Timo Aaltonen pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits: 271934db by Samuel Thibault at 2020-04-15T13:29:19+02:00 dix: do not send focus event when grab actually does not change c67f2eac5651 ("dix: always send focus event on grab change") made dix always sent events when it's a NotifyGrab or NotifyUngrab, even if from == to, because 'from' can just come from a previous XSetInputFocus call. However, when an application calls XGrabKeyboard several times on the same window, we are now sending spurious FocusOut+FocusIn with NotifyGrab, even if the grab does not actually change. This makes screen readers for blind people spuriously emit activity events which disturb screen reading workflow when e.g. switching between menus. This commit avoids calling DoFocusEvents in that precise case, i.e. when oldWin is a previous grab and the new grab is the same window. Signed-off-by: Samuel Thibault <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit 364d64981549544213e2bca8de6ff8a5b2b5a69e) - - - - - b8b10e29 by Hans de Goede at 2020-05-22T08:07:56+02:00 modesetting: Disable pageflipping when using a swcursor The miPointerSpriteFunc swcursor code expects there to only be a single framebuffer and when the cursor moves it will undo the damage of the previous draw, potentially overwriting what ever is there in a new framebuffer installed after a flip. This leads to all kind of artifacts, so we need to disable pageflipping when a swcursor is used. The code for this has shamelessly been copied from the xf86-video-amdgpu code. Fixes: https://gitlab.freedesktop.org/xorg/xserver/issues/828 Reviewed-by: Michel Dänzer <[email protected]> Signed-off-by: Hans de Goede <[email protected]> (cherry picked from commit 0aaac8d783e78c040a70a55ba8d67809abd7e625) Signed-off-by: Łukasz Spintzyk <[email protected]> - - - - - 0430d13c by Olivier Fourdan at 2020-05-29T09:24:11+00:00 xwayland: Fix infinite loop at startup Mutter recently added headless tests, and when running those tests the Wayland compositor runs for a very short time. Xwayland is spawned by the Wayland compositor and upon startup will query the various Wayland protocol supported by the compositor. To do so, it will do a roundtrip to the Wayland server waiting for events it expects. If the Wayland compositor terminates before Xwayland has got the replies it expects, it will loop indefinitely calling `wl_display_roundtrip()` continuously. To avoid that issue, add a new `xwl_screen_roundtrip()` that checks for the returned value from `wl_display_roundtrip()` and fails if it is negative. Signed-off-by: Olivier Fourdan <[email protected]> Reviewed-by: Roman Gilg <[email protected]> Reviewed-by: Jonas Ådahl <[email protected]> (cherry picked from commit 785e59060c00129e47da6c0877604a56d7e0e32f) - - - - - fc297c87 by Simon Ser at 2020-07-03T10:51:36+00:00 xwayland: import DMA-BUFs with GBM_BO_USE_RENDERING only Drop GBM_BO_USE_SCANOUT from the GBM_BO_IMPORT_FD import, add GBM_BO_USE_RENDERING to the GBM_BO_IMPORT_FD_MODIFIER import. If the DMA-BUF cannot be scanned out, gbm_bo_import with GBM_BO_USE_SCANOUT will fail. However Xwayland doesn't need to scan-out the buffer and can work fine without scanout. Glamor only needs GBM_BO_USE_RENDERING. Signed-off-by: Simon Ser <[email protected]> Reviewed-by: Michel Dänzer <[email protected]> Reviewed-by: Daniel Stone <[email protected]> (cherry picked from commit 421ce458f1d295015c108eb32f9611e527649cf8) - - - - - b3310ed5 by Michel Dänzer at 2020-07-20T13:22:20+00:00 present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip The comment was incorrect: Any reference held by the window (see present_wnmd_execute) is in addition to the one in struct present_vblank (see present_vblank_create). So if we don't drop the latter, the pixmap will be leaked. Reviewed-by: Dave Airlie <[email protected]> (cherry picked from commit bc9dd1c71c3722284ffaa7183f4119151b25a44f) - - - - - ba52e5eb by Michel Dänzer at 2020-07-20T13:22:20+00:00 present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip When present_wnmd_clear_window_flip is done, present_destroy_window frees struct present_window_priv, and the events in the flip queue become unreachable. So if we don't free them first, they're leaked. Also drop the call to present_wnmd_set_abort_flip, which just sets a flag in struct present_window_priv and thus can't have any observable effect after present_destroy_window. