Commit Graph

21971 Commits

Author SHA1 Message Date
stefan11111
32f0c01c14 loader: Tell users to give the modesetting DDX a try
if they are using the proprietary nvidia DDX

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-05 17:47:45 +01:00
stefan11111
c7fa008f68 loader: Print instructions about using old nvidia proprietary ddx drivers
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-05 17:47:45 +01:00
Enrico Weigelt, metux IT consult
03dcb626fe dix: UngrabServer(): clear grabClient pointer
When ungrabbing, clear the grab pointer, so no stale data left
in here.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-05 17:16:42 +01:00
Enrico Weigelt, metux IT consult
21db844ea1 dix: MakeRootTile(): constify from field
It's assigned a const char* value and not writing into it,
so it should be const, too (compiler correctly warning about that)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-05 12:16:06 +01:00
Enrico Weigelt, metux IT consult
624ec5d226 os: utils: unexport PanoramiXExtensionDisabledHack
This variable is only used in os layer and PanoramiX, nowhere else,
and shouldn't be visible to drivers at all.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-04 15:09:45 +01:00
stefan11111
6073de4461 glamor: fix Option "GlxVendorLibrary"
The old code tried to use a screen pointer that was uninitialized and set to NULL.
This caused it to segfault when this option was set.

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-04 15:08:28 +01:00
Tautvis
16a1be1939 modesetting: call xf86_cursors_fini during CloseScreen
Add matching call for xf86_cursors_init to clean memory, as during
initialization it allocates memory (depends, but is something like ~256Kb)
and it leaks when XServer resets.

Signed-off-by: Tautvis <gtautvis@gmail.com>
2025-11-04 12:12:58 +01:00
Enrico Weigelt, metux IT consult
92e6c75bfc include: globals: add missing includes
Headers should always be self-consistent, thus including anything they need.
Not relying on those already included before by somebody else.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-04 11:25:20 +01:00
stefan11111
0e851b9710 xfree86/loader: Apply unloadsubmodule gentoo patch
See: https://github.com/gentoo/gentoo/blob/master/x11-base/xorg-server/files/xorg-server-1.12-unloadsubmodule.patch
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686152#14

Verbatim copy of https://github.com/X11Libre/xserver/issues/319#issuecomment-3033729517 ,which gives more context for this patch:

I took a closer look at that patch.
It is logically equivalent to:
```
diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index 2cdf91fd2..49785fdc8 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -885,6 +885,7 @@ RemoveChild(ModuleDescPtr child)
     parent = child->parent;
     if (parent->child == child) {
         parent->child = child->sib;
+        child->sib = NULL;
         return;
     }
```
RemoveChild is a static function that is only called in UnloadSubModule:
```
void
UnloadSubModule(ModuleDescPtr mod)
{
    /* Some drivers are calling us on built-in submodules, ignore them */
    if (mod == (ModuleDescPtr) 1)
        return;
    RemoveChild(mod);
    UnloadModule(mod);
}
```
Whether or not child->sib is NULL tells UnloadModule if it should recursively unload child->sib or not:
```
    if (mod->child)
        UnloadModule(mod->child);
    if (mod->sib)
        UnloadModule(mod->sib);
    free(mod);
```
Looking at the source, the module loader uses some weird kind of tree-like structure,
where every node has at most one child and one sibling (but then, if foo has child bar, and bar has sibling baz, shouldn't baz also be foo's child?).
```
typedef struct module_desc {
    struct module_desc *child;
    struct module_desc *sib;
    struct module_desc *parent;
    void *handle;
    ModuleSetupProc SetupProc;
    ModuleTearDownProc TearDownProc;
    void *TearDownData;         /* returned from SetupProc */
    const XF86ModuleVersionInfo *VersionInfo;
} ModuleDesc, *ModuleDescPtr;
```

All in all, this patch makes UnloadSubModule to never unload the sibling of the unloaded module, whereas
as it is now, UnloadSubModule would also unload the module's sibling if `child->parent == child->parent->child`
(master child?).

I don't see how this patch changed the behavior on ia64, or any other arch.

@metux Could you tell me what kind of data structure this is, and whether or not this patch is right?

