These functions aren't used by and drivers (and TimerInit() shouldn't be
be called from modules at all), thus unexport them.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1330>
* this symbol is a server configuration flag (can be passed via cmdline)
for limiting the max size of big-requests. there shouldn't be any need
to use it outside the core X server (in server modules like drivers
or external extension) - therefore unexport it
* in order to reduce namespace pollution of public (server module API)
headers, create a new internal header for those tings (more to come)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1275>
The symbols HAVE_SIGACTION and BUSFAULT are set under the same conditions,
so can be consolidated into one. Also define dummies when HAVE_SIGACTION
is not set, so a few #ifdef's less clutterig the code.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1297>
This breaks the xf86-input-synaptics driver:
synaptics.c: In function 'clickpad_guess_clickfingers':
synaptics.c:2638:5: error: implicit declaration of function 'BUG_RETURN_VAL' [-Werror=implicit-function-declaration]
2638 | BUG_RETURN_VAL(hw->num_mt_mask > sizeof(close_point) * 8, 0);
This reverts commit 442aec2219.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1316>
The workQueue pointer is currently declared extern, so that WaitForSomething()
can check wether we've got something in the queue and call ProcessWorkQueue()
then.
But that's trivial to simplify: just let ProcessWorkQueue() return early if
workQueue == NULL. Gives us a better isolation of internal stuff as well as
ProcessWorkQueue() protecting itself from possible segfault.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1310>
The generic auth handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The MIT authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The xdmcp authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The xdmcp handling isn't really OS specific, and only few sites actually need
to call it, so at least it's prototypes are better off in some separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The rpc authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The old approach of builtin color lookup used a binary search of strings
within text blocks (their start offsets defined in the color array).
This could potentially lead to buffer overflow, if the requested color
name far outreaches the text block (eg. same prefix as some entry near to
the end, but really huge). This alone wouldn't allow remote memory readout
(just comparing), but could possibly trigger page faults (sigsegv) or used
as a building block for some more complex attack.
OTOH, the old approach is also hard to maintain, ugly programming style:
on each change, all the offset need to be carefully recounted, which is
pretty error-prone.
Both problems are solved by moving to simple, per-entry, char* pointers,
instead of the one large text block.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
The "name" field doesn't actually hold the color's name, but instead the
offset of the name in the string table block. Thus, fix the field's name
to reflect this.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
I can't tell what this code was originally for - it was added in 1988,
4 years before the release of the SysV R4 release of Solaris 2.0, and
I can't find anywhere that defined SUNSYSV.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1315>
Apollo Domain/OS died in the 1990's and has never been supported in
the modular Xserver builds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Yet another step of uncluttering includes: move out the BUG_* macros
into a separate header, which then is included as-needed.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This is more portable than libbsd as everything Just Works, even on BSD systems,
and is the recommended method of consuming libbsd nowadays.
It also helpfully lets things work with glibc-provided functions for new
enough glibc.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/973
Co-authored-by: Guillem Jover <guillem@hadrons.org>
Signed-off-by: Sam James <sam@gentoo.org>
To correctly render a window making use of SHAPE, a compositor
must query the shape rectangles. This may not be a desirable
feature for a Wayland compositor. Allow SHAPE to be turned off at
runtime, so that the compositor can opt-out.
Signed-off-by: Simon Ser <contact@emersion.fr>
Withoug a proper implementation of DetermineClientCmd, clients that
connect via an ssh tunnel are miscategorized as local. This results
in failures when we try to use SCM_RIGHTS (eg: in MIT-SHM).
Fixes: https://github.com/XQuartz/XQuartz/issues/314
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
This provides a way to determine the pid of a peer connection on
systems like darwin that do not support getpeerucred() nor
SO_PEERCRED.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
GetLocalClientCreds() was preferring getpeereid() above other implementations.
getpeereid(), however, only returns the effective uid and gid of the peer,
leaving the pid unset. When this happens, we are unable to use the pid to
determine the peer's command line arguments and incorrectly treat ssh-tunneled
traffic as local.
To address this, we now prioritize getpeerucred() or SO_PEERCRED as those two
implementations will return the pid in addition to uid and gid.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
The X server swapping code is a huge attack surface, much of this code
is untested and prone to security issues. The use-case of byte-swapped
clients is very niche, so let's disable this by default and allow it
only when the respective config option or commandline flag is given.
For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "on".
For all DDX, this adds the commandline options +byteswappedclients and
-byteswappedclients to enable or disable, respectively.
Fixes#1201https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1029
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
The commit 9bf46610a9 "os: Immediately
queue initial WriteToClient" effectively disables buffering (of all
writes, not just the "initial" write), since the OS's network buffers
will usually be large enough to hold whatever replies we have sent.
This does improve performance when drawing over a Unix socket (I measure
approximtely 10%, not the ~5x mentioned in that commit message, probably
due to the large changes in this area since that commit), but it
decreases performance when drawing over a network due to the additional
TCP packets. This decrease is small (~10%) in most cases, but if the two
machines have mismatched Nagle / tcp_delay settings it can cause
XGetWindowAttributes to take 200ms (because it's composed of two
requests, the 2nd of which might wait for the ack which is delayed).
Avoid network slowdowns by making the immediate flush conditional on
who->local.
Signed-off-by: Peter Harris <pharris@opentext.com>
Most of these came from a mass bcopy() -> memmove() substitution in 1993
with a commit comment of "Ansification (changed bfuncs -> mfuncs)"
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This avoids warnings from system headers when building with debian bullseye:
In file included from ../dist-unpack/xserver-21.1.99.1/os/rpcauth.c:47:
/usr/include/tirpc/rpc/rpc.h:83:12: error: redundant redeclaration of ‘bindresvport’ [-Werror=redundant-decls]
83 | extern int bindresvport(int, struct sockaddr_in *);
| ^~~~~~~~~~~~
In file included from /usr/include/tirpc/rpc/rpc.h:40,
from ../dist-unpack/xserver-21.1.99.1/os/rpcauth.c:47:
/usr/include/netinet/in.h:503:12: note: previous declaration of ‘bindresvport’ was here
503 | extern int bindresvport (int __sockfd, struct sockaddr_in *__sock_in) __THROW;
| ^~~~~~~~~~~~
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
This changes away from hard-coding the /tmp/launch-* path to now
supporting a generic <absolute path to unix socket>[.<screen>]
format for $DISPLAY.
cf-libxcb: d978a4f69b30b630f28d07f1003cf290284d24d8
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
CC: Adam Jackson <ajax@kemper.freedesktop.org>
libunwind has a function to query whether the cursor points to a signal frame.
Use this to print
1: <signal handler called>
like GDB does, rather than printing something less useful such as
1: /usr/lib/libpthread.so.0 (funlockfile+0x60) [0x7f679838b870]
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Currently, when main hardware screen is powered-off,
X server initializes fake screen's timer with
1 second update interval.
Streaming software like Nomachine or Vnc, as well as
desktop input automation suffers from it, since it
will forever be stuck on 1 fps until the display is
turned back on.
This commit adds command line option -fakescreenfps <int>
that allows the user to change the default fake screen
timer.
Signed-off-by: Baranin Alexander <ismailsiege@gmail.com>
Meson does not like comparing things of different types which is a
problem when reading back values of feature flags as they may contain
either false (bool) or 1 (string).
Since there is a strong reason why we use false when the feature does
not exist, we work around this issue by always converting the returned
value to int via to_int().
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1190
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
Stop assuming that a failure to link always means that the file indeed
exists. In case of other failure (e.g., permissions), the user would get an
inconsistent "Can't read lock file" message.
Signed-off-by: Olivier Certner <olce.freedesktop@certner.fr>
When the command line option "-terminate" is used, it could be
interesting to give it an optional grace period to let the Xserver
running for a little longer in case a new connection occurs.