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1042 Reviewed-by: Dave Airlie <[email protected]> (cherry picked from commit 1bdedc8dbb9d035b85444c2558a137470ff52113) - - - - - 37779d7f by Michel Dänzer at 2020-07-20T13:22:21+00:00 xwayland: Always use xwl_present_free_event for freeing Present events Minor cleanup, and will make the next change simpler. No functional change intended. Reviewed-by: Dave Airlie <[email protected]> (cherry picked from commit 1beffba699e2cc3f23039d2177c025bc127966de) - - - - - 22c0808a by Michel Dänzer at 2020-07-20T13:22:21+00:00 xwayland: Free all remaining events in xwl_present_cleanup At the end of xwl_present_cleanup, these events aren't reachable anymore, so if we don't free them first, they're leaked. (cherry picked from commit 64565ea344fef0171497952ef75f019cb420fe3b) v2: * Simpler backport, no need to keep a reference to the pixmap on the 1.20 branch. - - - - - 3aa31823 by Olivier Fourdan at 2020-07-20T15:54:39+02:00 xwayland: Clear private on device removal Xwayland uses the device private to point to the `xwl_seat`. Device may be removed at any time, including on suspend. On resume, if the DIX code ends up calling a function that requires the `xwl_seat` such as `xwl_set_cursor()` we may end up pointing at random data. Make sure the clear the device private data on removal so that we don't try to use it and crash later. Signed-off-by: Olivier Fourdan <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> https://gitlab.freedesktop.org/xorg/xserver/issues/709 (cherry picked from commit 4195e8035645007be313ade79032b8d561ceec6c) - - - - - 533cc6ca by Sjoerd Simons at 2020-07-20T15:54:39+02:00 xwayland: Fix crashes when there is no pointer When running with a weston session without a pointer device (thus with the wl_seat not having a pointer) xwayland pointer warping and pointer confining should simply be ignored to avoid crashes. Signed-off-by: Sjoerd Simons <[email protected]> (cherry picked from commit d35f68336b0a462dc660797d1779581f348af04e) - - - - - cc361355 by SimonP at 2020-07-20T15:54:39+02:00 xwayland: Initialise values in xwlVidModeGetGamma() ProcVidModeGetGamma() relies on GetGamma() to initialise values if it returns TRUE. Without this, we're sending uninitialised values to clients. Fixes: xorg/xserver#1040 (cherry picked from commit 6748a4094158d2bde1630b915a5318f9f22c8e0a) - - - - - ccbcf083 by Lyude Paul at 2020-07-20T15:54:39+02:00 xwayland: Store xwl_tablet_pad in its own private key When a slave device causes the master virtual pointer device to change device types, the device's private data pointer (device->public.devicePrivate) is also changed to match the type of the slave device. This can be a problem though, as tablet pad devices will set the device's private data pointer to their own xwl_tablet_pad struct. This can cause us to dereference the pointer as the wrong type, and result in a segfault: Thread 1 "Xwayland" received signal SIGSEGV, Segmentation fault.. wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792 792 va_start(ap, opcode); (gdb) bt 0 wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792 1 0x00005610b27b6c55 in wl_pointer_set_cursor (hotspot_y=0, hotspot_x=0, surface=0x0, serial=<optimized out>, wl_pointer=<optimized out>) at /usr/include/wayland-client-protocol.h:4610 2 xwl_seat_set_cursor (xwl_seat=xwl_seat@entry=0x5610b46d5d10) at xwayland-cursor.c:137 3 0x00005610b27b6ecd in xwl_set_cursor (device=<optimized out>, screen=<optimized out>, cursor=<optimized out>, x=<optimized out>, y=<optimized out>) at xwayland-cursor.c:249 4 0x00005610b2800b46 in miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:468 5 miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:410 6 0x00005610b2800e56 in miPointerDisplayCursor (pCursor=0x5610b4b35740, pScreen=0x5610b3d54410, pDev=0x5610b4501a30) at mipointer.c:206 7 miPointerDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at mipointer.c:194 8 0x00005610b27ed62b in CursorDisplayCursor (pDev=<optimized out>, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at cursor.c:168 9 0x00005610b28773ee in AnimCurDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at animcur.c:197 10 0x00005610b28eb4ca in ChangeToCursor (pDev=0x5610b4501a30, cursor=0x5610b4b35740) at events.c:938 11 0x00005610b28ec99f in WindowHasNewCursor (pWin=pWin@entry=0x5610b4b2e0c0) at events.c:3362 12 0x00005610b291102d in ChangeWindowAttributes (pWin=0x5610b4b2e0c0, vmask=<optimized out>, vlist=vlist@entry=0x5610b4c41dcc, client=client@entry=0x5610b4b2c900) at window.c:1561 13 0x00005610b28db8e3 in ProcChangeWindowAttributes (client=0x5610b4b2c900) at dispatch.c:746 14 0x00005610b28e1e5b in Dispatch () at dispatch.c:497 15 0x00005610b28e5f34 in dix_main (argc=16, argv=0x7ffc7a601b68, envp=<optimized out>) at main.c:276 16 0x00007f8828cde042 in __libc_start_main (main=0x5610b27ae930 <main>, argc=16, argv=0x7ffc7a601b68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc7a601b58) at ../csu/libc-start.c:308 17 0x00005610b27ae96e in _start () at cursor.c:1064 Simple reproducer in gnome-shell: open up an Xwayland window, press some tablet buttons, lock and unlock the screen. Repeat if it doesn't crash the first time. So, let's fix this by registering our own device-specific private key for storing a backpointer to xwl_tablet_pad, so that all input devices have their private data pointers set to their respective xwl_seat. Reviewed-by: Peter Hutterer <[email protected]> Signed-off-by: Lyude Paul <[email protected]> (cherry picked from commit ba0e789b912671c724a21b3a30291247718bcf7d) - - - - - 4912f693 by Jose Maria Casanova Crespo at 2020-07-21T15:22:48+00:00 modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation Since the introduction of "modesetting: Remove unnecessary fb addition from drmmode_xf86crtc_resize" the fb_id isn't initialited at drmmode_xf86crtc_resize. Rotate operation of XRandR uses rotate_bo. So in this case the fb_id associated to the front_bo is not initialized at drmmode_set_mode_major. So fd_id remains 0. As every call to drmmode_xf86crtc_resize allocates a new front_bo we should destroy unconditionally the old_front_bo if operation success. So we free the allocated GBM handles. This avoids crashing xserver with a OOM in the RPI4 1Gb at 4k resolution after 3 series xrandr rotations from normal to left and vice versa reported at https://github.com/raspberrypi/firmware/issues/1345 Signed-off-by: Jose Maria Casanova Crespo <[email protected]> Reviewed-by: Keith Packard <[email protected]> Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1024 Fixes: 8774532121 "modesetting: Remove unnecessary fb addition from drmmode_xf86crtc_resize" (cherry picked from commit 73480f172aeced074dd9301ae4d97f7d2f3a9a45) - - - - - 1179938c by Alex Goins at 2020-07-21T16:48:37-05:00 randr: Check rrPrivKey in RRHasScanoutPixmap() RRHasScanoutPixmap() is called from xf86CheckHWCursor(), regardless of whether or not RandR has been initialized. As mentioned in commit 4226c6d, it's possible that RandR has not been initialized if the server is configured with Xinerama and there is more than one X screen. Calling rrGetScrPriv when RandR isn't initialized causes an assertion failure that aborts the server: Xorg: ../include/privates.h:121: dixGetPrivateAddr: Assertion key->initialized' failed. Just as in commit 4226c6d, fix the problem by checking dixPrivateKeyRegistered(rrPrivKey) before calling rrGetScrPriv. Signed-off-by: Alex Goins <[email protected]> Acked-by: Olivier Fourdan <[email protected]> (cherry picked from commit 8eeff5d7880c6885ee6f206355599f13d739afa7) - - - - - 23c55ec3 by Michel Dänzer at 2020-07-22T16:39:33+00:00 xwayland: Hold a pixmap reference in struct xwl_present_event In the log of the commit below, I claimed this wasn't necessary on the 1.20 branch, but this turned out to be wrong: It meant that event->buffer could already be destroyed in