The Linux version of xf86EnableIO calls a helper function called hwEnableIO().
Except on Alpha, this function reads /proc/ioports looking for the 'keyboard'
and 'timer' ports, extracts the port ranges, and enables access to them. It does
this by reading 4 bytes from the string for the start port number and 4 bytes
for the last port number, passing those to atoi(). However, it doesn't add a
fifth byte for a NUL terminator, so some implementations of atoi() read past the
end of this string, triggering an AddressSanitizer error:
==1383==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff71fd5b74 at pc 0x7fe1be0de3e0 bp 0x7fff71fd5ae0 sp 0x7fff71fd5288
READ of size 5 at 0x7fff71fd5b74 thread T0
#0 0x7fe1be0de3df in __interceptor_atoi /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520
#1 0x564971adcc45 in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:138
#2 0x564971adce87 in xf86EnableIO ../hw/xfree86/os-support/linux/lnx_video.c:174
#3 0x5649719f6a30 in InitOutput ../hw/xfree86/common/xf86Init.c:439
#4 0x564971585924 in dix_main ../dix/main.c:190
#5 0x564971b6246e in main ../dix/stubmain.c:34
#6 0x7fe1bdab6b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#7 0x564971490e9d in _start (/home/aaron/git/x/xserver/build.asan/hw/xfree86/Xorg+0xb2e9d)
Address 0x7fff71fd5b74 is located in stack of thread T0 at offset 100 in frame
#0 0x564971adc96a in hwEnableIO ../hw/xfree86/os-support/linux/lnx_video.c:118
This frame has 3 object(s):
[32, 40) 'n' (line 120)
[64, 72) 'buf' (line 122)
[96, 100) 'target' (line 122) <== Memory access at offset 100 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:520 in __interceptor_atoi
Shadow bytes around the buggy address:
0x10006e3f2b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3f2b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3f2b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3f2b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3f2b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006e3f2b60: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2[04]f3
0x10006e3f2b70: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006e3f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10006e3f2b90: f1 f1 f8 f2 00 f2 f2 f2 f8 f3 f3 f3 00 00 00 00
0x10006e3f2ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x10006e3f2bb0: f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1383==ABORTING
Fix this by NUL-terminating the string.
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1193#note_1053306
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
In commit 9db2af6f75 (xfree86: Remove xf86{Map,Unmap}VidMem) we
somehow stopped exporting xf86{Read,Write}Mmio{8,16,32}. Since the
function pointer indirection was intended to support dense vs sparse and
sparse support is now gone, we can just make the functions static inline
in compiler.h and avoid all of this.
Bugzilla: https://bugs.gentoo.org/548906
Tested-by: Christopher May-Townsend <chris@maytownsend.co.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Since the sparse stuff is gone none of these variables get used for
anything, they're just dead side-effect-less execution.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
The only driver even pretending to check the result is mach64 anyway.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
This API sucks. Fortunately it's mostly unused at this point. geode,
sis, and xgi need minor patches to use the corresponding pciaccess code,
neomagic will (more explicitly) lose its non-PCI support, and newport
will need to be ported to /dev/mem or the platform bus or something.
This should also make it pretty clear that alpha's sparse memory support
was basically not a thing anymore, very few tears shed.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Non-barrier-emitting MMIO writes. They appear to be utterly unused,
burn it all down.
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Xorg server could be built for and run on Synopsys DesignWare ARC cores.
These changes are required for successful building and execution of the server.
Both little-endian and big-endian flavors of ARC cores are supported.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Acked-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Egbert Eich <eich@freedesktop.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
asm/mtrr.h makes this an unsigned long on 32, but a u64 on 64. Cast
it to a long to win.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Andreas Schwab <schwab@suse.de>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
We load the driver list, then enable I/O, then call driver probe based
on whether I/O enable succeeded. That's bad, because the loaded
security policy might forbid port access. We happen to treat that as
fatal for some reason, which means even drivers that don't need I/O
access (like kms and fbdev) don't get the chance to run. Facepalm.
How about we just make that non-fatal instead, that sounds like a much
better plan.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Simon Farnsworth <simon.farnsworth@onelan.co.uk>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Pull platform methods into their own sections for legibility, and
rewrite the ifdefs to be more concise.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Simon Farnsworth <simon.farnsworth@onelan.co.uk>
Signed-off-by: Adam Jackson <ajax@redhat.com>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
memType is a uint64_t on powerpc. Using memType only really makes
sense for *physical* addresses, which can be 64-bit for 32-bit
systems running on 64-bit hardware.
