Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../os/utils.c:1108:9:
warning[-Wanalyzer-possible-null-dereference]:
dereference of possibly-NULL ‘result’
xwayland-24.1.6/redhat-linux-build/../os/utils.c:1108:9:
danger: ‘malloc((long unsigned int)len + 18)’ could be NULL:
unchecked value from (3)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2163>
The Render extension operates on PictFormats rather than GC, so it
bypasses the rootless layer's GC-based alpha protection
(ROOTLESS_PROTECT_ALPHA). Depth-24 windows use PICT_x8r8g8b8 where
the 'x' tells pixman the high byte is padding it may freely zero.
The macOS compositor needs this byte to be 0xFF (opaque).
Before each Render operation that targets a rootless window,
temporarily upgrade the destination Picture's format from
PICT_x8r8g8b8 to PICT_a8r8g8b8. This tells pixman that the alpha
channel is significant and must not be optimized away. The format
is restored after the operation completes.
This parallels how ROOTLESS_PROTECT_ALPHA handles GC operations (by
masking alpha out of the planemask) and how ROOTLESS_SAFEALPHA
handles PaintWindow (by forcing alpha in solid fills). The
save/restore approach is analogous to rootlessGC.c's GC_SAVE /
GC_RESTORE pattern.
Fixes [2/2]: https://github.com/XQuartz/XQuartz/issues/31
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
The Render extension's Trapezoids and Triangles operations
(fbTrapezoids, fbTriangles) render directly via pixman through
fbShapes without going through ps->Composite, so RootlessComposite
never fires for these operations. This means RootlessStartDrawing
is not called and the macOS compositor is not notified of changed
pixels.
Add RootlessTrapezoids and RootlessTriangles wrappers following the
same pattern as RootlessComposite: call RootlessStartDrawing before
the operation, then compute the bounding box via miTrapezoidBounds or
miTriangleBounds and call RootlessDamageBox after. The default
miTriStrip and miTriFan implementations decompose their input into
triangles and dispatch through ps->Triangles, so the RootlessTriangles
wrapper covers TriStrip and TriFan as well.
Also add a RootlessCompositeRects wrapper as defense-in-depth. The
current miCompositeRects implementation already has partial rootless
coverage: PictOpSrc/PictOpClear go through the GC layer, and other
ops route through CompositePicture -> RootlessComposite. Wrapping at
the PictureScreen level ensures robustness regardless of the underlying
implementation.
Fixes [1/2]: https://github.com/XQuartz/XQuartz/issues/31
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Only generate audit events for messages of the type avc (permission
denied) and error (e.g. invalid context).
For example avoid USER_SELINUX_ERR for policy load events:
audit[980]: USER_SELINUX_ERR pid=980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: op=load_policy lsm=selinux seqno=8 res=1 exe="/usr/lib/xorg/Xorg" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/801>
Re-map the SELinux security classes on policy loads, as the mapping will
be desynchronized (see man:selinux_set_mapping(3)) and audit messages
will not show the actual class and permission names:
USER_AVC pid=24283 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: denied { 0x10 } for request=XFIXES:SelectSelectionInput comm=/usr/bin/python3 resid=6400001 restype=WINDOW scontext=xuser_u:xuser_r:systemd_user_instance_generic_bin_t:s0 tcontext=xuser_u:object_r:xorg_t:s0 tclass=(null) permissive=1
In addition use type-safe assignments.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/801>
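An added example, not code from the xserver tree: a small triage filter for the two audit records quoted in the two commit messages above. It flags a successful policy load logged as USER_SELINUX_ERR, and a USER_AVC denial whose class or permission was left unnamed. The names `finding`, `classify` and `has_hex_perm` are hypothetical, and the third sample record is constructed.

```c
#include <stdio.h>
#include <string.h>

enum finding { F_NONE, F_POLICYLOAD_AS_ERROR, F_UNMAPPED_CLASS_PERM };

/* Records 0 and 1 are the lines quoted in the commit messages above;
 * record 2 is constructed to show a denial with names resolved. */
static const char *const samples[] = {
    "audit[980]: USER_SELINUX_ERR pid=980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: op=load_policy lsm=selinux seqno=8 res=1 exe=\"/usr/lib/xorg/Xorg\" sauid=0 hostname=? addr=? terminal=?'",
    "USER_AVC pid=24283 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: denied { 0x10 } for request=XFIXES:SelectSelectionInput comm=/usr/bin/python3 resid=6400001 restype=WINDOW scontext=xuser_u:xuser_r:systemd_user_instance_generic_bin_t:s0 tcontext=xuser_u:object_r:xorg_t:s0 tclass=(null) permissive=1",
    "USER_AVC pid=1000 uid=0 subj=system_u:system_r:xorg_t:s0 msg='avc: denied { read } for request=X11:GetProperty comm=/usr/bin/xterm restype=WINDOW scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=xuser_u:object_r:xorg_t:s0 tclass=x_drawable permissive=0'",
};

/* True if the "{ ... }" permission list holds a raw hex bitmask. */
static int has_hex_perm(const char *line)
{
    const char *p = strchr(line, '{');
    const char *end = p ? strchr(p, '}') : NULL;

    for (; end && p + 2 < end; p++)
        if (p[0] == ' ' && p[1] == '0' && p[2] == 'x')
            return 1;
    return 0;
}

enum finding classify(const char *line)
{
    /* A successful policy load logged with the error record type. */
    if (strstr(line, "USER_SELINUX_ERR") && strstr(line, "op=load_policy") &&
        strstr(line, " res=1"))
        return F_POLICYLOAD_AS_ERROR;
    /* A denial whose class or permission could not be named. */
    if (strstr(line, "USER_AVC") &&
        (strstr(line, "tclass=(null)") || has_hex_perm(line)))
        return F_UNMAPPED_CLASS_PERM;
    return F_NONE;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("record %zu -> finding %d\n", i, classify(samples[i]));
    return 0;
}
```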
Apparently the enum values cannot be checked during the preprocessor phase.
Fix it by checking the gbm version using meson and defining additional
symbols which are visible during compile time.
Signed-off-by: Tautvis <gtautvis@gmail.com>
The version requirement was increased twice for Xwayland:
5a742ab876588464332d
If we eventually add explicit sync support, we can increase the requirement again,
or add `ifdef`s so we allow building with older libdrm
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Fixes: 1530c7de53 (use-after-free)
The reason I moved this to PostCloseScreen is that glamor provides the function `glamor_egl_get_gbm_device`.
This function returns the gbm device that glamor creates.
Drivers (notably modesetting) can then use this gbm device to create bo's for whatever they need.
Since glamor's gbm device remains owned by glamor, it must only get freed
after the driver finishes freeing the bo's it created.
As such, glamor_egl's `closeScreen` must be called after the driver's `closeScreen`,
because otherwise, if we free the gbm device before freeing the bo's,
then when the bo's are freed, we will have a use-after-free.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
We want drivers' close screen hooks to be called before glamor's close screen
hook, because they may have gbm bo's created with glamor's gbm device.
If we free the gbm device before the driver frees all gbm bo's, then the
drivers could have a use-after-free when freeing the bo's.
This fixes a memory leak, since before this change, we were just
leaking everything glamor mapped to a screen, not freeing EGLImages,
gbm devices, etc.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
If there is not even one (format, modifier) pair,
then dri/dmabuf-based glamor egl cannot function.
This allows drivers, notably modesetting, to detect early that
glamor cannot be used, and fall back to something else.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
This change replaces the default "/dev/dri/card0" by a loop which
searches for the first compatible device.
This change avoids the error below which happens on some ARM boards:
(EE) No devices detected.
(EE)
Fatal server error:
(EE) no screens found(EE)
(EE)
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1496>
----------------------------------------------------------------------------
modesetting: Plug seatd support into the dynamic dri node detection
Extended dynamic detection to 32 /dev nodes
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
This version of the spec (latest as of 27.12.2021) adds a variable
`$XDG_STATE_HOME` that may be used for log files, as described:
```
...
$XDG_STATE_HOME defines the base directory relative to which user-specific
state files should be stored. If $XDG_STATE_HOME is either not set or
empty, a default equal to $HOME/.local/state should be used.
The $XDG_STATE_HOME contains state data that should persist between
(application) restarts, but that is not important or portable enough to
the user that it should be stored in $XDG_DATA_HOME. It may contain:
actions history (logs, history, recently used files, …)
...
```
- https://specifications.freedesktop.org/basedir/0.8/
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/836>
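An added example, not code from the xserver tree: one way to resolve a log path under $XDG_STATE_HOME following the spec text quoted above. The function names and the sample file name are hypothetical. Beyond the quoted excerpt, it applies the spec's rule that a relative path in these variables is invalid and should be ignored.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve the user state directory as the quoted spec text describes.
 * Returns 0 and fills `out`, or -1 if no usable base directory exists
 * or the result does not fit in `out`. */
int xdg_state_dir(const char *xdg_state_home, const char *home,
                  char *out, size_t outlen)
{
    int n;
    /* Unset or empty falls through to the default. A relative value is
     * treated the same way: the spec says such paths are invalid and
     * should be ignored. */
    if (xdg_state_home && xdg_state_home[0] == '/') {
        n = snprintf(out, outlen, "%s", xdg_state_home);
    } else {
        if (!home || home[0] != '/')
            return -1;
        n = snprintf(out, outlen, "%s/.local/state", home);
    }
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

/* Hypothetical helper: build "<state dir>/<name>" for a log file.
 * `name` must be a single path component so it cannot leave the dir. */
int xdg_state_log_path(const char *xdg_state_home, const char *home,
                       const char *name, char *out, size_t outlen)
{
    char dir[1024];
    int n;

    if (!name || !*name || strchr(name, '/') ||
        !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    if (xdg_state_dir(xdg_state_home, home, dir, sizeof dir) != 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[2048]; /* "Xorg.0.log" below is a constructed sample name */
    if (xdg_state_log_path(getenv("XDG_STATE_HOME"), getenv("HOME"),
                           "Xorg.0.log", path, sizeof path) == 0)
        puts(path);
    return 0;
}
```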
It will take some time for a new libpciaccess to be released and
even then bumping the dependency for libpciaccess isn't attractive.
If an older libpciaccess is used just add a static inline define.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2038>
Present calls drmmode_set_mode_major() as part of ms_present_unflip(),
which leads to a crash due to the recursive attempt to force present to
unflip when it already is.
Fix it by simply skipping the forced present unflip when present itself is
unflipping. This also speeds up drmmode_prepare_modeset() when present
isn't even flipping to begin with.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1791
Fixes: 899c87af1f ("modesetting: unflip before any setcrtc() calls")
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1793>
With this, X servers don't have to parse this option separately,
and can just use it after including dix-config.h
Linux kdrive servers (currently Xfbdev only) now support logging.
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
In the `doListFontsAndAliases` function in dixfonts.c, when a font alias
is encountered (`err == FontNameAlias`) as a result of the
`list_next_font_or_alias` call, the code allocates memory for the
`resolved` variable (`resolvedlen + 1` bytes) for storing the target font
name. In this case, if the `malloc(resolvedlen + 1)` call fails,
`resolved` remains NULL.
Later, when the check (`else if (err == FontNameAlias)`) is TRUE, the code
uses `memcpy` to copy the nullable `resolved` into `tmp_pattern` without
checking if `resolved` is NULL, so there is a potential null ptr
dereference.
This commit replaces `malloc` with `XNFalloc` for allocating memory for
`resolved`. `XNFalloc` will internally check the result of `malloc` and stop
program execution if the allocation failed, preventing potential NULL
dereferencing.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2114>
Free nested allocations when initialization fails.
Several code paths returned early on error without releasing
memory owned by embedded structures, leading to leaks.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2125>
The license notice comes from these files:
- dix/registry.c
- Xext/xselinuxint.h
- Xext/xselinux_label.c
- Xext/xselinux_hooks.c
- Xext/xselinux_ext.c
- Xext/xselinux.h
- Xext/xacestr.h
- Xext/xace.h
- Xext/xace.c
While this is not like the standard `Copyright (C)` lines, I think it
still belongs to the license, even if just to make it more clearly
separate from the MIT license above.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2098>
This is needed by radeonsi to support multi plane modifier when
using modesetting DDX.
xserver rejects any multi plane buffer (in DRI3PixmapFromBuffers)
without the dmabuf_capable debug option. It's OK for a single plane
buffer as xserver will fall back to the DRI3BufferFromPixmap path.
amdgpu DDX does not expose DRI3PixmapFromBuffers, mesa just uses
the single plane path anyway, so amdgpu DDX does not have this
problem.
Reviewed-by: Sultan Alsawaf <sultan@kerneltoast.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2091>