Fixes: https://github.com/X11Libre/xserver/issues/319

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-04 10:53:42 +01:00
clhin
7468cd4ee0 dispatch.c: const correctness 2025-11-04 10:48:52 +01:00
clhin
b47576420f window.c: const correctness 2025-11-04 10:48:52 +01:00
Enrico Weigelt, metux IT consult
a18480ef84 Xi: drop redundant SProcIDispatch()
Now that all individual swapping request handlers have been merged into the
actual ones, there's no need for a separate dispatcher anymore.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-04 10:45:04 +01:00
stefan11111
09d35f1e0d glamor: use GBM_BO_USE_RENDERING for importing gbm bo's
Inspired by 421ce458f1

Glamor should use GBM_BO_USE_RENDERING, since they are image buffers.
This change is mostly cosmetic, as mesa doesn't do anything with
this flag, other than a sanity check.
See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/14130

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-03 17:25:52 +01:00
Enrico Weigelt, metux IT consult
cf105bc990 dix/Xinerama: untwist X_AllocColor request handling
Instead of internally faking requests, factor out the actual logic
into separate function, which is getting everything it needs as
parameters, so no need to fiddle with request buffer anymore.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-03 17:24:24 +01:00
Enrico Weigelt, metux IT consult
9b2d3ba167 render: consolidate byte-swapping in ProcRenderCreateConicalGradient()
No need for extra functions and call tables for the few trivial lines.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-11-03 17:24:07 +01:00
kohnish
05524df68b Build without XINERAMA failing 2025-11-03 17:23:50 +01:00
stefan11111
585810fb13 modesetting: Handle bo allocation failure
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-11-03 17:15:14 +01:00
Enrico Weigelt, metux IT consult
4c4fb5f5f1 render: consolidate byte-swapping in ProcRenderCreateRadialGradient()
No need for extra functions and call tables for the few trivial lines.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-31 13:06:31 +01:00
Enrico Weigelt, metux IT consult
45aa28d4d2 dix: inline SProcChangeProperty()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-31 13:06:11 +01:00
stefan11111
cf4b49ac84 modesetting: Create the largest possible cursor image buffer.
Since https://github.com/X11Libre/xserver/pull/1234 landed,
the user has a way to set the hw cursor size to the size they want.

The fallback probe works around driver bugs by probing very late,
so it initializes the cursor image buffer with the largest size the driver supports.

With this change, the SIZE_HINTS probe will also initialize
the cursor image buffer with the largest size it finds,
which is what @notbabaisyou 's code originally did.

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-30 12:34:52 +01:00
stefan11111
7f7462cb14 CI: build xf86-input-{keyboard,mouse} in CI
These drivers build on linux, so we should test them.

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-30 09:51:20 +01:00
Enrico Weigelt, metux IT consult
6057540a6c render: consolidate byte-swapping in ProcRenderCreateLinearGradient()
No need for extra functions and call tables for the few trivial lines.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-30 09:44:56 +01:00
Enrico Weigelt, metux IT consult
d7eac08a22 Xi: inline SProcXISelectEvents() and SProcXIGetSelectedEvents()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-30 09:44:41 +01:00
Enrico Weigelt, metux IT consult
0fbb681fce treewide: use helper dixGetScreenPtr() for retrieving ScreenPtr's
Instead of directly accessing the global screenInfo.screens[] array,
let everybody go through a little inline helper. This one also checks
for array bounds - if the screen doesn't exist, return NULL.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-30 09:44:24 +01:00
stefan11111
d2fcf85214 ramdac: Don't read/write oob if the cursor size is not aligned to the mask interleave
This doesn't mean the unaligned cursor sizes are recommended now,
just that they will no longer segfault.

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-29 13:17:40 +01:00
Enrico Weigelt, metux IT consult
e23f70624f dix: privates: update docs on dixRegisterPrivateKey()
a) move to doxygen-style docs, inside the header instead of code
b) mention that the function can be called many times with the
   same parameters (already registered keys are silently tolerated)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 11:45:04 +01:00
Tautvis
a581ba5964 dix: dixFreeScreen call hookPostCreateResources too
Call DeleteCallbackList(&pScreen->hookPostCreateResources) during
dixFreeScreen, because otherwise it will be heap-use-after-free during
DeleteCallbackManager call.