However, unmapVidMem() only deals with *virtual* addresses, which
are guaranteed to fit into an uintptr_t.
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Also remove odd definition MAP_FAILED.
Signed-off-by: Alexandr Shadchin <Alexandr.Shadchin@gmail.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Cast it to a char *, mimicking the return immediately below it.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Disable timer/keyboard trapping on GNU/Hurd for now
Trapping disabled for now, as some VBIOSes (mga-g450 notably) use these
ports, and the int10 wrapper is not emulating them.
It's effectively what happens in the Linux variant too, as iopl() is used there,
making the ioperm() meaningless.
Signed-off-by: Olaf Buddenhagen <antrik@users.sf.net>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Let's let glibc do the right thing for dense/sparse selection.
The _alpha_iobase code has been unused since the switch to libpciaccess. It
really should have been killed by fba700f1f6a8976.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Tested-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Keith Packard <keithp@keithp.com>
I couldn't find any version of the X xserver that ever used lnx_font.c
so let's delete it. I tried contacting its author, Egbert, multiple
times on IRC and email [*] but never got any response. It also hasn't
been seriously touched since January 2005.
[*] http://lists.x.org/archives/xorg-devel/2009-October/002855.html
Signed-off-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
When testing if an fd is valid, the required construct is >= 0, not > 0.
[Daniel: Fixed up the Linux MTRR case as well.]
Signed-off-by: Martin Ettl <ettl.martin@gmx.de>
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Save in a few special cases, _X_EXPORT should not be used in C source
files. Instead, it should be used in headers, and the proper C source
include that header. Some special cases are symbols that need to be
shared between modules, but not expected to be used by external drivers,
and symbols that are accessible via LoaderSymbol/dlopen.
This patch also adds conditionally some new sdk header files, depending
on extensions enabled. These files were added to match pattern for
other extensions/modules, that is, have the headers "deciding" symbol
visibility in the sdk. These headers are:
o Xext/panoramiXsrv.h, Xext/panoramiX.h
o fbpict.h (unconditionally)
o vidmodeproc.h
o mioverlay.h (unconditionally, used only by xaa)
o xfixes.h (unconditionally, symbols required by dri2)
LoaderSymbol and similar functions now don't have different prototypes,
in loaderProcs.h and xf86Module.h, so that both headers can be included,
without the need of defining IN_LOADER.
xf86NewInputDevice() device prototype readded to xf86Xinput.h, but
not exported (and with a comment about it).
Add XSERV_t, TRANS_SERVER, TRANS_REOPEN to quash warnings.
Add #include <dix-config.h> or <xorg-config.h>, as appropriate, to all
source files in the xserver/xorg tree, predicated on defines of
HAVE_{DIX,XORG}_CONFIG_H. Change all Xfont includes to
<X11/fonts/foo.h>.
change "foo.h" to <X11/foo.h> for core headers, e.g. X.h, Xpoll.h;
change "foo.h", "extensions/foo.h" and "X11/foo.h" to
<X11/extensions/foo.h> for extension headers, e.g. Xv.h;
change "foo.[ch]" to <X11/Xtrans/foo.[ch]> for Xtrans files.
Linux-only fixes: Fix case where a smaller write-combining region
blocks write-combining setting of the whole frame buffer. Fix bug in wc
setting code when regions are first splitted and setting of
write-combining then fails.
permissions when no access to HW registers is required. For API changes
which mostly involve the modifications to make the RRFunc (introduced
with 6.8) more flexible please check Bugzilla #2407. NOTE: This patch
applies changes to OS specific files for other OSes which I cannot
test.
Aaron Plattner
brian
Matt Turner
Adam Jackson
Max Filippov
Alexey Brodkin
Eric Anholt
Keith Packard
Andreas Schwab
Jeremy Huddleston
Alexandr Shadchin
Daniel Stone
Samuel Thibault
Macpaul Lin
Mikhail Gusarov
Martin Ettl
Peter Hutterer
Paulo Cesar Pereira de Andrade
Kazuhiro Inaoka
Adam Jackson
Lennart Buytenhek
Bastian Blank
Adam Jackson
Adam Jackson
Alan Coopersmith
Thomas Hellstrom
Egbert Eich
Søren Sandmann Pedersen
Eric Anholt