| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1559a94395258fd73e369f1a2c98a44bfe21a486)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
The 'n' parameter must be surrounded by parens in both places to
prevent precedence from mis-computing things.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9802a0162f738de03585ca3f3b8a8266494f7d45)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
We're using compiler compatibility settings which generate warnings
when a variable is declared after the first statement.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
[CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard <keithp@keithp.com
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell <rmorell@nvidia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7e7630bbb775573eea2a2335adb9d190c3e1e971)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit e883c170c15493ab3637c0a01890f5a7ca4e16a5)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 984583a497c813df5827ae22483133e704fee79c)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
[CVE-2014-8098 6/8]
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 44ba149f28ece93c2fbfc9cc980588de5322dd4b)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit afe177020d1fb776c6163f21eddc82cb185b95ca)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
[CVE-2014-8098 4/8]
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c91e4abc3b892f42802efa20fef7ada442c2d3f5)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
This is a half-measure until we start passing request length into the
varsize function, but it's better than the nothing we had before.
v2: Verify that there's at least a large render header's worth of
dataBytes (Julien Cristau)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a33a939e6abb255b14d8dbc85fcbd2c55b958bae)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Conflicts:
glx/glxcmds.c
|
|
[CVE-2014-8093 5/6]
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 698888e6671d54c7ae41e9d456f7f5483a3459d2)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit be09e0c988ffdb0371293af49fb4ea8f49ed324a)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 2a5cbc17fc72185bf0fa06fef26d1f782de72595)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Without this we'd reject the request with BadLength. Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 13d36923e0ddb077f4854e354c3d5c80590b5d9d)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
(v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 717a1b37767b41e14859e5022ae9e679152821a9)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ab2ba9338aa5e85b4487bc7fbe69985c76483e01)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f4afd53f2aeaddf509bf9f71d1716dd273fd6e14)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2df83bb122debc3c20cfc3d3b0edc85cd0270f79)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d153a85f7478a7a67ccb02fbca6390b0ab1732ee)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Conflicts:
test/Makefile.am
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit a0ece23a8bd300c8be10812d368dc8058c97c63e)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Otherwise we may be reading outside of the client request.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b5f9ef03df6a650571b29d3d1c1d2b67c6e84336)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 3df2fcf12499ebdb26b9b67419ea485a42041f33)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d155b7a8e38e74aee96bf52c20c8b6a330d7d462)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 0a6085aaf3581cca558d960ea176ddf3a41a2213)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 7553082b9b883b5f130044f3d53bce2f0b660e52)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 73c63afb93c0af1bfd1969bf6e71c9edca586c77)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2ef42519c41e793579c9cea699c866fee3d9321f)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 6692670fde081bbfe9313f17d84037ae9116702a)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit e0e11644622a589129a01e11e5d105dc74a098de)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bc8e20430b6f6378daf6ce4329029248a88af08b)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit eeae42d60bf3d5663ea088581f6c28a82cd17829)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 90cc925c5991fcb203f72d00b04419cd754a9b2c)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
This function can return NULL; make sure every caller tests for that.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 61a292adf45405641de1c522a04c148e0a152acd)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Pageflips for Pixmap presents were not synchronized to vblank on
drivers with support for PresentCapabilityAsync, due to some
missing init for vblank->sync_flips. The PresentOptionAsync
flag was completely ignored for pageflipped presents.
Vsynced flips only worked by accident on the intel-ddx, as that
driver doesn't have PresentCapabilityAsync support.
On nouveau-ddx, which supports PresentCapabilityAsync, this
always caused non-vsynced pageflips with pretty ugly tearing.
This patch fixes the problem, as tested on top of XOrg 1.16.2
on nouveau and intel.
v4: Add additional PresentCapabilityAsync caps check, as
suggested by Eric Anholt.
Please also apply to XOrg 1.17 and XOrg 1.16.2 stable.
Applying on top of XOrg 1.16.2 requires cherry-picking
commit 2051514652481a83bd7cf22e57cb0fcd40333f33
which trivially fixes lack of support for protocol option
PresentOptionCopy - get two bug fixes for the price of one!
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit aae6460694ac3667abb8c34fdf3a7dae524827a4)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
DebugPresent() crashed the server when a dri3 drawable
was closed while a pageflipped present was still pending,
due to vblank->window-> Null-Ptr deref, so debug builds
caused new problems to debug.
E.g.,
glXSwapBuffers(...);
glXDestroyWindow(...);
-> Pageflip for non-existent window completes -> boom.
Also often happens when switching desktop compositor on/off
due to Present unflips, or when logging out of session.
Also add info if a Present is queued for copyswap or pageflip,
if the present is vsynced, and the serial no of the Present
request, to aid debugging of pageflip and vsync issues. The
serial number is useful as Mesa's dri3/present backend encodes
its sendSBC in the serial number, so one can easily correlate
server debug output with Mesa and with the SBC values returned
to actual OpenGL client applications via OML_sync_control and
INTEL_swap_events extension, makes debugging quite a bit more
easy.
Please also cherry-pick this for a 1.16.x stable update.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 32d3100bd78efe41d468f7d66861296aee468b6f)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
We added this option to the present protocol before 1.0 but somehow
never implemented it in the server. It's pretty simple; just don't
ever do flips if the application specifies Copy.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 2051514652481a83bd7cf22e57cb0fcd40333f33)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Covers the current state after commits 99f0365b1fbdfd9238b9f,
d0da0e9c3bb8fe0cd4879, & e3aa13b8d63ea2fba6eb4 were all applied.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Jones <jajones@nvidia.com>
Reviewed-by: Robert Morell <rmorell@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit b09d59342804db7dbb8056dca43dd39f54e290aa)
[alanc: Modified for server-1.16-branch to show +iglx as default instead of
-iglx, to match code in os/utils.c in server-1.16-branch.]
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168
Fix errors introducted in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said
patch does indeed remove the problematic writes to bad memory, however
it also introduces errors in the algoritm. This patch has the effect of
reverting said patch and adding an if in the proper location to catch
the out of bounds memory write without causing problems to the overall
algorithm.
Signed-off-by: Alex Orange <crazycasta@gmail.com>
Reviewed-by: Peter Harris <pharris@opentext.com>
Tested-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca)
|
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
The GPU may still have a reference to the SHM segment which would only
be finally released when the Pixmap is destroy. So we can only detach
the SHM segment (and thereby making the memory unaccessible) after the
backend has had a chance to flush any remaining references.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85058
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reported-and-tested-by: gedgon@gmail.com
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 9b29fa957a397664463c7c78fbcc2f34d1993271)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
When the target msc is past or is the current one, we want to get immediate
feedback. This patch fixes this behaviour.
Signed-off-by: Axel Davy <axel.davy@ens.fr>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 882f2d10d99a04a96afc0ce0c8937e16bec3afb5)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Calling present_notify_msc could cancel a pending pixmap presentation.
Signed-off-by: Axel Davy <axel.davy@ens.fr>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 9bc01dfc7070a40f5948588895b3a11dd1636d0e)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Introduced in 45fb3a934dc0db51584aba37c2f9d73deff9191d. When a device is
enabled, the master's locked state is pushed to the slave. If the device is
floating, no master exists and we triggered a NULL-pointer dereference
in XkbPushLockedStateToSlaves.
X.Org Bug 81885 <http://bugs.freedesktop.org/show_bug.cgi?id=81885>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 1e30fc1b99bda040038e4fd56d1b27c686b44c75)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