xwl_present_free_event, resulting in use-after-free and likely a crash. Fixes: 22c0808ac88f "xwayland: Free all remaining events in xwl_present_cleanup" - - - - - 3059a2e6 by Olivier Fourdan at 2020-08-12T16:55:58+02:00 xwayland: Disable the MIT-SCREEN-SAVER extension when rootless Xwayland is just a Wayland client, no X11 screensaver should be expected to work reliably on Xwayland when running rootless because Xwayland cannot grab the input devices so it has no way to actually lock the screen managed by the Wayland compositor. Turn off the screensaver on Xwayland when running rootless by setting the screensaver timeout and interval and their default values to zero and disable the MIT-SCREEN-SAVER extension. Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1051 Signed-off-by: Olivier Fourdan <[email protected]> Reviewed-by: Michel Dänzer <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> (cherry picked from commit 5c20e4b834145f590c68dbc98e33c7d3d710001a) - - - - - 0679d466 by Alan Coopersmith at 2020-08-18T04:12:08+00:00 Update URL's in man pages Mostly http->https conversions, but also replaces gitweb.fd.o with gitlab.fd.o, and xquartz.macosforge.org with xquartz.org. Signed-off-by: Alan Coopersmith <[email protected]> (cherry picked from commit a5151f58cf98d1696d60a3577dc50851f159da8a) - - - - - c726ceac by Martin Weber at 2020-08-18T04:12:09+00:00 hw/xfree86: Avoid cursor use after free During a VT-Switch a raw pointer to the shared cursor object is saved which is then freed (in case of low refcount) by a call to xf86CursorSetCursor with argument pCurs = NullCursor. This leads to a dangling pointer which can follow in a use after free. This fix ensures that there is a shared handle saved for the VT-Switch cycle. Reviewed-by: Michel Dänzer <[email protected]> (cherry picked from commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6) - - - - - d4e8c462 by Simon Ser at 2020-08-18T04:12:09+00:00 xwayland: only use linux-dmabuf if format/modifier was advertised Previously, linux-dmabuf was used unconditionally if the buffer had a modifier. However creating a linux-dmabuf buffer with a format/modifier which hasn't been advertised will fail. Change xwl_glamor_gbm_get_wl_buffer_for_pixmap to use linux-dmabuf when the format/modifier has been advertised only. Signed-off-by: Simon Ser <[email protected]> Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1035 Tested-by: Emmanuel Gil Peyrot <[email protected]> Reviewed-by: Michel Dänzer <[email protected]> (cherry picked from commit c0e13cbf5a56e1fdd1e4ce58ebdefb6d2904e4b3) - - - - - 6cbd6a09 by Olivier Fourdan at 2020-08-18T04:12:09+00:00 xwayland: Use a fixed DPI value for core protocol The way Xwayland works (like all Wayland clients), it first queries the Wayland registry, set up all relevant protocols and then initializes its own structures. That means Xwayland will get the Wayland outputs from the Wayland compositor, compute the physical size of the combined outputs and set the corresponding Xwayland screen properties accordingly. Then it creates the X11 screen using fbScreenInit() but does so by using a default DPI value of 96. That value is used to set the physical size of the X11 screen, hence overriding the value computed from the actual physical size provided by the Wayland compositor. As a result, the DPI computed by tools such as xdpyinfo will always be 96 regardless of the actual screen size and resolution. However, if the Wayland outputs get reconfigured, or new outputs added, or existing outputs removed, Xwayland will recompute and update the physical size of the screen, leading to an unexpected change of DPI. To avoid that discrepancy, use a fixed size DPI (defaults to 96, and can be set using the standard command lime option "-dpi") and compute a physical screen size to match that DPI setting. Note that only affects legacy core protocols, X11 clients can still get the actual physical output size as reported by the Wayland compositor using the RandR protocol, which also allows for the size to be 0 if the size is unknown or meaningless. Signed-off-by: Olivier Fourdan <[email protected]> Reviewed-by: Simon Ser <[email protected]> Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/731 (cherry picked from commit b0413b6e99c6b5fbc04229ce64ddf1f41b08e63e) - - - - - 3b51978b by Alan Coopersmith at 2020-08-18T04:12:09+00:00 doc: Update URLs in Xserver-DTrace.xml Signed-off-by: Alan Coopersmith <[email protected]> (cherry picked from commit 0006aecba097b437f96a462075494d68bdad24c1) - - - - - 10cabe0b by Michel Dänzer at 2020-08-18T04:12:09+00:00 xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip This couldn't have worked correctly for non-0 x1/y1. Noticed by inspection. Reviewed-by: Simon Ser <[email protected]> (cherry picked from commits 9141196d3104ab37385c3e385deaa70c002dd184) (cherry picked fixup from commit 85a6fd11c723888ca093785a3df43066fdca9c33) - - - - - 4a65b661 by Michel Dänzer at 2020-08-18T04:12:09+00:00 xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp This can happen e.g. with weston's headless backend. Reviewed-by: Olivier Fourdan <[email protected]> (cherry picked from commit e33453f9111b21e4814d628e6ae00bc7b200f404) - - - - - 7da8e7ba by Roman Gilg at 2020-08-18T04:12:09+00:00 present: Check valid region in window mode flips For Pixmap flips to have well defined outcomes the window must be contained by the valid region if such region was specified. The valid region is inserted as an argument to the check in window mode. Setting this argument is missing in screen mode as well but we ignore it for now and only add it to window mode. It seems there are none or only very few clients actually making use of valid regions at the moment. For simplicity we therefore just check if a valid region was set by the client and in this case do never flip, independently of the window being contained by the region or not. Signed-off-by: Roman Gilg <[email protected]> (cherry picked from commit 591916ea9e7a77f68f436b4a541402d9deadfe64) - - - - - 2720b871 by Aaron Ma at 2020-08-18T04:12:09+00:00 xfree86: add drm modes on non-GTF panels EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display. Check the "Display Range Limits Descriptor" for GTF support. If panel doesn't support GTF, then add gtf modes. Otherwise X will only show the modes in "Detailed Timing Descriptor". V2: Coding style changes. V3: Coding style changes, remove unused variate. V4: remove unused variate. BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313 Signed-off-by: Aaron Ma <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit 6a79a737e2c0bc730ee693b4ea4a1530c108be4e) - - - - - 4979ac8f by Matthieu Herrb at 2020-08-18T04:26:45+00:00 fix for ZDI-11426 Avoid leaking un-initalized memory to clients by zeroing the whole pixmap on initial allocation. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> (cherry picked from commit a6b2cbe91793ae4967cd21a7103d889248029553) - - - - - 74b7427c by Adam Jackson at 2020-08-18T17:20:09+00:00 linux: Make platform device probe less fragile At the point where xf86BusProbe runs we haven't yet taken our own VT, which means we can't perform drm "master" operations on the device. This is tragic, because we need master to fish the bus id string out of the kernel, which we can only do after drmSetInterfaceVersion, which for some reason stores that string on the device not the file handle and thus needs master access. Fortunately we know the format of the busid string, and it happens to almost be the same as the ID_PATH variable from udev. Use that instead and stop calling drmSetInterfaceVersion. (backported from commit 0816e8fca6194dfb4cc94c3a7fcb2c7f2a921386) Reviewed-by: Peter Hutterer <[email protected]> Signed-off-by: Adam Jackson <[email protected]> Signed-off-by: Huacai Chen <[email protected]> - - - - - 5c96eb5f by Adam Jackson at 2020-08-18T17:20:09+00:00 linux: Fix platform device PCI detection for complex bus topologies Suppose you're in a Hyper-V guest and are trying to use PCI passthrough. The ID_PATH that udev will construct for that looks something like "acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in the first four characters of that is going to not