Signed-off-by: Tautvis <gtautvis@gmail.com>
2025-10-29 11:41:26 +01:00
stefan11111
5b8ab55702 shm: Don't mark the globally-initialized privates as uninitialized in a CloseScreen hook.
No need to mark anything, because duplicate dixRegisterPrivateKey() calls with same parameters are perfectly valid.
See: https://github.com/X11Libre/xserver/pull/1300

Fixes: https://github.com/X11Libre/xserver/commit/d220a0a9f0473c15d5001f4730613b482eb0e39

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-29 11:23:33 +01:00
Enrico Weigelt, metux IT consult
04d4986004 dix: split ProcCreateWindow() into upper and lower half
In order to reduce complexity of wrapped core request handlers with PanoramiX,
split the ProcCreateWindow() function into two pieces: the upper half is the
usual (non-PanoramiX) handler, while the lower one is what's called by both
the usual handler, as well as the PanoramiX' one.

We're already passing in the request parameters as separate pointers, so
follow-up commits can easily change PanoramiX handler to not tweaking the
request buffer directly anymore. Another one is letting PanoramiXCreateWindow()
be called by ProcCreateWindow explicitly (when enabled), so we don't need to
wrap the core request proc vector anymore. Once that's done, the swapping can
also be moved into ProcCreateWindow().

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 11:03:19 +01:00
Enrico Weigelt, metux IT consult
0d4e48188a render: consolidate byte-swapping in ProcRenderCreateSolidFill()
No need for extra functions and call tables for the few trivial lines.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:59:12 +01:00
Enrico Weigelt, metux IT consult
f1c6f79819 xkb: inline remaining byte-swapping
The final one, SProcXkbSelectEvents(), is a bit more complex. Just moving
this into ProcXkbSelectEvents() for now, so we can drop also the swapped
dispatcher. There's still a lot of room for simplications, but leaving
this for follow-up work.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:58:37 +01:00
Enrico Weigelt, metux IT consult
8d46c06965 Xi: inline SProcXIQueryPointer()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:57:52 +01:00
Enrico Weigelt, metux IT consult
e125d9badb Xi: inline SProcXIWarpPointer()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:56:57 +01:00
Enrico Weigelt, metux IT consult
48123076f9 dix: inline SProcDeleteProperty()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:56:22 +01:00
Enrico Weigelt, metux IT consult
8f42a071b7 dix: inline SProcSetSelectionOwner()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-29 10:34:28 +01:00
Olivier Fourdan
99f32a2339 xkb: Prevent overflow in XkbSetCompatMap()
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.

However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.

To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.

CVE-2025-62231, ZDI-CAN-27560

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
2025-10-28 19:36:27 +01:00
Olivier Fourdan
f74d828668 xkb: Free the XKB resource when freeing XkbInterest
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.

As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:

 | Invalid read of size 8
 |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
 |   by 0x5B3391: XkbClientGone (xkb.c:7094)
 |   by 0x4DF138: doFreeResource (resource.c:890)
 |   by 0x4DFB50: FreeClientResources (resource.c:1156)
 |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
 |   by 0x5E0A53: ClientReady (connection.c:601)
 |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
 |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
 |   by 0x4A1BA5: Dispatch (dispatch.c:491)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
 |   at 0x4842E43: free (vg_replace_malloc.c:989)
 |   by 0x49C1A6: CloseDevice (devices.c:1067)
 |   by 0x49C522: CloseOneDevice (devices.c:1193)
 |   by 0x49C6E4: RemoveDevice (devices.c:1244)
 |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
 |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)
 | Block was alloc'd at
 |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
 |   by 0x49A118: AddInputDevice (devices.c:262)
 |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
 |   by 0x5866EE: add_master (xichangehierarchy.c:153)
 |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
 |   by 0x579BF1: ProcIDispatch (extinit.c:390)
 |   by 0x4A1D85: Dispatch (dispatch.c:551)
 |   by 0x4B0070: dix_main (main.c:277)
 |   by 0x4285E7: main (stubmain.c:34)

To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
2025-10-28 19:36:27 +01:00
Olivier Fourdan
d7344f366a xkb: Make the RT_XKBCLIENT resource private
Currently, the resource in only available to the xkb.c source file.

In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.

