[Git][xorg-team/xserver/xorg-server][upstream-unstable] 7 commits: Fix RandR leasing for more than 1 simultaneously active lease.

["Timo Aaltonen (@tjaalton)" <tjaalton@debian.org>]

Title: GitLab

Timo Aaltonen pushed to branch upstream-unstable at X Strike Force / xserver / xorg-server

Commits:

• 574fe59e
  by Mario Kleiner at 2021-10-26T21:39:04+02:00

  Fix RandR leasing for more than 1 simultaneously active lease.
  
  Due to a switched order of parameters in the xorg_list_add()
  call inside ProcRRCreateLease(), adding a new lease for RandR
  output leasing does not actually add the new RRLeasePtr lease
  record to the list of existing leases for a X-Screen, but instead
  replaces the existing list with a new list that has the new lease
  as the only element, and probably leaks a bit of memory.
  
  Therefore the server "forgets" all active leases for a screen,
  except for the last added lease. If multiple leases are created
  in a session, then destruction of all leases but the last one
  will fail in many cases, e.g., during server shutdown in
  RRCloseScreen(), or resource destruction, e.g., in
  RRCrtcDestroyResource().
  
  Most importantly, it fails if a client simply close(fd)'es the
  DRM master descriptor to release a lease, quits, gets killed or
  crashes. In this case the kernel will destroy the lease and shut
  down the display output, then send a lease event via udev to the
  ddx, which e.g., in the modesetting-ddx will trigger a call to
  drmmode_validate_leases().
  
  That function is supposed to detect the released lease and tell
  the server to terminate the lease on the server side as well,
  via xf86CrtcLeaseTerminated(), but this doesn't happen for all
  the leases the server has forgotten. The end result is a dead
  video output, as the server won't reinitialize the crtc's
  corresponding to the terminated but forgotten lease.
  
  This bug was observed when using the amdvlk AMD OSS Vulkan
  driver and trying to lease multiple VKDisplay's, and also
  under Mesa radv, as both Mesa Vulkan/WSI/Display and amdvlk
  terminate leases by simply close()ing the lease fd, not by
  sending explicit RandR protocol requests to free leases.
  
  Leasing worked, but ending a session with multiple active
  leases ended in a lot of unpleasant darkness.
  
  Fixing the wrong argument order to xorg_list_add() fixes the
  problem. Tested on single-X-Screen and dual-X-Screen setups,
  with one, two or three active leases.
  
  Please merge this for the upcoming server 21.1 branch.
  Merging into server 1.20 would also make a lot of sense.
  
  Fixes: e4e3447603b5fd3a38a92c3f972396d1f81168ad
  Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
  Reviewed-by: Keith Packard <keithp@keithp.com>
  (cherry picked from commit f467f85ca1f780d5c7cf3c20888e399708d761ac)
  

• 5ff3310b
  by Mario Kleiner at 2021-10-26T21:40:45+02:00

  modesetting: Allow Present flips with mismatched stride on atomic drivers.
  
  When using DRI3+Present with PRIME render offload, sometimes there is
  a mismatch between the stride of the to-be-presented Pixmap and the
  frontbuffer. The current code would reject a pageflip present in this
  case if atomic modesetting is not enabled, ie. always, as atomic
  modesetting is disabled by default due to brokeness in the current
  modesetting-ddx.
  
  Fullscreen presents without page flipping however trigger the copy
  path as fallback, which causes not only unreliable presentation timing
  and degraded performance, but also massive tearing artifacts due to
  rendering to the framebuffer without any hardware sync to vblank.
  Tearing is extra awful on modesetting-ddx because glamor afaics seems
  to use drawing of a textured triangle strip for the copy implementation,
  not a dedicated blitter engine. The rasterization pattern creates extra
  awful tearing artifacts.
  
  We can do better: According to a tip from Michel Daenzer (thanks!),
  at least atomic modesetting capable kms drivers should be able to
  reliably change scanout stride during a pageflip, even if atomic
  modesetting is not actually enabled for the modesetting client.
  
  This commit adds detection logic to find out if the underlying kms
  driver is atomic_modeset_capable, and if so, it no longer rejects
  page flip presents on mismatched stride between new Pixmap and
  frontbuffer.
  