This adds an optional parameter to the "-terminate" command line option
for this purpose.
v2: Use a delay in seconds instead of milliseconds
(Martin Peres <martin.peres@mupuf.org>)
v3: Clarify man page entry, ensure terminateDelay is always >= 0,
simplify TimerFree(). (Peter Hutterer <peter.hutterer@who-t.net>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
This will make the behavior of meson consistent with autotools. The
configuration macros are exposed to public headers so any inconsistency
is likely to break code for anyone who's not careful to use #ifdef
instead of #if.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
This has not been tested, but os_deps is not used anywhere in the file,
so it's likely this was a typo.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
This helps on KAME-based systems which want to get rid of this hack.
The assumption is that if sin6_scope_id is set, then the interface index
is no longer embedded in the address.
Signed-off-by: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Not all extensions can be enabled or disabled at runtime, list the
extensions which can from the help message rather than on error only.
v2:
* Print the header message in the ListStaticExtensions() (Peter
Hutterer)
* Do not export ListStaticExtensions() as Xserver API
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
All of these uses were attempting to set FD_CLOEXEC, which happens to be
(1<<0). Since flags is going to be aligned in memory, its address is
never going to have the low bit set, so we were never actually setting
what we meant to.
Fixes: xorg/xserver#1114
The address retrieved in "pip.start_ip" is not necessarily the same
address as unw_get_proc_name finds as nearest symbol and returns in "off".
Therefore using "pip.start_ip + off" is not reliable, at least
visible in the binaries from the Debian repository.
Bug-Debian: https://bugs.debian.org/971088
Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org>
Most (but not all) of these were found by using
codespell --builtin clear,rare,usage,informal,code,names
but not everything reported by that was fixed.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
../os/xsha1.c:36:10: fatal error: 'sha1.h' file not found
#include <sha1.h>
^~~~~~~~
../os/xsha1.c:45:5: error: implicit declaration of function 'SHA1Init' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
SHA1Init(ctx);
^
../os/xsha1.c:54:5: error: implicit declaration of function 'SHA1Update' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
SHA1Update(sha1_ctx, data, size);
^
../os/xsha1.c:63:5: error: implicit declaration of function 'SHA1Final' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
SHA1Final(result, sha1_ctx);
^
You might as well, it's harmless. Better, some cleanup code (like DRI2
swap wait) needs to run both normally and at client exit, so it
simplifies the callers to not need to check first. See 4308f5d3 for a
similar example.
Props: @ajax (Adam Jackson)
Fixes: xorg/xserver#211
Signed-off-by: Daniel Llewellyn <diddledan@ubuntu.com>
If a client is in the process of being closed down, then its client->osPrivate
pointer will be set to NULL by CloseDownConnection. This can cause a crash if
freeing the client's resources results in a call to AttendClient. For example,
if the client has a pending sync fence:
Thread 1 "X" received signal SIGSEGV, Segmentation fault.
AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
(gdb) bt
#0 AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
#1 0x00005571c3dbb865 in SyncAwaitTriggerFired (pTrigger=<optimized out>) at ../Xext/sync.c:694
#2 0x00005571c3dd5749 in miSyncDestroyFence (pFence=0x5571c5063980) at ../miext/sync/misync.c:120
#3 0x00005571c3dbbc69 in FreeFence (obj=<optimized out>, id=<optimized out>) at ../Xext/sync.c:1909
#4 0x00005571c3d7a01d in doFreeResource (res=0x5571c506e3d0, skip=skip@entry=0) at ../dix/resource.c:880
#5 0x00005571c3d7b1dc in FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1146
#6 FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1109
#7 0x00005571c3d5525f in CloseDownClient (client=0x5571c4aed9a0) at ../dix/dispatch.c:3473
#8 0x00005571c3d55eeb in Dispatch () at ../dix/dispatch.c:492
#9 0x00005571c3d59e96 in dix_main (argc=3, argv=0x7ffe7854bc28, envp=<optimized out>) at ../dix/main.c:276
#10 0x00007fea4837cb6b in __libc_start_main (main=0x5571c3d1d060 <main>, argc=3, argv=0x7ffe7854bc28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe7854bc18) at ../csu/libc-start.c:308
#11 0x00005571c3d1d09a in _start () at ../Xext/sync.c:2378
(gdb) print client->osPrivate
$1 = (void *) 0x0
Since the client is about to be freed, its ignore count doesn't matter and
AttendClient can simply be a no-op. Check for client->clientGone in AttendClient
and remove similar checks from two callers that had them.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Wrong version got committed, but wasn't noticed since it only builds
with meson, not autoconf.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
MinGW defines SIG_BLOCK, but doesn't have signal masks, so rather than
checking for SIG_BLOCK, add a configure check for sigprocmask.
v2:
Also add check to meson.build
It can take some time for Xorg to start. If Xorg runs as a systemd
service and other services are based on it, they have no way to
determine when Xorg is really ready to accept requests. Let's use
sd_notify() provided by libsystemd to signal systemd for readiness.
If Xorg has not been started as a systemd service, this won't do
anything.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Differences from autotools:
* Autotools defined NO_ALLOCA for OSX builds. I don't think we need
this anymore as Xalloc.h is no longer used anywhere in the xserver.
* X11.bin is linked with -u,miDCInitialize, and then libserver_mi
provided to satisfy (just) that. It's been that way since the commit
which added it. We can't write the equivalent in meson due to linker
argument ordering issues, but do we really need to?
* An explicit -Dsecure-rpc=false is required for OSX, since in meson we
don't do the checks that XTRANS_SECURE_RPC_FLAGS did for the existence
of the specific RPC functions required.
In the meson build, functions to make up for the shortcomings of libc
are compiled into a separate library. We don't bother making the pixman
headers available (reasonably enough) to this compilation, but they are
required indirectly by dix.h. Just remove this unneeded include.
GetTimeInMillis is called first, which sets clockid to
CLOCK_MONOTONIC_COARSE, which is typically much lower resolution than
the callers of GetTimeInMicros want.
Prior to a779fda224, GetTimeInMillis and
GetTimeInMicros did not share a clockid.
Restore the clockid split to fix the granularity of GetTimeInMicros.
Signed-off-by: Peter Harris <pharris@opentext.com>
This contortion made a bit more sense before we got SetNotifyFd and
friends, but now there's no need for it.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
CVE-2018-14665 also made it possible to exploit this to access
memory. With -logfile forbidden when running with elevated privileges
this is no longer an issue.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Adam Jackson <ajax@redhat.com>
xdmcpSocket survives during the reset, there is no
need to create a new one.
This commit restores logic that was broken by
49c0f2413d in Xorg 1.19.
Signed-off-by: Alexander Volkov <a.volkov@rusbitech.ru>
These are so close to identical that most DDXes implement one in terms
of the other. All the relevant cases can be distinguished by the error
code, so merge the functions together to make things simpler.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
This variable was no longer being read anywhere. MAXCLIENTS the macro is
the compile-time maximum limit, LIMITCLIENTS the macro is the default
limit, LimitClients the variable is the limit for the current server.
Signed-off-by: Adam Jackson <ajax@redhat.com>
The client ID is only needed for XRes, and autotools build ignores the
--clientids= arg if xres is disabled. We haven't made a meson option
for disabling tracking client ids (is it actually worth a build
option?), so just make this depend on xres.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Currently our meson.build just makes the assumption that the libc is
going to provide RPC functions. This doesn't actually seem to be the
case on Fedora, which causes compilation to fail unexpectedly:
../../Projects/xserver/os/rpcauth.c:47:10: fatal error: rpc/rpc.h: No such file or directory
#include <rpc/rpc.h>
^~~~~~~~~~~
compilation terminated.
So, in the event that we can't use libtirpc ensure that we actually
check whether or not the libc provides rpc/rpc.h. If it doesn't, raise
an error.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
If a driver calls AttendClient() from within a timer callback we
need to re-compute the local 'are_ready' to prevent the attended
client from waiting until WaitForSomething() times out.