work. Instead, strstr. I suppose it's possible you could have _multiple_ PCI buses in the path, in which case you'd want strrstr, if that were a thing. (backported from commit 9acff309434a8029bcce1b22530043459bb71791) Signed-off-by: Adam Jackson <[email protected]> Signed-off-by: Huacai Chen <[email protected]> - - - - - 249a12c5 by Huacai Chen at 2020-08-18T17:20:09+00:00 linux: Fix platform device probe for DT-based PCI On a DT-base PCI platform, the sysfs path of vga device is like this: /sys/devices/platform/bus@10000000/1a000000.pci/pci0000:00/0000:00:11.0/0000:04:00.0. Then the ID_PATH from udev is platform-1a000000.pci-pci-0000:04:00.0 and the BusID will be pci-0000:04:00.0, which causes Xorg start fail. This is because config_udev_odev_setup_attribs() use strstr() to search the first "pci-" in ID_PATH. To fix this, we implement a strrstr() function and use it to search the last "pci-" in ID_PATH, which can get a correct BusID. (backported from commit 9fbd3e43dd9e13700df96b508c3d97f77e2b9f7e) Reviewed-by: Dave Airlie <[email protected]> Signed-off-by: Huacai Chen <[email protected]> - - - - - 1d3a1092 by Matthieu Herrb at 2020-08-25T17:13:31+02:00 Correct bounds checking in XkbSetNames() CVE-2020-14345 / ZDI 11428 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <[email protected]> (cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1) - - - - - eff3f6cd by Matthieu Herrb at 2020-08-25T17:13:31+02:00 Fix XIChangeHierarchy() integer underflow CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <[email protected]> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e) - - - - - 5b384e76 by Matthieu Herrb at 2020-08-25T17:13:31+02:00 Fix XkbSelectEvents() integer underflow CVE-2020-14361 ZDI-CAN 11573 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <[email protected]> (cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8) - - - - - 705d7213 by Matthieu Herrb at 2020-08-25T17:13:31+02:00 Fix XRecordRegisterClients() Integer underflow CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <[email protected]> (cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050) - - - - - afb77415 by Matt Turner at 2020-08-25T08:23:42-07:00 xserver 1.20.9 Signed-off-by: Matt Turner <[email protected]> - - - - - 0b3589a9 by Timo Aaltonen at 2020-08-31T13:30:13+03:00 Merge branch 'upstream-unstable' into debian-unstable - - - - - 395843be by Timo Aaltonen at 2020-08-31T13:31:34+03:00 bump the version - - - - - 22e8ea91 by Timo Aaltonen at 2020-08-31T13:47:10+03:00 fix-pci-probing-segfault.diff: Fix a regression in 1.20.9 when probing the GPU. - - - - - 561a6ff3 by Timo Aaltonen at 2020-08-31T13:50:02+03:00 revert-hw-xfree86-avoid-cursor-use-after-free.diff: Revert a commit which is causing server crashes. - - - - - 30 changed files: - Xi/xichangehierarchy.c - config/udev.c - configure.ac - debian/changelog - + debian/patches/fix-pci-probing-segfault.diff - + debian/patches/revert-hw-xfree86-avoid-cursor-use-after-free.diff - debian/patches/series - dix/events.c - dix/pixmap.c - doc/dtrace/Xserver-DTrace.xml - hw/dmx/man/Xdmx.man - hw/xfree86/ddc/edid.h - hw/xfree86/ddc/interpret_edid.c - hw/xfree86/ddc/xf86DDC.h - hw/xfree86/drivers/modesetting/dri2.c - hw/xfree86/drivers/modesetting/driver.c - hw/xfree86/drivers/modesetting/driver.h - hw/xfree86/drivers/modesetting/drmmode_display.c - hw/xfree86/drivers/modesetting/drmmode_display.h - hw/xfree86/drivers/modesetting/present.c - hw/xfree86/man/Xorg.man - hw/xfree86/man/xorg.conf.man - hw/xfree86/modes/xf86Crtc.c - hw/xfree86/os-support/linux/lnx_platform.c - hw/xfree86/ramdac/xf86CursorRD.c - hw/xquartz/man/Xquartz.man - hw/xwayland/xwayland-glamor-gbm.c - hw/xwayland/xwayland-input.c - hw/xwayland/xwayland-output.c - hw/xwayland/xwayland-present.c The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/6ff26b8d4a9492ad4b1edf2577b16911a860440c...561a6ff3c99c64d699edeaecfceeaa184fc1b05e -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/6ff26b8d4a9492ad4b1edf2577b16911a860440c...561a6ff3c99c64d699edeaecfceeaa184fc1b05e You're receiving this email because of your account on salsa.debian.org.