This is related to:

CVE-2025-62230, ZDI-CAN-27545

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
2025-10-28 19:36:27 +01:00
Olivier Fourdan
a073975fa3 present: Fix use-after-free in present_create_notifies()
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.

However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.

When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.

As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:

 |  Invalid write of size 8
 |     at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
 |     by 0x534A56: present_destroy_window (present_screen.c:107)
 |     by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
 |     by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
 |     by 0x51EAC4: damageDestroyWindow (damage.c:1592)
 |     by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
 |     by 0x4EAC55: FreeWindowResources (window.c:1023)
 |     by 0x4EAF59: DeleteWindow (window.c:1091)
 |     by 0x4DE59A: doFreeResource (resource.c:890)
 |     by 0x4DEFB2: FreeClientResources (resource.c:1156)
 |     by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
 |     by 0x5DCC78: ClientReady (connection.c:603)
 |   Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
 |     at 0x4841E43: free (vg_replace_malloc.c:989)
 |     by 0x5363DD: present_destroy_notifies (present_notify.c:111)
 |     by 0x53638D: present_create_notifies (present_notify.c:100)
 |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
 |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
 |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
 |     by 0x4A1E4E: Dispatch (dispatch.c:561)
 |     by 0x4B00F1: dix_main (main.c:284)
 |     by 0x42879D: main (stubmain.c:34)
 |   Block was alloc'd at
 |     at 0x48463F3: calloc (vg_replace_malloc.c:1675)
 |     by 0x5362A1: present_create_notifies (present_notify.c:81)
 |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
 |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
 |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
 |     by 0x4A1E4E: Dispatch (dispatch.c:561)
 |     by 0x4B00F1: dix_main (main.c:284)
 |     by 0x42879D: main (stubmain.c:34)

To fix the issue, count and remove the actual number of notify elements
added in case of error.

CVE-2025-62229, ZDI-CAN-27238

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
2025-10-28 19:36:27 +01:00
Enrico Weigelt, metux IT consult
bf8c7d27fe xfree86: compat: re-add GEInitEvent() for proprietary nvidia driver
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons. NVidia really needs a separate function
for just for some trivial struct initialization and don't manage to
add three simple lines to their code, so we have to make an extra
function for them.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-28 16:26:44 +01:00
Enrico Weigelt, metux IT consult
7ef8400df5 xfree86: compat: re-add TimeCheck() for proprietary nvidia driver
Yet another very internal function that the proprietary Nvidia driver
is using for unknown reasons.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-28 16:26:44 +01:00
Enrico Weigelt, metux IT consult
7f74632448 dix: rename DevScreenPrivateKey to DevScreenPrivateKeyPtr
Be a bit more consistent in naming. We call all our pointer-to-struct
types <xyz>Ptr.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-28 15:40:42 +01:00
stefan11111
011d7bfac3 modesetting: handle some allocation failures
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-27 15:16:12 +01:00
stefan11111
d220a0a9f0 shm: Fix segfault when the last X client closes
Fixes: https://github.com/X11Libre/xserver/pull/1236

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
2025-10-27 09:27:52 +01:00
Enrico Weigelt, metux IT consult
8051613229 Xi: inline SProcXIQueryVersion()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:59:05 +01:00
Enrico Weigelt, metux IT consult
7d9fb7b4a0 Xi: inline SProcXIPassiveGrabDevice() and SProcXIPassiveUngrabDevice()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:58:17 +01:00
Enrico Weigelt, metux IT consult
7a0efe7da5 xv: use embedded private instead of pointer
The private struct is pretty small and it needs to be allocated anyways,
so save an extra allocation by directly embedding it.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:57:49 +01:00
Enrico Weigelt, metux IT consult
1119ccc9be render: consolidate byte-swapping in ProcRenderAddTraps()
No need for extra functions and call tables for the few trivial lines.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:57:30 +01:00
Enrico Weigelt, metux IT consult
c971a9d641 xkb: inline SProcXkbGetKbdByName()
No need to have whole extra functions for just a few LoC.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:57:12 +01:00
Enrico Weigelt, metux IT consult
25818f04c3 Xi: inline SProcXIGetClientPointer() and SProcXISetClientPointer()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-10-26 13:56:58 +01:00