This is a fix similar to commit 9ed5b263.
Signed-off-by: Damien Leone <dleone@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
As we are not freeing elements while iterating the list of timers, we
can forgo using the safe variant, and reduce the number of pointer
dances required for the insertion sort.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Currently, we use xorg_list_add(new, head->prev) which is functionaly
equivalent to xorg_list_append(), but with more pointer chasing, so
reduce the strain on the reader and compiler by using the simpler
append().
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Currently we only check timer expiry if there are no client fd (or
other input) waiting to be serviced. This makes it very easy to starve
the timers with long request queues, and so miss critical timestamps.
The timer subsystem is just another input waiting to be serviced, so
evaluate it on every loop like all the others, at the cost of calling
GetTimeInMillis() slightly more frequently. (A more invasive and likely
OS specific alternative would be to move the timer wheel to the local
equivalent of timerfd, and treat it as an input fd to the event loop
exactly equivalent to all the others, and so also serviced on every
pass. The trade-off being that the kernel timer wheel is likely more
efficiently integrated with epoll, but individual updates to each timer
would then require syscalls.)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Querying a pkg-config variable using the --variable option produces the
value of the given variable as stored in the pkg-config file and should
not be used to add directories to the include search path.
The reason for this is that it breaks cross-compilation, because header
files are installed relative to the host sysroot. pkg-config supports a
PKG_CONFIG_SYSROOT_DIR environment variable that points to this sysroot
and will prepend that to the path of directories in -I or -L options in
pkg-config's Cflags, Libs or Libs.private keywords. However, because no
context can be inferred from variable names, as opposed to the keywords
with fixed meaning, the sysroot path will not be prepended to them. The
build system is responsible for doing so if necessary since it is aware
of the context in which the variable is used.
Adding the include directory returned by pkg-config to the include path
leaks build system information into the cross-build and break with very
confusing errors such as this:
In file included from include/misc.h:82:0,
from dix/atom.c:55:
/usr/include/pthread.h:682:6: warning: '__regparm__' attribute directive ignored [-Wattributes]
__cleanup_fct_attribute;
^~~~~~~~~~~~~~~~~~~~~~~
or this:
In file included from include/misc.h:139:0,
from dix/atom.c:55:
/usr/include/stdlib.h:133:8: error: '_Float128' is not supported on this target
extern _Float128 strtof128 (const char *__restrict __nptr,
^~~~~~~~~
Fix this by replacing the include directory with the appropriate xproto
dependency required to add the correct include directory to the compile
command for subdirectories that are missing the dependency. As detailed
above, this gives pkg-config the opportunity to prepend the sysroot for
all paths in -I compiler options.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Trivial way to reproduce the bug:
$ Xorg -logfile /tmp/mylog -config /etc/xpra/xorg.conf -displayfd 2
The server then moans:
Failed to rename log file "/tmp/mylog" to "/tmp/mylog": No such file or directory
And the log file is created but immediately renamed to "/tmp/mylog.old".
This is caused by the changes to the log file handling introduced by
this commit:
https://cgit.freedesktop.org/xorg/xserver/commit/?id=edcb6426f20c3be5dd5f50b76a686754aef2f64e
To fix this, only rename the logfile if the log filename contains the
magic substitution string "%s".
Signed-off-by: Antoine Martin <antoine@nagafix.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Antoine Martin <antoine@nagafix.co.uk>
Tested-by: Ben Crocker <bcrocker@redhat.com>
Having different types of code all trying to check for elevated privileges
is a bad idea. This implementation is the most thorough one.
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Antoine Martin <antoine@nagafix.co.uk>
Tested-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
Otherwise this is broken on cygwin:
rrlease.c: In function ‘ProcRRCreateLease’:
rrlease.c:305:9: error: implicit declaration of function ‘WriteFdToClient’ [-Werror=implicit-function-declaration]
if (WriteFdToClient(client, fd, TRUE) < 0) {
Signed-off-by: Adam Jackson <ajax@redhat.com>
When xorg_backtrace calls unw_get_proc_name and an error occurs, offset
might not be set for the current frame.
Initialize offset for each frame so that the offset from another frame
cannot be used inadvertently.
Signed-off-by: Jeff Smith <whydoubt@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
When a monotonic clock is not available, GetTimeInMicros() returns the
time in nanoseconds. Instead, return the time in microseconds, as the
name indicates.
Signed-off-by: Jeff Smith <whydoubt@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
The inputthread is kept locked all the time while X server's VT is not active.
If the X server is terminated while not active, it will be stuck forever in
InputThreadFini waiting for the thread to join, but it wouldn't because it is
locked.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103782
Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Building with strict-aliasing rightly chirps here:
../os/xdmcp.c: In function ‘XdmcpRegisterConnection’:
../os/xdmcp.c:489:31: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
&((struct sockaddr_in6 *) &address)->sin6_addr.s6_addr[12];
^~~~~~~~~~~~
We have "const char *address", so &address here is a char ** (i.e., it
points to the slot on the stack containing the pointer to the character
array passed in as an argument). Casting that to a struct sockaddr_in6 *
is wrong, because it means that area of the stack will be reinterpreted
as a struct sockaddr_in6.
Instead, cast address, not &address.
Signed-off-by: Adam Jackson <ajax@redhat.com>
x11perf -noop with 200 xlogos connected is slightly faster with ports:
before after Operation
---------- ----------------- --------------------
18400000.0 19200000.0 (1.04) X protocol NoOperation
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Peter Harris <pharris@opentext.com>
AIX's poll only allows FD_SETSIZE entries in the fd list, which is
insufficient for expanded MaxClients.
As a bonus, x11perf -noop with ~250 xlogos connected is slightly faster
with pollset:
before after Operation
--------- ---------------- --------------------
5750000.0 5990000.0 (1.04) X protocol NoOperation
Signed-off-by: Peter Harris <pharris@opentext.com>
Acked-by: Keith Packard <keithp@keithp.com>
SIGQUIT is a normal termination request, but any other signal we handle
here wants a core. This has the effect of making FatalError's call to
AbortServer trigger the
if (CoreDump)
OsAbort();
path. This will allow us to remove some DDX code that has the same net
effect.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Don't reuse cmd for strtok output to ensure the proper pointer is
freed afterwards.
The code incorrectly assumed the pointer returned by strtok(cmd, ":")
would always point to cmd. However, strtok(str, sep) != str if str
begins with sep. This caused an invalid-free crash when running
a program under X with a name beginning with a colon.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
Signed-off-by: Tomasz Śniatowski <kailoran@gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Terminate a dead session when -once was passed. Don't restart it.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Walter Harms <wharms@bfs.de>
This was always wide enough to work on an fd_mask ("mask" ffs
presumably). We don't operate on fd_masks anymore, so this can go.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Roundhouse kick replacing the various (sizeof(foo)/sizeof(foo[0])) with
the ARRAY_SIZE macro from dix.h when possible. A semantic patch for
coccinelle has been used first. Additionally, a few macros have been
inlined as they had only one or two users.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
The meson build gives me:
../os/utils.c: In function ‘LockServer’:
../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~
../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Which seems to be due to the %d part meaning that a negative number's -
sign would be one wider than we're expecting. Fine, just coerce it to
unsigned.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The function itself does not depend on the macro. Move it outside
of the ifdef guard and remove the identical copy in XWIN.
This is step 1 towards removing the duplication in winauth.c and moving
the OS specifics to os/
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Jon Turney <jon.turney@dronecode.org.uk>
The epoll code depends on epoll_create1, not epoll_create.
