Timo Aaltonen pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits:

574fe59e by Mario Kleiner at 2021-10-26T21:39:04+02:00
Fix RandR leasing for more than 1 simultaneously active lease.

Due to a switched order of parameters in the xorg_list_add() call inside ProcRRCreateLease(), adding a new lease for RandR output leasing does not actually add the new RRLeasePtr lease record to the list of existing leases for an X-Screen, but instead replaces the existing list with a new list that has the new lease as the only element, and probably leaks a bit of memory.

Therefore the server "forgets" all active leases for a screen, except for the last added lease. If multiple leases are created in a session, then destruction of all leases but the last one will fail in many cases, e.g., during server shutdown in RRCloseScreen(), or resource destruction, e.g., in RRCrtcDestroyResource().

Most importantly, it fails if a client simply close(fd)'es the DRM master descriptor to release a lease, quits, gets killed or crashes. In this case the kernel will destroy the lease and shut down the display output, then send a lease event via udev to the ddx, which e.g., in the modesetting-ddx will trigger a call to drmmode_validate_leases().

That function is supposed to detect the released lease and tell the server to terminate the lease on the server side as well, via xf86CrtcLeaseTerminated(), but this doesn't happen for all the leases the server has forgotten. The end result is a dead video output, as the server won't reinitialize the crtc's corresponding to the terminated but forgotten lease.

This bug was observed when using the amdvlk AMD OSS Vulkan driver and trying to lease multiple VKDisplay's, and also under Mesa radv, as both Mesa Vulkan/WSI/Display and amdvlk terminate leases by simply close()ing the lease fd, not by sending explicit RandR protocol requests to free leases.

Leasing worked, but ending a session with multiple active leases ended in a lot of unpleasant darkness.

Fixing the wrong argument order to xorg_list_add() fixes the problem.

Tested on single-X-Screen and dual-X-Screen setups, with one, two or three active leases.

Please merge this for the upcoming server 21.1 branch. Merging into server 1.20 would also make a lot of sense.

Fixes: e4e3447603b5fd3a38a92c3f972396d1f81168ad
Signed-off-by: Mario Kleiner <[email protected]>
Reviewed-by: Keith Packard <[email protected]>
(cherry picked from commit f467f85ca1f780d5c7cf3c20888e399708d761ac)

- - - - -

5ff3310b by Mario Kleiner at 2021-10-26T21:40:45+02:00
modesetting: Allow Present flips with mismatched stride on atomic drivers.

When using DRI3+Present with PRIME render offload, sometimes there is a mismatch between the stride of the to-be-presented Pixmap and the frontbuffer. The current code would reject a pageflip present in this case if atomic modesetting is not enabled, i.e. always, as atomic modesetting is disabled by default due to brokenness in the current modesetting-ddx.

Fullscreen presents without page flipping however trigger the copy path as fallback, which causes not only unreliable presentation timing and degraded performance, but also massive tearing artifacts due to rendering to the framebuffer without any hardware sync to vblank. Tearing is extra awful on modesetting-ddx because glamor afaics seems to use drawing of a textured triangle strip for the copy implementation, not a dedicated blitter engine. The rasterization pattern creates extra awful tearing artifacts.

We can do better: According to a tip from Michel Daenzer (thanks!), at least atomic modesetting capable kms drivers should be able to reliably change scanout stride during a pageflip, even if atomic modesetting is not actually enabled for the modesetting client.

This commit adds detection logic to find out if the underlying kms driver is atomic_modeset_capable, and if so, it no longer rejects page flip presents on mismatched stride between new Pixmap and frontbuffer.

We (ab)use a call to drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 0); for this purpose. The call itself has no practical effect, as it requests disabling atomic mode, although atomic mode is disabled by default. However, the return value of drmSetClientCap() tells us if the underlying kms driver is atomic modesetting capable: An atomic driver will return 0 for success. A legacy non-atomic driver will return a non-zero error code, either -EINVAL for early atomic Linux versions 4.0 - 4.19 (or for non-atomic Linux 3.x and earlier), or -EOPNOTSUPP for Linux 4.20 and later.

Testing on a MacBookPro 2017 with Intel Kabylake display server gpu + AMD Polaris11 as prime renderoffload gpu, X-Server master + Mesa 21.0.3 shows improvement from unbearable tearing to perfect, despite a stride mismatch between display gpu and Pixmap of 11776 Bytes vs. 11520 Bytes. That this is correct behaviour was also confirmed by comparing the behaviour and .check_flip implementation of the patched modesetting-ddx against the current intel-ddx SNA Present implementation.

Please consider merging this patch before the server-1.21 branch point.

This patch could also be cherry-picked into the server 1.20 branch to fix the same limitation.

Signed-off-by: Mario Kleiner <[email protected]>
(cherry picked from commit 8f8ebf870b55c9875b7cfd8ef69c1df02d589b4a)

- - - - -

acc50e60 by Povilas Kanapickas at 2021-12-15T18:43:01+00:00
record: Fix out of bounds access in SwapCreateRegister()

ZDI-CAN-14952, CVE-2021-4011

This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <[email protected]>
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)

- - - - -

6bb8aeb3 by Povilas Kanapickas at 2021-12-15T18:43:01+00:00
xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

ZDI-CAN-14950, CVE-2021-4009

This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <[email protected]>
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)

- - - - -

67425fca by Povilas Kanapickas at 2021-12-15T18:43:01+00:00
Xext: Fix out of bounds access in SProcScreenSaverSuspend()

ZDI-CAN-14951, CVE-2021-4010

This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <[email protected]>
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)

- - - - -

35b4681c by Povilas Kanapickas at 2021-12-15T18:43:01+00:00
render: Fix out of bounds access in SProcRenderCompositeGlyphs()

ZDI-CAN-14192, CVE-2021-4008

This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <[email protected]>
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)

- - - - -

97c5b777 by Matt Turner at 2021-12-15T18:43:01+00:00
xserver 1.20.14

Signed-off-by: Matt Turner <[email protected]>

- - - - -

5d6d5596 by Timo Aaltonen at 2022-01-11T16:01:27+02:00
Merge branch 'upstream-unstable' into debian-unstable

- - - - -

7664e628 by Timo Aaltonen at 2022-01-11T16:03:07+02:00
version bump

- - - - -

a3fe7f65 by Timo Aaltonen at 2022-01-11T16:26:18+02:00
release to sid

- - - - -

7 changed files:
- configure.ac
- debian/changelog
- hw/xfree86/drivers/modesetting/driver.c
- hw/xfree86/drivers/modesetting/driver.h
- hw/xfree86/drivers/modesetting/present.c
- meson.build
- randr/rrlease.c

Changes:

===================================== configure.ac =====================================
@@ -26,8 +26,8 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.20.13, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server) -RELEASE_DATE="2021-07-29" +AC_INIT([xorg-server], 1.20.14, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server) +RELEASE_DATE="2021-12-15" RELEASE_NAME="Lemon Pepper Chicken" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +xorg-server (2:1.20.14-1) unstable; urgency=medium + + * New upstream release. + + -- Timo Aaltonen <[email protected]> Tue, 11 Jan 2022 16:21:08 +0200 + xorg-server (2:1.20.13-3) unstable; urgency=high * Team upload. ===================================== hw/xfree86/drivers/modesetting/driver.c ===================================== @@ -1040,6 +1040,14 @@ PreInit(ScrnInfoPtr pScrn, int flags) #endif } + /* + * Use "atomic modesetting disable" request to detect if the kms driver is + * atomic capable, regardless if we will actually use atomic modesetting. + * This is effectively a no-op, we only care about the return status code. + */ + ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 0); + ms->atomic_modeset_capable = (ret == 0); + if (xf86ReturnOptValBool(ms->drmmode.Options, OPTION_ATOMIC, FALSE)) { ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1); ms->atomic_modeset = (ret == 0); ===================================== hw/xfree86/drivers/modesetting/driver.h ===================================== @@ -108,6 +108,7 @@ typedef struct _modesettingRec { * Page flipping stuff. * @{ */ + Bool atomic_modeset_capable; Bool atomic_modeset; Bool pending_modeset; /** @} */ ===================================== hw/xfree86/drivers/modesetting/present.c ===================================== 
@@ -252,8 +252,11 @@ ms_present_check_unflip(RRCrtcPtr crtc, if (num_crtcs_on == 0) return FALSE; - /* Check stride, can't change that on flip */ - if (!ms->atomic_modeset && + /* + * Check stride, can't change that reliably on flip on some drivers, unless + * the kms driver is atomic_modeset_capable. + */ + if (!ms->atomic_modeset_capable && pixmap->devKind != drmmode_bo_get_pitch(&ms->drmmode.front_bo)) return FALSE; ===================================== meson.build ===================================== @@ -3,7 +3,7 @@ project('xserver', 'c', 'buildtype=debugoptimized', 'c_std=gnu99', ], - version: '1.20.13', + version: '1.20.14', meson_version: '>= 0.42.0', ) add_project_arguments('-DHAVE_DIX_CONFIG_H', language: 'c') ===================================== randr/rrlease.c ===================================== @@ -295,7 +295,7 @@ ProcRRCreateLease(ClientPtr client) if (rc != Success) goto bail_lease; - xorg_list_add(&scr_priv->leases, &lease->list); + xorg_list_add(&lease->list, &scr_priv->leases); if (!AddResource(stuff->lid, RRLeaseType, lease)) { close(fd);
View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/40a2a9bdf9c731d1eb3ede7d896a2ea478b54598...a3fe7f659a7e7d52f40edc30a2f4131e368e9891
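Review bot: In the debian/changelog hunk, the new 2:1.20.14-1 entry says only "New upstream release." although the upstream commits in this push fix CVE-2021-4008, CVE-2021-4009, CVE-2021-4010 and CVE-2021-4011. Name the CVE ids in the entry, or state that an earlier upload already carried those fixes, so that a reader of the changelog can tell which package version closes them; if this is the first upload containing the fixes, urgency=medium deserves a second look as well.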
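Review bot: In the PreInit() hunk of driver.c, the probe result is stored silently and every non-zero return from drmSetClientCap() is treated as "not atomic capable". The commit message names the two expected errors (-EINVAL and -EOPNOTSUPP); putting them into the code comment and logging the detected capability once with xf86DrvMsg() would let a bug report distinguish a legacy driver from an unrelated ioctl failure. The comment should also say that the probe has to stay ahead of the OPTION_ATOMIC block, because the same call with value 0 issued after it would switch atomic mode back off.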
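Review bot: In the ms_present_check_unflip() hunk of present.c, the stride check is now skipped for every driver that accepts the atomic client cap, and the condition leaves no way to get the old behaviour back. The commit message rests this on atomic-capable kms drivers being expected to change scanout stride during a flip; if one does not, the user cannot fall back to the copy path. Consider gating the relaxed check behind a driver option that defaults to on, and word the new comment so it says the flip relies on that driver behaviour rather than "on some drivers".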
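Review bot: In the ProcRRCreateLease() hunk of rrlease.c, nothing at the call site records which argument is the new entry and which is the list head, and the swapped form was accepted by the compiler because both arguments are list pointers. A one-line comment above the call such as "entry first, list head second" would guard against the order being flipped again. The commit message describes manual testing with one, two or three leases; a regression test that creates two leases and checks that both are still in scr_priv->leases would catch a repeat.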
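The lease-list corruption described in the 574fe59e commit message above, reproduced on a minimal list as an added example (not code from the X server). `struct list`, `list_add()`, `struct lease` and `leases_tracked()` are hypothetical stand-ins; the list is assumed to follow the `xorg_list_add(entry, head)` convention, with each node self-initialised before it is linked.

```c
#include <stdio.h>

/* Minimal intrusive list; assumed semantics: list_add(entry, head) links
 * entry directly after head. This is a stand-in, not the server's header. */
struct list { struct list *next, *prev; };

static void list_init(struct list *l) { l->next = l->prev = l; }

static void list_add(struct list *entry, struct list *head)
{
    struct list *next = head->next;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
}

struct lease { int id; struct list list; };  /* hypothetical lease record */

/* Number of nodes that can still be reached by walking from the head. */
static int reachable(const struct list *head)
{
    int n = 0;
    for (const struct list *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

/* Create `count` leases (at most 8); swapped != 0 uses the pre-fix order. */
static int leases_tracked(int count, int swapped)
{
    struct list leases;
    struct lease pool[8];
    list_init(&leases);
    for (int i = 0; i < count && i < 8; i++) {
        pool[i].id = i;
        list_init(&pool[i].list);
        if (swapped)
            list_add(&leases, &pool[i].list);  /* head passed as the entry */
        else
            list_add(&pool[i].list, &leases);  /* entry first, then head */
    }
    return reachable(&leases);
}

int main(void)
{
    printf("swapped order: %d of 3 leases reachable\n", leases_tracked(3, 1));
    printf("fixed order:   %d of 3 leases reachable\n", leases_tracked(3, 0));
    return 0;
}
```

With the swapped order a single lease still works, which is why the defect only shows once a second lease is created.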