  We (ab)use a call to drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 0);
  for this purpose. The call itself has no practical effect, as it
  requests disabling atomic mode, although atomic mode is disabled by
  default. However, the return value of drmSetClientCap() tells us if the
  underlying kms driver is atomic modesetting capable: An atomic driver
  will return 0 for success. A legacy non-atomic driver will return a
  non-zero error code, either -EINVAL for early atomic Linux versions
  4.0 - 4.19 (or for non-atomic Linux 3.x and earlier), or -EOPNOTSUPP
  for Linux 4.20 and later.
  
  Testing on a MacBookPro 2017 with Intel Kabylake display server gpu +
  AMD Polaris11 as prime renderoffload gpu, X-Server master + Mesa 21.0.3
  show improvement from unbearable tearing to perfect, despite a stride
  mismatch between display gpu and Pixmap of 11776 Bytes vs. 11520
  Bytes. That this is correct behaviour was also confirmed by comparing the
  behaviour and .check_flip implementation of the patched modesetting-ddx
  against the current intel-ddx SNA Present implementation.
  
  Please consider merging this patch before the server-1.21 branch point.
  This patch could also be cherry-picked into the server 1.20 branch to
  fix the same limitation.
  
  Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
  (cherry picked from commit 8f8ebf870b55c9875b7cfd8ef69c1df02d589b4a)
  

• acc50e60
  by Povilas Kanapickas at 2021-12-15T18:43:01+00:00

  record: Fix out of bounds access in SwapCreateRegister()
  
  ZDI-CAN-14952, CVE-2021-4011
  
  This vulnerability was discovered and the fix was suggested by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  
  Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
  (cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
  

• 6bb8aeb3
  by Povilas Kanapickas at 2021-12-15T18:43:01+00:00

  xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
  
  ZDI-CAN-14950, CVE-2021-4009
  
  This vulnerability was discovered and the fix was suggested by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  
  Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
  (cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
  

• 67425fca
  by Povilas Kanapickas at 2021-12-15T18:43:01+00:00

  Xext: Fix out of bounds access in SProcScreenSaverSuspend()
  
  ZDI-CAN-14951, CVE-2021-4010
  
  This vulnerability was discovered and the fix was suggested by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  
  Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
  (cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
  

• 35b4681c
  by Povilas Kanapickas at 2021-12-15T18:43:01+00:00

  render: Fix out of bounds access in SProcRenderCompositeGlyphs()
  
  ZDI-CAN-14192, CVE-2021-4008
  
  This vulnerability was discovered and the fix was suggested by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  
  Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
  (cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
  

• 97c5b777
  by Matt Turner at 2021-12-15T18:43:01+00:00

  xserver 1.20.14
  
  Signed-off-by: Matt Turner <mattst88@gmail.com>
  

10 changed files:

• Xext/saver.c
• configure.ac
• hw/xfree86/drivers/modesetting/driver.c
• hw/xfree86/drivers/modesetting/driver.h
• hw/xfree86/drivers/modesetting/present.c
• meson.build
• randr/rrlease.c
• record/record.c
• render/render.c
• xfixes/cursor.c

Changes:

Xext/saver.c

---

...	...	@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
1351	1351	REQUEST(xScreenSaverSuspendReq);
1352	1352
1353	1353	swaps(&stuff->length);
1354		- swapl(&stuff->suspend);
1355	1354	REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
	1355	+ swapl(&stuff->suspend);
1356	1356	return ProcScreenSaverSuspend(client);
1357	1357	}
1358	1358

configure.ac

---

...	...	@@ -26,8 +26,8 @@ dnl
26	26	dnl Process this file with autoconf to create configure.
27	27
28	28	AC_PREREQ(2.60)
29		-AC_INIT([xorg-server], 1.20.13, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
30		-RELEASE_DATE="2021-07-29"
	29	+AC_INIT([xorg-server], 1.20.14, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
	30	+RELEASE_DATE="2021-12-15"
31	31	RELEASE_NAME="Lemon Pepper Chicken"
32	32	AC_CONFIG_SRCDIR([Makefile.am])
33	33	AC_CONFIG_MACRO_DIR([m4])

hw/xfree86/drivers/modesetting/driver.c

---

...	...	@@ -1040,6 +1040,14 @@ PreInit(ScrnInfoPtr pScrn, int flags)
1040	1040	#endif
1041	1041	}
1042	1042
	1043	+ /*
	1044	+ * Use "atomic modesetting disable" request to detect if the kms driver is
	1045	+ * atomic capable, regardless if we will actually use atomic modesetting.
	1046	+ * This is effectively a no-op, we only care about the return status code.
	1047	+ */
	1048	+ ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 0);
	1049	+ ms->atomic_modeset_capable = (ret == 0);
	1050	+
1043	1051	if (xf86ReturnOptValBool(ms->drmmode.Options, OPTION_ATOMIC, FALSE)) {
1044	1052	ret = drmSetClientCap(ms->fd, DRM_CLIENT_CAP_ATOMIC, 1);
1045	1053	ms->atomic_modeset = (ret == 0);