Signed-off-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
This ensures that we don't use the now-closed file descriptor in the
future.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
oc->trans_conn is set to NULL when the connection is closed. At this
point, oc->fd is no longer valid and shouldn't be used. Move
dereference of oc->fd up into YieldControlNoInput where the state of
oc->trans_conn can be checked in a single place.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
In set_poll_client, check oc->trans_conn to make sure the connection
is still running before changing the ospoll configuration of the file
descriptor in case some other bit of the server is now using this file
descriptor.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
AbortClient performs most of the same operations as
CloseDownFileDescriptor except that it doesn't call ospoll_remove,
leaving that unaware that the file descriptor has been closed.
If the file descriptor is re-used before the server comes back around
to clean up, and that new file descriptor is passed to SetNotifyFd,
then that function will mistakenly re-interpret the stale ClientPtr
returned by ospoll_data as a struct notify * instead and mangle data
badly.
To fix this, the patch does:
1) Change CloseDownFileDescriptor so that it can be called multiple
times on the same OsCommPtr. The calls related to the file
descriptor are moved inside the check for trans_conn and
oc->trans_conn is set to NULL after cleaning up.
2) Move the XdmcpCloseDisplay call into CloseDownFileDescriptor. I
don't think the actually matters as we just need to know at some
point that the session client has exited. Moving it avoids the
possibility of having this accidentally trigger from another client
with the same fd which closes down at around the same time.
3) Change AbortClient to call CloseDownFileDescriptor. This makes sure
that all of the fd-related clean up happens in the same way
everywhere, in particular ensures that ospoll is notified about the
closed file descriptor at the time it is closed and not some time later.
Debian-bug: https://bugs.debian.org/862824
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This infrastructure is no longer read, only written; the mapping
from fd to client is now handled by ospoll.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Whatever problem this is trying to fix, we don't care. Just include the
thing and stop worrying about whether _POSIX_SOURCE is defined.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Tested-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Use conf_data outside of include/ to avoid re-running detection of the
same functions.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Peter Harris <pharris@opentext.com>
Include dix-config.h first to pick up _GNU_SOURCE so we get the
definition for sigset_t.
Reported-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Test to build xserver_poll.c was inverted compared to autoconf. Build
xserver_poll.c if poll is missing.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
This makes sure the server will go look at the client again, notice
that the FD is no longer valid and close the client down.
Bugzilla: https://bugs.freedesktop.org/100863
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
There are three copies of the same short sequence of operations to
close down a client when a write error occurs. Create a new function,
AbortClient, which performs these operations and then call it from the
three places.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
This is all just stuff we wish we had in libc, and some of this gets
used in eg. the dmx utilities build, so split it to its own library to
avoid pulling in xserver stuff.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
This is a work in progress that builds Xvfb, Xephyr, Xwayland, Xnest,
and Xdmx so far. The outline of Xquartz/Xwin support is in tree, but
hasn't been built yet. The unit tests are also not done.
The intent is to build this as a complete replacement for the
autotools system, then eventually replace autotools. meson is faster
to generate the build, faster to run the bulid, shorter to write the
build files in, and less error-prone than autotools.
v2: Fix indentation nits, move version declaration to project(), use
existing meson_options for version-config.h's vendor name/web.
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
We mostly use #ifdef throughout the tree, and this lets the generated
config.h files just be #define TOKEN instead of #define TOKEN 1.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Without this, assertion failures can make life hard for users and those
trying to help them.
v2:
* Change commit log wording slightly to "can make life hard", since
apparently e.g. logind can alleviate that somewhat.
* Set default handler for SIGABRT in
hw/xfree86/common/xf86Init.c:InstallSignalHandlers() and
hw/xquartz/quartz.c:QuartzInitOutput() (Eric Anholt)
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
The clever pointer tricks were actually not working, and we were doing
the byte-by-byte moves in general. By just doing the memcpy and
obvious byte swap code, we end up generating actual byte swap
instructions, thanks to optimizing compilers.
text data bss dec hex filename
before: 2240807 51552 132016 2424375 24fe37 hw/xfree86/Xorg
after: 2215167 51552 132016 2398735 249a0f hw/xfree86/Xorg
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Most of this is a legacy of the old "extmod" design where you could load
_some_ extensions dynamically but only if the server had been built with
support for them in the first place.
Note that since we now only initialize the DPMS extension if at least
one screen supports it, we no longer need DPMSCapableFlag: if it would
be false, we would never read its value.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes]
timingsafe_memcmp(const void *b1, const void *b2, size_t len)
Signed-off-by: Adam Jackson <ajax@redhat.com>
- typo in #ifdef check
- also need to add AC_CHECK_FUNCS([arc4random_buf])
Reported-by Eric Engestrom. Thanks
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
And the current code for MitToId has a use-after-free() issue.
[Also remove the actual implementations - ajax]
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Provide the function definition for systems that don't have it.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The input thread should generate events, not send them. Make it easier to
find the instances where it's doing so.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Fixes a regression from
commit 41da295eb5
Author: Keith Packard <keithp@keithp.com>
Date: Sun Nov 3 13:12:40 2013 -0800
Trap SIGBUS to handle truncated shared memory segments
that causes the SIGBUS handler to fail to chain up correctly and
corrupts nearby memory instead.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
==8734== Thread 2 InputThread:
==8734== Conditional jump or move depends on uninitialised value(s)
==8734== at 0x2FDB05: InputThreadDoWork (inputthread.c:333)
==8734== by 0x6924423: start_thread (pthread_create.c:333)
==8734== by 0x6C229BE: clone (clone.S:105)
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Remove leftover from commit e10ba9e, MAX_TIMES_PER is not used anymore.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Solaris 11.3.5 introduced support for /proc/pid/cmdline, so try it
first, and if we can't open it, then fallback to /proc/pid/psinfo
as we did before.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
A client which is attended while a grab is blocking execution of its
requests needs to be placed in the saved_ready_clients list so that it
will get scheduled once the grab terminates. Otherwise, if the client
never sends another request, there is no way for it to be placed in
the ready_clients list.
v2: Wrap comment above mark_client_saved_ready.
Remove test for OS_COMM_IGNORED which will always be true.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99333
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Fixes a regression introduced in 0b2f30834b. If a driver posts input
events during a timer function (wacom and synaptics do this during tap
timeouts), ProcessInputEvents() is not called for these events. There are no
new events on any fds, so the events just sit in the queue waiting for
something else to happen.
Fix this by simply returning 0 from check_timers if we ran at least one of
them or reset them all. This way the callers ospoll_wait will exit and
continue with normal processing.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
The custom os/os.O library reuses *.o files of os/libos.la.
The current rule assumes automake puts all the objects into per-target
am__*_la_OBJECTS variable. At least with AC_REPLACE_FUNCS, this no
longer holds (as wanted objects are put into LTLIBOBJS instead).
Depend on automake's result, the *.la library instead, to express demand
of any its dependencies being built.
Should be fixing randomly occuring "undefined reference to `strlcpy'"
errors when linking Xvfb and other DDX-es that could use os.O.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Mihail Konev <k.mvc@ya.ru>
If a work proc wakes up a sleeping client and it is ready to execute,
we need to re-compute the local 'are_ready' value before deciding
what timeout value to use in WaitForSomething.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98030
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
On Linux, setting the main thread's name changes the program name
(/proc/self/comm). Setting it to MainThread breaks scripts that rely on
the command name, e.g. ps -C Xorg.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
When putting a device node into a poll-request list, do not overwrite a
"please-remove" element with the same fd, so that a closed device file
is ospoll_remove'd prior to being ospoll_add'ed.
Before, the opposite order was possible, resulting in ospoll_add
considering the newly opened file being already polled, should it have a
fd for which the "please-remove" has not been procesed yet. In this
case, no further events would be seen from the device.
Signed-off-by: Mihail Konev <k.mvc@ya.ru>
Regressed-in: 52d6a1e832
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97880
Patchwork: https://patchwork.freedesktop.org/patch/113763/
Hit-and-Reduced-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-and-Reduced-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
When a client is marked as write blocked, clear any old 'write ready'
bit in the osfds structure so that a new indication of write ready
(which is marked as edge trigggered) will trigger the callback.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Matthieu Herrb <matthieu@herrb.eu>
When a client with pending output is ready (has request data pending),
FlushAllOutput will skip it to get all of the requests processed
before sending any queued output. That means FlushAllOutput is going
to return with some output pending to a client which isn't known to be
write blocked. And that means NewOutputPending needs to be set so that
FlushAllOutput will get called again to actually go flush this client.
