From 914938e9682a41b1571bc4416d366a9ff74e4742 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Jan 11 2019 12:35:35 +0000
Subject: More Xwayland/Present fixes from upstream
---
diff --git a/0001-present-wnmd-Fix-use-after-free-on-CRTC-removal.patch b/0001-present-wnmd-Fix-use-after-free-on-CRTC-removal.patch
new file mode 100644
index 0000000..9ac7ea8
--- /dev/null
+++ b/0001-present-wnmd-Fix-use-after-free-on-CRTC-removal.patch
@@ -0,0 +1,69 @@
+From f89518e17f7d507734af212785e0b3e47954f603 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 22 Oct 2018 11:48:25 +0200
+Subject: [PATCH xserver] present/wnmd: Fix use after free on CRTC removal
+
+Xwayland will add and remove CRTCs as Wayland outputs are added or
+removed.
+
+If there is a pending flip when this occurs, the
+`xwl_present_sync_callback()` will be triggered after the Xwayland
+output's RRCtrcPtr has been destroyed, hence causing a crash in Xwayland
+while trying to use freed memory:
+
+ #1 abort ()
+ #2 OsAbort () at utils.c:1350
+ #3 AbortServer () at log.c:877
+ #4 FatalError () at log.c:1015
+ #5 OsSigHandler () at osinit.c:156
+ #6
+ #7 dixGetPrivate () at ../include/privates.h:122
+ #8 dixLookupPrivate () at ../include/privates.h:166
+ #9 present_screen_priv () at present_priv.h:198
+ #10 present_wnmd_flip () at present_wnmd.c:358
+ #11 present_wnmd_execute () at present_wnmd.c:466
+ #12 present_wnmd_re_execute () at present_wnmd.c:80
+ #13 xwl_present_sync_callback () at xwayland-present.c:287
+ #14 ffi_call_unix64 () from /lib64/libffi.so.6
+ #15 ffi_call () from /lib64/libffi.so.6
+ #16 wl_closure_invoke () at src/connection.c:1006
+ #17 dispatch_event () at src/wayland-client.c:1427
+ #18 dispatch_queue () at src/wayland-client.c:1573
+ #19 wl_display_dispatch_queue_pending () at src/wayland-client.c:1815
+ #20 wl_display_dispatch_pending () at src/wayland-client.c:1878
+ #21 xwl_read_events () at xwayland.c:814
+ #22 ospoll_wait () at ospoll.c:651
+ #23 WaitForSomething () at WaitFor.c:208
+ #24 Dispatch () at ../include/list.h:220
+ #25 dix_main () at main.c:276
+
+To avoid the issue, get the `ScreenPtr` from the window instead of the
+CRTC that might have been just freed, `xwl_present_flip()` has no use
+for the CRTC anyway.
+
+Bugzilla: https://bugs.freedesktop.org/108249
+Suggested-by: Michel Daenzer
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Michel Daenzer
+Reviewed-by: Peter Hutterer
+(cherry picked from commit b768b7d6cec41b8b320c468ec41aab5a8b49b27b)
+---
+ present/present_wnmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/present/present_wnmd.c b/present/present_wnmd.c
+index 8f3836440..2c6412a72 100644
+--- a/present/present_wnmd.c
++++ b/present/present_wnmd.c
+@@ -354,7 +354,7 @@ present_wnmd_flip(WindowPtr window,
+ Bool sync_flip,
+ RegionPtr damage)
+ {
+- ScreenPtr screen = crtc->pScreen;
++ ScreenPtr screen = window->drawable.pScreen;
+ present_screen_priv_ptr screen_priv = present_screen_priv(screen);
+
+ return (*screen_priv->wnmd_info->flip) (window,
+--
+2.20.1
+
diff --git a/0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch b/0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch
new file mode 100644
index 0000000..b2b89af
--- /dev/null
+++ b/0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch
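Review bot: The new `ScreenPtr screen = window->drawable.pScreen;` stops dereferencing `crtc` in present_wnmd_flip, but the possibly-freed pointer is presumably still forwarded to `screen_priv->wnmd_info->flip` on the following line (its argument list continues outside the hunk), so correctness now rests on every wnmd flip implementation never touching `crtc` on this deferred path. That contract lives only in the commit message; a comment at the changed line would keep it next to the code: `/* crtc may already have been destroyed when a deferred flip runs (Xwayland drops CRTCs with their outputs): take the screen from the window and never dereference crtc here */`. Confirming that the hw/xwayland flip hook really ignores its CRTC argument would close the loop. The function's signature and the rest of its body are outside the hunk.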
@@ -0,0 +1,48 @@
+From 64f5e6ec2d297f90e9b9785a1cb7285d609a1877 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
+Date: Fri, 19 Oct 2018 18:27:37 +0200
+Subject: [PATCH xserver] xwayland: Plug leaks in xwl_present_sync_callback
+
+xwl_present_window->sync_callback was leaked.
+
+The event memory was leaked if the corresponding buffer had already been
+released.
+
+(cherry picked from commit cb0de153bf0c486da7e968ab0f258c9c0c9ed34a)
+---
+ hw/xwayland/xwayland-present.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
+index 316e04443..fb5c6499e 100644
+--- a/hw/xwayland/xwayland-present.c
++++ b/hw/xwayland/xwayland-present.c
+@@ -274,6 +274,9 @@ xwl_present_sync_callback(void *data,
+ struct xwl_present_event *event = data;
+ struct xwl_present_window *xwl_present_window = event->xwl_present_window;
+
++ wl_callback_destroy(xwl_present_window->sync_callback);
++ xwl_present_window->sync_callback = NULL;
++
+ event->pending = FALSE;
+
+ if (event->abort) {
+@@ -289,12 +292,14 @@ xwl_present_sync_callback(void *data,
+ xwl_present_window->ust,
+ xwl_present_window->msc);
+
+- if (event->buffer_released)
++ if (event->buffer_released) {
+ /* If the buffer was already released, send the event now again */
+ present_wnmd_event_notify(xwl_present_window->window,
+ event->event_id,
+ xwl_present_window->ust,
+ xwl_present_window->msc);
++ xwl_present_free_event(event);
++ }
+ }
+
+ static const struct wl_callback_listener xwl_present_sync_listener = {
+--
+2.20.1
+
diff --git a/0001-xwayland-handle-case-without-any-crtc.patch b/0001-xwayland-handle-case-without-any-crtc.patch
new file mode 100644
index 0000000..8985ec6
--- /dev/null
+++ b/0001-xwayland-handle-case-without-any-crtc.patch
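Review bot: The `wl_callback_destroy(xwl_present_window->sync_callback)` / `= NULL` pair is placed before the `event->abort` check, and that placement is what closes the proxy leak on the early-exit path, but nothing at those lines says so; a comment such as `/* one-shot wl_callback: release the proxy before any early return below */` would stop a later refactor from moving it past the abort branch. In the second hunk `xwl_present_free_event(event)` runs only when `buffer_released` is set; when it is not, ownership of the event presumably passes to the buffer-release handler, which is worth stating in the existing comment so the two free sites are visibly paired. Both hunks sit inside xwl_present_sync_callback, whose head and the abort branch body are outside the hunk.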
@@ -0,0 +1,62 @@
+From a352f979545723054b0a74862a56dc53b1be93fb Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 8 Jan 2019 12:48:53 +0100
+Subject: [PATCH xserver] xwayland: handle case without any crtc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Xwayland creates and destroys the CRTC along with the Wayland outputs,
+so there is possibly a case where the number of CRTC drops to 0.
+
+However, `xwl_present_get_crtc()` always return `crtcs[0]` which is
+invalid when `numCrtcs` is 0.
+
+That leads to crash if a client queries the Present capabilities when
+there is no CRTC, the backtrace looks like:
+
+ #0 raise() from libc.so
+ #1 abort() from libc.so
+ #2 OsAbort() at utils.c:1350
+ #3 AbortServer() at log.c:879
+ #4 FatalError() at log.c:1017
+ #5 OsSigHandler() at osinit.c:156
+ #6 OsSigHandler() at osinit.c:110
+ #7
+ #8 main_arena() from libc.so
+ #9 proc_present_query_capabilities() at present_request.c:236
+ #10 Dispatch() at dispatch.c:478
+ #11 dix_main() at main.c:276
+
+To avoid returning an invalid pointer (`crtcs[0]`) in that case, simply
+check for `numCrtcs` being 0 and return `NULL` in that case.
+
+Thanks to Michel Dänzer for pointing this as a
+possible cause of the crash.
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Michel Dänzer
+Bugzilla: https://bugzilla.redhat.com/1609181
+(cherry picked from commit e8295c50209f2963fa2823e8de7e8363a38cd2d1)
+---
+ hw/xwayland/xwayland-present.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
+index 980034db4..74fe84672 100644
+--- a/hw/xwayland/xwayland-present.c
++++ b/hw/xwayland/xwayland-present.c
+@@ -323,6 +323,10 @@ xwl_present_get_crtc(WindowPtr present_window)
+ return NULL;
+
+ rr_private = rrGetScrPriv(present_window->drawable.pScreen);
++
++ if (rr_private->numCrtcs == 0)
++ return NULL;
++
+ return rr_private->crtcs[0];
+ }
+
+--
+2.20.1
+
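Review bot: The added `if (rr_private->numCrtcs == 0) return NULL;` makes a NULL CRTC a normal return of xwl_present_get_crtc (next to the existing `return NULL;` context line above it), so every caller of the wnmd get_crtc hook must tolerate NULL; the backtrace in the message names proc_present_query_capabilities as one such caller, and the hunk cannot show it being NULL-safe. Because numCrtcs drops to 0 at runtime whenever the last Wayland output goes away, that contract belongs on the function rather than only in the commit: `/* Returns NULL when no CRTC currently exists (all Wayland outputs removed); callers must check before dereferencing. */`. The function head and its callers are outside the hunk.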
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 55383d5..ad810d4 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -46,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.3
-Release: 2%{?gitdate:.%{gitdate}}%{?dist}
+Release: 3%{?gitdate:.%{gitdate}}%{?dist}
URL: http://www.x.org License: MIT Group: User Interface/X
@@ -106,6 +106,11 @@ Patch14: 0004-xwayland-Replace-xwl_window-present_window-with-pres.patch Patch15: 0005-xwayland-Add-xwl_present_unrealize_window.patch Patch16: 0006-xwayland-Don-t-need-xwl_window-anymore-in-xwl_presen.patch Patch17: 0007-xwayland-Don-t-take-buffer-release-queue-into-accoun.patch
+Patch18: 0001-xwayland-Plug-leaks-in-xwl_present_sync_callback.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1609181
+Patch19: 0001-xwayland-handle-case-without-any-crtc.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1661748
+Patch20: 0001-present-wnmd-Fix-use-after-free-on-CRTC-removal.patch
BuildRequires: systemtap-sdt-devel BuildRequires: git
@@ -540,6 +545,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog
+* Fri Jan 11 2019 Olivier Fourdan - 1.20.3-3
+- More Xwayland/Present fixes from upstream (rhbz#1609181, rhbz#1661748)
+
* Thu Dec 06 2018 Olivier Fourdan - 1.20.3-2 - Xwayland/Present fixes from master upstream
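Review bot: The Patch18–Patch20 entries are added in the second hunk but no matching `%patch18`/`%patch19`/`%patch20` application lines appear anywhere in the diff; if this spec's %prep applies every `%{patches}` entry generically (for example through `git am`) that is fine, otherwise the three fixes would be listed but never applied, and %prep is outside the diff so this should be confirmed. Patch18 is also the only new entry without a traceability comment, unlike the two below it; `# upstream cb0de153bf0c486da7e968ab0f258c9c0c9ed34a` (the cherry-pick id recorded inside the patch) would match the style of its neighbours. Patch18 and Patch19 both modify hw/xwayland/xwayland-present.c from different upstream blobs (316e04443 vs 980034db4 per the added patch files), so their order relative to Patch14–Patch17 is presumably load-bearing and worth a one-line comment.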