
+libvgahw_la_LDFLAGS = -avoid-version -Wl,-z,now
libvgahw_la_LIBADD = $(PCIACCESS_LIBS)
libvgahw_la_SOURCES = vgaHW.c vgaHWmodule.c
AM_CPPFLAGS = $(XORG_INCS) -I$(srcdir)/../ddc -I$(srcdir)/../i2c
diff --git a/hw/xnest/Makefile.am b/hw/xnest/Makefile.am
index c77da64..185803c 100644
--- a/hw/xnest/Makefile.am
+++ b/hw/xnest/Makefile.am
@@ -51,7 +51,7 @@ Xnest_SOURCES = $(SRCS)
Xnest_DEPENDENCIES = $(XNEST_LIBS)
Xnest_LDADD = $(XNEST_LIBS) $(XNEST_SYS_LIBS) $(XSERVER_SYS_LIBS)
-Xnest_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xnest_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
EXTRA_DIST = icon \
screensaver
diff --git a/hw/xwayland/Makefile.am b/hw/xwayland/Makefile.am
index bc1cb85..2f70cd1 100644
--- a/hw/xwayland/Makefile.am
+++ b/hw/xwayland/Makefile.am
@@ -28,7 +28,7 @@ Xwayland_LDADD = \
$(XWAYLAND_SYS_LIBS) \
$(top_builddir)/Xext/libXvidmode.la \
$(XSERVER_SYS_LIBS)
-Xwayland_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
+Xwayland_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
Xwayland_built_sources =
--
2.19.1

@ -1,45 +0,0 @@
From b6e18eb57f3dd104704d0a5ec3d2f051645b9068 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 19 Jun 2019 14:23:56 -0400
Subject: [PATCH xserver] linux: Fix platform device PCI detection for complex
bus topologies
Suppose you're in a Hyper-V guest and are trying to use PCI passthrough.
The ID_PATH that udev will construct for that looks something like
"acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in
the first four characters of that is going to not work.
Instead, strstr. I suppose it's possible you could have _multiple_ PCI
buses in the path, in which case you'd want strrstr, if that were a
thing.
---
config/udev.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/udev.c b/config/udev.c
index 314acba6ce..6e11aa3b88 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -474,7 +474,7 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
config_odev_probe_proc_ptr probe_callback)
{
struct OdevAttributes *attribs = config_odev_allocate_attributes();
- const char *value;
+ const char *value, *str;
attribs->path = XNFstrdup(path);
attribs->syspath = XNFstrdup(syspath);
@@ -482,8 +482,8 @@ config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path
attribs->minor = minor;
value = udev_device_get_property_value(udev_device, "ID_PATH");
- if (value && !strncmp(value, "pci-", 4)) {
- attribs->busid = XNFstrdup(value);
+ if (value && (str = strstr(value, "pci-"))) {
+ attribs->busid = XNFstrdup(str);
attribs->busid[3] = ':';
}
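Review bot: `strstr(value, "pci-")` returns the first occurrence, so an ID_PATH with more than one `pci-` component, the case the commit message itself raises, yields a busid that starts at the outermost bus rather than the device's own. Since the message already concedes that the last match is what is wanted, loop over strstr until it returns NULL and keep the last hit before the XNFstrdup. The assignment inside the `if` condition would also read more clearly as a separate statement.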
--
2.21.0

@ -1,129 +0,0 @@
From 28320833d61af76dc3b77b985c69706f3e021836 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 18 Sep 2018 14:37:51 -0400
Subject: [PATCH xserver] linux: Make platform device probe less fragile
At the point where xf86BusProbe runs we haven't yet taken our own VT,
which means we can't perform drm "master" operations on the device. This
is tragic, because we need master to fish the bus id string out of the
kernel, which we can only do after drmSetInterfaceVersion, which for
some reason stores that string on the device not the file handle and
thus needs master access.
Fortunately we know the format of the busid string, and it happens to
almost be the same as the ID_PATH variable from udev. Use that instead
and stop calling drmSetInterfaceVersion.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
config/udev.c | 17 ++++++++++++-----
hw/xfree86/os-support/linux/lnx_platform.c | 13 ++-----------
2 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/config/udev.c b/config/udev.c
index 3a73189e25..8c6c4b6665 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -56,7 +56,7 @@ static struct udev_monitor *udev_monitor;
#ifdef CONFIG_UDEV_KMS
static void
-config_udev_odev_setup_attribs(const char *path, const char *syspath,
+config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
int major, int minor,
config_odev_probe_proc_ptr probe_callback);
#endif
@@ -128,7 +128,7 @@ device_added(struct udev_device *udev_device)
LogMessage(X_INFO, "config/udev: Adding drm device (%s)\n", path);
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
minor(devnum), NewGPUDeviceRequest);
return;
}
@@ -322,7 +322,7 @@ device_removed(struct udev_device *device)
LogMessage(X_INFO, "config/udev: removing GPU device %s %s\n",
syspath, path);
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(device, path, syspath, major(devnum),
minor(devnum), DeleteGPUDeviceRequest);
/* Retry vtenter after a drm node removal */
systemd_logind_vtenter();
@@ -465,17 +465,24 @@ config_udev_fini(void)
#ifdef CONFIG_UDEV_KMS
static void
-config_udev_odev_setup_attribs(const char *path, const char *syspath,
+config_udev_odev_setup_attribs(struct udev_device *udev_device, const char *path, const char *syspath,
int major, int minor,
config_odev_probe_proc_ptr probe_callback)
{
struct OdevAttributes *attribs = config_odev_allocate_attributes();
+ const char *value;
attribs->path = XNFstrdup(path);
attribs->syspath = XNFstrdup(syspath);
attribs->major = major;
attribs->minor = minor;
+ value = udev_device_get_property_value(udev_device, "ID_PATH");
+ if (value && !strncmp(value, "pci-", 4)) {
+ attribs->busid = XNFstrdup(value);
+ attribs->busid[3] = ':';
+ }
+
/* ownership of attribs is passed to probe layer */
probe_callback(attribs);
}
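Review bot: `attribs->busid` is now assigned only inside the new `if`, so a device whose ID_PATH property is missing or does not begin with `pci-` reaches `probe_callback(attribs)` with busid left as config_odev_allocate_attributes() initialised it. Before this patch lnx_platform.c filled the field from drmGetBusid(), so every reader of busid now needs to tolerate the unset case; please audit those readers or document the new contract next to the assignment.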
@@ -516,7 +523,7 @@ config_udev_odev_probe(config_odev_probe_proc_ptr probe_callback)
else if (!check_seat(udev_device))
goto no_probe;
- config_udev_odev_setup_attribs(path, syspath, major(devnum),
+ config_udev_odev_setup_attribs(udev_device, path, syspath, major(devnum),
minor(devnum), probe_callback);
no_probe:
udev_device_unref(udev_device);
diff --git a/hw/xfree86/os-support/linux/lnx_platform.c b/hw/xfree86/os-support/linux/lnx_platform.c
index 70374ace88..0eb6d22875 100644
--- a/hw/xfree86/os-support/linux/lnx_platform.c
+++ b/hw/xfree86/os-support/linux/lnx_platform.c
@@ -30,6 +30,8 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
int err = 0;
Bool paused, server_fd = FALSE;
+ LogMessage(X_INFO, "Platform probe for %s\n", attribs->syspath);
+
fd = systemd_logind_take_fd(attribs->major, attribs->minor, path, &paused);
if (fd != -1) {
if (paused) {
@@ -53,13 +55,6 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
sv.drm_dd_major = -1; /* Don't care */
sv.drm_dd_minor = -1; /* Don't care */
- err = drmSetInterfaceVersion(fd, &sv);
- if (err) {
- xf86Msg(X_ERROR, "%s: failed to set DRM interface version 1.4: %s\n",
- path, strerror(-err));
- goto out;
- }
-
/* for a delayed probe we've already added the device */
if (delayed_index == -1) {
xf86_add_platform_device(attribs, FALSE);
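Review bot: With the drmSetInterfaceVersion() call removed, the `sv.drm_dd_major = -1` and `sv.drm_dd_minor = -1` assignments kept as context above it no longer feed anything in this hunk. Drop the `sv` setup (and its declaration) in the same patch if nothing else uses it, so the function does not keep dead state that suggests an interface-version negotiation still happens.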
@@ -69,10 +64,6 @@ get_drm_info(struct OdevAttributes *attribs, char *path, int delayed_index)
if (server_fd)
xf86_platform_devices[delayed_index].flags |= XF86_PDEV_SERVER_FD;
- buf = drmGetBusid(fd);
- xf86_platform_odev_attributes(delayed_index)->busid = XNFstrdup(buf);
- drmFreeBusid(buf);
-
v = drmGetVersion(fd);
if (!v) {
xf86Msg(X_ERROR, "%s: failed to query DRM version\n", path);
--
2.19.0

@ -0,0 +1,49 @@
From 88f0787f93f097a125a0aa156eb9a5628adfc2c2 Mon Sep 17 00:00:00 2001
From: Alex Goins <agoins@nvidia.com>
Date: Thu, 12 Dec 2019 20:18:53 -0600
Subject: [PATCH xserver] modesetting: Fix msSharePixmapBacking Segfault
Regression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit cb1b1e184 modified msSharePixmapBacking() to derive modesettingPtr from
the 'screen' argument. Unfortunately, the name of the argument is misleading --
the screen is the slave screen. If the master is modesetting,
and the slave is not modesetting, it will segfault.
To fix the problem, this change derives modesettingPtr from
ppix->drawable.pScreen. This method is already used when calling
ms->glamor.shareable_fd_from_pixmap() later in the function.
To avoid future issues, this change also renames the 'screen' argument to
'slave'.
Signed-off-by: Alex Goins <agoins@nvidia.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 456dff1bf890459840718339279dcb84d36531eb)
---
hw/xfree86/drivers/modesetting/driver.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index ce8bac9f5..0817fa470 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -1454,10 +1454,11 @@ CreateScreenResources(ScreenPtr pScreen)
}
static Bool
-msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
+msSharePixmapBacking(PixmapPtr ppix, ScreenPtr slave, void **handle)
{
#ifdef GLAMOR_HAS_GBM
- modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
+ modesettingPtr ms =
+ modesettingPTR(xf86ScreenToScrn(ppix->drawable.pScreen));
int ret;
CARD16 stride;
CARD32 size;
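Review bot: After the rename, the relationship between the two screens is still explained only in the commit message. Add a comment at the `modesettingPTR(xf86ScreenToScrn(ppix->drawable.pScreen))` line stating that `slave` may belong to a different driver and must not be used to derive modesettingPtr, so the regression this fixes is not reintroduced by a later cleanup that switches back to the argument.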
--
2.34.1

@ -1,37 +0,0 @@
From 41e265988a0b6ec456ddd562253e0f82a7c2ede2 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 27 Sep 2019 11:43:52 -0400
Subject: [PATCH xserver] modesetting: Reduce "glamor initialization failed"
message to X_INFO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This might be an error or not, for example refusing to work on llvmpipe
is normal and expected. glamor_egl_init() will print X_ERROR messages if
appropriate, so we don't need to here.
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit cbdde938cbaf604741cd057fac743859ada342ec)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
hw/xfree86/drivers/modesetting/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 2aaea5f7d..783d53eaa 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -772,7 +772,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
} else {
- xf86DrvMsg(pScrn->scrnIndex, X_ERROR,
+ xf86DrvMsg(pScrn->scrnIndex, X_INFO,
"glamor initialization failed\n");
}
} else {
--
2.26.2

@ -1,28 +0,0 @@
From efb4bc5b3da511d128144840d7eb3cf3c7cfa0ae Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 3 Sep 2019 12:10:37 -0400
Subject: [PATCH] mustard: Add DRI2 fallback driver mappings for i965 and
radeonsi
---
hw/xfree86/dri2/pci_ids/pci_id_driver_map.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
index 689a570..3825f52 100644
--- a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
+++ b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
@@ -45,8 +45,10 @@ static const struct {
int num_chips_ids;
} driver_map[] = {
{ 0x8086, "i965", "va_gl", i965_chip_ids, ARRAY_SIZE(i965_chip_ids) },
+ { 0x8086, "i965", "va_gl", NULL, -1 },
{ 0x1002, "r600","r600", r600_chip_ids, ARRAY_SIZE(r600_chip_ids) },
{ 0x1002, "radeonsi", "radeonsi", radeonsi_chip_ids, ARRAY_SIZE(radeonsi_chip_ids) },
+ { 0x1002, "radeonsi", "radeonsi", NULL, -1 },
{ 0x10de, "nouveau", "nouveau", NULL, -1 },
{ 0x1af4, "virtio_gpu", "virtio_gpu", virtio_gpu_chip_ids, ARRAY_SIZE(virtio_gpu_chip_ids) },
{ 0x15ad, "vmwgfx", "vmwgfx", vmwgfx_chip_ids, ARRAY_SIZE(vmwgfx_chip_ids) },
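Review bot: The two added rows (`{ 0x8086, "i965", "va_gl", NULL, -1 }` and the radeonsi one) use the same `NULL, -1` form as the nouveau row, which carries no chip list, and sit directly after rows for the same vendor that do carry one. There is no commit body and no comment saying that these are deliberate vendor-wide fallbacks or that they depend on table order; add a comment above each, and confirm that sending every otherwise unlisted 0x1002 device to radeonsi is intended.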
--
2.23.0

@ -1,278 +0,0 @@
From b6e50ece375b6b1fbe053b30b52fc40dde5c682b Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 13 Nov 2018 10:11:36 -0500
Subject: [PATCH] mustard: Don't probe for drivers not shipped in RHEL8
As with RHEL7, this is mostly to keep spurious probe messages out of the
X log and prevent questions like "why isn't it loading mga on my
G200SE" or "why isn't it loading radeon_dri.so on my RN50".
---
hw/xfree86/common/xf86pciBus.c | 162 --------------------
hw/xfree86/dri2/pci_ids/pci_id_driver_map.h | 32 ----
2 files changed, 194 deletions(-)
diff --git a/hw/xfree86/common/xf86pciBus.c b/hw/xfree86/common/xf86pciBus.c
index b7f9999..398ed45 100644
--- a/hw/xfree86/common/xf86pciBus.c
+++ b/hw/xfree86/common/xf86pciBus.c
@@ -1074,107 +1074,12 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
const char *driverList[5] = { NULL, NULL, NULL, NULL, NULL };
switch (dev->vendor_id) {
- /* AMD Geode LX */
- case 0x1022:
- if (dev->device_id == 0x2081)
- driverList[0] = "geode";
- break;
- /* older Geode products acquired by AMD still carry an NSC vendor_id */
- case 0x100b:
- if (dev->device_id == 0x0030) {
- /* NSC Geode GX2 specifically */
- driverList[0] = "geode";
- /* GX2 support started its life in the NSC tree and was later
- forked by AMD for GEODE so we keep it as a backup */
- driverList[1] = "nsc";
- }
- else
- /* other NSC variant e.g. 0x0104 (SC1400), 0x0504 (SCx200) */
- driverList[0] = "nsc";
- break;
- /* Cyrix Geode GX1 */
- case 0x1078:
- if (dev->device_id == 0x0104)
- driverList[0] = "cyrix";
- break;
- case 0x1142:
- driverList[0] = "apm";
- break;
- case 0xedd8:
- driverList[0] = "ark";
- break;
- case 0x1a03:
- driverList[0] = "ast";
- break;
case 0x1002:
driverList[0] = "ati";
break;
- case 0x102c:
- driverList[0] = "chips";
- break;
- case 0x1013:
- driverList[0] = "cirrus";
- break;
- case 0x3d3d:
- driverList[0] = "glint";
- break;
- case 0x105d:
- driverList[0] = "i128";
- break;
case 0x8086:
switch (dev->device_id)
{
- /* Intel i740 */
- case 0x00d1:
- case 0x7800:
- driverList[0] = "i740";
- break;
- /* GMA500/Poulsbo */
- case 0x8108:
- case 0x8109:
- /* Try psb driver on Poulsbo - if available */
- driverList[0] = "psb";
- driverList[1] = "psb_drv";
- break;
- /* GMA600/Oaktrail */
- case 0x4100:
- case 0x4101:
- case 0x4102:
- case 0x4103:
- case 0x4104:
- case 0x4105:
- case 0x4106:
- case 0x4107:
- /* Atom E620/Oaktrail */
- case 0x4108:
- /* Medfield */
- case 0x0130:
- case 0x0131:
- case 0x0132:
- case 0x0133:
- case 0x0134:
- case 0x0135:
- case 0x0136:
- case 0x0137:
- /* GMA 3600/CDV */
- case 0x0be0:
- case 0x0be1:
- case 0x0be2:
- case 0x0be3:
- case 0x0be4:
- case 0x0be5:
- case 0x0be6:
- case 0x0be7:
- case 0x0be8:
- case 0x0be9:
- case 0x0bea:
- case 0x0beb:
- case 0x0bec:
- case 0x0bed:
- case 0x0bee:
- case 0x0bef:
- /* Use fbdev/vesa driver on Oaktrail, Medfield, CDV */
- break;
/* Default to intel only on pre-gen4 chips */
case 0x3577:
case 0x2562:
@@ -1196,14 +1101,7 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
break;
}
break;
- case 0x102b:
- driverList[0] = "mga";
- break;
- case 0x10c8:
- driverList[0] = "neomagic";
- break;
case 0x10de:
- case 0x12d2:
{
int idx = 0;
@@ -1229,77 +1127,17 @@ xf86VideoPtrToDriverList(struct pci_device *dev, XF86MatchedDrivers *md)
driverList[idx++] = "nouveau";
#endif
- driverList[idx++] = "nv";
break;
}
- case 0x1106:
- driverList[0] = "openchrome";
- break;
case 0x1b36:
driverList[0] = "qxl";
break;
- case 0x1163:
- driverList[0] = "rendition";
- break;
- case 0x5333:
- switch (dev->device_id) {
- case 0x88d0:
- case 0x88d1:
- case 0x88f0:
- case 0x8811:
- case 0x8812:
- case 0x8814:
- case 0x8901:
- driverList[0] = "s3";
- break;
- case 0x5631:
- case 0x883d:
- case 0x8a01:
- case 0x8a10:
- case 0x8c01:
- case 0x8c03:
- case 0x8904:
- case 0x8a13:
- driverList[0] = "s3virge";
- break;
- default:
- driverList[0] = "savage";
- break;
- }
- break;
- case 0x1039:
- driverList[0] = "sis";
- break;
- case 0x126f:
- driverList[0] = "siliconmotion";
- break;
- case 0x121a:
- if (dev->device_id < 0x0003)
- driverList[0] = "voodoo";
- else
- driverList[0] = "tdfx";
- break;
- case 0x1011:
- driverList[0] = "tga";
- break;
- case 0x1023:
- driverList[0] = "trident";
- break;
- case 0x100c:
- driverList[0] = "tseng";
- break;
case 0x80ee:
driverList[0] = "vboxvideo";
break;
case 0x15ad:
driverList[0] = "vmware";
break;
- case 0x18ca:
- if (dev->device_id == 0x47)
- driverList[0] = "xgixp";
- else
- driverList[0] = "xgi";
- break;
default:
break;
}
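Review bot: Removing `driverList[idx++] = "nv";` leaves the 0x10de case with no unconditional entry: the only driver name still visible here, "nouveau", sits above an `#endif`. If that conditional is not met, the case now falls out with an empty list. The commit message covers dropping unshipped drivers but not this; either state that the generic fallback is the expected result or add a comment at the case.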
diff --git a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
index 7036d10..689a570 100644
--- a/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
+++ b/hw/xfree86/dri2/pci_ids/pci_id_driver_map.h
@@ -7,38 +7,12 @@
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#endif
-static const int i915_chip_ids[] = {
-#define CHIPSET(chip, desc, name) chip,
-#include "pci_ids/i915_pci_ids.h"
-#undef CHIPSET
-};
-
static const int i965_chip_ids[] = {
#define CHIPSET(chip, family, name) chip,
#include "pci_ids/i965_pci_ids.h"
#undef CHIPSET
};
-#ifndef DRIVER_MAP_GALLIUM_ONLY
-static const int r100_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/radeon_pci_ids.h"
-#undef CHIPSET
-};
-
-static const int r200_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/r200_pci_ids.h"
-#undef CHIPSET
-};
-#endif
-
-static const int r300_chip_ids[] = {
-#define CHIPSET(chip, name, family) chip,
-#include "pci_ids/r300_pci_ids.h"
-#undef CHIPSET
-};
-
static const int r600_chip_ids[] = {
#define CHIPSET(chip, name, family) chip,
#include "pci_ids/r600_pci_ids.h"
@@ -70,13 +44,7 @@ static const struct {
const int *chip_ids;
int num_chips_ids;
} driver_map[] = {
- { 0x8086, "i915", "i915", i915_chip_ids, ARRAY_SIZE(i915_chip_ids) },
{ 0x8086, "i965", "va_gl", i965_chip_ids, ARRAY_SIZE(i965_chip_ids) },
-#ifndef DRIVER_MAP_GALLIUM_ONLY
- { 0x1002, "radeon", "radeon", r100_chip_ids, ARRAY_SIZE(r100_chip_ids) },
- { 0x1002, "r200", "r200", r200_chip_ids, ARRAY_SIZE(r200_chip_ids) },
-#endif
- { 0x1002, "r300", "r300", r300_chip_ids, ARRAY_SIZE(r300_chip_ids) },
{ 0x1002, "r600","r600", r600_chip_ids, ARRAY_SIZE(r600_chip_ids) },
{ 0x1002, "radeonsi", "radeonsi", radeonsi_chip_ids, ARRAY_SIZE(radeonsi_chip_ids) },
{ 0x10de, "nouveau", "nouveau", NULL, -1 },
--
2.19.1

View File

@ -1,34 +0,0 @@
From a4fc2f3a55776018eda20e09c11b3710f8f0e542 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 26 Oct 2018 14:16:17 -0400
Subject: [PATCH xserver] mustard: Work around broken fbdev headers
This configure check is somewhat pointless as we have our own copy of
the fbdev ioctl declarations. There's also a bug in the version of the
kernel headers I happen to want to build against, where an IS_ENABLED()
escaped into uapi like it oughtn't.
Nerf the test so we build the right fbdevhw code.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
configure.ac | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 57a2331024..2b8477ed61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -197,8 +197,7 @@ AC_CHECK_HEADERS([linux/agpgart.h sys/agpio.h sys/agpgart.h], AGP=yes)
AM_CONDITIONAL(AGP, [test "x$AGP" = xyes])
dnl fbdev header
-AC_CHECK_HEADERS([linux/fb.h], FBDEV=yes)
-AM_CONDITIONAL(FBDEVHW, [test "x$FBDEV" = xyes])
+AM_CONDITIONAL(FBDEVHW, true)
dnl FreeBSD kldload support (sys/linker.h)
AC_CHECK_HEADERS([sys/linker.h],
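Review bot: replacing the header check with `AM_CONDITIONAL(FBDEVHW, true)` also drops the `AC_CHECK_HEADERS([linux/fb.h], FBDEV=yes)` call, so `$FBDEV` is never set and the `HAVE_LINUX_FB_H` define that the macro generated disappears. If anything later in configure.ac or in the sources still tests either of them, it now silently takes the "not found" branch. Suggest grepping for both names and either removing those uses in this patch or keeping the assignment (`FBDEV=yes`) next to the forced conditional, with a `dnl` comment saying why the test is nerfed.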
--
2.19.1

View File

@ -0,0 +1,83 @@
From b3afd9ccefe156ab2dee993118fcdba40341f66e Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 1 Oct 2021 11:47:21 -0400
Subject: [PATCH xserver] mustard: xfree86: Disable the PCI probe path
RHEL 9 does not support userspace modesetting drivers for Xorg. Ideally
it would only support DRM drivers, but there are some fallback paths
(efifb mainly) that still require fbdev support. Since the primary use
of the PCI probe path is devices _without_ kernel support, we can safely
disable it. And indeed we want to, because there are some devices
(hyperv v1 e.g.) with both a platform and a PCI presentation, which the
PCI probe code fails to handle such that the server fails to start.
Thus: we #if 0 out the PCI probe in xf86CallDriverProbe.
It might be nice if the platform code knew about fbdev devices, but it
does not, and teaching it would be a large change for little benefit
given we do intend to sunset the fbdev path as well. Since the fbdev
path exists solely for cases where we have only the rudimentary firmare
framebuffer, we should only use it if _no_ platform driver is available.
Thus: we only call the legacy probe method if xf86ProbeIgnorePrimary.
Having done this, we need to go back into fbdevhw and undo fc78bcca:
commit fc78bcca21e767697de6ad4d8e03b6728856f613 (merge-requests/38)
Author: Adam Jackson <ajax@redhat.com>
Date: Wed Oct 10 14:09:11 2018 -0400
fbdevhw: Refuse to touch PCI devices on the fallback probe path
Which was well intentioned, but given the above changes we know by the
time we're trying to probe fbdev we really do want it, either because of
the above fallback path or because xorg.conf asked for it. In either
case we shouldn't spuriously fail just because it happens to be PCI.
Thus: We if (0) out the code added in fc78bcca.
Any one of the above might be questionable upstream, hence the mustard
nature of this patch.
---
hw/xfree86/common/xf86Bus.c | 4 ++--
hw/xfree86/fbdevhw/fbdevhw.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/xfree86/common/xf86Bus.c b/hw/xfree86/common/xf86Bus.c
index fd144dbe7a..844ce5a890 100644
--- a/hw/xfree86/common/xf86Bus.c
+++ b/hw/xfree86/common/xf86Bus.c
@@ -84,7 +84,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only)
}
#endif
-#ifdef XSERVER_LIBPCIACCESS
+#if 0
if (!foundScreen && (drv->PciProbe != NULL)) {
if (xf86DoConfigure && xf86DoConfigurePass1) {
assert(detect_only);
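Review bot: the bare `#if 0` that replaces `#ifdef XSERVER_LIBPCIACCESS` carries no explanation at the site, so a later rebase can easily turn it back on or drop the block without realising it is a deliberate policy change. A one-line comment above it pointing to the reason given in the commit message (no userspace modesetting drivers, hyperv v1 breaking the PCI probe) would make the intent visible in the code. Also note that `XSERVER_LIBPCIACCESS` still guards other PCI code elsewhere, so the PCI path is only disabled here, not compiled out as a whole.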
@@ -96,7 +96,7 @@ xf86CallDriverProbe(DriverPtr drv, Bool detect_only)
}
}
#endif
- if (!foundScreen && (drv->Probe != NULL)) {
+ if (!foundScreen && xf86ProbeIgnorePrimary && (drv->Probe != NULL)) {
xf86Msg(X_WARNING, "Falling back to old probe method for %s\n",
drv->driverName);
foundScreen = (*drv->Probe) (drv, (detect_only) ? PROBE_DETECT
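Review bot: adding `xf86ProbeIgnorePrimary` to the condition means a driver that only provides `drv->Probe` is now skipped without any log output whenever that flag is unset, while the existing `X_WARNING` only fires when the fallback is actually taken. Since the PCI path above is also disabled, a skipped driver leaves no trace in the log. Suggest an `else` branch (or a message before the `if`) that reports the legacy probe for `drv->driverName` was not attempted, so "no screens found" failures can be diagnosed.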
diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c
index 3d8b92e669..171038f46d 100644
--- a/hw/xfree86/fbdevhw/fbdevhw.c
+++ b/hw/xfree86/fbdevhw/fbdevhw.c
@@ -330,7 +330,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
}
/* only touch non-PCI devices on this path */
- {
+ if (0) {
char buf[PATH_MAX];
char *sysfs_path = NULL;
char *node = strrchr(dev, '/') + 1;
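Review bot: after changing the block opener to `if (0) {`, the comment directly above it, `/* only touch non-PCI devices on this path */`, describes behaviour that no longer exists. Please update the comment to say that the PCI check is intentionally disabled and why, or remove the dead block entirely, so that readers of fbdev_open() are not told the opposite of what the code does.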
--
2.31.1

View File

@ -1,89 +0,0 @@
From 4c8e10312a721aa2f36048388284a2fd4ad97043 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 28 Mar 2025 09:43:52 +0100
Subject: [PATCH xserver 1/7] render: Avoid 0 or less animated cursors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Animated cursors use a series of cursors that the client can set.
By default, the Xserver assumes at least one cursor is specified
while a client may actually pass no cursor at all.
That causes an out-of-bound read creating the animated cursor and a
crash of the Xserver:
| Invalid read of size 8
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
|
| Invalid read of size 2
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
To avoid the issue, check the number of cursors specified and return a
BadValue error in both the proc handler (early) and the animated cursor
creation (as this is a public function) if there is 0 or less cursor.
CVE-2025-49175
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 0885e0b26225c90534642fe911632ec0779eebee)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
render/animcur.c | 3 +++
render/render.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/render/animcur.c b/render/animcur.c
index ef27bda27..77942d846 100644
--- a/render/animcur.c
+++ b/render/animcur.c
@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
int rc = BadAlloc, i;
AnimCurPtr ac;
+ if (ncursor <= 0)
+ return BadValue;
+
for (i = 0; i < screenInfo.numScreens; i++)
if (!GetAnimCurScreen(screenInfo.screens[i]))
return BadImplementation;
diff --git a/render/render.c b/render/render.c
index 456f156d4..e9bbac62d 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1788,6 +1788,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
ncursor =
(client->req_len -
(bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
+ if (ncursor <= 0)
+ return BadValue;
cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
if (!cursors)
return BadAlloc;
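Review bot: in ProcRenderCreateAnimCursor the rejected `ncursor` is not a field of the request but is derived from `client->req_len`, so a zero count is really a length problem; consider whether `BadLength` describes it better to the client than `BadValue`, or add a short comment stating that `BadValue` was chosen on purpose to match AnimCursorCreate(). The placement itself is right: the check sits before `xallocarray(ncursor, ...)`, which is where the zero-size block in the valgrind trace came from.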
--
2.49.0

View File

@ -1,167 +0,0 @@
From dafe5f6358edd557d89bb63265d6df2e1249f106 Mon Sep 17 00:00:00 2001
From: Jocelyn Falempe <jfalempe@redhat.com>
Date: Thu, 18 Nov 2021 14:45:42 +0100
Subject: [PATCH] xf86/logind: fix call systemd_logind_vtenter after receiving
drm device resume
logind send the resume event for input devices and drm device,
in any order. if we call vt_enter before logind resume the drm device,
it leads to a driver error, because logind has not done the
DRM_IOCTL_SET_MASTER on it.
Keep the old workaround to make sure we call systemd_logind_vtenter at
least once if there are no platform device
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix drm_drop_master before vt_reldisp
When switching to VT, the ioctl DRM_DROP_MASTER must be done before
the ioctl VT_RELDISP. Otherwise the kernel can't change the modesetting
reliably, and this leads to the console not showing up in some cases, like
after unplugging a docking station with a DP or HDMI monitor.
Before doing the VT_RELDISP, send a dbus message to logind, to
pause the drm device, so logind will do the ioctl DRM_DROP_MASTER.
With this patch, it changes the order logind will send the resume
event, and drm will be sent last instead of first.
so there is a also fix to call systemd_logind_vtenter() at the right time.
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: Fix compilation error when built without logind/platform bus
This was introduced by commit 8eb1396d
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1269
Fixes: da9d012a9 - xf86/logind: Fix drm_drop_master before vt_reldisp
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
xf86/logind: fix missing call to vtenter if the platform device is not paused
If there is one platform device, which is not paused nor resumed,
systemd_logind_vtenter() will never get called.
This break suspend/resume, and switching to VT on system with Nvidia
proprietary driver.
This is a regression introduced by f5bd039633fa83
So now call systemd_logind_vtenter() if there are no paused
platform devices.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1271
Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
---
hw/xfree86/common/xf86Events.c | 4 ++
hw/xfree86/os-support/linux/systemd-logind.c | 41 +++++++++++++++++---
include/systemd-logind.h | 2 +
3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
index 8a800bd8f..b683d233b 100644
--- a/hw/xfree86/common/xf86Events.c
+++ b/hw/xfree86/common/xf86Events.c
@@ -393,6 +393,10 @@ xf86VTLeave(void)
for (i = 0; i < xf86NumGPUScreens; i++)
xf86GPUScreens[i]->LeaveVT(xf86GPUScreens[i]);
+ if (systemd_logind_controls_session()) {
+ systemd_logind_drop_master();
+ }
+
if (!xf86VTSwitchAway())
goto switch_failed;
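Review bot: `systemd_logind_drop_master()` runs before `xf86VTSwitchAway()`, but if the switch then fails and control goes to `switch_failed`, the platform devices have already been flagged `XF86_PDEV_PAUSED` and logind has already been told to pause them. The `switch_failed` path is not part of this hunk, so it is not clear that it clears the flag or gets DRM master back. Please check that the failure path undoes the pause, or document why it does not need to. Minor style point: the braces around the single call are inconsistent with the brace-less `if (!xf86VTSwitchAway())` right below.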
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
index 13784d15c..bd7a341f0 100644
--- a/hw/xfree86/os-support/linux/systemd-logind.c
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
@@ -302,6 +302,37 @@ cleanup:
dbus_error_free(&error);
}
+/*
+ * Send a message to logind, to pause the drm device
+ * and ensure the drm_drop_master is done before
+ * VT_RELDISP when switching VT
+ */
+void systemd_logind_drop_master(void)
+{
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_SERVER_FD) {
+ dbus_int32_t major, minor;
+ struct systemd_logind_info *info = &logind_info;
+
+ xf86_platform_devices[i].flags |= XF86_PDEV_PAUSED;
+ major = xf86_platform_odev_attributes(i)->major;
+ minor = xf86_platform_odev_attributes(i)->minor;
+ systemd_logind_ack_pause(info, minor, major);
+ }
+ }
+}
+
+static Bool are_platform_devices_resumed(void) {
+ int i;
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+ if (xf86_platform_devices[i].flags & XF86_PDEV_PAUSED) {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
static DBusHandlerResult
message_filter(DBusConnection * connection, DBusMessage * message, void *data)
{
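Review bot: in systemd_logind_drop_master() the call `systemd_logind_ack_pause(info, minor, major)` passes minor before major, the reverse of the order the two locals are declared and assigned in and the reverse of `systemd_logind_take_fd(int major, int minor, ...)` in the header. The prototype of systemd_logind_ack_pause() is not visible in this hunk, so please confirm the order matches it; a swapped pair would compile cleanly because both are `dbus_int32_t`. Two smaller points: the comment says the function sends a pause request while the helper is named "ack_pause", which deserves a word of explanation, and `are_platform_devices_resumed(void) {` puts the opening brace on the same line, unlike the function above it.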
@@ -417,14 +448,14 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
/* info->vt_active gets set by systemd_logind_vtenter() */
info->active = TRUE;
- if (pdev)
+ if (pdev) {
pdev->flags &= ~XF86_PDEV_PAUSED;
- else
+ } else
systemd_logind_set_input_fd_for_all_devs(major, minor, fd,
info->vt_active);
-
- /* Always call vtenter(), in case there are only legacy video devs */
- systemd_logind_vtenter();
+ /* Call vtenter if all platform devices are resumed, or if there are no platform device */
+ if (are_platform_devices_resumed())
+ systemd_logind_vtenter();
}
return DBUS_HANDLER_RESULT_HANDLED;
}
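Review bot: the `if (pdev) { ... } else` form braces one branch and not the other; since the `if` body is still a single statement, either drop the added braces or brace the `else` branch as well. On the logic: `are_platform_devices_resumed()` is now evaluated on every resume message, including input-device resumes that arrive while a DRM device is still paused, which is the intended deferral, but it also means vtenter depends on every flagged device eventually receiving a resume. A short comment on what happens if one device never resumes would help whoever debugs a stuck VT switch.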
diff --git a/include/systemd-logind.h b/include/systemd-logind.h
index a4067d097..5c04d0130 100644
--- a/include/systemd-logind.h
+++ b/include/systemd-logind.h
@@ -33,6 +33,7 @@ int systemd_logind_take_fd(int major, int minor, const char *path, Bool *paus);
void systemd_logind_release_fd(int major, int minor, int fd);
int systemd_logind_controls_session(void);
void systemd_logind_vtenter(void);
+void systemd_logind_drop_master(void);
#else
#define systemd_logind_init()
#define systemd_logind_fini()
@@ -40,6 +41,7 @@ void systemd_logind_vtenter(void);
#define systemd_logind_release_fd(major, minor, fd) close(fd)
#define systemd_logind_controls_session() 0
#define systemd_logind_vtenter()
+#define systemd_logind_drop_master()
#endif
#endif
--
2.33.1

View File

@ -1,27 +0,0 @@
From e4dce2bfaf4a61dd8a8ac099638489d4fdff9024 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 29 May 2018 15:05:10 -0400
Subject: [PATCH] xfree86: Don't autoconfigure vesa or fbdev
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/xfree86/loader/loadmod.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a6356bd..1c1c2b1 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -383,6 +383,9 @@ LoaderListDir(const char *subdir, const char **patternlist)
strcpy(fp, dp->d_name);
if (!(stat(buf, &stat_buf) == 0 && S_ISREG(stat_buf.st_mode)))
continue;
+ if (!strcmp(subdir, "drivers") &&
+ (strstr(dp->d_name, "vesa") || strstr(dp->d_name, "fbdev")))
+ continue;
for (p = patterns; p->pattern; p++) {
if (regexec(&p->rex, dp->d_name, 2, match, 0) == 0 &&
match[1].rm_so != -1) {
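Review bot: the new filter uses `strstr(dp->d_name, "vesa")` and `strstr(dp->d_name, "fbdev")`, which are substring matches, so any driver module whose file name merely contains one of those strings is skipped too, not only the vesa and fbdev drivers. Comparing against the exact module file names, or anchoring the match at the start of `d_name`, would limit the exclusion to the two intended drivers. A comment explaining why these two are hidden from autoconfiguration would also help, since the commit message gives no reason.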
--
2.17.0

View File

@ -1,27 +0,0 @@
From 1070ffa0953e9200688fc8fae11e3ab0680b86f2 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 9 Oct 2018 12:28:48 -0400
Subject: [PATCH xserver] xfree86: LeaveVT from xf86CrtcCloseScreen
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
---
hw/xfree86/modes/xf86Crtc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 37a45bb3af..45d325f4d2 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -776,6 +776,8 @@ xf86CrtcCloseScreen(ScreenPtr screen)
crtc->randr_crtc = NULL;
}
+ scrn->LeaveVT(scrn);
+
screen->CloseScreen = config->CloseScreen;
xf86RotateCloseScreen(screen);
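Review bot: `scrn->LeaveVT(scrn);` is called unconditionally in xf86CrtcCloseScreen(). The hunk shows no check that the `LeaveVT` hook is non-NULL and no check that the server currently owns the VT, so closing a screen while already switched away would run the driver's LeaveVT a second time. Suggest guarding the call (for example on the hook being set and on the screen's `vtSema` state) and adding a line to the commit message on why CloseScreen needs to leave the VT, since the message is currently empty.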
--
2.19.0

View File

@ -1,136 +0,0 @@
From ff91c696ff8f5f56da40e107cb5c321539758a81 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Tue, 16 Oct 2018 09:32:13 +0200
Subject: [PATCH xserver] xfree86: Only switch to original VT if it is active.
If the X server is terminated while its VT is not active, it should
not change the current VT.
v2: Query current state in xf86CloseConsole using VT_GETSTATE instead of
keeping track in xf86VTEnter/xf86VTLeave/etc.
---
hw/xfree86/os-support/linux/lnx_init.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c
index 039dc4a4d..358d89f0f 100644
--- a/hw/xfree86/os-support/linux/lnx_init.c
+++ b/hw/xfree86/os-support/linux/lnx_init.c
@@ -272,101 +272,111 @@ xf86OpenConsole(void)
xf86SetConsoleHandler(drain_console, NULL);
}
nTty = tty_attr;
nTty.c_iflag = (IGNPAR | IGNBRK) & (~PARMRK) & (~ISTRIP);
nTty.c_oflag = 0;
nTty.c_cflag = CREAD | CS8;
nTty.c_lflag = 0;
nTty.c_cc[VTIME] = 0;
nTty.c_cc[VMIN] = 1;
cfsetispeed(&nTty, 9600);
cfsetospeed(&nTty, 9600);
tcsetattr(xf86Info.consoleFd, TCSANOW, &nTty);
}
}
else { /* serverGeneration != 1 */
if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch) {
/* now get the VT */
if (!switch_to(xf86Info.vtno, "xf86OpenConsole"))
FatalError("xf86OpenConsole: Switching VT failed\n");
}
}
}
#pragma GCC diagnostic pop
void
xf86CloseConsole(void)
{
struct vt_mode VT;
+ struct vt_stat vts;
int ret;
if (xf86Info.ShareVTs) {
close(xf86Info.consoleFd);
return;
}
/*
* unregister the drain_console handler
* - what to do if someone else changed it in the meantime?
*/
xf86SetConsoleHandler(NULL, NULL);
/* Back to text mode ... */
SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSETMODE, KD_TEXT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: KDSETMODE failed: %s\n",
strerror(errno));
SYSCALL(ioctl(xf86Info.consoleFd, KDSKBMODE, tty_mode));
tcsetattr(xf86Info.consoleFd, TCSANOW, &tty_attr);
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETMODE, &VT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: VT_GETMODE failed: %s\n",
strerror(errno));
else {
/* set dflt vt handling */
VT.mode = VT_AUTO;
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_SETMODE, &VT));
if (ret < 0)
xf86Msg(X_WARNING, "xf86CloseConsole: VT_SETMODE failed: %s\n",
strerror(errno));
}
if (xf86Info.autoVTSwitch) {
/*
- * Perform a switch back to the active VT when we were started
- */
+ * Perform a switch back to the active VT when we were started if our
+ * vt is active now.
+ */
if (activeVT >= 0) {
- switch_to(activeVT, "xf86CloseConsole");
+ SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETSTATE, &vts));
+ if (ret < 0) {
+ xf86Msg(X_WARNING, "xf86OpenConsole: VT_GETSTATE failed: %s\n",
+ strerror(errno));
+ } else {
+ if (vts.v_active == xf86Info.vtno) {
+ switch_to(activeVT, "xf86CloseConsole");
+ }
+ }
activeVT = -1;
}
}
close(xf86Info.consoleFd); /* make the vt-manager happy */
}
#define CHECK_FOR_REQUIRED_ARGUMENT() \
if (((i + 1) >= argc) || (!argv[i + 1])) { \
ErrorF("Required argument to %s not specified\n", argv[i]); \
UseMsg(); \
FatalError("Required argument to %s not specified\n", argv[i]); \
}
int
xf86ProcessArgument(int argc, char *argv[], int i)
{
/*
* Keep server from detaching from controlling tty. This is useful
* when debugging (so the server can receive keyboard signals.
*/
if (!strcmp(argv[i], "-keeptty")) {
KeepTty = TRUE;
return 1;
}
if ((argv[i][0] == 'v') && (argv[i][1] == 't')) {
if (sscanf(argv[i], "vt%2d", &xf86Info.vtno) == 0) {
UseMsg();
xf86Info.vtno = -1;
return 0;
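Review bot: the new warning inside xf86CloseConsole() reads `"xf86OpenConsole: VT_GETSTATE failed: %s\n"`, so a failure here will be logged under the wrong function name; the other messages in this function all use the `xf86CloseConsole:` prefix. Please change the prefix to match. Also worth a comment: when VT_GETSTATE fails the code skips the switch back but still resets `activeVT = -1`, which looks intentional and should be stated.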
--
2.18.4

View File

@ -1,34 +0,0 @@
From 71703e4e8bd00719eefad53c2ed6c604079f87ea Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 17 Oct 2018 09:00:59 +1000
Subject: [PATCH xserver] xfree86: ensure the readlink buffer is
null-terminated
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dave Airlie <airlied@redhat.com>
---
hw/xfree86/fbdevhw/fbdevhw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c
index 95089515c..f146ff4a4 100644
--- a/hw/xfree86/fbdevhw/fbdevhw.c
+++ b/hw/xfree86/fbdevhw/fbdevhw.c
@@ -331,12 +331,12 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
/* only touch non-PCI devices on this path */
{
- char buf[PATH_MAX];
+ char buf[PATH_MAX] = {0};
char *sysfs_path = NULL;
char *node = strrchr(dev, '/') + 1;
if (asprintf(&sysfs_path, "/sys/class/graphics/%s", node) < 0 ||
- readlink(sysfs_path, buf, sizeof(buf)) < 0 ||
+ readlink(sysfs_path, buf, sizeof(buf) - 1) < 0 ||
strstr(buf, "devices/pci")) {
free(sysfs_path);
close(fd);
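Review bot: zero-initialising `buf` and passing `sizeof(buf) - 1` does guarantee termination, but the return value of `readlink()` is still only compared against 0, so a link target that fills the buffer is silently truncated before the `strstr(buf, "devices/pci")` test. Storing the length and terminating with it (and treating a result of `sizeof(buf) - 1` as an error) would be more explicit than relying on the initialiser. Separately, the context line `strrchr(dev, '/') + 1` produces an invalid pointer when `dev` contains no '/'; that predates this patch but sits in the same block and could be fixed here.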
--
2.19.1

View File

@ -1,190 +0,0 @@
From 326f992a90dae7a747da45626e588fa3c1dfa5dc Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Fri, 21 Sep 2018 14:38:31 -0400
Subject: [PATCH xserver] xfree86: try harder to span on multihead
right now if one of the monitors can't give
it's native resolution because of bandwidth limitations,
X decides to avoid spanning and instead clone.
That's suboptimal, spanning is normally the right
thing to do (with the exception of some projector
use cases and other edge cases)
This commit tries harder to make spanning work.
---
hw/xfree86/modes/xf86Crtc.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 37a45bb3a..686cb51b8 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -2132,135 +2132,160 @@ bestModeForAspect(xf86CrtcConfigPtr config, Bool *enabled, float aspect)
if (test->HDisplay != mode->HDisplay ||
test->VDisplay != mode->VDisplay) {
test = NULL;
break;
}
}
/* if we didn't match it on all outputs, try the next one */
if (!test)
continue;
/* if it's bigger than the last one, save it */
if (!match || (test->HDisplay > match->HDisplay))
match = test;
}
/* return the biggest one found */
return match;
}
static int
numEnabledOutputs(xf86CrtcConfigPtr config, Bool *enabled)
{
int i = 0, p;
for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++) ;
return i;
}
+static DisplayModePtr
+findReasonableMode(xf86CrtcConfigPtr config, xf86OutputPtr output, Bool *enabled, int width, int height)
+{
+ DisplayModePtr mode =
+ xf86OutputHasPreferredMode(output, width, height);
+
+ /* if there's no preferred mode, just try to find a reasonable one */
+ if (!mode) {
+ float aspect = 0.0;
+ DisplayModePtr a = NULL, b = NULL;
+
+ if (output->mm_height)
+ aspect = (float) output->mm_width /
+ (float) output->mm_height;
+
+ a = bestModeForAspect(config, enabled, 4.0/3.0);
+ if (aspect)
+ b = bestModeForAspect(config, enabled, aspect);
+
+ mode = biggestMode(a, b);
+ }
+
+ return mode;
+}
+
static Bool
xf86TargetRightOf(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
DisplayModePtr *modes, Bool *enabled,
int width, int height)
{
int o;
int w = 0;
Bool has_tile = FALSE;
uint32_t configured_outputs;
xf86GetOptValBool(config->options, OPTION_PREFER_CLONEMODE,
&scrn->preferClone);
if (scrn->preferClone)
return FALSE;
if (numEnabledOutputs(config, enabled) < 2)
return FALSE;
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[o], width, height);
+ findReasonableMode(config, config->output[o], enabled, width, height);
if (!mode)
return FALSE;
w += mode->HDisplay;
}
if (w > width)
return FALSE;
w = 0;
configured_outputs = 0;
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[o], width, height);
+ findReasonableMode(config, config->output[o], enabled, width, height);
if (configured_outputs & (1 << o))
continue;
if (config->output[o]->tile_info.group_id) {
has_tile = TRUE;
continue;
}
config->output[o]->initial_x = w;
w += mode->HDisplay;
configured_outputs |= (1 << o);
modes[o] = mode;
}
if (has_tile) {
for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
int ht, vt, ot;
int add_x, cur_x = w;
struct xf86CrtcTileInfo *tile_info = &config->output[o]->tile_info, *this_tile;
if (configured_outputs & (1 << o))
continue;
if (!tile_info->group_id)
continue;
if (tile_info->tile_h_loc != 0 && tile_info->tile_v_loc != 0)
continue;
for (ht = 0; ht < tile_info->num_h_tile; ht++) {
int cur_y = 0;
add_x = 0;
for (vt = 0; vt < tile_info->num_v_tile; vt++) {
for (ot = -1; nextEnabledOutput(config, enabled, &ot); ) {
-
DisplayModePtr mode =
- xf86OutputHasPreferredMode(config->output[ot], width, height);
+ findReasonableMode(config, config->output[ot], enabled, width, height);
+
if (!config->output[ot]->tile_info.group_id)
continue;
this_tile = &config->output[ot]->tile_info;
if (this_tile->group_id != tile_info->group_id)
continue;
if (this_tile->tile_h_loc != ht ||
this_tile->tile_v_loc != vt)
continue;
config->output[ot]->initial_x = cur_x;
config->output[ot]->initial_y = cur_y;
if (vt == 0)
add_x = this_tile->tile_h_size;
cur_y += this_tile->tile_v_size;
configured_outputs |= (1 << ot);
modes[ot] = mode;
}
}
cur_x += add_x;
}
w = cur_x;
}
}
return TRUE;
}
static Bool
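Review bot: the fallback in findReasonableMode() calls `bestModeForAspect(config, enabled, ...)`, which, per the context at the top of the hunk ("if we didn't match it on all outputs, try the next one"), only returns a mode present on every enabled output. So an output without a preferred mode gets a mode only if all monitors share one, and the `output` argument influences nothing but the aspect ratio; please say so in a comment or pick a per-output mode. The function is also evaluated up to three times per output in xf86TargetRightOf(), and only the first loop checks `if (!mode)` before `mode->HDisplay` is used; caching the result of the first loop in `modes[o]` would avoid the repeated work. The signature line is well over 80 columns.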
--
2.17.1

View File

@ -0,0 +1,118 @@
From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 4 Oct 2021 14:27:54 -0400
Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes
Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to
prevalidate the size of incoming SetMap requests.
That commit checks for the XkbSetMapResizeTypes flag to be set before
allowing key types data to be processed.
key types data can be changed or even just sent wholesale unchanged
without the number of key types changing, however. The check for
XkbSetMapResizeTypes rejects those legitimate requests. In particular,
XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now
any time XkbKeyTypesMask is in the changed mask.
This commit drops the check for XkbSetMapResizeTypes in flags when
prevalidating the request length.
---
xkb/xkb.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 183d6ffa1..62dee9cb6 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
}
changes->map.first_vmodmap_key = first;
changes->map.num_vmodmap_keys = (last - first) + 1;
}
return (char *) wire;
}
#define _add_check_len(new) \
if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
else len += new
/**
* Check the length of the SetMap request
*/
static int
_XkbSetMapCheckLength(xkbSetMapReq *req)
{
size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
xkbKeyTypeWireDesc *keytype;
xkbSymMapWireDesc *symmap;
BOOL preserve;
int i, map_count, nSyms;
if (req_len < len)
goto bad;
/* types */
if (req->present & XkbKeyTypesMask) {
keytype = (xkbKeyTypeWireDesc *)(req + 1);
for (i = 0; i < req->nTypes; i++) {
_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
- if (req->flags & XkbSetMapResizeTypes) {
- _add_check_len(keytype->nMapEntries
- * sz_xkbKTSetMapEntryWireDesc);
- preserve = keytype->preserve;
- map_count = keytype->nMapEntries;
- if (preserve) {
- _add_check_len(map_count * sz_xkbModsWireDesc);
- }
- keytype += 1;
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
- if (preserve)
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbModsWireDesc *)keytype + map_count);
+ _add_check_len(keytype->nMapEntries
+ * sz_xkbKTSetMapEntryWireDesc);
+ preserve = keytype->preserve;
+ map_count = keytype->nMapEntries;
+ if (preserve) {
+ _add_check_len(map_count * sz_xkbModsWireDesc);
}
+ keytype += 1;
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
+ if (preserve)
+ keytype = (xkbKeyTypeWireDesc *)
+ ((xkbModsWireDesc *)keytype + map_count);
}
}
/* syms */
if (req->present & XkbKeySymsMask) {
symmap = (xkbSymMapWireDesc *)((char *)req + len);
for (i = 0; i < req->nKeySyms; i++) {
_add_check_len(sz_xkbSymMapWireDesc);
nSyms = symmap->nSyms;
_add_check_len(nSyms*sizeof(CARD32));
symmap += 1;
symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
}
}
/* actions */
if (req->present & XkbKeyActionsMask) {
_add_check_len(req->totalActs * sz_xkbActionWireDesc
+ XkbPaddedSize(req->nKeyActs));
}
/* behaviours */
if (req->present & XkbKeyBehaviorsMask) {
_add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
}
/* vmods */
if (req->present & XkbVirtualModsMask) {
_add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
}
/* explicit */
if (req->present & XkbExplicitComponentsMask) {
/* two bytes per non-zero explicit componen */
_add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
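Review bot: with the `XkbSetMapResizeTypes` test removed, the types loop in _XkbSetMapCheckLength() now always walks `keytype->nMapEntries` for every request that has `XkbKeyTypesMask` set, and nothing in the code records why the flag must not be consulted here. Suggest a short comment above the loop stating that key type data can be sent without a resize (XkbChangeMap never sets the flag), so the check is not reintroduced by a later hardening pass. The ordering is sound as written: each `keytype` header is covered by `_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc))` before its `nMapEntries` and `preserve` fields are read.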
--
2.32.0

View File

@ -0,0 +1,30 @@
From a7ba1e9fe41019296a0f3ddff3d681f77e041ad7 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 7 May 2024 18:04:02 +0200
Subject: [PATCH] xquartz: Remove invalid Unicode sequence
This is flagged by the automatic scanning tools.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1673
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1524>
---
hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib b/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
index e56c1adbc..42042a18d 100644
--- a/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
+++ b/hw/xquartz/bundle/Resources/he.lproj/main.nib/designable.nib
@@ -438,7 +438,7 @@
<menu key="menu" title="OtherViews" id="380">
<items>
<menuItem title="מהצג" state="on" tag="-1" id="384"/>
- <menuItem title="?256 ‬צבעים" tag="8" id="435"/>
+ <menuItem title="‭‬צבעים" tag="8" id="435"/>
<menuItem title="‏אלפים" tag="15" id="383"/>
<menuItem title="‏מיליונים" tag="24" id="381"/>
</items>
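Review bot: as shown in this hunk, the replacement `title` for the `tag="8"` menu item no longer contains "256", only the Hebrew word and directional control characters, while the commit message says the change just removes an invalid Unicode sequence. If the number was dropped unintentionally, the menu entry loses its meaning next to the "thousands" and "millions" items below it. Please confirm the intended final string and, if control characters are still needed for bidirectional layout, note in the commit message which ones remain so the scanner finding can be re-checked.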
--
2.45.0

View File

@ -1,4 +1,4 @@
From c5ff57676698f19ed3a1402aef58a15552e32d27 Mon Sep 17 00:00:00 2001 From cb260ba95d2bb1ae98b05e289d1b7947ac409230 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:24:00 +1000 Date: Tue, 29 Nov 2022 13:24:00 +1000
Subject: [PATCH xserver 2/7] Xi: return an error from XI property changes if Subject: [PATCH xserver 2/7] Xi: return an error from XI property changes if

View File

@ -0,0 +1,49 @@
From 9dc8beff846a127cc8754212fb654e5f66dacff4 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 4 Dec 2024 15:49:43 +1000
Subject: [PATCH xserver 02/13] dix: keep a ref to the rootCursor
CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.
Related to CVE-2025-26594, ZDI-CAN-25544
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dix/main.c b/dix/main.c
index b228d9c28..f2606d3d6 100644
--- a/dix/main.c
+++ b/dix/main.c
@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
defaultCursorFont);
}
+ rootCursor = RefCursor(rootCursor);
+
#ifdef PANORAMIX
/*
* Consolidate window and colourmap information for each screen
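Review bot: `rootCursor = RefCursor(rootCursor);` is the core of the fix but has no comment in dix_main(), and the reason (the reference returned by cursor creation belongs to the resource system, so the global needs its own) only exists in the commit message. A two-line comment at this spot would keep someone from removing the "redundant" ref later. It is also worth stating whether `rootCursor` can be NULL here; the creation code above is outside the hunk, so the reader cannot tell whether RefCursor() is ever handed a NULL pointer.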
@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
Dispatch();
+ UnrefCursor(rootCursor);
+
UndisplayDevices();
DisableAllDevices();
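Review bot: after `UnrefCursor(rootCursor);` the global still holds the old pointer, and the teardown calls that follow (`UndisplayDevices()`, `DisableAllDevices()` and whatever comes after the hunk) run with it set. If this was the last reference, any of them that reads `rootCursor` sees freed memory, which is the class of bug the series is fixing. Suggest setting `rootCursor = NULL` right after the unref, or moving the unref to after the last code path that can still use the root cursor.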
--
2.48.1

View File

@ -1,91 +0,0 @@
From a99c927aec4563101f574d0a65cd451dcdd7e012 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 7 Apr 2025 16:13:34 +0200
Subject: [PATCH xserver 2/7] os: Do not overflow the integer size with
BigRequest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The BigRequest extension allows requests larger than the 16-bit length
limit.
It uses integers for the request length and checks for the size not to
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.
In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.
To avoid the issue, make sure to check that the request size does not
overflow the maxBigRequestSize limit prior to any conversion.
The caller Dispatch() function however expects the return value to be in
bytes, so we cannot just return the converted value in case of error, as
that would also overflow the integer size.
To preserve the existing API, we use a negative value for the X11 error
code BadLength as the function only returns positive values, 0 or -1 and
update the caller Dispatch() function to take that case into account to
return the error code to the offending client.
CVE-2025-49176
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 03731b326a80b582e48d939fe62cb1e2b10400d9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
dix/dispatch.c | 9 +++++----
os/io.c | 4 ++++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index a33bfaa9e..14ccdc57a 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -447,9 +447,10 @@ Dispatch(void)
/* now, finally, deal with client requests */
result = ReadRequestFromClient(client);
- if (result <= 0) {
- if (result < 0)
- CloseDownClient(client);
+ if (result == 0)
+ break;
+ else if (result == -1) {
+ CloseDownClient(client);
break;
}
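Review bot: only `result == -1` closes the client now, so every other negative return from ReadRequestFromClient() falls through this block and depends on the `result < 0` test added further down in Dispatch(). Nothing at this call site records that contract. A short comment listing the three cases (0, -1, negated X error code) would help, since any code between here and that later test now runs with a negative result.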
@@ -470,7 +471,7 @@ Dispatch(void)
client->index,
client->requestBuffer);
#endif
- if (result > (maxBigRequestSize << 2))
+ if (result < 0 || result > (maxBigRequestSize << 2))
result = BadLength;
else {
result = XaceHookDispatch(client, client->majorOp);
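Review bot: `result < 0` turns every negative return into BadLength, although os/io.c encodes the error as `-(BadLength)`. The two agree today, but a different negated code returned later would be reported to the client as BadLength. Either decode the value (`result = -result` for the negative case) or state in a comment that BadLength is the only negated value expected.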
diff --git a/os/io.c b/os/io.c
index 939f51743..a05300869 100644
--- a/os/io.c
+++ b/os/io.c
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client);
}
client->req_len = needed;
+ if (needed > MAXINT >> 2) {
+ /* Check for potential integer overflow */
+ return -(BadLength);
+ }
needed <<= 2; /* needed is in bytes now */
}
if (gotnow < needed) {
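Review bot: `client->req_len = needed;` is stored before the new `needed > MAXINT >> 2` test, so on the BadLength path the client record keeps the oversized length. Moving the check above the assignment leaves req_len untouched for a rejected request. Writing the bound as `(MAXINT >> 2)` would also make the operator precedence obvious.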
--
2.49.0

View File

@ -0,0 +1,153 @@
From c2eb1e2eac99ef0b8e6cf47ab0a94371cf47e939 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 23 Jul 2019 11:54:15 -0400
Subject: [PATCH xserver 02/11] xfree86: Link fb statically
There's no real benefit to leaving this loadable, virtually every driver
is going to load it.
Reviewed-by: Jon Turney <jon.turney@dronecode.org.uk>
(cherry picked from commit c1703cdf3b0d6663fcac68598eefe324ae4e1e71)
---
hw/xfree86/Makefile.am | 1 +
hw/xfree86/dixmods/Makefile.am | 8 +-------
hw/xfree86/dixmods/meson.build | 14 --------------
hw/xfree86/drivers/modesetting/meson.build | 1 -
hw/xfree86/loader/loadmod.c | 1 +
hw/xfree86/meson.build | 1 +
hw/xfree86/sdksyms.sh | 6 +++---
test/Makefile.am | 1 +
8 files changed, 8 insertions(+), 25 deletions(-)
diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
index 9aeaea1a6..1d494cd0f 100644
--- a/hw/xfree86/Makefile.am
+++ b/hw/xfree86/Makefile.am
@@ -75,6 +75,7 @@ LOCAL_LIBS = \
$(DRI2_LIB) \
$(DRI3_LIB) \
$(GLXVND_LIB) \
+ $(top_builddir)/fb/libfb.la \
$(top_builddir)/miext/sync/libsync.la \
$(top_builddir)/mi/libmi.la \
$(top_builddir)/os/libos.la \
diff --git a/hw/xfree86/dixmods/Makefile.am b/hw/xfree86/dixmods/Makefile.am
index 856659f98..a1f97056a 100644
--- a/hw/xfree86/dixmods/Makefile.am
+++ b/hw/xfree86/dixmods/Makefile.am
@@ -4,8 +4,7 @@ if GLX
GLXMODS = libglx.la
endif
-module_LTLIBRARIES = libfb.la \
- libwfb.la \
+module_LTLIBRARIES = libwfb.la \
libshadow.la
extsmoduledir = $(moduledir)/extensions
@@ -17,11 +16,6 @@ AM_CPPFLAGS = @XORG_INCS@ \
-I$(top_srcdir)/miext/shadow \
-I$(top_srcdir)/glx
-libfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
-libfb_la_LIBADD = $(top_builddir)/fb/libfb.la
-libfb_la_SOURCES = fbmodule.c
-libfb_la_CFLAGS = $(AM_CFLAGS)
-
libwfb_la_LDFLAGS = -module -avoid-version $(LD_NO_UNDEFINED_FLAG)
libwfb_la_LIBADD = $(top_builddir)/fb/libwfb.la
libwfb_la_SOURCES = fbmodule.c
diff --git a/hw/xfree86/dixmods/meson.build b/hw/xfree86/dixmods/meson.build
index 0562b630f..e4ac02228 100644
--- a/hw/xfree86/dixmods/meson.build
+++ b/hw/xfree86/dixmods/meson.build
@@ -1,17 +1,3 @@
-fb = shared_module(
- 'fb',
- 'fbmodule.c',
-
- include_directories: [inc, xorg_inc],
- c_args: xorg_c_args,
- dependencies: common_dep,
- link_whole: libxserver_fb,
- link_with: e,
-
- install: true,
- install_dir: module_dir,
-)
-
shared_module(
'wfb',
'fbmodule.c',
diff --git a/hw/xfree86/drivers/modesetting/meson.build b/hw/xfree86/drivers/modesetting/meson.build
index 5e13f1a53..02852a716 100644
--- a/hw/xfree86/drivers/modesetting/meson.build
+++ b/hw/xfree86/drivers/modesetting/meson.build
@@ -30,7 +30,6 @@ shared_module(
xorg_build_root = join_paths(meson.build_root(), 'hw', 'xfree86')
symbol_test_args = []
symbol_test_args += join_paths(xorg_build_root, 'libxorgserver.so')
-symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libfb.so')
symbol_test_args += join_paths(xorg_build_root, 'dixmods', 'libshadow.so')
if gbm_dep.found()
symbol_test_args += join_paths(xorg_build_root, 'glamor_egl', 'libglamoregl.so')
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a6356bd8f..f0983b2f8 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -621,6 +621,7 @@ DuplicateModule(ModuleDescPtr mod, ModuleDescPtr parent)
static const char *compiled_in_modules[] = {
"ddc",
+ "fb",
"i2c",
"ramdac",
"dbe",
diff --git a/hw/xfree86/meson.build b/hw/xfree86/meson.build
index cacf56d4c..c80964ea4 100644
--- a/hw/xfree86/meson.build
+++ b/hw/xfree86/meson.build
@@ -61,6 +61,7 @@ xorg_link = [
xorg_os_support,
xorg_parser,
xorg_ramdac,
+ libxserver_fb,
libxserver_xext_vidmode,
libxserver_main,
libxserver_config,
diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh
index 7897aae22..2ebc4c019 100755
--- a/hw/xfree86/sdksyms.sh
+++ b/hw/xfree86/sdksyms.sh
@@ -21,13 +21,13 @@ cat > sdksyms.c << EOF
#include "picturestr.h"
-/* fb/Makefile.am -- module */
-/*
+/* fb/Makefile.am */
#include "fb.h"
#include "fbrop.h"
#include "fboverlay.h"
-#include "wfbrename.h"
#include "fbpict.h"
+/* wfb is still a module
+#include "wfbrename.h"
*/
diff --git a/test/Makefile.am b/test/Makefile.am
index 12ac327a3..ce07c3551 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -146,6 +146,7 @@ tests_LDADD += \
$(top_builddir)/hw/xfree86/i2c/libi2c.la \
$(top_builddir)/hw/xfree86/xkb/libxorgxkb.la \
$(top_builddir)/Xext/libXvidmode.la \
+ $(top_builddir)/fb/libfb.la \
$(XSERVER_LIBS) \
$(XORG_LIBS)
--
2.33.1

View File

@ -1,4 +1,4 @@
From f9c435822c852659e3926502829f1b13ce6efc37 Mon Sep 17 00:00:00 2001 From a16f2b9693d248b81703821fd22fba8b5ba83e1a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:26:57 +1000 Date: Tue, 29 Nov 2022 13:26:57 +1000
Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of Subject: [PATCH xserver 3/7] Xi: avoid integer truncation in length check of

View File

@ -1,35 +0,0 @@
From d5b66f2b1f3d9a322261d150e0da4e707a337334 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Jun 2025 08:39:02 +0200
Subject: [PATCH xserver 3/7] os: Check for integer overflow on BigRequest
length
Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
---
os/io.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/os/io.c b/os/io.c
index a05300869..de5b3c921 100644
--- a/os/io.c
+++ b/os/io.c
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client);
}
client->req_len = needed;
+ if (needed > MAXINT >> 2)
+ return -(BadLength);
needed <<= 2;
}
if (gotnow < needed) {
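Review bot: this is the same `needed > MAXINT >> 2` guard that the earlier BigRequest patch added at the other get_big_req_len() call in ReadRequestFromClient(), but here without the "Check for potential integer overflow" comment. Two copies of one bound are easy to change unevenly; a small helper that validates the length and converts it to bytes, used at both sites, would keep them in step, or at least carry the comment over.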
--
2.49.0

View File

@ -0,0 +1,63 @@
From c0e295af1adca6a0258bb405c535fe04969cc178 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 14:41:45 +0100
Subject: [PATCH xserver 03/13] xkb: Fix buffer overflow in XkbVModMaskText()
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.
There are actually two issues in the code that can lead to a buffer
overflow.
First, the bound check mixes pointers and integers using misplaced
parentheses, defeating the bound check.
But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.
Change the logic to skip the copy entirely if the bound check fails.
CVE-2025-26595, ZDI-CAN-25545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/xkbtext.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index d2a2567fc..002626450 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb,
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
if (format == XkbCFile)
len += 4;
- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
- if (str != buf) {
- if (format == XkbCFile)
- *str++ = '|';
- else
- *str++ = '+';
- len--;
- }
+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
+ continue; /* Skip */
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+ else
+ *str++ = '+';
+ len--;
}
if (format == XkbCFile)
sprintf(str, "%sMask", tmp);
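Review bot: the bound test is now correct, but the copy below it is still an unbounded `sprintf(str, "%sMask", tmp);`, so safety depends on `len` matching exactly what the format writes, including the 4 bytes added for XkbCFile. Using snprintf() with the remaining space, `VMOD_BUFFER_SIZE - (str - buf)`, would make the write self-limiting. The `continue; /* Skip */` also drops the name silently, so the caller gets a shortened mask string with no indication that something was left out.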
--
2.48.1

View File

@ -1,4 +1,4 @@
From 0dab0b527ac5c4fe0272ea679522bd87238a733b Mon Sep 17 00:00:00 2001 From be6bcbfa3f388ca0705db8baf10fa5c2d29b7d36 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:55:32 +1000 Date: Tue, 29 Nov 2022 13:55:32 +1000
Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255 Subject: [PATCH xserver 4/7] Xi: disallow passive grabs with a detail > 255
@ -27,14 +27,14 @@ Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com> Acked-by: Olivier Fourdan <ofourdan@redhat.com>
--- ---
Xi/xipassivegrab.c | 12 ++++++++++++ Xi/xipassivegrab.c | 22 ++++++++++++++--------
1 file changed, 12 insertions(+) 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 65d5870f6f..89a591098a 100644 index 2769fb7c94..c9ac2f8553 100644
--- a/Xi/xipassivegrab.c --- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c
@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) @@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
return BadValue; return BadValue;
} }
@ -47,7 +47,24 @@ index 65d5870f6f..89a591098a 100644
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
stuff->mask_len * 4) != Success) stuff->mask_len * 4) != Success)
return BadValue; return BadValue;
@@ -313,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) @@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
&param, XI2, &mask);
break;
case XIGrabtypeKeycode:
- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
- * implement this. Just return an error for all keycodes that
- * cannot work anyway */
- if (stuff->detail > 255)
- status = XIAlreadyGrabbed;
- else
- status = GrabKey(client, dev, mod_dev, stuff->detail,
- &param, XI2, &mask);
+ status = GrabKey(client, dev, mod_dev, stuff->detail,
+ &param, XI2, &mask);
break;
case XIGrabtypeEnter:
case XIGrabtypeFocusIn:
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
return BadValue; return BadValue;
} }

View File

@ -0,0 +1,42 @@
From e763a4fa114ba6c0abddf2b43a7297b8b9054855 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 13:29:22 -0400
Subject: [PATCH xserver 04/11] loader: Move LoaderSymbolFromModule() to public
API
Bare LoaderSymbol() isn't really a great API, this is more of a direct
map to dlsym like you want.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit 8760fab0a15805bdd12bb8f12bb1c665fde86cc2)
---
hw/xfree86/common/xf86Module.h | 1 +
hw/xfree86/loader/loader.h | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/common/xf86Module.h b/hw/xfree86/common/xf86Module.h
index 00aa84ae2..fab8842c4 100644
--- a/hw/xfree86/common/xf86Module.h
+++ b/hw/xfree86/common/xf86Module.h
@@ -156,6 +156,7 @@ extern _X_EXPORT void *LoadSubModule(void *, const char *, const char **,
extern _X_EXPORT void UnloadSubModule(void *);
extern _X_EXPORT void UnloadModule(void *);
extern _X_EXPORT void *LoaderSymbol(const char *);
+extern _X_EXPORT void *LoaderSymbolFromModule(void *, const char *);
extern _X_EXPORT void LoaderErrorMsg(const char *, const char *, int, int);
extern _X_EXPORT Bool LoaderShouldIgnoreABI(void);
extern _X_EXPORT int LoaderGetABIVersion(const char *abiclass);
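Review bot: `LoaderSymbolFromModule(void *, const char *)` becomes exported API with two unnamed parameters and no statement of what the first `void *` must be. The commit message calls it a direct map to dlsym, which suggests a dlopen handle, while LoadSubModule() declared just above also returns a bare `void *`, so a caller cannot tell which of the two is expected. Name the parameters and add a comment saying which kind of handle is accepted.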
diff --git a/hw/xfree86/loader/loader.h b/hw/xfree86/loader/loader.h
index 5a2fe6c60..4e83730a2 100644
--- a/hw/xfree86/loader/loader.h
+++ b/hw/xfree86/loader/loader.h
@@ -72,6 +72,5 @@ extern unsigned long LoaderOptions;
/* Internal Functions */
void *LoaderOpen(const char *, int *);
-void *LoaderSymbolFromModule(void *, const char *);
#endif /* _LOADER_H */
--
2.33.1

View File

@ -1,48 +0,0 @@
From b4f63879f2a5cf0578101591f26471238f944e9c Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:46:03 +0200
Subject: [PATCH xserver 4/7] os: Account for bytes to ignore when sharing
input buffer
When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client whose
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.
To avoid the issue, make sure we have zero bytes to ignore left in the
input request when sharing the input buffer with another client.
CVE-2025-49178
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
os/io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/io.c b/os/io.c
index de5b3c921..b7f2750b5 100644
--- a/os/io.c
+++ b/os/io.c
@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
*/
gotnow -= needed;
- if (!gotnow)
+ if (!gotnow && !oci->ignoreBytes)
AvailableInput = oc;
if (move_header) {
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
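Review bot: the condition for handing the buffer over changes to `!gotnow && !oci->ignoreBytes`, but the comment block that ends just above `gotnow -= needed;` is not touched. If that comment describes when AvailableInput may be set, it should mention the pending ignoreBytes case so the second condition is not removed later as redundant.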
--
2.49.0

View File

@ -0,0 +1,47 @@
From ddf9500846982402250114803b28180036a54cac Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 11:49:34 +0100
Subject: [PATCH xserver 04/13] xkb: Fix computation of XkbSizeKeySyms
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), leading to a heap overflow.
Fix the calculation in XkbSizeKeySyms() to match what XkbWriteKeySyms()
does.
CVE-2025-26596, ZDI-CAN-25543
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/xkb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 68c59df02..175a81bf7 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
symMap = &xkb->map->key_sym_map[rep->firstKeySym];
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
- if (symMap->offset != 0) {
- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
- nSyms += nSymsThisKey;
- }
+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+ if (nSymsThisKey == 0)
+ continue;
+ nSyms += nSymsThisKey;
}
len += nSyms * 4;
rep->totalSyms = nSyms;
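Review bot: the size computation and the writer remain two separate pieces of code that must agree, which is how the mismatch described in the commit message arose. A comment here pointing at XkbWriteKeySyms(), or a shared helper for the per-key symbol count, would make the coupling explicit. The `if (nSymsThisKey == 0) continue;` has no effect on `nSyms`, since adding zero changes nothing; keep it only if it is there to mirror the writer, and say so.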
--
2.48.1

View File

@ -1,4 +1,4 @@
From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001 From 6b59bdddf30dde413c4e0391cf84f3b94d4b4e31 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000 Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when

View File

@ -0,0 +1,50 @@
From b01ca791b9ba62e25e3533ba35f8e825f02f0f80 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 18 Nov 2019 16:43:50 -0500
Subject: [PATCH xserver 05/11] loader: Make LoaderSymbolFromModule take a
ModuleDescPtr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The thing you get back from xf86LoadSubModule is a ModuleDescPtr, not a
dlsym handle. We don't expose ModuleDescPtr to the drivers, so change
LoaderSymbolFromModule to cast its void * argument to a ModuleDescPtr.
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit ab61c16ef07fde6eb7110c63c344c54eb2a2d117)
---
hw/xfree86/loader/loader.c | 3 ++-
hw/xfree86/loader/loadmod.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c
index 503c47e3a..2580e93d9 100644
--- a/hw/xfree86/loader/loader.c
+++ b/hw/xfree86/loader/loader.c
@@ -135,7 +135,8 @@ LoaderSymbol(const char *name)
void *
LoaderSymbolFromModule(void *handle, const char *name)
{
- return dlsym(handle, name);
+ ModuleDescPtr mod = handle;
+ return dlsym(mod->handle, name);
}
void
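Review bot: `mod->handle` is dereferenced without checking `handle`, and the parameter stays `void *`, so the compiler cannot catch a caller that passes NULL or a raw dlopen handle instead of a module descriptor. Since the previous patch in this series made the function public, add `if (!mod) return NULL;` before the dlsym() call and document the expected argument type.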
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index a93a76aa9..81a3a1dd9 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -776,7 +776,7 @@ LoadModule(const char *module, void *options, const XF86ModReqInfo *modreq,
*errmaj = LDR_NOMEM;
goto LoadModule_fail;
}
- initdata = LoaderSymbolFromModule(ret->handle, p);
+ initdata = LoaderSymbolFromModule(ret, p);
if (initdata) {
ModuleSetupProc setup;
ModuleTearDownProc teardown;
--
2.33.1

View File

@ -1,64 +0,0 @@
From d943eaa6b8584e7ceebd73ee59bd84e99b09be5d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 11:47:15 +0200
Subject: [PATCH xserver 5/7] record: Check for overflow in
RecordSanityCheckRegisterClients()
The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than a maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.
This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.
CVE-2025-49179
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
record/record.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/record/record.c b/record/record.c
index a8aec23bd..afaceb55c 100644
--- a/record/record.c
+++ b/record/record.c
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
#include "inputstr.h"
#include "eventconvert.h"
#include "scrnintstr.h"
+#include "opaque.h"
#include <stdio.h>
#include <assert.h>
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
int i;
XID recordingClient;
+ /* LimitClients is 2048 at max, way less that MAXINT */
+ if (stuff->nClients > LimitClients)
+ return BadValue;
+
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+ return BadValue;
+
if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
return BadLength;
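Review bot: both new early returns give BadValue without setting `client->errorValue`, so the client cannot tell whether nClients or nRanges was rejected. Setting it to the offending field before each return would help. The comment also has a typo ("way less that MAXINT" should read "than") and hard-codes 2048, which will go stale if the limit changes.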
--
2.49.0

View File

@ -0,0 +1,45 @@
From 33dfc78a0f67f4db5558c2374f5a73d262e43671 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 14:09:04 +0100
Subject: [PATCH xserver 05/13] xkb: Fix buffer overflow in
XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
xkb/XKBMisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
index f17194528..c45471686 100644
--- a/xkb/XKBMisc.c
+++ b/xkb/XKBMisc.c
@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
i = XkbSetNumGroups(i, 0);
xkb->map->key_sym_map[key].group_info = i;
XkbResizeKeySyms(xkb, key, 0);
+ XkbResizeKeyActions(xkb, key, 0);
return Success;
}
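Review bot: the added `XkbResizeKeyActions(xkb, key, 0);` carries no comment, and the reason it must accompany `XkbResizeKeySyms(xkb, key, 0);` is only in the commit message. A one-line comment stating that syms and actions have to be resized together when nGroups is 0 would protect the line from being dropped in a later cleanup.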
--
2.48.1

View File

@ -1,4 +1,4 @@
From a42635ee3c01f71a49052d83a372933504c9db04 Mon Sep 17 00:00:00 2001 From 40f06ae1bd12f4416df59382324a0d31ab2ba704 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 30 Nov 2022 11:20:40 +1000 Date: Wed, 30 Nov 2022 11:20:40 +1000
Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off Subject: [PATCH xserver 6/7] Xext: free the XvRTVideoNotify when turning off

View File

@ -0,0 +1,118 @@
From 475a856c919c8648aaefac9388a7788eed5725fa Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 16 Dec 2024 11:25:11 +0100
Subject: [PATCH xserver 06/13] Xi: Fix barrier device search
The function GetBarrierDevice() would search for the pointer device
based on its device id and return the matching value, or supposedly NULL
if no match was found.
Unfortunately, as written, it would return the last element of the list
if no matching device id was found which can lead to out of bounds
memory access.
Fix the search function to return NULL if no matching device is found,
and adjust the callers to handle the case where the device cannot be
found.
CVE-2025-26598, ZDI-CAN-25740
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xi/xibarriers.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index 1926762ad..cb336f22b 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
{
- struct PointerBarrierDevice *pbd = NULL;
+ struct PointerBarrierDevice *p, *pbd = NULL;
- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
- if (pbd->deviceid == deviceid)
+ xorg_list_for_each_entry(p, &c->per_device, entry) {
+ if (p->deviceid == deviceid) {
+ pbd = p;
break;
+ }
}
- BUG_WARN(!pbd);
return pbd;
}
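Review bot: with `BUG_WARN(!pbd);` removed, GetBarrierDevice() returns NULL silently and every caller has to test the result. The function has no comment stating that NULL is a valid return, so a future caller can repeat the original mistake. Add a short comment above the function saying it returns NULL when no device with that id is attached to the barrier.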
@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
double distance;
pbd = GetBarrierDevice(c, dev->id);
+ if (!pbd)
+ continue;
+
if (pbd->seen)
continue;
@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
nearest = &c->barrier;
pbd = GetBarrierDevice(c, master->id);
+ if (!pbd)
+ continue;
+
new_sequence = !pbd->hit;
pbd->seen = TRUE;
@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
int flags = 0;
pbd = GetBarrierDevice(c, master->id);
+ if (!pbd)
+ continue;
+
pbd->seen = FALSE;
if (!pbd->hit)
continue;
@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id)
continue;
pbd = GetBarrierDevice(c, dev->id);
+ if (!pbd)
+ continue;
+
if (!pbd->hit)
continue;
@@ -738,6 +751,8 @@ static void remove_master_func(void *res, XID id, void *devid)
barrier = container_of(b, struct PointerBarrierClient, barrier);
pbd = GetBarrierDevice(barrier, *deviceid);
+ if (!pbd)
+ return;
if (pbd->hit) {
BarrierEvent ev = {
@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
barrier = container_of(b, struct PointerBarrierClient, barrier);
pbd = GetBarrierDevice(barrier, dev->id);
+ if (!pbd) {
+ client->errorValue = dev->id;
+ return BadDevice;
+ }
if (pbd->barrier_event_id == event_id)
pbd->release_event_id = event_id;
--
2.48.1

View File

@ -0,0 +1,144 @@
From 13d3bc7a05eb7500c8987358c68c20a4bfe18079 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 12:52:28 -0400
Subject: [PATCH xserver 06/11] modesetting: Indirect the shadow API through
LoaderSymbol
Prerequisite for building all of xserver with -z now.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit 45f35a0c6666c5f35df482948e0c8e91167429ef)
---
hw/xfree86/drivers/modesetting/driver.c | 34 +++++++++++--------------
hw/xfree86/drivers/modesetting/driver.h | 12 ++++++++-
2 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index ec4189a2c..a385e7ee2 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -50,7 +50,6 @@
#include "xf86Crtc.h"
#include "miscstruct.h"
#include "dixstruct.h"
-#include "shadow.h"
#include "xf86xv.h"
#include <X11/extensions/Xv.h>
#include <xorg-config.h>
@@ -60,7 +59,6 @@
#ifdef XSERVER_LIBPCIACCESS
#include <pciaccess.h>
#endif
-
#include "driver.h"
static void AdjustFrame(ScrnInfoPtr pScrn, int x, int y);
@@ -1084,9 +1082,16 @@ PreInit(ScrnInfoPtr pScrn, int flags)
}
if (ms->drmmode.shadow_enable) {
- if (!xf86LoadSubModule(pScrn, "shadow")) {
+ void *mod = xf86LoadSubModule(pScrn, "shadow");
+
+ if (!mod)
return FALSE;
- }
+
+ ms->shadow.Setup = LoaderSymbolFromModule(mod, "shadowSetup");
+ ms->shadow.Add = LoaderSymbolFromModule(mod, "shadowAdd");
+ ms->shadow.Remove = LoaderSymbolFromModule(mod, "shadowRemove");
+ ms->shadow.Update32to24 = LoaderSymbolFromModule(mod, "shadowUpdate32to24");
+ ms->shadow.UpdatePacked = LoaderSymbolFromModule(mod, "shadowUpdatePacked");
}
return TRUE;
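Review bot: the five `LoaderSymbolFromModule()` results are stored in `ms->shadow` without a NULL check, and later hunks call them unconditionally, for example `ms->shadow.Setup(pScreen)` and `ms->shadow.Add(...)`. If a symbol is missing from the loaded shadow module the server jumps through a null pointer. Check each pointer here and return FALSE, as is already done when `mod` is NULL.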
@@ -1191,9 +1196,9 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
} while (0);
if (use_3224)
- shadowUpdate32to24(pScreen, pBuf);
+ ms->shadow.Update32to24(pScreen, pBuf);
else
- shadowUpdatePacked(pScreen, pBuf);
+ ms->shadow.UpdatePacked(pScreen, pBuf);
}
static Bool
@@ -1380,8 +1385,8 @@ CreateScreenResources(ScreenPtr pScreen)
FatalError("Couldn't adjust screen pixmap\n");
if (ms->drmmode.shadow_enable) {
- if (!shadowAdd(pScreen, rootPixmap, msUpdatePacked, msShadowWindow,
- 0, 0))
+ if (!ms->shadow.Add(pScreen, rootPixmap, msUpdatePacked, msShadowWindow,
+ 0, 0))
return FALSE;
}
@@ -1415,15 +1420,6 @@ CreateScreenResources(ScreenPtr pScreen)
return ret;
}
-static Bool
-msShadowInit(ScreenPtr pScreen)
-{
- if (!shadowSetup(pScreen)) {
- return FALSE;
- }
- return TRUE;
-}
-
static Bool
msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
{
@@ -1643,7 +1639,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
return FALSE;
}
- if (ms->drmmode.shadow_enable && !msShadowInit(pScreen)) {
+ if (ms->drmmode.shadow_enable && !ms->shadow.Setup(pScreen)) {
xf86DrvMsg(pScrn->scrnIndex, X_ERROR, "shadow fb init failed\n");
return FALSE;
}
@@ -1887,7 +1883,7 @@ CloseScreen(ScreenPtr pScreen)
}
if (ms->drmmode.shadow_enable) {
- shadowRemove(pScreen, pScreen->GetScreenPixmap(pScreen));
+ ms->shadow.Remove(pScreen, pScreen->GetScreenPixmap(pScreen));
free(ms->drmmode.shadow_fb);
ms->drmmode.shadow_fb = NULL;
free(ms->drmmode.shadow_fb2);
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index a99f37871..394a20fc1 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -33,7 +33,7 @@
#include <xf86Crtc.h>
#include <damage.h>
#include <X11/extensions/dpmsconst.h>
-
+#include <shadow.h>
#ifdef GLAMOR_HAS_GBM
#define GLAMOR_FOR_XORG 1
#include "glamor.h"
@@ -122,6 +122,16 @@ typedef struct _modesettingRec {
Bool kms_has_modifiers;
+ /* shadow API */
+ struct {
+ Bool (*Setup)(ScreenPtr);
+ Bool (*Add)(ScreenPtr, PixmapPtr, ShadowUpdateProc, ShadowWindowProc,
+ int, void *);
+ void (*Remove)(ScreenPtr, PixmapPtr);
+ void (*Update32to24)(ScreenPtr, shadowBufPtr);
+ void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
+ } shadow;
+
} modesettingRec, *modesettingPtr;
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
--
2.33.1

View File

@ -1,43 +0,0 @@
From 3d44c08d94e850769d7d16fce0596536370253b1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 20 May 2025 15:18:19 +0200
Subject: [PATCH xserver 6/7] randr: Check for overflow in
RRChangeProviderProperty()
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().
To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.
CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 3c3a4b767b16174d3213055947ea7f4f88e10ec6)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
randr/rrproviderproperty.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9b..7088570ee 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
if (mode == PropModeReplace || len > 0) {
void *new_data = NULL, *old_data = NULL;
-
+ if (total_len > MAXINT / size_in_bytes)
+ return BadValue;
total_size = total_len * size_in_bytes;
new_value.data = (void *) malloc(total_size);
if (!new_value.data && total_size) {
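Review bot: the new guard divides by size_in_bytes and compares against MAXINT, so it is only correct if size_in_bytes can never be 0 at this point and total_len cannot be negative. Neither the types nor the earlier validation are visible in this hunk, so a short comment stating those invariants would help. Also check that the early "return BadValue;" does not need the same cleanup as the malloc-failure branch that starts on the last context line, since that branch is cut off here. Style: the patch drops the blank line that separated the declarations from the first statement.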
--
2.49.0

View File

@ -0,0 +1,65 @@
From 04d8041534d40e975d11a8a58ea7e8b1f09b519d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 17 Dec 2024 15:19:45 +0100
Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in
compRedirectWindow()
The function compCheckRedirect() may fail if it cannot allocate the
backing pixmap.
In that case, compRedirectWindow() will return a BadAlloc error.
However that failure code path will shortcut the validation of the
window tree marked just before, which leaves the validate data partly
initialized.
That causes a use of uninitialized pointer later.
The fix is to not shortcut the call to compHandleMarkedWindows() even in
the case of compCheckRedirect() returning an error.
CVE-2025-26599, ZDI-CAN-25851
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
composite/compalloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/composite/compalloc.c b/composite/compalloc.c
index 3e2f14fb0..55a1b725a 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
WindowPtr pLayerWin;
Bool anyMarked = FALSE;
+ int status = Success;
if (pWin == cs->pOverlayWin) {
return Success;
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
if (!compCheckRedirect(pWin)) {
FreeResource(ccw->id, RT_NONE);
- return BadAlloc;
+ status = BadAlloc;
}
if (anyMarked)
compHandleMarkedWindows(pWin, pLayerWin);
- return Success;
+ return status;
}
void
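Review bot: after this change the failure branch calls FreeResource(ccw->id, RT_NONE) and then falls through to compHandleMarkedWindows(pWin, pLayerWin) instead of returning. Please confirm that nothing on the fall-through path depends on state that the FreeResource() call has just torn down, and add a one-line comment in the branch saying the fall-through is deliberate so that the marked windows are still validated. Without it, a later cleanup is likely to restore the early return.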
--
2.48.1

View File

@ -0,0 +1,332 @@
From 94612044171975466f605d5f01769d1c2b9acc5d Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 8 Oct 2019 13:11:09 -0400
Subject: [PATCH xserver 07/11] modesetting: Indirect the glamor API through
LoaderSymbol
Prerequisite for building all of xserver with -z now.
Gitlab: https://gitlab.freedesktop.org/xorg/xserver/issues/692
(cherry picked from commit dd63f717fe8636315343f421f4f2ee299258f079)
---
hw/xfree86/drivers/modesetting/dri2.c | 10 ++--
hw/xfree86/drivers/modesetting/driver.c | 49 ++++++++++++++-----
hw/xfree86/drivers/modesetting/driver.h | 24 +++++++++
.../drivers/modesetting/drmmode_display.c | 17 ++++---
hw/xfree86/drivers/modesetting/pageflip.c | 4 +-
hw/xfree86/drivers/modesetting/present.c | 4 +-
6 files changed, 82 insertions(+), 26 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c
index d89904b53..724d9d34c 100644
--- a/hw/xfree86/drivers/modesetting/dri2.c
+++ b/hw/xfree86/drivers/modesetting/dri2.c
@@ -123,6 +123,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable,
unsigned int attachment, unsigned int format)
{
ScrnInfoPtr scrn = xf86ScreenToScrn(screen);
+ modesettingPtr ms = modesettingPTR(scrn);
DRI2Buffer2Ptr buffer;
PixmapPtr pixmap;
CARD32 size;
@@ -200,7 +201,7 @@ ms_dri2_create_buffer2(ScreenPtr screen, DrawablePtr drawable,
*/
buffer->flags = 0;
- buffer->name = glamor_name_from_pixmap(pixmap, &pitch, &size);
+ buffer->name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size);
buffer->pitch = pitch;
if (buffer->name == -1) {
xf86DrvMsg(scrn->scrnIndex, X_ERROR,
@@ -509,11 +510,12 @@ update_front(DrawablePtr draw, DRI2BufferPtr front)
ScreenPtr screen = draw->pScreen;
PixmapPtr pixmap = get_drawable_pixmap(draw);
ms_dri2_buffer_private_ptr priv = front->driverPrivate;
+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
CARD32 size;
CARD16 pitch;
int name;
- name = glamor_name_from_pixmap(pixmap, &pitch, &size);
+ name = ms->glamor.name_from_pixmap(pixmap, &pitch, &size);
if (name < 0)
return FALSE;
@@ -617,7 +619,7 @@ ms_dri2_exchange_buffers(DrawablePtr draw, DRI2BufferPtr front,
*front_pix = *back_pix;
*back_pix = tmp_pix;
- glamor_egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap);
+ ms->glamor.egl_exchange_buffers(front_priv->pixmap, back_priv->pixmap);
/* Post damage on the front buffer so that listeners, such
* as DisplayLink know take a copy and shove it over the USB.
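Review bot: this hunk starts using ms in ms_dri2_exchange_buffers() but, unlike the ms_dri2_create_buffer2() and update_front() hunks before it, adds no "modesettingPtr ms" declaration. If the function does not already have one in scope this will not compile. Worth confirming, and the same question applies to the ms_dri2_screen_init() hunk that follows.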
@@ -1036,7 +1038,7 @@ ms_dri2_screen_init(ScreenPtr screen)
DRI2InfoRec info;
const char *driver_names[2] = { NULL, NULL };
- if (!glamor_supports_pixmap_import_export(screen)) {
+ if (!ms->glamor.supports_pixmap_import_export(screen)) {
xf86DrvMsg(scrn->scrnIndex, X_WARNING,
"DRI2: glamor lacks support for pixmap import/export\n");
}
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index a385e7ee2..4f4db67b7 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout)
* the shared pixmap, but not all).
*/
if (ms->drmmode.glamor)
- glamor_finish(screen);
+ ms->glamor.finish(screen);
#endif
/* Ensure the slave processes the damage immediately */
if (timeout)
@@ -743,6 +743,26 @@ FreeRec(ScrnInfoPtr pScrn)
}
+static void
+bind_glamor_api(void *mod, modesettingPtr ms)
+{
+ ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd");
+ ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler");
+ ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap");
+ ms->glamor.egl_create_textured_pixmap_from_gbm_bo = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap_from_gbm_bo");
+ ms->glamor.egl_exchange_buffers = LoaderSymbolFromModule(mod, "glamor_egl_exchange_buffers");
+ ms->glamor.egl_get_gbm_device = LoaderSymbolFromModule(mod, "glamor_egl_get_gbm_device");
+ ms->glamor.egl_init = LoaderSymbolFromModule(mod, "glamor_egl_init");
+ ms->glamor.finish = LoaderSymbolFromModule(mod, "glamor_finish");
+ ms->glamor.gbm_bo_from_pixmap = LoaderSymbolFromModule(mod, "glamor_gbm_bo_from_pixmap");
+ ms->glamor.init = LoaderSymbolFromModule(mod, "glamor_init");
+ ms->glamor.name_from_pixmap = LoaderSymbolFromModule(mod, "glamor_name_from_pixmap");
+ ms->glamor.set_drawable_modifiers_func = LoaderSymbolFromModule(mod, "glamor_set_drawable_modifiers_func");
+ ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap");
+ ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
+ ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
+}
+
static void
try_enable_glamor(ScrnInfoPtr pScrn)
{
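Review bot: bind_glamor_api() stores fifteen LoaderSymbolFromModule() results without checking any of them, and the callers in this patch (for example ms->glamor.egl_init(pScrn, ms->fd) in try_enable_glamor()) call through the pointers unconditionally. A symbol that is missing from the loaded module becomes a NULL function call inside the X server. Suggest having the function return Bool, failing when a required symbol is absent, and treating that result as "glamor not available". A table of symbol name and member offset pairs would also keep the string and the struct member from drifting apart.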
@@ -751,6 +771,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
OPTION_ACCEL_METHOD);
Bool do_glamor = (!accel_method_str ||
strcmp(accel_method_str, "glamor") == 0);
+ void *mod;
ms->drmmode.glamor = FALSE;
@@ -765,8 +786,10 @@ try_enable_glamor(ScrnInfoPtr pScrn)
return;
}
- if (xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME)) {
- if (glamor_egl_init(pScrn, ms->fd)) {
+ mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
+ if (mod) {
+ bind_glamor_api(mod, ms);
+ if (ms->glamor.egl_init(pScrn, ms->fd)) {
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
} else {
@@ -1424,11 +1447,12 @@ static Bool
msSharePixmapBacking(PixmapPtr ppix, ScreenPtr screen, void **handle)
{
#ifdef GLAMOR_HAS_GBM
+ modesettingPtr ms = modesettingPTR(xf86ScreenToScrn(screen));
int ret;
CARD16 stride;
CARD32 size;
- ret = glamor_shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix,
- &stride, &size);
+ ret = ms->glamor.shareable_fd_from_pixmap(ppix->drawable.pScreen, ppix,
+ &stride, &size);
if (ret == -1)
return FALSE;
@@ -1453,11 +1477,12 @@ msSetSharedPixmapBacking(PixmapPtr ppix, void *fd_handle)
return drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, 0, 0);
if (ms->drmmode.reverse_prime_offload_mode) {
- ret = glamor_back_pixmap_from_fd(ppix, ihandle,
- ppix->drawable.width,
- ppix->drawable.height,
- ppix->devKind, ppix->drawable.depth,
- ppix->drawable.bitsPerPixel);
+ ret = ms->glamor.back_pixmap_from_fd(ppix, ihandle,
+ ppix->drawable.width,
+ ppix->drawable.height,
+ ppix->devKind,
+ ppix->drawable.depth,
+ ppix->drawable.bitsPerPixel);
} else {
int size = ppix->devKind * ppix->drawable.height;
ret = drmmode_SetSlaveBO(ppix, &ms->drmmode, ihandle, ppix->devKind, size);
@@ -1574,7 +1599,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
#ifdef GLAMOR_HAS_GBM
if (ms->drmmode.glamor)
- ms->drmmode.gbm = glamor_egl_get_gbm_device(pScreen);
+ ms->drmmode.gbm = ms->glamor.egl_get_gbm_device(pScreen);
#endif
/* HW dependent - FIXME */
@@ -1718,7 +1743,7 @@ ScreenInit(ScreenPtr pScreen, int argc, char **argv)
if (ms->drmmode.glamor) {
XF86VideoAdaptorPtr glamor_adaptor;
- glamor_adaptor = glamor_xv_init(pScreen, 16);
+ glamor_adaptor = ms->glamor.xv_init(pScreen, 16);
if (glamor_adaptor != NULL)
xf86XVScreenInit(pScreen, &glamor_adaptor, 1);
else
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 394a20fc1..5e4d2509a 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -132,6 +132,30 @@ typedef struct _modesettingRec {
void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
} shadow;
+ /* glamor API */
+ struct {
+ Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16,
+ CARD8, CARD8);
+ void (*block_handler)(ScreenPtr);
+ Bool (*egl_create_textured_pixmap)(PixmapPtr, int, int);
+ Bool (*egl_create_textured_pixmap_from_gbm_bo)(PixmapPtr,
+ struct gbm_bo *,
+ Bool);
+ void (*egl_exchange_buffers)(PixmapPtr, PixmapPtr);
+ struct gbm_device *(*egl_get_gbm_device)(ScreenPtr);
+ Bool (*egl_init)(ScrnInfoPtr, int);
+ void (*finish)(ScreenPtr);
+ struct gbm_bo *(*gbm_bo_from_pixmap)(ScreenPtr, PixmapPtr);
+ Bool (*init)(ScreenPtr, unsigned int);
+ int (*name_from_pixmap)(PixmapPtr, CARD16 *, CARD32 *);
+ void (*set_drawable_modifiers_func)(ScreenPtr,
+ GetDrawableModifiersFuncPtr);
+ int (*shareable_fd_from_pixmap)(ScreenPtr, PixmapPtr, CARD16 *,
+ CARD32 *);
+ Bool (*supports_pixmap_import_export)(ScreenPtr);
+ XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
+ } glamor;
+
} modesettingRec, *modesettingPtr;
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
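Review bot: the glamor member is added to modesettingRec unconditionally, yet its prototypes use struct gbm_bo, struct gbm_device and GetDrawableModifiersFuncPtr, while "glamor.h" is only included under #ifdef GLAMOR_HAS_GBM in this header. A build with glamor disabled will probably fail on the undeclared typedef. Suggest wrapping the struct in the same #ifdef.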
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 6f5f8caf6..28609db7c 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool test_only)
#ifdef GLAMOR_HAS_GBM
/* Make sure any pending drawing will be visible in a new scanout buffer */
if (drmmode->glamor)
- glamor_finish(screen);
+ ms->glamor.finish(screen);
#endif
if (ms->atomic_modeset) {
@@ -1385,6 +1385,7 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id)
PixmapPtr pixmap = drmmode->fbcon_pixmap;
drmModeFBPtr fbcon;
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
Bool ret;
if (pixmap)
@@ -1405,7 +1406,8 @@ create_pixmap_for_fbcon(drmmode_ptr drmmode, ScrnInfoPtr pScrn, int fbcon_id)
if (!pixmap)
goto out_free_fb;
- ret = glamor_egl_create_textured_pixmap(pixmap, fbcon->handle, fbcon->pitch);
+ ret = ms->glamor.egl_create_textured_pixmap(pixmap, fbcon->handle,
+ fbcon->pitch);
if (!ret) {
FreePixmap(pixmap);
pixmap = NULL;
@@ -1424,6 +1426,7 @@ drmmode_copy_fb(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
#ifdef GLAMOR_HAS_GBM
xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(pScrn);
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
PixmapPtr src, dst;
int fbcon_id = 0;
GCPtr gc;
@@ -3108,12 +3111,13 @@ drmmode_set_pixmap_bo(drmmode_ptr drmmode, PixmapPtr pixmap, drmmode_bo *bo)
{
#ifdef GLAMOR_HAS_GBM
ScrnInfoPtr scrn = drmmode->scrn;
+ modesettingPtr ms = modesettingPTR(scrn);
if (!drmmode->glamor)
return TRUE;
- if (!glamor_egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm,
- bo->used_modifiers)) {
+ if (!ms->glamor.egl_create_textured_pixmap_from_gbm_bo(pixmap, bo->gbm,
+ bo->used_modifiers)) {
xf86DrvMsg(scrn->scrnIndex, X_ERROR, "Failed to create pixmap\n");
return FALSE;
}
@@ -3436,13 +3440,14 @@ drmmode_init(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
{
#ifdef GLAMOR_HAS_GBM
ScreenPtr pScreen = xf86ScrnToScreen(pScrn);
+ modesettingPtr ms = modesettingPTR(pScrn);
if (drmmode->glamor) {
- if (!glamor_init(pScreen, GLAMOR_USE_EGL_SCREEN)) {
+ if (!ms->glamor.init(pScreen, GLAMOR_USE_EGL_SCREEN)) {
return FALSE;
}
#ifdef GBM_BO_WITH_MODIFIERS
- glamor_set_drawable_modifiers_func(pScreen, get_drawable_modifiers);
+ ms->glamor.set_drawable_modifiers_func(pScreen, get_drawable_modifiers);
#endif
}
#endif
diff --git a/hw/xfree86/drivers/modesetting/pageflip.c b/hw/xfree86/drivers/modesetting/pageflip.c
index 1d54816e2..841fa917c 100644
--- a/hw/xfree86/drivers/modesetting/pageflip.c
+++ b/hw/xfree86/drivers/modesetting/pageflip.c
@@ -243,9 +243,9 @@ ms_do_pageflip(ScreenPtr screen,
uint32_t flags;
int i;
struct ms_flipdata *flipdata;
- glamor_block_handler(screen);
+ ms->glamor.block_handler(screen);
- new_front_bo.gbm = glamor_gbm_bo_from_pixmap(screen, new_front);
+ new_front_bo.gbm = ms->glamor.gbm_bo_from_pixmap(screen, new_front);
new_front_bo.dumb = NULL;
if (!new_front_bo.gbm) {
diff --git a/hw/xfree86/drivers/modesetting/present.c b/hw/xfree86/drivers/modesetting/present.c
index 186309a29..c700cf116 100644
--- a/hw/xfree86/drivers/modesetting/present.c
+++ b/hw/xfree86/drivers/modesetting/present.c
@@ -166,7 +166,7 @@ ms_present_flush(WindowPtr window)
modesettingPtr ms = modesettingPTR(scrn);
if (ms->drmmode.glamor)
- glamor_block_handler(screen);
+ ms->glamor.block_handler(screen);
#endif
}
@@ -262,7 +262,7 @@ ms_present_check_unflip(RRCrtcPtr crtc,
#ifdef GBM_BO_WITH_MODIFIERS
/* Check if buffer format/modifier is supported by all active CRTCs */
- gbm = glamor_gbm_bo_from_pixmap(screen, pixmap);
+ gbm = ms->glamor.gbm_bo_from_pixmap(screen, pixmap);
if (gbm) {
uint32_t format;
uint64_t modifier;
--
2.33.1

View File

@ -1,50 +0,0 @@
From 8de5a9b2be31d14dcce3795f919b353d62e56897 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 14:59:46 +0200
Subject: [PATCH xserver 7/7] xfree86: Check for RandR provider functions
Changing XRandR provider properties if the driver has set no provider
function such as the modesetting driver will cause a NULL pointer
dereference and a crash of the Xorg server.
Related to CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0235121c6a7a6eb247e2addb3b41ed6ef566853d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
hw/xfree86/modes/xf86RandR12.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index f220ef192..ccb7f629c 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -2133,7 +2133,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
/* If we don't have any property handler, then we don't care what the
* user is setting properties to.
*/
- if (config->provider_funcs->set_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->set_property == NULL)
return TRUE;
/*
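Review bot: the comment directly above the check still describes only the missing property handler case. With the added "config->provider_funcs == NULL" test it should also say that a driver may register no provider functions at all, which is the case the commit message describes. The same two-line condition is repeated in xf86RandR14ProviderGetProperty(); a small helper would keep the two from diverging.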
@@ -2151,7 +2152,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
- if (config->provider_funcs->get_property == NULL)
+ if (config->provider_funcs == NULL ||
+ config->provider_funcs->get_property == NULL)
return TRUE;
/* Should be safe even w/o vtSema */
--
2.49.0

View File

@ -1,4 +1,4 @@
From 774260dbae1fa505cd2848c786baed9a8db5179d Mon Sep 17 00:00:00 2001 From 9c70f90b24ba5de5eeb8a854c25f72a38d497fb7 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 5 Dec 2022 15:55:54 +1000 Date: Mon, 5 Dec 2022 15:55:54 +1000
Subject: [PATCH xserver 7/7] xkb: reset the radio_groups pointer to NULL after Subject: [PATCH xserver 7/7] xkb: reset the radio_groups pointer to NULL after

View File

@ -0,0 +1,127 @@
From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 13 Jan 2025 16:09:43 +0100
Subject: [PATCH xserver 08/13] composite: initialize border clip even when
pixmap alloc fails
If it fails to allocate the pixmap, the function compAllocPixmap() would
return early and leave the borderClip region uninitialized, which may
lead to the use of uninitialized value as reported by valgrind:
Conditional jump or move depends on uninitialised value(s)
at 0x4F9B33: compClipNotify (compwindow.c:317)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Conditional jump or move depends on uninitialised value(s)
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
by 0x4F9255: RegionTranslate (regionstr.h:312)
by 0x4F9B7E: compClipNotify (compwindow.c:319)
by 0x484FC9: miComputeClips (mivaltree.c:476)
by 0x48559A: miValidateTree (mivaltree.c:679)
by 0x4F0685: MapWindow (window.c:2693)
by 0x4A344A: ProcMapWindow (dispatch.c:922)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Uninitialised value was created by a heap allocation
at 0x4841866: malloc (vg_replace_malloc.c:446)
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
by 0x4EBB89: CreateWindow (window.c:925)
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
by 0x4A25B5: Dispatch (dispatch.c:560)
by 0x4B082A: dix_main (main.c:282)
by 0x429233: main (stubmain.c:34)
Fix compAllocPixmap() to initialize the border clip even if the creation
of the backing pixmap has failed, to avoid depending later on
uninitialized border clip values.
Related to CVE-2025-26599, ZDI-CAN-25851
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
composite/compalloc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/composite/compalloc.c b/composite/compalloc.c
index 55a1b725a..d1c205ca0 100644
--- a/composite/compalloc.c
+++ b/composite/compalloc.c
@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin)
int h = pWin->drawable.height + (bw << 1);
PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
CompWindowPtr cw = GetCompWindow(pWin);
+ Bool status;
- if (!pPixmap)
- return FALSE;
+ if (!pPixmap) {
+ status = FALSE;
+ goto out;
+ }
if (cw->update == CompositeRedirectAutomatic)
pWin->redirectDraw = RedirectDrawAutomatic;
else
@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin)
DamageRegister(&pWin->drawable, cw->damage);
cw->damageRegistered = TRUE;
}
+ status = TRUE;
+out:
/* Make sure our borderClip is up to date */
RegionUninit(&cw->borderClip);
RegionCopy(&cw->borderClip, &pWin->borderClip);
cw->borderClipX = pWin->drawable.x;
cw->borderClipY = pWin->drawable.y;
- return TRUE;
+ return status;
}
void
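Review bot: with the new "out:" label, RegionUninit(&cw->borderClip) now also runs when compNewPixmap() has failed. That is only safe if cw->borderClip was put into a valid state (for instance by RegionNull) before compAllocPixmap() is reached. The valgrind trace in the commit message shows the CompWindow coming from a plain malloc, so please confirm this and note it in a comment at the label. Minor: the two assignments to status could be reduced to one by initialising it at its declaration.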
--
2.48.1

View File

@ -0,0 +1,58 @@
From 7f1bedcf27cfd09162544ff1b18c21c8e5695a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Fri, 22 Nov 2019 18:05:04 +0100
Subject: [PATCH xserver 08/11] modesetting: Add glamor_finish() convenience
macro
This will simplify backporting the following fix to the 1.20 branch.
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 06ef320e9bc1f1098df9cd5581f072528f28128e)
---
hw/xfree86/drivers/modesetting/driver.c | 2 +-
hw/xfree86/drivers/modesetting/driver.h | 2 ++
hw/xfree86/drivers/modesetting/drmmode_display.c | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 4f4db67b7..afba8538a 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -615,7 +615,7 @@ redisplay_dirty(ScreenPtr screen, PixmapDirtyUpdatePtr dirty, int *timeout)
* the shared pixmap, but not all).
*/
if (ms->drmmode.glamor)
- ms->glamor.finish(screen);
+ glamor_finish(screen);
#endif
/* Ensure the slave processes the damage immediately */
if (timeout)
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 5e4d2509a..c6e7cd0c8 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -158,6 +158,8 @@ typedef struct _modesettingRec {
} modesettingRec, *modesettingPtr;
+#define glamor_finish(screen) ms->glamor.finish(screen)
+
#define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate))
modesettingEntPtr ms_ent_priv(ScrnInfoPtr scrn);
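Review bot: the glamor_finish(screen) macro silently depends on a local variable named ms being in scope at every call site, and it reuses the name of the real glamor function. A call in a function without ms fails with a confusing error, and a reader of the call site cannot tell that the call is indirect. If the macro is kept for backporting, either take ms as a parameter or add a comment on the #define stating the requirement, and parenthesise the expansion.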
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 28609db7c..6516fac5f 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -770,7 +770,7 @@ drmmode_crtc_set_mode(xf86CrtcPtr crtc, Bool test_only)
#ifdef GLAMOR_HAS_GBM
/* Make sure any pending drawing will be visible in a new scanout buffer */
if (drmmode->glamor)
- ms->glamor.finish(screen);
+ glamor_finish(screen);
#endif
if (ms->atomic_modeset) {
--
2.33.1

View File

@ -0,0 +1,67 @@
From 470c77ae761a36c71494285009bc37b2abbefe97 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 16 Dec 2024 16:18:04 +0100
Subject: [PATCH xserver 09/13] dix: Dequeue pending events on frozen device on
removal
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.
As a result, replaying the events will cause a use after free.
To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.
CVE-2025-26600, ZDI-CAN-25871
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
dix/devices.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index e7c74d7b7..11120b70b 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
}
+static void
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
+{
+ QdEventPtr qe, tmp;
+
+ if (!dev->deviceGrab.sync.frozen)
+ return;
+
+ /* Dequeue any frozen pending events */
+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
+ if (qe->device == dev) {
+ xorg_list_del(&qe->next);
+ free(qe);
+ }
+ }
+}
+
/**
* Close down a device and free all resources.
* Once closed down, the driver will probably not expect you that you'll ever
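Review bot: FreePendingFrozenDeviceEvents() returns early when dev->deviceGrab.sync.frozen is not set, so the walk over syncEvents.pending is skipped in that case. If an entry with qe->device == dev can ever sit in the queue while the device itself is not marked frozen, CloseDevice() will still free the device with queued events pointing at it. Either drop the early return, since the loop does nothing when no entry matches, or document why the flag guarantees that no entry for this device is queued.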
@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev)
free(dev->last.touches[j].valuators);
free(dev->last.touches);
dev->config_info = NULL;
+ FreePendingFrozenDeviceEvents(dev);
dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
free(dev);
}
--
2.48.1

View File

@ -0,0 +1,63 @@
From ae40c508fbd88869157412a1b159c0d71eb1e708 Mon Sep 17 00:00:00 2001
From: Kenneth Graunke <kenneth@whitecape.org>
Date: Thu, 21 Nov 2019 23:03:50 -0800
Subject: [PATCH xserver 09/11] modesetting: Use EGL_MESA_query_driver to
select DRI driver if possible
We now ask Glamor to use EGL_MESA_query_driver to obtain the DRI driver
name; if successful, we use that as the DRI driver name. Following the
existing dri2.c logic, we also use the same name for the VDPAU driver,
except for i965 (and now iris), where we switch to the "va_gl" fallback.
This allows us to bypass the PCI ID lists in xserver and centralize the
driver selection mechanism inside Mesa. The hope is that we no longer
have to update these lists for any future hardware.
(cherry picked from commit 8d4be7f6c4f7c673d7ec1a6bfdef944907a3916e)
---
hw/xfree86/drivers/modesetting/dri2.c | 3 ++-
hw/xfree86/drivers/modesetting/driver.c | 1 +
hw/xfree86/drivers/modesetting/driver.h | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c
index 724d9d34c..255c72cac 100644
--- a/hw/xfree86/drivers/modesetting/dri2.c
+++ b/hw/xfree86/drivers/modesetting/dri2.c
@@ -1076,7 +1076,8 @@ ms_dri2_screen_init(ScreenPtr screen)
info.CopyRegion2 = ms_dri2_copy_region2;
/* Ask Glamor to obtain the DRI driver name via EGL_MESA_query_driver. */
- driver_names[0] = glamor_egl_get_driver_name(screen);
+ if (ms->glamor.egl_get_driver_name)
+ driver_names[0] = ms->glamor.egl_get_driver_name(screen);
if (driver_names[0]) {
/* There is no VDPAU driver for Intel, fallback to the generic
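Review bot: egl_get_driver_name is the only glamor pointer that is tested for NULL before use, although bind_glamor_api() resolves it in exactly the same way as the others. If the intent is that this symbol is optional, add a comment here or next to the struct member saying so, so that the asymmetry reads as deliberate.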
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index afba8538a..08cf6a1b4 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -761,6 +761,7 @@ bind_glamor_api(void *mod, modesettingPtr ms)
ms->glamor.shareable_fd_from_pixmap = LoaderSymbolFromModule(mod, "glamor_shareable_fd_from_pixmap");
ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
+ ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name");
}
static void
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index c6e7cd0c8..328a97de1 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -154,6 +154,7 @@ typedef struct _modesettingRec {
CARD32 *);
Bool (*supports_pixmap_import_export)(ScreenPtr);
XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
+ const char *(*egl_get_driver_name)(ScreenPtr);
} glamor;
} modesettingRec, *modesettingPtr;
--
2.33.1

View File

@ -0,0 +1,94 @@
From d8271417a5986240f1f81cbe269e0cd07a9104d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
Date: Mon, 10 Feb 2020 18:41:44 +0100
Subject: [PATCH xserver 10/11] modesetting: Fix build with glamor disabled
Fixes: cb1b1e184723 "modesetting: Indirect the glamor API through
LoaderSymbol"
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 0cb9fa7949d6c5398de220fbdbe1e262e943fcbb)
---
hw/xfree86/drivers/modesetting/driver.c | 21 +++++++++++++++------
hw/xfree86/drivers/modesetting/driver.h | 3 ++-
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
index 08cf6a1b4..ce8bac9f5 100644
--- a/hw/xfree86/drivers/modesetting/driver.c
+++ b/hw/xfree86/drivers/modesetting/driver.c
@@ -743,9 +743,17 @@ FreeRec(ScrnInfoPtr pScrn)
}
-static void
-bind_glamor_api(void *mod, modesettingPtr ms)
+#ifdef GLAMOR_HAS_GBM
+
+static Bool
+load_glamor(ScrnInfoPtr pScrn)
{
+ void *mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
+ modesettingPtr ms = modesettingPTR(pScrn);
+
+ if (!mod)
+ return FALSE;
+
ms->glamor.back_pixmap_from_fd = LoaderSymbolFromModule(mod, "glamor_back_pixmap_from_fd");
ms->glamor.block_handler = LoaderSymbolFromModule(mod, "glamor_block_handler");
ms->glamor.egl_create_textured_pixmap = LoaderSymbolFromModule(mod, "glamor_egl_create_textured_pixmap");
@@ -762,8 +770,12 @@ bind_glamor_api(void *mod, modesettingPtr ms)
ms->glamor.supports_pixmap_import_export = LoaderSymbolFromModule(mod, "glamor_supports_pixmap_import_export");
ms->glamor.xv_init = LoaderSymbolFromModule(mod, "glamor_xv_init");
ms->glamor.egl_get_driver_name = LoaderSymbolFromModule(mod, "glamor_egl_get_driver_name");
+
+ return TRUE;
}
+#endif
+
static void
try_enable_glamor(ScrnInfoPtr pScrn)
{
@@ -772,7 +784,6 @@ try_enable_glamor(ScrnInfoPtr pScrn)
OPTION_ACCEL_METHOD);
Bool do_glamor = (!accel_method_str ||
strcmp(accel_method_str, "glamor") == 0);
- void *mod;
ms->drmmode.glamor = FALSE;
@@ -787,9 +798,7 @@ try_enable_glamor(ScrnInfoPtr pScrn)
return;
}
- mod = xf86LoadSubModule(pScrn, GLAMOR_EGL_MODULE_NAME);
- if (mod) {
- bind_glamor_api(mod, ms);
+ if (load_glamor(pScrn)) {
if (ms->glamor.egl_init(pScrn, ms->fd)) {
xf86DrvMsg(pScrn->scrnIndex, X_INFO, "glamor initialized\n");
ms->drmmode.glamor = TRUE;
diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h
index 328a97de1..261f1aac4 100644
--- a/hw/xfree86/drivers/modesetting/driver.h
+++ b/hw/xfree86/drivers/modesetting/driver.h
@@ -132,6 +132,7 @@ typedef struct _modesettingRec {
void (*UpdatePacked)(ScreenPtr, shadowBufPtr);
} shadow;
+#ifdef GLAMOR_HAS_GBM
/* glamor API */
struct {
Bool (*back_pixmap_from_fd)(PixmapPtr, int, CARD16, CARD16, CARD16,
@@ -156,7 +157,7 @@ typedef struct _modesettingRec {
XF86VideoAdaptorPtr (*xv_init)(ScreenPtr, int);
const char *(*egl_get_driver_name)(ScreenPtr);
} glamor;
-
+#endif
} modesettingRec, *modesettingPtr;
#define glamor_finish(screen) ms->glamor.finish(screen)
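Review bot: the `glamor_finish(screen)` macro right after the struct stays outside the new `#ifdef GLAMOR_HAS_GBM`, although it expands to `ms->glamor.finish`, a member that no longer exists when GLAMOR_HAS_GBM is undefined. It only builds in that configuration as long as nothing expands it; moving the #define inside the guard, next to the struct it depends on, keeps the two in step.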
--
2.33.1

@ -0,0 +1,69 @@
From 7f7f51e8907b14c6654944e0e321f15e256b34e7 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 16:52:01 +0100
Subject: [PATCH xserver 10/13] sync: Do not let sync objects uninitialized
When changing an alarm, the change mask values are evaluated one after
the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
the existing sync object.
Other changes are then evaluated and may trigger an error and an early
return, not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
To avoid the issue, delete the existing sync object as late as possible
only once we are sure that no further error will cause an early exit.
CVE-2025-26601, ZDI-CAN-25870
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index fd2ceb042..e55295904 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -329,11 +329,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
client->errorValue = syncObject;
return rc;
}
- if (pSync != pTrigger->pSync) { /* new counter for trigger */
- SyncDeleteTriggerFromSyncObject(pTrigger);
- pTrigger->pSync = pSync;
- newSyncObject = TRUE;
- }
}
/* if system counter, ask it what the current value is */
@@ -401,6 +396,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
+ if (changes & XSyncCACounter) {
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
+ SyncDeleteTriggerFromSyncObject(pTrigger);
+ pTrigger->pSync = pSync;
+ newSyncObject = TRUE;
+ }
+ }
+
/* we wait until we're sure there are no errors before registering
* a new counter on a trigger
*/
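Review bot: moving the SyncDeleteTriggerFromSyncObject() block down closes the early-return window in the middle of SyncInitTrigger(), but the step that follows it ("registering a new counter on a trigger") can still fail at this point in the series: 12/13 removes a `return rc` after SyncAddTriggerToSyncObject() there. Until 12/13 is applied, an allocation failure leaves the trigger deleted from the old sync object and pTrigger->pSync switched, with no list entry on the new one, so the commit message should say that 10/13 must not be picked without 12/13.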
--
2.48.1

@ -0,0 +1,33 @@
From 55fb707d037004e001623a0d066f748d8ba48d48 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 23 Nov 2021 12:19:48 +0100
Subject: [PATCH xserver 11/11] modesetting: set gbm as dependency for
autotools
Same as commit 9d628ee5f for automake.
Modifiers support needs gbm as a dependency. Without setting the dependency
included headers are not found reliably and the build might fail if the
headers are not placed in the default system include paths.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
---
hw/xfree86/drivers/modesetting/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xfree86/drivers/modesetting/Makefile.am b/hw/xfree86/drivers/modesetting/Makefile.am
index 961c57408..ac5091be3 100644
--- a/hw/xfree86/drivers/modesetting/Makefile.am
+++ b/hw/xfree86/drivers/modesetting/Makefile.am
@@ -41,7 +41,7 @@ AM_CPPFLAGS = \
modesetting_drv_la_LTLIBRARIES = modesetting_drv.la
modesetting_drv_la_LDFLAGS = -module -avoid-version
-modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS)
+modesetting_drv_la_LIBADD = $(UDEV_LIBS) $(DRM_LIBS) $(GBM_LIBS)
modesetting_drv_ladir = @moduledir@/drivers
modesetting_drv_la_SOURCES = \
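Review bot: the commit message describes a header problem (includes not found outside the default include paths), but the only line changed is modesetting_drv_la_LIBADD, which affects linking. Adding $(GBM_LIBS) is right for the link step; please confirm that the AM_CPPFLAGS block just above this hunk carries $(GBM_CFLAGS), otherwise the include failure described in the message can still occur.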
--
2.33.1

@ -0,0 +1,83 @@
From a4c19259fca5af558fb27d8fa98f2ad4a3689d56 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 16:54:30 +0100
Subject: [PATCH xserver 11/13] sync: Check values before applying changes
In SyncInitTrigger(), we would set the CheckTrigger function before
validating the counter value.
As a result, if the counter value overflowed, we would leave the
function SyncInitTrigger() with the CheckTrigger applied but without
updating the trigger object.
To avoid that issue, move the portion of code checking for the trigger
check value before updating the CheckTrigger function.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f52cea2f93a0c891494eb3334894442a92368030)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index e55295904..66a52283d 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -350,6 +350,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
+ if (changes & (XSyncCAValueType | XSyncCAValue)) {
+ if (pTrigger->value_type == XSyncAbsolute)
+ pTrigger->test_value = pTrigger->wait_value;
+ else { /* relative */
+ Bool overflow;
+
+ if (pCounter == NULL)
+ return BadMatch;
+
+ overflow = checked_int64_add(&pTrigger->test_value,
+ pCounter->value, pTrigger->wait_value);
+ if (overflow) {
+ client->errorValue = pTrigger->wait_value >> 32;
+ return BadValue;
+ }
+ }
+ }
+
if (changes & XSyncCATestType) {
if (pSync && SYNC_FENCE == pSync->type) {
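Review bot: the relocated block writes pTrigger->test_value before the XSyncCATestType handling that follows it, and in the relative case checked_int64_add() is handed &pTrigger->test_value directly, so the field may already be modified when BadValue (or a later error) is returned. Since the stated goal is to leave the trigger untouched on error, compute the sum into a local int64_t and assign it to pTrigger->test_value once no error path remains.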
@@ -378,24 +396,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
}
}
- if (changes & (XSyncCAValueType | XSyncCAValue)) {
- if (pTrigger->value_type == XSyncAbsolute)
- pTrigger->test_value = pTrigger->wait_value;
- else { /* relative */
- Bool overflow;
-
- if (pCounter == NULL)
- return BadMatch;
-
- overflow = checked_int64_add(&pTrigger->test_value,
- pCounter->value, pTrigger->wait_value);
- if (overflow) {
- client->errorValue = pTrigger->wait_value >> 32;
- return BadValue;
- }
- }
- }
-
if (changes & XSyncCACounter) {
if (pSync != pTrigger->pSync) { /* new counter for trigger */
SyncDeleteTriggerFromSyncObject(pTrigger);
--
2.48.1

@ -0,0 +1,50 @@
From 7537745b5fe63d7e43d692bfa86f93259d522c80 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 17:06:07 +0100
Subject: [PATCH xserver 12/13] sync: Do not fail SyncAddTriggerToSyncObject()
We do not want to return a failure at the very last step in
SyncInitTrigger() after having all changes applied.
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 8cbc90c8817306af75a60f494ec9dbb1061e50db)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 66a52283d..8def4adbf 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
return Success;
}
- if (!(pCur = malloc(sizeof(SyncTriggerList))))
- return BadAlloc;
+ /* Failure is not an option, it's succeed or burst! */
+ pCur = XNFalloc(sizeof(SyncTriggerList));
pCur->pTrigger = pTrigger;
pCur->next = pTrigger->pSync->pTriglist;
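Review bot: replacing malloc() and BadAlloc with XNFalloc() turns an allocation failure on a client-driven request path into a FatalError() for the whole server, which ends every client's session rather than failing one request. That trade is defensible given the use-after-free it closes, but the new comment ("succeed or burst") does not record the reason; please state in the comment that returning an error here would leave the trigger detached from its sync object.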
@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
* a new counter on a trigger
*/
if (newSyncObject) {
- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
- return rc;
+ SyncAddTriggerToSyncObject(pTrigger);
}
else if (pCounter && IsSystemCounter(pCounter)) {
SyncComputeBracketValues(pCounter);
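Review bot: the result of SyncAddTriggerToSyncObject() is now dropped silently at this call site while the function still returns a status. Either change the function to return void in this patch or write the call as `(void) SyncAddTriggerToSyncObject(pTrigger);`, so that a later change which reintroduces an error return is not ignored unnoticed.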
--
2.48.1

@ -0,0 +1,131 @@
From e7bca6a0933b6f0c1568cbe770740c48626f30be Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 20 Jan 2025 17:10:31 +0100
Subject: [PATCH xserver 13/13] sync: Apply changes last in
SyncChangeAlarmAttributes()
SyncChangeAlarmAttributes() would apply the various changes while
checking for errors.
If one of the changes triggers an error, the changes for the trigger,
counter or delta value would remain, possibly leading to inconsistent
changes.
Postpone the actual changes until we're sure nothing else can go wrong.
Related to CVE-2025-26601, ZDI-CAN-25870
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
---
Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/Xext/sync.c b/Xext/sync.c
index 8def4adbf..e2f2c2774 100644
--- a/Xext/sync.c
+++ b/Xext/sync.c
@@ -799,8 +799,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
int status;
XSyncCounter counter;
Mask origmask = mask;
+ SyncTrigger trigger;
+ Bool select_events_changed = FALSE;
+ Bool select_events_value = FALSE;
+ int64_t delta;
- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
+ trigger = pAlarm->trigger;
+ delta = pAlarm->delta;
+ counter = trigger.pSync ? trigger.pSync->id : None;
while (mask) {
int index2 = lowbit(mask);
@@ -816,24 +822,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
case XSyncCAValueType:
mask &= ~XSyncCAValueType;
/* sanity check in SyncInitTrigger */
- pAlarm->trigger.value_type = *values++;
+ trigger.value_type = *values++;
break;
case XSyncCAValue:
mask &= ~XSyncCAValue;
- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+ trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
values += 2;
break;
case XSyncCATestType:
mask &= ~XSyncCATestType;
/* sanity check in SyncInitTrigger */
- pAlarm->trigger.test_type = *values++;
+ trigger.test_type = *values++;
break;
case XSyncCADelta:
mask &= ~XSyncCADelta;
- pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
+ delta = ((int64_t)values[0] << 32) | values[1];
values += 2;
break;
@@ -843,10 +849,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
client->errorValue = *values;
return BadValue;
}
- status = SyncEventSelectForAlarm(pAlarm, client,
- (Bool) (*values++));
- if (status != Success)
- return status;
+ select_events_value = (Bool) (*values++);
+ select_events_changed = TRUE;
break;
default:
@@ -855,25 +859,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
}
}
+ if (select_events_changed) {
+ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
+ if (status != Success)
+ return status;
+ }
+
/* "If the test-type is PositiveComparison or PositiveTransition
* and delta is less than zero, or if the test-type is
* NegativeComparison or NegativeTransition and delta is
* greater than zero, a Match error is generated."
*/
if (origmask & (XSyncCADelta | XSyncCATestType)) {
- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
- (pAlarm->trigger.test_type == XSyncPositiveTransition))
- && pAlarm->delta < 0)
+ if ((((trigger.test_type == XSyncPositiveComparison) ||
+ (trigger.test_type == XSyncPositiveTransition))
+ && delta < 0)
||
- (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
- (pAlarm->trigger.test_type == XSyncNegativeTransition))
- && pAlarm->delta > 0)
+ (((trigger.test_type == XSyncNegativeComparison) ||
+ (trigger.test_type == XSyncNegativeTransition))
+ && delta > 0)
) {
return BadMatch;
}
}
/* postpone this until now, when we're sure nothing else can go wrong */
+ pAlarm->delta = delta;
+ pAlarm->trigger = trigger;
if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
origmask & XSyncCAAllTrigger)) != Success)
return status;
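Review bot: `pAlarm->delta = delta;` and `pAlarm->trigger = trigger;` are committed before SyncInitTrigger(), which can still return an error on the next line, so the comment "when we're sure nothing else can go wrong" does not hold: a failing SyncInitTrigger() leaves the new value_type, wait_value, test_type and delta in the alarm. Either restore the previous values when SyncInitTrigger() fails or reword the comment to say that SyncInitTrigger() is relied on for the remaining validation. The same ordering question applies to SyncEventSelectForAlarm(), which now runs before the BadMatch check and is not undone if that check or SyncInitTrigger() fails.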
--
2.48.1

@ -8,10 +8,6 @@
# format, and add a PatchN: line. If you want to push something upstream, # format, and add a PatchN: line. If you want to push something upstream,
# check out the master branch, pull, cherry-pick, and push. # check out the master branch, pull, cherry-pick, and push.
# X.org requires lazy relocations to work.
%undefine _hardened_build
%undefine _strict_symbol_defs_build
#global gitdate 20161026 #global gitdate 20161026
%global stable_abi 1 %global stable_abi 1
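Review bot: removing `%undefine _hardened_build` puts the distribution's hardened build flags back on this package, yet the comment removed with it says X.org requires lazy relocations to work, and nothing in the hunk explains what changed. Please record in the spec which change makes the hardened defaults safe for the server and its loadable modules, so the reason sits next to the setting it justifies.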
@ -46,10 +42,9 @@
Summary: X.Org X11 X server Summary: X.Org X11 X server
Name: xorg-x11-server Name: xorg-x11-server
Version: 1.20.11 Version: 1.20.11
Release: 26%{?gitdate:.%{gitdate}}%{?dist} Release: 28%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org URL: http://www.x.org
License: MIT License: MIT
Group: User Interface/X
#VCS: git:git://git.freedesktop.org/git/xorg/xserver #VCS: git:git://git.freedesktop.org/git/xorg/xserver
%if 0%{?gitdate} %if 0%{?gitdate}
@ -82,35 +77,50 @@ Source40: driver-abi-rebuild.sh
Patch1: 06_use-intel-only-on-pre-gen4.diff Patch1: 06_use-intel-only-on-pre-gen4.diff
# Default to xf86-video-modesetting on GeForce 8 and newer # Default to xf86-video-modesetting on GeForce 8 and newer
Patch2: 0001-xfree86-use-modesetting-driver-by-default-on-GeForce.patch Patch2: 0001-xfree86-use-modesetting-driver-by-default-on-GeForce.patch
# Default to va_gl on intel i965 as we use the modesetting drv there
# va_gl should probably just be the default everywhere ?
Patch3: 0001-xf86-dri2-Use-va_gl-as-vdpau_driver-for-Intel-i965-G.patch Patch3: 0001-xf86-dri2-Use-va_gl-as-vdpau_driver-for-Intel-i965-G.patch
Patch4: 0001-Always-install-vbe-and-int10-sdk-headers.patch
# Submitted upstream, but not going anywhere # Submitted upstream, but not going anywhere
Patch5: 0001-autobind-GPUs-to-the-screen.patch Patch5: 0001-autobind-GPUs-to-the-screen.patch
# because the display-managers are not ready yet, do not upstream # because the display-managers are not ready yet, do not upstream
Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
# RHEL mustard # https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/761
Patch10: 0001-mustard-Don-t-probe-for-drivers-not-shipped-in-RHEL8.patch Patch7: 0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch
Patch11: 0001-mustard-Add-DRI2-fallback-driver-mappings-for-i965-a.patch
#Patch11: 0001-Enable-PAM-support.patch
Patch12: 0001-link-with-z-now.patch
Patch14: 0001-xfree86-Don-t-autoconfigure-vesa-or-fbdev.patch
Patch15: 0001-xfree86-LeaveVT-from-xf86CrtcCloseScreen.patch
Patch16: 0001-xfree86-try-harder-to-span-on-multihead.patch
Patch18: 0001-mustard-Work-around-broken-fbdev-headers.patch
# fix to be upstreamed # 1988922 - [Hyper-V]Installation failed with: 'x or window manager startup failed' when the VM was created with GEN1
Patch100: 0001-linux-Make-platform-device-probe-less-fragile.patch # 2029769 - fbdev Xorg driver no longer works as a fallback with unsupported hardware
Patch102: 0001-xfree86-ensure-the-readlink-buffer-is-null-terminate.patch Patch8: 0001-mustard-xfree86-Disable-the-PCI-probe-path.patch
# fix already upstream # 2148292 - Drop dependency on xorg-x11-font-utils
Patch200: 0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch # Upstream MR #1001 but that one is meson only
Patch201: 0001-linux-Fix-platform-device-PCI-detection-for-complex-.patch Patch9: 0001-configure.ac-search-for-the-fontrootdir-ourselves.patch
Patch202: 0001-modesetting-Reduce-glamor-initialization-failed-mess.patch
Patch203: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch # Backports from current stable "server-1.20-branch":
Patch204: 0001-xf86-logind-Fix-drm_drop_master-before-vt_reldisp.patch # <empty>
Patch205: 0001-present-Check-for-NULL-to-prevent-crash.patch
Patch206: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch # Backports from "master" upstream:
Patch102: 0002-xfree86-Link-fb-statically.patch
Patch104: 0004-loader-Move-LoaderSymbolFromModule-to-public-API.patch
Patch105: 0005-loader-Make-LoaderSymbolFromModule-take-a-ModuleDesc.patch
Patch106: 0006-modesetting-Indirect-the-shadow-API-through-LoaderSy.patch
Patch107: 0007-modesetting-Indirect-the-glamor-API-through-LoaderSy.patch
Patch108: 0008-modesetting-Add-glamor_finish-convenience-macro.patch
Patch109: 0009-modesetting-Use-EGL_MESA_query_driver-to-select-DRI-.patch
Patch110: 0010-modesetting-Fix-build-with-glamor-disabled.patch
# Because we still use automake
Patch111: 0011-modesetting-set-gbm-as-dependency-for-autotools.patch
# Xorg crashes with NVIDIA proprietary driver when uisng Present
# https://bugzilla.redhat.com/show_bug.cgi?id=2046330
Patch112: 0001-present-Check-for-NULL-to-prevent-crash.patch
# Fix a regression with hybrid gfx and NVIDIA proprietary driver
# https://bugzilla.redhat.com/show_bug.cgi?id=2052605
Patch113: 0001-modesetting-Fix-msSharePixmapBacking-Segfault-Regres.patch
Patch114: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch
Patch115: 0001-xquartz-Remove-invalid-Unicode-sequence.patch
# CVE-2021-4011 # CVE-2021-4011
Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@ -140,7 +150,7 @@ Patch10021: 0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
Patch10022: 0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch Patch10022: 0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
# CVE-2022-46342 # CVE-2022-46342
Patch10023: 0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch Patch10023: 0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
# CVE-2022-4283 # CVE-2022-46283
Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
# Follow-up to CVE-2022-46340 # Follow-up to CVE-2022-46340
Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
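Review bot: the comment above Patch10024 changes from CVE-2022-4283 to CVE-2022-46283 while the patch file it labels (0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch) is unchanged. The neighbouring ids are all in the CVE-2022-463xx range, so this looks like a typo made by analogy; please check the id against the upstream advisory and keep both branches consistent, since these comments are what a CVE audit of the spec will search for.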
@ -190,27 +200,35 @@ Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
# CVE-2024-9632 # CVE-2024-9632
Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
# CVE-2025-49175: Out-of-bounds access in X Rendering extension # CVE-2025-26594: Use-after-free of the root cursor
Patch10051: 0001-render-Avoid-0-or-less-animated-cursors.patch Patch10051: 0001-Cursor-Refuse-to-free-the-root-cursor.patch
# CVE-2025-49176: Integer overflow in Big Requests Extension Patch10052: 0002-dix-keep-a-ref-to-the-rootCursor.patch
Patch10052: 0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch # CVE-2025-26595: Buffer overflow in XkbVModMaskText()
Patch10053: 0003-os-Check-for-integer-overflow-on-BigRequest-length.patch Patch10053: 0003-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
# CVE-2025-49178: Unprocessed client request via bytes to ignore # CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
Patch10054: 0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch Patch10054: 0004-xkb-Fix-computation-of-XkbSizeKeySyms.patch
# CVE-2025-49179: Integer overflow in X Record extension # CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
Patch10055: 0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch Patch10055: 0005-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
# CVE-2025-49180: Integer overflow in RandR extension # CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
Patch10056: 0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch Patch10056: 0006-Xi-Fix-barrier-device-search.patch
Patch10057: 0007-xfree86-Check-for-RandR-provider-functions.patch # CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
Patch10057: 0007-composite-Handle-failure-to-redirect-in-compRedirect.patch
Patch10058: 0008-composite-initialize-border-clip-even-when-pixmap-al.patch
# CVE-2025-26600: Use-after-free in PlayReleasedEvents()
Patch10059: 0009-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
# CVE-2025-26601: Use-after-free in SyncInitTrigger()
Patch10060: 0010-sync-Do-not-let-sync-objects-uninitialized.patch
Patch10061: 0011-sync-Check-values-before-applying-changes.patch
Patch10062: 0012-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
Patch10063: 0013-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
BuildRequires: make BuildRequires: make
BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-devel
BuildRequires: git BuildRequires: git-core
BuildRequires: automake autoconf libtool pkgconfig BuildRequires: automake autoconf libtool pkgconfig
BuildRequires: xorg-x11-util-macros >= 1.17 BuildRequires: xorg-x11-util-macros >= 1.17
BuildRequires: xorg-x11-proto-devel >= 7.7-10 BuildRequires: xorg-x11-proto-devel >= 7.7-10
BuildRequires: xorg-x11-font-utils >= 7.2-11
BuildRequires: dbus-devel libepoxy-devel systemd-devel BuildRequires: dbus-devel libepoxy-devel systemd-devel
BuildRequires: xorg-x11-xtrans-devel >= 1.3.2 BuildRequires: xorg-x11-xtrans-devel >= 1.3.2
@ -227,13 +245,13 @@ BuildRequires: pkgconfig(epoxy)
BuildRequires: pkgconfig(xshmfence) >= 1.1 BuildRequires: pkgconfig(xshmfence) >= 1.1
BuildRequires: libXv-devel BuildRequires: libXv-devel
BuildRequires: pixman-devel >= 0.30.0 BuildRequires: pixman-devel >= 0.30.0
BuildRequires: libpciaccess-devel >= 0.13.1 openssl-devel bison flex flex-devel BuildRequires: libpciaccess-devel >= 0.13.1 openssl-devel bison flex
BuildRequires: mesa-libGL-devel >= 9.2 BuildRequires: mesa-libGL-devel >= 9.2
BuildRequires: mesa-libEGL-devel BuildRequires: mesa-libEGL-devel
BuildRequires: mesa-libgbm-devel BuildRequires: mesa-libgbm-devel
# XXX silly... # XXX silly...
BuildRequires: libdrm-devel >= 2.4.0 kernel-headers BuildRequires: libdrm-devel >= 2.4.0 kernel-headers
BuildRequires: pam-devel
BuildRequires: audit-libs-devel libselinux-devel >= 2.0.86-1 BuildRequires: audit-libs-devel libselinux-devel >= 2.0.86-1
BuildRequires: libudev-devel BuildRequires: libudev-devel
# libunwind is Exclusive for the following arches # libunwind is Exclusive for the following arches
@ -252,7 +270,6 @@ X.Org X11 X server
%package common %package common
Summary: Xorg server common files Summary: Xorg server common files
Group: User Interface/X
Requires: pixman >= 0.30.0 Requires: pixman >= 0.30.0
Requires: xkeyboard-config xkbcomp Requires: xkeyboard-config xkbcomp
@ -262,7 +279,6 @@ Common files shared among all X servers.
%package Xorg %package Xorg
Summary: Xorg X server Summary: Xorg X server
Group: User Interface/X
Provides: Xorg = %{version}-%{release} Provides: Xorg = %{version}-%{release}
Provides: Xserver Provides: Xserver
# HdG: This should be moved to the wrapper package once the wrapper gets # HdG: This should be moved to the wrapper package once the wrapper gets
@ -290,12 +306,6 @@ Obsoletes: xorg-x11-drv-vmmouse < 13.1.0-4
Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-server-common >= %{version}-%{release}
Requires: system-setup-keyboard Requires: system-setup-keyboard
Requires: xorg-x11-drv-libinput Requires: xorg-x11-drv-libinput
%ifnarch s390 s390x
Requires: xorg-x11-drv-fbdev
%ifarch x86_64
Requires: xorg-x11-drv-vesa
%endif
%endif
Requires: libEGL Requires: libEGL
%description Xorg %description Xorg
@ -307,7 +317,6 @@ upon.
%package Xnest %package Xnest
Summary: A nested server Summary: A nested server
Group: User Interface/X
Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-server-common >= %{version}-%{release}
Provides: Xnest Provides: Xnest
@ -321,7 +330,6 @@ applications without running them on their real X server.
%package Xdmx %package Xdmx
Summary: Distributed Multihead X Server and utilities Summary: Distributed Multihead X Server and utilities
Group: User Interface/X
Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-server-common >= %{version}-%{release}
Provides: Xdmx Provides: Xdmx
@ -338,7 +346,6 @@ application for Xdmx would be to unify a 4 by 4 grid of 1280x1024 displays
%package Xvfb %package Xvfb
Summary: A X Windows System virtual framebuffer X server Summary: A X Windows System virtual framebuffer X server
Group: User Interface/X
# xvfb-run is GPLv2, rest is MIT # xvfb-run is GPLv2, rest is MIT
License: MIT and GPLv2 License: MIT and GPLv2
Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-server-common >= %{version}-%{release}
@ -357,7 +364,6 @@ is normally used for testing servers.
%package Xephyr %package Xephyr
Summary: A nested server Summary: A nested server
Group: User Interface/X
Requires: xorg-x11-server-common >= %{version}-%{release} Requires: xorg-x11-server-common >= %{version}-%{release}
Provides: Xephyr Provides: Xephyr
@ -374,7 +380,6 @@ Render and Composite.
%package devel %package devel
Summary: SDK for X server driver module development Summary: SDK for X server driver module development
Group: User Interface/X
Requires: xorg-x11-util-macros Requires: xorg-x11-util-macros
Requires: xorg-x11-proto-devel Requires: xorg-x11-proto-devel
Requires: libXfont2-devel Requires: libXfont2-devel
@ -392,7 +397,6 @@ drivers, input drivers, or other X modules should install this package.
%package source %package source
Summary: Xserver source code required to build VNC server (Xvnc) Summary: Xserver source code required to build VNC server (Xvnc)
Group: Development/Libraries
BuildArch: noarch BuildArch: noarch
%description source %description source
@ -433,18 +437,20 @@ test `getminor extension` == %{extension_minor}
%build %build
export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" %if !0%{?rhel}
export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" %ifarch %{ix86} x86_64
export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/redhat/redhat-hardened-ld" %global int10_arch 1
%endif
%endif
%ifnarch %{ix86} x86_64 %if %{undefined int10_arch}
%global no_int10 --disable-vbe --disable-int10-module %global no_int10 --disable-vbe --disable-int10-module
%endif %endif
%global kdrive --enable-kdrive --enable-xephyr --disable-xfake --disable-xfbdev %global kdrive --enable-kdrive --enable-xephyr --disable-xfake --disable-xfbdev
%global xservers --enable-xvfb --enable-xnest %{kdrive} --enable-xorg %global xservers --enable-xvfb --enable-xnest %{kdrive} --enable-xorg
%global default_font_path "catalogue:/etc/X11/fontpath.d,built-ins" %global default_font_path "catalogue:/etc/X11/fontpath.d,built-ins"
%global dri_flags --enable-dri --enable-dri2 %{?!rhel:--enable-dri3} --enable-suid-wrapper --enable-glamor %global dri_flags --disable-dri --enable-dri2 %{?!rhel:--enable-dri3} --enable-suid-wrapper --enable-glamor
autoreconf -f -v --install || exit 1 autoreconf -f -v --install || exit 1
@ -452,7 +458,7 @@ autoreconf -f -v --install || exit 1
--enable-dependency-tracking \ --enable-dependency-tracking \
--disable-static \ --disable-static \
--with-pic \ --with-pic \
%{?no_int10} --with-int10=x86emu \ %{?no_int10} \
--with-default-font-path=%{default_font_path} \ --with-default-font-path=%{default_font_path} \
--with-module-dir=%{_libdir}/xorg/modules \ --with-module-dir=%{_libdir}/xorg/modules \
--with-builderstring="Build ID: %{name} %{version}-%{release}" \ --with-builderstring="Build ID: %{name} %{version}-%{release}" \
@ -466,7 +472,7 @@ autoreconf -f -v --install || exit 1
--disable-unit-tests \ --disable-unit-tests \
--enable-dmx \ --enable-dmx \
--disable-xwayland \ --disable-xwayland \
%{dri_flags} %{?bodhi_flags} \ %{dri_flags} \
${CONFIGURE} ${CONFIGURE}
make V=1 %{?_smp_mflags} make V=1 %{?_smp_mflags}
@ -479,9 +485,6 @@ mkdir -p $RPM_BUILD_ROOT%{_libdir}/xorg/modules/{drivers,input}
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/xserver install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/xserver
# restore this if/when restoring the PAM patch
#mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps
#touch $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps/xserver
mkdir -p $RPM_BUILD_ROOT%{_datadir}/X11/xorg.conf.d mkdir -p $RPM_BUILD_ROOT%{_datadir}/X11/xorg.conf.d
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_datadir}/X11/xorg.conf.d install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_datadir}/X11/xorg.conf.d
@ -522,6 +525,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
# Remove unwanted files/dirs # Remove unwanted files/dirs
{ {
find $RPM_BUILD_ROOT -type f -name '*.la' | xargs rm -f -- || : find $RPM_BUILD_ROOT -type f -name '*.la' | xargs rm -f -- || :
# wtf
%ifnarch %{ix86} x86_64 %ifnarch %{ix86} x86_64
rm -f $RPM_BUILD_ROOT%{_libdir}/xorg/modules/lib{int10,vbe}.so rm -f $RPM_BUILD_ROOT%{_libdir}/xorg/modules/lib{int10,vbe}.so
%endif %endif
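Review bot: the added `# wtf` comment tells the next packager nothing about why the block exists; replace it with the reason. The block it annotates still uses `%ifnarch %{ix86} x86_64` to remove lib{int10,vbe}.so, whereas %build and %files now key on int10_arch, which is only defined under `%if !0%{?rhel}`; using `%if %{undefined int10_arch}` here as well would keep the three places consistent.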
@ -542,10 +546,8 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%global Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe) %global Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif %endif
# restore the missingok one if/when restoring the PAM patch
%files Xorg %files Xorg
%config %attr(0644,root,root) %{_sysconfdir}/pam.d/xserver %config %attr(0644,root,root) %{_sysconfdir}/pam.d/xserver
#config(missingok) /etc/security/console.apps/xserver
%{_bindir}/X %{_bindir}/X
%{_bindir}/Xorg %{_bindir}/Xorg
%{_libexecdir}/Xorg %{_libexecdir}/Xorg
@ -561,13 +563,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%dir %{_libdir}/xorg/modules/input %dir %{_libdir}/xorg/modules/input
%{_libdir}/xorg/modules/libfbdevhw.so %{_libdir}/xorg/modules/libfbdevhw.so
%{_libdir}/xorg/modules/libexa.so %{_libdir}/xorg/modules/libexa.so
%{_libdir}/xorg/modules/libfb.so
%{_libdir}/xorg/modules/libglamoregl.so %{_libdir}/xorg/modules/libglamoregl.so
%{_libdir}/xorg/modules/libshadow.so %{_libdir}/xorg/modules/libshadow.so
%{_libdir}/xorg/modules/libshadowfb.so %{_libdir}/xorg/modules/libshadowfb.so
%{_libdir}/xorg/modules/libvgahw.so %{_libdir}/xorg/modules/libvgahw.so
%{_libdir}/xorg/modules/libwfb.so %{_libdir}/xorg/modules/libwfb.so
%ifarch %{ix86} x86_64 %if %{defined int10_arch}
%{_libdir}/xorg/modules/libint10.so %{_libdir}/xorg/modules/libint10.so
%{_libdir}/xorg/modules/libvbe.so %{_libdir}/xorg/modules/libvbe.so
%endif %endif
@ -630,237 +631,254 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%changelog %changelog
* Wed Jun 18 2025 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-26 * Wed Feb 26 2025 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-28
- CVE fix for: CVE-2025-49175 (RHEL-97273), CVE-2025-49176 (RHEL-97329), - CVE fix for: CVE-2025-26594 (RHEL-80201), CVE-2025-26595 (RHEL-80186),
CVE-2025-49178 (RHEL-97369), CVE-2025-49179 (RHEL-97422), CVE-2025-26596 (RHEL-80188), CVE-2025-26597 (RHEL-80191),
CVE-2025-49180 (RHEL-97235) CVE-2025-26598 (RHEL-80192), CVE-2025-26599 (RHEL-80199),
CVE-2025-26600 (RHEL-80198), CVE-2025-26601 (RHEL-80200)
* Tue Oct 29 2024 José Expósito <jexposit@redhat.com> - 1.20.11-25 * Tue Oct 29 2024 José Expósito <jexposit@redhat.com> - 1.20.11-27
- CVE fix for CVE-2024-9632 - CVE fix for CVE-2024-9632
- Backport fix for invalid Unicode sequence
* Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24 * Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-26
- Fix regression caused by the fix for CVE-2024-31083 - Fix regression caused by the fix for CVE-2024-31083
* Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23 * Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-25
- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and - CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and
CVE-2024-31083 CVE-2024-31083
- Add util-linux as a dependency of Xvfb - Add util-linux as a dependency of Xvfb
- Fix compilation error on i686 - Fix compilation error on i686
* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-22 * Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24
- Fix use after free related to CVE-2024-21886 - Fix use after free related to CVE-2024-21886
* Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-21 * Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23
- CVE fix for: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, - CVE fix for: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886,
CVE-2024-0408 and CVE-2024-0409 CVE-2024-0408 and CVE-2024-0409
Resolves: https://issues.redhat.com/browse/RHEL-21207 Resolves: https://issues.redhat.com/browse/RHEL-21203
Resolves: https://issues.redhat.com/browse/RHEL-20528 Resolves: https://issues.redhat.com/browse/RHEL-20531
Resolves: https://issues.redhat.com/browse/RHEL-20378 Resolves: https://issues.redhat.com/browse/RHEL-20380
Resolves: https://issues.redhat.com/browse/RHEL-20384 Resolves: https://issues.redhat.com/browse/RHEL-20386
Resolves: https://issues.redhat.com/browse/RHEL-21191 Resolves: https://issues.redhat.com/browse/RHEL-21193
Resolves: https://issues.redhat.com/browse/RHEL-21198 Resolves: https://issues.redhat.com/browse/RHEL-21200
* Thu Dec 14 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20 * Thu Dec 14 2023 José Expósito <jexposit@redhat.com> - 1.20.11-22
- CVE fix for: CVE-2023-6377, CVE-2023-6478 - CVE fix for: CVE-2023-6377, CVE-2023-6478
Resolves: https://issues.redhat.com/browse/RHEL-18321 Resolves: https://issues.redhat.com/browse/RHEL-18322
Resolves: https://issues.redhat.com/browse/RHEL-18327 Resolves: https://issues.redhat.com/browse/RHEL-18329
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-19 * Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
- CVE fix for: CVE-2023-5380 - CVE fix for: CVE-2023-5380
Resolves: https://issues.redhat.com/browse/RHEL-14060 Resolves: https://issues.redhat.com/browse/RHEL-14062
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-18 * Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
- CVE fix for: CVE-2023-5367 - CVE fix for: CVE-2023-5367
Resolves: https://issues.redhat.com/browse/RHEL-13430 Resolves: https://issues.redhat.com/browse/RHEL-13430
* Tue Jun 6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-17 * Tue Jun 6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-19
- Backport fix for a deadlock with DRI3 - Backport fix for a deadlock with DRI3
Resolves: rhbz#2192556 Resolves: rhbz#2192550
* Fri Mar 31 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-16 * Fri Mar 31 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-18
- CVE fix for: CVE-2023-1393 - CVE fix for: CVE-2023-1393
Resolves: rhbz#2180296 Resolves: rhbz#2180297
* Wed Feb 22 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-15 * Tue Feb 21 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-17
- Rebuild for the missing debuginfo
Related: rhbz#2169522
* Tue Feb 21 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-14
- Fix xvfb-run script with --listen-tcp - Fix xvfb-run script with --listen-tcp
Resolves: rhbz#2169522 Resolves: rhbz#2172116
* Fri Feb 03 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-13 * Wed Feb 08 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-16
- Fix CVE-2023-0494 (#2166977) - CVE-2023-0494 (#2166973)
* Mon Dec 19 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-12 * Mon Dec 19 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-15
- Follow-up fix for CVE-2022-46340 (#2151774) - Follow-up fix for CVE-2022-46340 (#2151776)
* Mon Dec 12 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-11 * Wed Dec 14 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-14
- CVE fix for: CVE-2022-4283 (#2151799), CVE-2022-46340 (#2151774), - CVE fix for: CVE-2022-4283 (#2151801), CVE-2022-46340 (#2151776),
CVE-2022-46341 (#2151779), CVE-2022-46342 (#2151784), CVE-2022-46341 (#2151781), CVE-2022-46342 (#2151788),
CVE-2022-46343 (#2151789), CVE-2022-46344 (#2151794) CVE-2022-46343 (#2151791), CVE-2022-46344 (#2151798)
* Mon Nov 14 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-10 * Tue Nov 29 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.11-13
- Drop dependency on xorg-x11-font-utils, it was only there for one pkgconfig
query for a variable that never changes value (#2148292)
* Mon Nov 14 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-12
- Fix CVE-2022-3550, CVE-2022-3551 - Fix CVE-2022-3550, CVE-2022-3551
Resolves: rhbz#2140766, rhbz#2140772 Resolves: rhbz#2140768, rhbz#2140773
* Fri Jul 29 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-9 * Fri Jul 29 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-11
- CVE fix for: CVE-2022-2319/ZDI-CAN-16062, CVE-2022-2320/ZDI-CAN-16070 - CVE fix for: CVE-2022-2319/ZDI-CAN-16062, CVE-2022-2320/ZDI-CAN-16070
Resolves: rhbz#2108156, rhbz#2108161 Resolves: rhbz#2108157, rhbz#2108162
* Thu Jun 09 2022 Ray Strode <rstrode@redhat.com> - 1.20.11-8 * Thu Feb 10 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-10
- Rebuild again for ipv6 xtrans fix - Fix a regression with hybrid gfx and NVIDIA proprietary driver (#2052605)
Related: #2075132
* Tue May 24 2022 Ray Strode <rstrode@redhat.com> - 1.20.11-6 * Fri Jan 28 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-9
- Rebuild for ipv6 xtrans fix - Fix crash with NVIDIA proprietary driver with Present (#2046330)
Related: #2075132
* Fri Jan 28 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-5 * Wed Jan 26 2022 Adam Jackson <ajax@redhat.com> - 1.20.11-8
- Fix crash with NVIDIA proprietary driver with Present (#2046329) - Only disable the PCI-specific driver probe, since we do still want fallback
to fbdev to work.
Resolves: #2029769
* Thu Jan 6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-4 * Thu Jan 6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-7
- CVE fix for: CVE-2021-4008 (#2030162), CVE-2021-4009 (#2030172), - CVE fix for: CVE-2021-4008 (#2030160), CVE-2021-4009 (#2030170),
CVE-2021-4010 (#2030175), CVE-2021-4011 (#2030181) CVE-2021-4010 (#2030174), CVE-2021-4011 (#2030179)
* Mon Nov 29 2021 Jocelyn Falempe <jfalempe@redhat.com> - 1.20.11-3 * Tue Nov 23 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-6
- xf86/logind Fix drm_drop_master before vt_reldis - Restore hardened builds
Resolves: #1771863 Resolves: #2024556
* Wed Jun 9 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-2 * Tue Nov 9 2021 Adam Jackson <ajax@redhat.com> - 1.20.11-5
- Disable non-platform video driver probe, it should never be needed and the
PCI probe code interferes with the (default) platform path.
Resolves: #2000921
* Tue Oct 26 2021 Ray Strode <rstrode@redhat.com> - 1.20.11-4
- Fix XkbChangeMap
Resolves: #2009928
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.20.11-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 1.20.11-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Thu Jun 17 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-1
- xserver 1.20.11 (#1952895)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.20.10-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Feb 03 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.20.10-5
- Drop BuildRequires for flex-devel (#1871101)
* Mon Feb 1 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.10-4
- Remove Xwayland from the xserver builds - Remove Xwayland from the xserver builds
Resolves: #1956838
* Tue Jun 1 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-1 * Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.10-3
- xserver 1.20.11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Resolves: #1954260
* Thu Dec 10 2020 Adam Jackson <ajax@redhat.com> - 1.20.10-1 * Tue Jan 19 2021 Adam Jackson <ajax@redhat.com> - 1.20.10-2
- xserver 1.20.10 - Disable int10 and vbe on RHEL
Resolves: #1891871 - Disable DRI1
- Stop overriding the vendor name
* Wed Dec 9 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-10 * Wed Dec 2 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.20.10-1
- modesetting: keep going if a modeset fails on EnterVT - xserver 1.20.10 (CVE-2020-14360, CVE-2020-25712)
Resolves: #1838392
* Mon Nov 16 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-9 * Thu Nov 5 10:35:09 AEST 2020 Peter Hutterer <peter.hutterer@redhat.com> - 1.20.9-3
- CVE fix for: CVE-2020-14347 (#1862320) - Add BuildRequires for make
* Thu Oct 29 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-8 * Wed Nov 04 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.20.9-2
- CVE fixes for: CVE-2020-14345 (#1872391), CVE-2020-14346 (#1872395), - Drop BuildRequires to git-core only
CVE-2020-14361 (#1872402), CVE-2020-14362 (#1872409)
* Tue Oct 27 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-7 * Thu Oct 8 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.20.9-1
- xserver 1.20.9 + all current fixes from upstream
* Wed Aug 12 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-4
- Enable XC-SECURITY - Enable XC-SECURITY
Resolves: #1863142
* Thu Aug 20 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-6 * Fri Jul 31 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-3
- xfree86: add drm modes on non-GTF panels - Fix information disclosure bug in pixmap allocation (CVE-2020-14347)
Resolves: #1823461
* Tue Aug 4 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-5 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.8-2
- xwayland: Hold a pixmap reference in struct xwl_present_event - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Related: #1728684
- glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling
Resolves: #1740250
* Fri Jul 10 2020 Ray Strode <rstrode@redhat.com> - 1.20.8-4 * Mon Mar 30 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.20.8-1
- Don't switch VTs in the exit path, if killed on inactive VT
Related: #1618481
* Fri Jun 26 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-3
- Downgrade modesetting "glamor initialization failed" X_ERROR X_INFO
Resolves: #1724573
- Xwayland / Present leak fixes for #1728684
* Wed Jun 10 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.8-2
- Re-enable Xwayland Present support
Resolves: #1728684, #1715676
- Remove unused patch
* Tue May 26 2020 Adam Jackson <ajax@redhat.com> - 1.20.8-1
- xserver 1.20.8 - xserver 1.20.8
- Backport latest Xwayland randr resolution change emulation support
patches.
* Tue Feb 11 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.20.6-3 * Wed Mar 18 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.20.7-2
- Add fix for crash with Option "Rotate" in xorg.conf - Fix a crash on closing a window using Present found upstream:
Resolves: #1795328 https://gitlab.freedesktop.org/xorg/xserver/issues/1000
* Wed Dec 11 2019 Michel Dänzer <mdaenzer@redhat.com> - 1.20.6-2 * Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.20.7-1
- Add fixes for intermittent modesetting artifacts - xserver 1.20.7
Resolves: #1738670 - backport from stable "xserver-1.20-branch" up to commit ad7364d8d
(for mutter fullscreen unredirect on Wayland)
- Update videodrv minor ABI as 1.20.7 changed the minor ABI version
(backward compatible, API addition in glamor)
- Rebase Xwayland randr resolution change emulation support patches
* Mon Dec 9 2019 Olivier Fourdan <ofourdan@redhat.com> - 1.20.6-1 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 25 2019 Olivier Fourdan <ofourdan@redhat.com> - 1.20.6-1
- xserver 1.20.6 - xserver 1.20.6
* Tue Sep 03 2019 Adam Jackson <ajax@redhat.com> - 1.20.3-11 * Mon Nov 4 2019 Hans de Goede <hdegoede@redhat.com> - 1.20.5-9
- Add DRI2 fallback driver mappings for i965 and radeonsi - Fix building with new libglvnd-1.2.0 (E)GL headers and pkgconfig files
* Mon Aug 19 2019 Adam Jackson <ajax@redhat.com> - 1.20.3-10 * Mon Nov 4 2019 Hans de Goede <hdegoede@redhat.com> - 1.20.5-8
- Backport glvnd vendor selection for prime render offloading - Backport Xwayland randr resolution change emulation support
* Fri Jul 12 2019 Adam Jackson <ajax@redhat.com> - 1.20.3-8 * Thu Aug 29 2019 Olivier Fourdan <ofourdan@redhat.com> 1.20.5-7
- Fix platform device PCI detection for complex bus topologies - Pick latest fixes from xserver stable branch upstream (rhbz#1729925)
* Wed Apr 10 2019 Adam Jackson <ajax@redhat.com> - 1.20.3-7 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.5-6
- Don't require fbdev on s390x, where it doesn't exist - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Apr 03 2019 Adam Jackson <ajax@redhat.com> - 1.20.3-6 * Mon Jul 8 2019 Olivier Fourdan <ofourdan@redhat.com> 1.20.5-5
- Add Requires: fbdev (and on x86_64, vesa) to Xorg subpackage - Do not include <sys/io.h> on ARM with glibc to avoid compilation failure.
- Do not force vbe and int10 sdk headers as this enables int10 which does
not build on ARM without <sys/io.h>
* Mon Jan 14 2019 Ben Crocker <bcrocker@redhat.com> - 1.20.3-5 * Mon Jul 8 2019 Olivier Fourdan <ofourdan@redhat.com> 1.20.5-4
- Add Eric Anholt's patch e50c85f4ebf559 from upstream: - Fix regression causing screen tearing with upstream xserver 1.20.5
- Fix segfault on probing a non-PCI platform device on a system with PCI (rhbz#1726419)
- NOTE: also pertains on a system with no PCI, e.g. s390x.
Resolves: #1652013
* Mon Jan 07 2019 Olivier Fourdan <ofourdan@redhat.com> - 1.20.3-4 * Fri Jun 28 2019 Olivier Fourdan <ofourdan@redhat.com> 1.20.5-3
- Move LeaveVT after resetting randr pointers in xf86CrtcCloseScreen - Remove atomic downstream patches causing regressions (#1714981, #1723715)
- Xwayland crashes (#1708119, #1691745)
- Cursor issue with tablet on Xwayland
- Xorg/modesetting issue with flipping pixmaps with Present (#1645553)
* Mon Nov 19 2018 Adam Jackson <ajax@redhat.com> - 1.20.3-3 * Thu Jun 06 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.20.5-2
- Apply even more -z now and -pie - Return AlreadyGrabbed for keycodes > 255 (#1697804)
* Mon Nov 19 2018 Ray Strode <rstrode@redhat.com> - 1.20.3-2 * Thu May 30 2019 Adam Jackson <ajax@redhat.com> - 1.20.5-1
- Fix crash in Xephyr on server reset - xserver 1.20.5
Resolves: #1650168
* Tue Nov 13 2018 Adam Jackson <ajax@redhat.com> - 1.20.3-1 * Tue Apr 23 2019 Adam Jackson <ajax@redhat.com> - 1.20.4-4
- Fix some non-atomic modesetting calls to be atomic
* Wed Mar 27 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.20.4-3
- Fix a Qt scrolling bug, don't reset the valuator on slave switch
* Thu Mar 21 2019 Adam Jackson <ajax@redhat.com> - 1.20.4-2
- Backport an Xwayland crash fix in the Present code
* Tue Feb 26 2019 Adam Jackson <ajax@redhat.com> - 1.20.4-1
- xserver 1.20.4
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 11 2019 Olivier Fourdan <ofourdan@redhat.com> - 1.20.3-3
- More Xwayland/Present fixes from upstream (rhbz#1609181, rhbz#1661748)
* Thu Dec 06 2018 Olivier Fourdan <ofourdan@redhat.com> - 1.20.3-2
- Xwayland/Present fixes from master upstream
* Thu Nov 01 2018 Adam Jackson <ajax@redhat.com> - 1.20.3-1
- xserver 1.20.3 - xserver 1.20.3
- Also forget about DRI driver names for drivers we're not shipping
* Fri Oct 26 2018 Adam Jackson <ajax@redhat.com> - 1.20.2-5
- Work around broken fbdev headers
* Mon Oct 22 2018 Adam Jackson <ajax@redhat.com> - 1.20.2-4
- Back out the PAM patch, may not be necessary in 8
* Wed Oct 17 2018 Peter Hutterer <peter.hutterer@redhat.com> 1.20.2-3
- Backport fix for readlink call from master
* Tue Oct 16 2018 Adam Jackson <ajax@redhat.com> - 1.20.2-2
- Avoid drmSetInterfaceVersion in platform device probe
- Backport a misparenthesis fix from master
* Mon Oct 15 2018 Adam Jackson <ajax@redhat.com> - 1.20.2-1 * Mon Oct 15 2018 Adam Jackson <ajax@redhat.com> - 1.20.2-1
- xserver 1.20.2 - xserver 1.20.2
* Mon Oct 15 2018 Olivier Fourdan <ofourdan@redhat.com>> - 1.20.1-4 * Thu Oct 4 2018 Hans de Goede <hdegoede@redhat.com> - 1.20.1-4
- Some more RHEL mustard: - Rebase patch to use va_gl as vdpau driver on i965 GPUs, re-fix rhbz#1413733
- Disable Present support in Xwayland (rhbz#1638463)
* Fri Oct 12 2018 Adam Jackson <ajax@redhat.com> - 1.20.1-3 * Thu Sep 13 2018 Dave Airlie <airlied@redhat.com> - 1.20.1-3
- Assorted RHEL mustard: - Build with PIE enabled (this doesn't enable bind now)
- Don't probe for drivers we're not shipping
- Enable PAM
- Link Xorg with -z now
- Nerf modesetting's atomic ioctl support
- Don't autoconfigure vesa or fbdev from X -configure
- Call LeaveVT on RANDR's CloseScreen path so we drop drm master
- Try harder to get initial spanning desktop if the output's
preferred mode was filtered away
- Sync va_gl/vdpau patch from F29
* Thu Sep 13 2018 Dave Airlie <airlied@redhat.com> - 1.20.1-2 * Mon Sep 10 2018 Olivier Fourdan <ofourdan@redhat.com> - 1.20.1-2
- build with PIE flags - Include patches from upstream to fix Xwayland crashes
* Thu Aug 09 2018 Adam Jackson <ajax@redhat.com> - 1.20.1-1 * Thu Aug 09 2018 Adam Jackson <ajax@redhat.com> - 1.20.1-1
- xserver 1.20.1 - xserver 1.20.1
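Review bot: going by the %changelog alone, neither branch carries the other's 2025 security fixes. The newest c9-beta entry (1.20.11-28, Feb 26 2025) lists CVE-2025-26594 through CVE-2025-26601, while the newest c8 entry (1.20.11-26, Jun 18 2025) lists CVE-2025-49175, CVE-2025-49176, CVE-2025-49178, CVE-2025-49179 and CVE-2025-49180. Neither set appears on the opposite side. Before relying on either build, check the patch list against both sets rather than trusting the release number, since c9-beta has the higher release but the older top entry. Two smaller points on the c9-beta side: both Oct 25 2023 entries (CVE-2023-5380 and CVE-2023-5367) are stamped 1.20.11-20 and there is no -21, so one of them looks mis-numbered; and the "Thu Nov 5 10:35:09 AEST 2020" entry has a time and timezone in the date field, unlike every other entry.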