It might be interesting to try just flushing the client to send any
queued data along the way. This patch just restores the server
behavior to what it was before the ospoll changes.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Matthieu Herrb <matthieu@herrb.eu>
Autoconf logic borrowed from glib
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
If RTLD_DI_SETSIGNAL is set to let us turn runtime linker/loader errors
into catchable signals, then we should only show the errors when catching
that signal, instead of tossing out red herrings to distract people with
unrelated crashes long after their last failed symbol lookup (especially
when using drivers built to support multiple API's by checking which
symbols are available before calling them).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
O_CLOEXEC is not a file bit. It is not setable with F_SETFL. One must
use it when calling open(2). To set it cloexec on an existing fd,
F_SETFD and FD_CLOEXEC must be used.
This also fixes a build failure regression on configurations that don't
have O_CLOEXEC defined.
cf: http://pubs.opengroup.org/onlinepubs/9699919799/functions/fcntl.html
Regressed-in: 30ac756798
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
This change has two effects:
1. Only calls FlushCallbacks when we're actually flushing data to a
client. The unnecessary FlushCallback calls could cause significant
performance degradation with compositing, which is significantly
reduced even without any driver changes.
2. By passing the ClientPtr to FlushCallbacks, drivers can completely
eliminate unnecessary flushing of GPU commands by keeping track of
whether we're flushing any XDamageNotify events to the client for
which the corresponding rendering commands haven't been flushed to
the GPU yet.
Reviewed-by: Adam Jackson <ajax@redha.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
If a file descriptor is added or removed from an ospoll callback, then
the arrays containing file descriptor information will have all of
their indices changed, so the loop state is no longer consistent. Just
bail out and let the caller come back around to try again.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Instead of freeing the struct ospollfd elements when the fd is
removed by the user, delay that until epoll is idle so that we are
sure no epoll_event structures could contain the stale pointer. This
handles cases where an fd is removed from the ospoll callback
interface, and also in case the OS keeps stale pointers around after
the call to epoll_ctl with EPOLL_CTL_DEL.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Calling InputThreadRegisterDev twice with the same fd should replace
the existing function and args instead of creating a new entry with
the same fd.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
xf86AddEnabledDevice() prepends the new fd to the list,
xf86RemoveEnabledDevice() then searches for a matching fd and removes that
entry. If this is done for the same fd (and since we lose all information but
the actual fd) we usually unregister virtual devices in reverse order, causing
a dereference of already released memory.
Case in point:
- the wacom driver calls xf86AddEnabledDevice() once for the physical device,
then multiple times for the virtual subdevices
- when the physical device is unplugged, the driver calls
xf86RemoveEnabledDevice() for the physical device
- all we have is the fd, so we end up removing the last virtual device from
the fd set
- xf86DeleteInput() frees the physical device's pInfo
- the fd goes crazy with ENODEV, but a read_input() now passes the already
freed pInfo for the physical device
- boom
Fix this by appending to the fd list to provide bug-for-bug compatibility with
the old SIGIO code. This needs to be fixed in the driver, but meanwhile not
crashing the server provides for better user experience.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Do all timer stuff before blocking, avoiding a bunch of duplicate code
and merge common code in WaitForSomething.
The WaitForSomething changes need a bit of explanation to show that
the new code is effectively equivalent to the old. Eliding error
checking and trivial bits we've got:
Before:
if (ready clients)
timeout = 0
else
compute timeout
i = poll
if (i <= 0) {
if (ready clients)
return TRUE;
if (input)
return FALSE;
if (any ready timers) {
run timers
return FALSE;
}
} else {
if (input)
return FALSE;
if (any ready timers) {
run timers
return FALSE;
}
if (ready clients)
return TRUE;
}
After:
if (ready clients)
timeout = 0;
else
compute timeout
run_timers
poll
if (input)
return FALSE;
if (ready clients)
return TRUE;
The old code would return TRUE if there were ready clients and input
pending. Dispatch would then schedule that ready client, but before
processing any requests, it would notice that there was input pending
and go process it. The new code just checks for input first, which is
effectively the same.
If the poll timed out and there weren't clients ready, then timers
would get run.
If the poll didn't time out, then timers would get run, even if there
were clients now ready. Now, if the timeout interval was zero, that
means that the timers must have been ready *before* poll was
invoked. In this case, we should simply run the timers before calling
poll -- no sense calling poll just to discard any data that it
generates.
If the timeout interval was non-zero, and poll didn't timeout, then
either there aren't any timers to run, or we got a surprise and hit a
timer exactly as a client became ready to run. This is the one case
where the new code is different from the old; the new code delays the
timer call until the next time WaitForSomething is called.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
No sense having an open-coded linked list here, plus the doubly linked
list is more efficient
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
poll provides per-fd notification of failure, so we don't need
CheckConnections anymore.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
There's no reason to close these now that we don't care what file
descriptors we use.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
There's no reason not to offer ridiculous numbers of clients; only a
few static data structures are arrays of this length.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
With no code depending on the range of file descriptors, checking
for that can be eliminated.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Replace use of select(2) to avoid fd limits. Note that
InputThreadFillPipe used select as well, but none of the files passed
were non-blocking, so there was no need for that code at all.
v2: Keep ospoll API usage single threaded to avoid re-entrancy issues
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Eliminates all of the fd_set mangling in the server main thread
v2: Listen for POLLOUT while writes are blocked.
v3: Only mark client not ready on EAGAIN return from read
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This converts the dispatch loop into using a list of ready clients
instead of an array. This changes the WaitForSomething API so that it
notifies DIX when a client becomes ready to read, instead of returning
the set of ready clients.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This provides a wrapper around poll or epoll providing a
callback-based interface for monitoring activity on a large set of
file descriptors.
v2: use xserver_poll API instead of poll. Don't use WSAPoll as
that is broken.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
v2: rename as 'xserver_poll' to avoid potential library name
collisions. Provide 'xserver_poll.h' which uses the system
poll where available and falls back to this emulation otherwise.
Autodetects when this is required, building the emulation only
then
Source: https://github.com/bmc/poll
Signed-off-by: Adam Jackson <ajax@redhat.com>
The file descriptors passed to InputThreadFillPipe are always
blocking, so there's no need to use Select (or poll).
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
The timeout resolution offered in the AdjustWaitForDelay call is
only milliseconds, so passing around the timeout as a pointer to a
struct timeval is not helpful. Doing everything in milliseconds up to
the point of the select call simplifies the code without affecting
functionality at all.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Instead of having scheduling done in two places (one in
WaitForSomething, and the other in SmartScheduleClient), just stick
all of the scheduling in SmartScheduleClient.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
All uses of these interfaces should instead be using the NotifyFd API
instead.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This removes the last uses of fd_set from the server interfaces
outside of the OS layer itself.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Instead of open-coding a single FD wait, use NotifyFd to wait for the
FD to become readable before returning the error message.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This new libXfont API eliminates exposing internal X server symbols to
the font library, replacing those with a struct full of the entire API
needed to use that library.
v2: Use libXfont2 instead of libXfont_2
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
For link local addresses the XDMCP server would need to either know the
interface thru a scope identifier or try all available interfaces. If
they don't this address will fail in which case the XDMCP server could
still try the other addresses passed - however some only try the first
address and then give up.
Even if this seems to be the wrong place to fix this it seems to be
easier than fixing all display servers.
[ajax: Cleaned up commit message]
Reviewed-by: Adam Jackson <ajax@redhat.com>
As the man page for the latter states:
The effects of signal() in a multithreaded process are unspecified.