hw/xfree86/drivers/modesetting/driver.h

---

...	...	@@ -108,6 +108,7 @@ typedef struct _modesettingRec {
108	108	* Page flipping stuff.
109	109	* @{
110	110	*/
	111	+ Bool atomic_modeset_capable;
111	112	Bool atomic_modeset;
112	113	Bool pending_modeset;
113	114	/** @} */

hw/xfree86/drivers/modesetting/present.c

---

...	...	@@ -252,8 +252,11 @@ ms_present_check_unflip(RRCrtcPtr crtc,
252	252	if (num_crtcs_on == 0)
253	253	return FALSE;
254	254
255		- /* Check stride, can't change that on flip */
256		- if (!ms->atomic_modeset &&
	255	+ /*
	256	+ * Check stride, can't change that reliably on flip on some drivers, unless
	257	+ * the kms driver is atomic_modeset_capable.
	258	+ */
	259	+ if (!ms->atomic_modeset_capable &&
257	260	pixmap->devKind != drmmode_bo_get_pitch(&ms->drmmode.front_bo))
258	261	return FALSE;
259	262

meson.build

---

...	...	@@ -3,7 +3,7 @@ project('xserver', 'c',
3	3	'buildtype=debugoptimized',
4	4	'c_std=gnu99',
5	5	],
6		- version: '1.20.13',
	6	+ version: '1.20.14',
7	7	meson_version: '>= 0.42.0',
8	8	)
9	9	add_project_arguments('-DHAVE_DIX_CONFIG_H', language: 'c')

randr/rrlease.c

---

...	...	@@ -295,7 +295,7 @@ ProcRRCreateLease(ClientPtr client)
295	295	if (rc != Success)
296	296	goto bail_lease;
297	297
298		- xorg_list_add(&scr_priv->leases, &lease->list);
	298	+ xorg_list_add(&lease->list, &scr_priv->leases);
299	299
300	300	if (!AddResource(stuff->lid, RRLeaseType, lease)) {
301	301	close(fd);

record/record.c

---

...	...	@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
2515	2515	swapl(pClientID);
2516	2516	}
2517	2517	if (stuff->nRanges >
2518		- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
2519		- - stuff->nClients)
	2518	+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
	2519	+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
2520	2520	return BadLength;
2521	2521	RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
2522	2522	return Success;

render/render.c

---

...	...	@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
2309	2309
2310	2310	i = elt->len;
2311	2311	if (i == 0xff) {
	2312	+ if (buffer + 4 > end) {
	2313	+ return BadLength;
	2314	+ }
2312	2315	swapl((int *) buffer);
2313	2316	buffer += 4;
2314	2317	}
...	...	@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
2319	2322	buffer += i;
2320	2323	break;
2321	2324	case 2:
	2325	+ if (buffer + i * 2 > end) {
	2326	+ return BadLength;
	2327	+ }
2322	2328	while (i--) {
2323	2329	swaps((short *) buffer);
2324	2330	buffer += 2;
2325	2331	}
2326	2332	break;
2327	2333	case 4:
	2334	+ if (buffer + i * 4 > end) {
	2335	+ return BadLength;
	2336	+ }
2328	2337	while (i--) {
2329	2338	swapl((int *) buffer);
2330	2339	buffer += 4;

xfixes/cursor.c

---

...	...	@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
1010	1010	{
1011	1011	REQUEST(xXFixesCreatePointerBarrierReq);
1012	1012
1013		- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
	1013	+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
	1014	+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
1014	1015	LEGAL_NEW_RESOURCE(stuff->barrier, client);
1015	1016
1016	1017	return XICreatePointerBarrier(client, stuff);
...	...	@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
1027	1028
1028	1029	swaps(&stuff->length);
1029	1030	swaps(&stuff->num_devices);
1030		- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
	1031	+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
	1032	+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
1031	1033
1032	1034	swapl(&stuff->barrier);
1033	1035	swapl(&stuff->window);

—
View it on GitLab.
You're receiving this email because of your account on salsa.debian.org. If you'd like to receive fewer emails, you can adjust your notification settings.