We already have an interface to call sigaction() instead, use it.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Timer processing can happen on either the main thread or the input
thread. As a result, it must be done under the input lock.
Signals are unrelated to timers now that SIGIO isn't used for input
processing, so stop blocking signals while processing timers.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
If the server calls AbortServer during the first-time initialization
(which can happen if you start the server on an already using
DISPLAY), then the dbus code will shut down and call the notify fd
interface. If the notify fd list hasn't been initialized, the server
will crash.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
The list of input devices may be changed by hotplugging while the
server is active, and those changes may come from either the main
thread or the input thread. That means the list of input devices needs
to be protected by a mutex.
This prevents input drivers from receiving I/O ready callbacks after
removing a device.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
By default the X server will try CLOCK_MONOTONIC_COARSE before
CLOCK_MONOTONIC, while A Wayland compositor may only support getting
their timestamps from the CLOCK_MONOTONIC clock. This causes various
issues since it may happen that a timestamp from CLOCK_MONOTONIC
retrieved before a sending an X request will still be "later" than the
timestamp the X server than gets after receiving the request, due to the
fact that CLOCK_MONOTONIC_COARSE has a lower resolution.
To avoid these issues, make Xwayland always use CLOCK_MONOTONIC, so
that it becomes possible for Wayland compositor only supporting
CLOCK_MONOTONIC and X server to use the same clock.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Acked-by: Daniel Stone <daniels@collabora.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
input_force_unlock was mis-using input_mutex_lock and leaving it set
to -1. As this is executed from OsInit at each server generation, on
the second time through, the mutex would be left locked (!) due to the
trylock call. This caused input to fail after the first server reset.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
This matches a change made in xcb and improves performance for a small
increase in memory usage.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
The current SIGIO signal handler method, used at generation of input events,
has a bunch of oddities. This patch introduces an alternative way using a
thread, which is used to select() all input device file descriptors.
A mutex was used to control the access to input structures by the main and input
threads. Two pipes to emit alert events (such hotplug ones) and guarantee the
proper communication between them was also used.
Co-authored-by: Fernando Carrijo <fcarrijo@freedesktop.org>
Signed-off-by: Tiago Vignatti <tiago.vignatti@nokia.com>
v2: Fix non-Xorg link. Enable where supported by default.
This also splits out the actual enabling of input threads to
DDX-specific patches which follow
v3: Make the input lock recursive
v4: Use regular RECURSIVE_MUTEXes instead of rolling our own
Respect the --disable-input-thread configuration option by
providing stubs that expose the same API/ABI.
Respond to style comments from Peter Hutterer.
v5: use __func__ in inputthread debug and error mesages.
Respond to style comments from Peter Hutterer.
v6: use AX_PTHREAD instead of inlining pthread tests.
Suggested by Emil Velikov <emil.l.velikov@gmail.com>
v7: Use pthread_sigmask instead of sigprocmask when using threads
Suggested by Adam Jackson <ajax@redhat.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This removes all of the SIGIO handling support used for input
throughout the X server, preparing the way for using threads for input
handling instead.
Places calling OsBlockSIGIO and OsReleaseSIGIO are marked with calls
to stub functions input_lock/input_unlock so that we don't lose this
information.
xfree86 SIGIO support is reworked to use internal versions of
OsBlockSIGIO and OsReleaseSIGIO.
v2: Don't change locking order (Peter Hutterer)
v3: Comment weird && FALSE in xf86Helper.c
Leave errno save/restore in xf86ReadInput
Squash with stub adding patch (Peter Hutterer)
v4: Leave UseSIGIO config parameter so that
existing config files don't break (Peter Hutterer)
v5: Split a couple of independent patch bits out
of kinput.c (Peter Hutterer)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
By the time we get to ComputeLocalClient, we've already done
NextAvailableClient → ReserveClientIds → DetermineClientCmd (assuming
we're built with #define CLIENTIDS), so we can look up the name of the
client process and refuse to treat ssh's X forwarding as if it were
local.
v2: (Michel Dänzer)
* Only match "ssh" itself, not other executable names starting with
that prefix.
* Ignore executable path for the match.
v3: (Michel Dänzer)
* Use GetClientCmdName (Mark Kettenis)
* Perform check on Windows as well, but only ignore path on Cygwin
(Martin Peres, Emil Velikov, Jon Turney)
v4: (Michel Dänzer)
* Cut of any colon and whatever comes after it. (Adam Jackson)
* Add bugzilla reference.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93261
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
The type of fd_mask was changed in Cygwin 2.4.0 headers from 'long' to
'unsigned long'. This exposes an existing problem with winauth.c, which
includes Xwindows.h (which includes windows.h, which defines WIN32),
before including osdep.h, which causes the now conflicting definition of
fd_mask in osdep.h to be exposed:
In file included from ../os/osdep.h:198:18: error: conflicting types for
‘fd_mask’ typedef long int fd_mask; /usr/include/sys/select.h:46:23:
note: previous declaration of ‘fd_mask’ was here typedef unsigned long
fd_mask;
Adjust the include guards in osdep.h to make sure we only use WIN32
guarded code when not compiling for Cygwin (i.e. WIN32 && !__CYGWIN__)
This isn't a very elegant, but unfortunately appears to be the best
solution, since it doesn't seem to be possible to write the test in a
positive form.
Future work: Should also audit of all the other uses of WIN32 in
xserver, and make sure they are correct.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Removed from xtrans in 2012, and never wired up in the modular build
anyway.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
When -displayfd is looping through the possible display ids to use,
if it can't open all the listening sockets for one (say when :0 is
already in use), it calls CloseWellKnownConnections to close all
the ListenTransConns entries before the point that ListenTransFds
was allocated & initialized, so CloseWellKnownConnections would
segfault trying to read entries from a NULL ListenTransFds pointer.
Introduced by commit 7b02f0b8
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Fixes https://bugs.freedesktop.org/show_bug.cgi?id=93212
Previously all X servers started with -displayfd would overwrite
Xorg.0.log - now a temporary name of Xorg.pid-<pid>.log is used
until after -displayfd finds an open display - then it is renamed
to the traditional Xorg.<display>.log name.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Replace the custom path for dealing with new incoming connections with
the general-purpose NotifyFd API.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This removes the block and wakeup handlers and replaces them with a
combination of a NotifyFd callback and timers.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This adds the ability to be notified when a file descriptor is
available for writing.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This provides a callback-based interface to monitor file
descriptors beyond the usual client and device interfaces.
Modules within the server using file descriptors for reading and/or
writing can call
Bool SetNotifyFd(int fd, NotifyFdProcPtr notify_fd, int mask, void *data);
mask can be any combination of X_NOTIFY_READ and X_NOTIFY_WRITE.
When 'fd' becomes readable or writable, the notify_fd function will be
called with the 'fd', the ready conditions and 'data' values as arguments,
When the module no longer needs to monitor the fd, it will call
void RemoveNotifyFd(int fd);
RemoveNotifyFd may be called from the notify function.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This allows the server to call GetTimeInMillis() after each request is
processed to avoid needing setitimer. -dumbSched now turns off the
setitimer.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Globally replace #ifdef and #if defined usage of 'sun' with '__sun'
such that strict ISO compiler modes such as -ansi or -std=c99 can be used.
Signed-off-by: Richard PALO <richard@NetBSD.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
In WaitForSomething(), the fd_set clientsWritable may be used
unitialized when the boolean AnyClientsWriteBlocked is set in the
WakeupHandler(). This leads to a crash in FlushAllOutput() after
x11proto's commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7.
The problem did not manifest before because both the XFD_SIZE and the
maximum number of clients were set to 256. As the connectionTranslation
table was initalized for the 256 clients to 0, the test on the index not
being 0 was aborting before dereferencing the client #0.
As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the
XFD_SIZE got bumped to 512. This lead the OutputPending fd_set to have
any fd above 256 to be uninitialized which in turns lead to reading an
index after the end of the ConnectionTranslation table. This index would
then be used to find the client corresponding to the fd marked as
pending writes and would also result to an out-of-bound access which
would usually be the fatal one.
Fix this by zeroing the clientsWritable fd_set at the beginning of
WaitForSomething(). In this case, the bottom part of the loop, which
would indirectly call FlushAllOutput, will not do any work but the next
call to select will result in the execution of the right codepath. This
is exactly what we want because we need to know the writable clients
before handling them. In the end, it also makes sure that the fds above
MaxClient are initialized, preventing the crash in FlushAllOutput().
Thanks to everyone involved in tracking this one down!
Reported-by: Karol Herbst <freedesktop@karolherbst.de>
Reported-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
Tested-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Tested-by: Martin Peres <martin.peres@linux.intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316
Cc: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: Olivier Fourdan <ofourdan@redhat.com
Cc: Adam Jackson <ajax@redhat.com>
Cc: Alan Coopersmith <alan.coopersmith@oracle.com
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
xdmcp.c:1404:1: warning: function 'XdmcpFatal' could be declared with attribute 'noreturn'
[-Wmissing-noreturn,Semantic Issue]
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
xdmauth.c:230:13: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of
type
'int'
which may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^
xdmauth.c:230:13: note: use function 'labs' instead [Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^~~
labs
xdmauth.c:302:9: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of type
'int' which
may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^
xdmauth.c:302:9: note: use function 'labs' instead [Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^~~
labs
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
These extensions were accessing internal OS functions and
structures. Expose the necessary functionality to them and remove
their use of osdep.h
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
There was a complicated scheme to increase the time between keepalives
from 3 minutes up to as much as 24 hours in an attempt to reduce
network traffic from idle X terminals. X terminals receiving X
traffic, or receiving user input would use the 3 minute value; X
terminals without any network traffic would use a longer value.
However, this was actually broken -- any activity in the X server,
either client requests or user input, would end up resetting the
keepalive timeout, so a user mashing on the keyboard would never
discover that the XDMCP master had disappeared and have the session
terminated, which was precisely the design goal of the XDMCP keepalive
mechanism.
Instead of attempting to fix this, accept the cost of a pair of XDMCP
packets once every three minutes and just perform keepalives
regularly.
This will also make reworking the block and wakeup handler APIs to
eliminate select masks easier.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
The X server used to wait for the user to hit a key or move the mouse
before restarting the session after a keepalive failure. This,
presumably, was to avoid having the X server continuously spew XDMCP
protocol on the network while the XDM server was dead.
Switching into this state was removed from the server some time before
XFree86 4.3.99.16, so the remaining bits of code have been dead for
over a decade, and no-one ever noticed.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Commit 4b4b9086 "os: support new implicit local user access mode [CVE-2015-3164
2/3]" carefully places the relevant code it adds under !NO_LOCAL_CLIENT_CRED,
but unfortunately doesn't notice that NO_LOCAL_CLIENT_CRED is defined as a
side-effect in the middle of GetLocalClientCreds(), so many of these checks
precede its definition.
Move the check if NO_LOCAL_CLIENT_CRED should be defined to configure.ac, so it
always occurs before it's first use.
v2:
Move check to configure.ac
v3:
Use AC_CACHE_CHECK and name cache varaible appropriately
[ajax: Massaged commit message]
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Ray Strode <rstrode@redhat.com>
Commit 94ab7455 added SA_RESTART to the SIGALRM handler. However, the
Popen code tears down and recreates the SIGALRM handler via OsSignal(),
and this flag is dropped at this time.
Clean the code to use just a single codepath for creating this signal
handler, always applying SA_RESTART.
[ajax: Fixed commit id]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
The X server frequently deals with SIGIO and SIGALRM interruptions.
If process execution is inside certain blocking system calls
when these signals arrive, e.g. with the kernel blocked on
a contended semaphore, the system calls will be interrupted.
Some system calls are automatically restartable (the kernel re-executes
them with the same parameters once the signal handler returns) but
only if the signal handler allows it.
Set SA_RESTART on the signal handlers to enable this convenient
behaviour.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Make the maximum number of clients user configurable, either from the command
line or from xorg.conf
This patch works by using the MAXCLIENTS (raised to 512) as the maximum
allowed number of clients, but allowing the actual limit to be set by the
user to a lower value (keeping the default of 256).
There is a limit size of 29 bits to be used to store both the client ID and
the X resources ID, so by reducing the number of clients allowed to connect to
the X server, the user can increase the number of X resources per client or
vice-versa.
Parts of this patch are based on a similar patch from Adam Jackson
<ajax@redhat.com>
This now requires at least xproto 7.0.28
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
backtrace.c uses a word size provided by libunwind. In some
architectures like MIPS, libunwind makes that word size 64-bit for all
variants of the architecture.
In the lines #90 and #98, backtrace.c tries to do a cast to a pointer,
which fails in all MIPS variants with 32-bit pointers, like MIPS32 or
MIPS64 n32, because it's trying to do a cast from a 64-bit wide variable
to a 32-bit pointer:
Making all in os
make[2]: Entering directory
`/home/test/test/1/output/build/xserver_xorg-server-1.15.1/os'
CC WaitFor.lo
CC access.lo
CC auth.lo
CC backtrace.lo
backtrace.c: In function 'xorg_backtrace':
backtrace.c:90:20: error: cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
if (dladdr((void *)(pip.start_ip + off), &dlinfo) &&
dlinfo.dli_fname &&
^
backtrace.c:98:13: error: cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
(void *)(pip.start_ip + off));
^
cc1: some warnings being treated as errors
make[2]: *** [backtrace.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
Making the cast to a pointer-sized integer, and then to a pointer fixes
the problem.
Related:
https://bugs.freedesktop.org/show_bug.cgi?id=79939
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.
This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.
Xwayland, on the other hand is new, and much more targeted
in scope. It could, in theory, be changed to allow the much
more secure default of a "user who started X server can connect
clients to that server."
This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior. They merely need to call
LocalAccessScopeUser()
in their init functions.
A subsequent commit will add that call for Xwayland.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
xorg/xserver/os/utils.c: In function ‘Win32TempDir’:
xorg/xserver/os/utils.c:1643:1: warning: old-style function definition [-Wold-style-definition]
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Xtrans.h must be included on WIN32 to prototype _XSERVTransWSAStartup()
xserver/os/xdmcp.c: In function ‘get_addr_by_name’:
xserver/os/xdmcp.c:1483:5: error: implicit declaration of function ‘_XSERVTransWSAStartup’ [-Werror=implicit-function-declaration]
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Wrapper for realloc() that checks for overflow when multiplying
arguments together, so we don't have to add overflow checks to
every single call. For documentation on usage, see:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Acked-by: Matt Turner <mattst88@gmail.com>
The xnfcalloc() macro took two arguments but simply multiplied them
together without checking for overflow and defeating any overflow
checking that calloc() might have done. Let's not do that.
The original XNFcalloc() function is left for now to preserve driver
ABI, but is marked as deprecated so it can be removed in a future round
of ABI break/cleanup.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
XdmcpFatal uses the format specifier %*.*s, which vpnprintf() doesn't
understand, which causes a backtrace and prevents the reason for the XDMCP
failure being logged.
See also:
https://bugs.freedesktop.org/show_bug.cgi?id=66862https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758574
"%*.*s" is also currently used in a few other places, so teach vpnprintf() how
to handle it
$ fgrep -r "%*.*s" *
hw/dmx/config/scanner.l: fprintf(stderr, "parse error on line %d at token \"%*.*s\"\n",
hw/dmx/dmxlog.c: ErrorF("(%s) dmx[i%d/%*.*s]: ", type,
hw/dmx/input/dmxinputinit.c: dmxLogCont(dmxInfo, "\t[i%d/%*.*s",
os/access.c: ErrorF("Xserver: siAddrMatch(): type = %s, value = %*.*s -- %s\n",
os/access.c: ("Xserver: siCheckAddr(): type = %s, value = %*.*s, len = %d -- %s\n",
os/xdmcp.c: FatalError("XDMCP fatal error: %s %*.*s\n", type,
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
In X server 1.17, the default configuration is now -nolisten tcp. In this
configuration, XDMCP options don't work usefully, as the X server is not
listening on the port for the display that it tells the display manager to
connect to.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Since _XSERVTransClose frees the connection pointer passed to it,
remove that pointer from the array, so we don't try to double free it
if we come back into CloseWellKnownConnections again.
Should fix https://bugzilla.yoctoproject.org/show_bug.cgi?id=6665 in which
the shutdown section of the main() loop called CloseWellKnownConnections()
and then moved on to ddxGiveUp(), which failed to release the VT and thus
called AbortServer(), which called CloseWellKnownConnections() again.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This was reported on irc on Fedora when rawhide went to 1.17.1.
regression occured in: 2566835b43
os: Eliminate uninitialized value warnings from access.c
siAddrMatch doesn't need addr to be a useful value, it checks
some things like localuser without having an address at all.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Use typedefs to work around dtrace dropping const qualifiers from probe
arguments when generating Xserver-dtrace.h. Add new probes.h header to
avoid having to replicate these typedefs in every file with dtrace probes.
Gets rid of these warnings from gcc 4.8:
getevents.c:1096:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' discards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1096:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1651:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1651:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1791:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1791:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1921:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1921:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
I'm interested in copying this code to the mesa project, but before
doing that it seems prudent to have the license and copyright
attributions in place before copying that. To get this list of names I
went through:
git log -- os/xsha1.c
and:
git log -- render/glyph.c
Signed-off-by: Keith Packard <keithp@keithp.com>
Gets rid of gcc 4.8 warning:
osinit.c:211:9: warning: ISO C90 forbids mixed declarations and code
[-Wdeclaration-after-statement]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
When (long) is larger than (int), and when realloc succeeds with sizes
larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count
overflow and become negative.
When ConnectionOutput->count is negative, InsertIOV does not actually
insert an IOV, and FlushClient goes into an infinite loop of writev(fd,
iov, 0) [an empty list].
Avoid this situation by killing the client when it has more than INT_MAX
unread bytes of data.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
ErrorFSigSafe calls LogVMessageVerbSigSafe with the message type set to X_ERROR.
That generates this in the log:
(EE) Server terminated successfully (0). Closing log file.
People periodically report this as an error, sometimes quoting this "error"
rather than an earlier error that actually caused a problem.
v2: Use X_INFO instead of X_NOTICE
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
The ConvertAddr function doesn't reliably set the 'addr' return value,
and so callers are getting flagged for using potentially uninitialized
values. Initialize the value in the callers to NULL and then go ahead
and check for NULL values before using them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-displayfd should check ports up to 65535
Noticed during https://cygwin.com/ml/cygwin-xfree/2014-07/msg00024.html
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
In the unlikely event of a failure in creating processes, signal
masks will fall from the panels above you. Secure your mask before
telling your child what to do, since it won't exist, and you will
instead cause the server itself to be replaced by a shell running
the target program.
Found by Coverity #53397: Missing break in switch
Execution falls through to the next case statement or default;
this might indicate a common typo.
In System: Missing break statement between cases in switch statement (CWE-484)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Keith Packard <keithp@keithp.com>
This disables the tcp listen socket by default. Then, it
uses a new xtrans interface, TRANS(Listen), to provide a command line
option to re-enable those if desired.
v2: Leave unix socket enabled by default. Add configure options.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
$ gcc --version
gcc (Gentoo 4.4.3-r2 p1.2) 4.4.3
/jhbuild/checkout/xorg/xserver/os/log.c: In function ‘LogInit’:
/jhbuild/checkout/xorg/xserver/os/log.c:199: error: #pragma GCC diagnostic not allowed inside functions
/jhbuild/checkout/xorg/xserver/os/log.c:201: warning: format not a string literal, argument types not checked
/jhbuild/checkout/xorg/xserver/os/log.c:212: error: #pragma GCC diagnostic not allowed inside functions
/jhbuild/checkout/xorg/xserver/os/log.c:214: warning: format not a string literal, argument types not checked
etc.
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This should have been part of d0da0e9c3b
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Almost every situation of someone running indirect GLX is a mistake
that results in X Server crashes. Indirect GLX is the cause of
regular security vulnerabilities, and rarely provides any capability
to the user. Just disable it unless someone wants to enable it for
their special use case (using +iglx on the command line).
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
In commit e67f2d7e0f ("gcc 4.2.1 doesn't
support #pragma GCC diagnostic ignored"), some compile time
conditionals were added around the #pragma usage. Those conditionals
ensure that the #pragma are not used on gcc <= 4.2.
However, the usage of #pragma diagnostic inside functions was only
added in gcc 4.6, and a build failure is therefore experienced with
gcc 4.5:
log.c: In function 'LogInit':
log.c:199:9: error: #pragma GCC diagnostic not allowed inside functions
log.c:201:9: warning: format not a string literal, argument types not checked
log.c:212:9: error: #pragma GCC diagnostic not allowed inside functions
log.c:214:17: warning: format not a string literal, argument types not checked
$ ./host/usr/bin/powerpc-linux-gnu-gcc -v
[...]
gcc version 4.5.2 (Sourcery G++ Lite 2011.03-38)
This patch therefore adjusts the compile time conditionals to make
sure the #pragma is not used on gcc <= 4.5, and only used on gcc >=
4.6.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Regenerate os/oscolor.c from rgb.txt. This adds the following
colors: aqua, lime, fuchsia, crimson, indigo, olive, rebecca
purple, silver and teal. It also adds versions of gray, grey,
green, maroon and purple prefixed with web and x11 for the
colors that are different between X11 and HTML/CSS web colors.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=52289
Related: https://bugs.freedesktop.org/show_bug.cgi?id=80371
Signed-off-by: nobody
Tested-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
pharris says that the resets should not be done in the hotplugging case.
This may fix a crash reported against XQuartz:
http://xquartz.macosforge.org/trac/ticket/869
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Peter Harris <pharris@opentext.com>
The comment lies, shm hasn't used this code since:
commit fdef7be5c8
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Tue Oct 9 18:44:04 2007 -0700
Sun bug 6589829: include zoneid of shm segment in access [...]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Even though -Wcomment doesn't mind it (in gcc or clang), the appearance
of */* confuses the syntax highlighter of some editors (eg. vim), and
causes warnings in MSVC.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Enrico Weigelt, metux IT consult
Matthieu Herrb
Peter Hutterer
Alan Coopersmith
Zoltán Böszörményi
Jan Beich
Sam James
Simon Ser
Jeremy Huddleston Sequoia
Julian Orth
Peter Harris
Aaron Plattner
Povilas Kanapickas
nerdopolis
Boris-Barboris
Olivier Certner
Olivier Fourdan
Claes Nästén
Jeremie Courreges-Anglas
Adam Jackson
Bernhard Übelacker
Daniel Llewellyn
Jon Turney
Topi Miettinen
Andreas Fett
Alexander Volkov
Eric Anholt
Lyude Paul
Damien Leone
Chris Wilson
Thierry Reding
Antoine Martin
Nicolai Hähnle
Jeffrey Smith
Michal Srb
Tomasz Śniatowski
Daniel Martin
Emil Velikov
Keith Packard
Michel Dänzer
Mihail Konev
Brian M. Clapper
Reinhard Max
Jonas Ådahl
Richard PALO
Martin Peres
Daniel Drake
Vicente Olivert Riera
Ray Strode
Colin Harrison
Dave Airlie
Nikhil Mahale
Carl Worth
Thomas Petazzoni
Daphne Pfister