commit bc111a2e67e16d4e6d4f3196ab86c22c1e278c45
Author: Matt Turner <mattst88@gmail.com>
Date:   Tue Dec 1 10:55:00 2020 -0500

    xserver 1.20.10
    
    Signed-off-by: Matt Turner <mattst88@gmail.com>

commit 06d1a032ee491547f7037c3ff042065dc2aeaa99
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Thu Nov 12 19:15:07 2020 +0100

    Check SetMap request length carefully.
    
    Avoid out of bounds memory accesses on too short request.
    
    ZDI-CAN 11572 /  CVE-2020-14360
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 446ff2d3177087b8173fa779fa5b77a2a128988b)

commit 7ccb3b0eabb4658daf0ecb2c78a53609ae2c263b
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sun Oct 11 17:05:09 2020 +0200

    Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows
    
    ZDI-CAN 11389 / CVE-2020-25712
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 87c64fc5b0db9f62f4e361444f4b60501ebf67b9)

commit 440ed5948ba5818abf5ea5fdc5a9d98514658fd3
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Dec 1 11:25:31 2020 +0100

    present/wnmd: Translate update region to screen space
    
    The region as passed in is in the source pixmap's coordinate space, so
    intersecting it with the clipList (which is in screen space) resulted in
    disappointment.
    
    Fixes Firefox popups such as the hamburger menu when using the EGL
    backend.
    
    v2:
    * Drop vblank->x/y_off from RegionTranslate call, since they're always
      0 here (present_wnmd_check_flip rejects flips for x/y_off != 0).
    
    Reported-by: Robert Mader <robert.mader@posteo.de>
    Tested-by: Robert Mader <robert.mader@posteo.de>
    Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
    Tested-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> # v1
    (cherry picked from commit 466b8b43fb355c6040cee45406860b8b8c04e948)

commit 54f9af1c61bd10e2e65cbb17069e0c9ec1f9a2c5
Author: Kishore Kadiyala <kishore.kadiyala@intel.com>
Date:   Tue Dec 1 11:13:51 2020 +0100

    modesetting: keep going if a modeset fails on EnterVT
    
    There was a time when setting a mode on a CRTC would not depend on the
    associated connector's state. If a mode had been set successfully once,
    it would mean it would work later on.
    
    This changed with the introduction of new connectors type that now
    require a link training sequence (DP, HDMI 2.0), and that means that
    some events may have happened while the X server was not master that
    would then prevent the mode from successfully be restored to its
    previous state.
    
    This patch relaxes the requirement that all modes should be restored on
    EnterVT, or the entire X-Server would go down by allowing modesets to
    fail (with some warnings). If a modeset fails, the CRTC will be
    disabled, and a RandR event will be sent for the desktop environment to
    fix the situation as well as possible.
    
    Additional patches might be needed to make sure that the user would
    never be left with all screens black in some scenarios.
    
    v2 (Martin Peres):
     - whitespace fixes
     - remove the uevent handling (it is done in a previous patch)
     - improve the commit message
     - reduce the size of the patch by not changing lines needlessly
     - return FALSE if one modeset fails in ignore mode
     - add comments/todos to explain why we do things
     - disable the CRTCs that failed the modeset
    
    Signed-off-by: Kishore Kadiyala <kishore.kadiyala@intel.com>
    Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Tested-by: Kishore Kadiyala <kishore.kadiyala@intel.com>
    Closes: #1010
    (cherry picked from commit efb3abddd49fb75bd6d0e31046fed43d258c93da)

commit bd0f53725b581e4698f5f3ec366a9507bd2556e2
Author: Martin Peres <martin.peres@linux.intel.com>
Date:   Tue Dec 1 11:10:34 2020 +0100

    modesetting: check the kms state on EnterVT
    
    Normally, we would receive a uevent coming from Linux's DRM subsystem,
    which would trigger the check for disappearing/appearing resources.
    However, this event is not received when X is not master (another VT
    is selected), and so the userspace / desktop environment would not be
    notified about the changes that happened while X wasn't master.
    
    To fix the issue, this patch forces a refresh on EnterVT by splitting
    the kms-checking code from the uevent handling into its own (exported)
    function called drmmode_update_kms_state. This function is then called
    from both the uevent-handling function, and on EnterVT right before
    restoring the modes.
    
    Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Acked-by: Kishore Kadiyala <kishore.kadiyala@intel.com>
    Tested-by: Kishore Kadiyala <kishore.kadiyala@intel.com>
    (cherry picked from commit 293cf660c95d7ba36510bcc4114d7fd5c5f3801c)

commit 5c400cae1f9817045378966effa6bca91e45aead
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Oct 27 16:33:55 2020 +0100

    configure: Build hashtable for Xres and glvnd
    
    With autoconf, hashtable support is built along with Xres support.
    
    Yet, glvnd also use it, so when disabling Xres from configure, the
    build will fail at link time because hashtable functions are not
    available.
    
    Untie the build of hashtable from Xres support, just like meson build
    does.
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1091
    (cherry picked from commit 899cebb76ab7754fea49f7babcd64a7e94052cc8)

commit 253569a3d281996d7c84041020e14313756900da
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Thu Nov 5 18:35:54 2020 +0100

    xwayland: Create an xwl_window for toplevel only
    
    One general assumption in Xwayland is that the xwl_window remains the
    same for all the child windows of the toplevel window.
    
    When mapping a new X11 window, ensure_surface_for_window() checks for an
    existing xwl_window by using xwl_window_get() which will just check for
    the registered xwl_window for the window.
    
    That means that a client mapping a child window of an existing window
    with a xwl_window will get another different xwl_window.
    
    If an X11 client issues a Present request on the parent window, hence
    placed underneath its child window of the same size, the Wayland
    compositor may not send the frame callback event for the parent's
    Wayland surface which is reckoned to be not visible, obscured behind
    the other Wayland surface for the child X11 window.
    
    That bug affects some games running in wine which may get 1 fps because
    the repaint occurs only on timeout with a long interval (as with, e.g.
    https://bugs.winehq.org/show_bug.cgi?id=47066)
    
    Fix ensure_surface_for_window() by using xwl_window_from_window() which
    will walk the window tree, so that a child window won't get another
    xwl_window than its parent.
    
    https://gitlab.freedesktop.org/xorg/xserver/-/issues/1099
    See-also: https://bugs.winehq.org/show_bug.cgi?id=47066
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    (cherry picked from commit 606ba7fc51e5420646f75c4e672fbe61eb7c7e6e)

commit 0811a9ff783c252b3e4d558bf31c6b066b0633e1
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Mon Nov 2 15:44:31 2020 +0100

    xwayland: non-rootless requires the wl_shell protocol
    
    When running non-rootless, Xwayland requires that the Wayland compositor
    supports the wl_shell protocol.
    
    Check for wl_shell protocol support at startup and exit cleanly if
    missing rather than segfaulting later in ensure_surface_for_window()
    while trying to use wl_shell_get_shell_surface().
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    Reviewed-by: Simon Ser <contact@emersion.fr>
    (cherry picked from commit ffd02d9b26bd560849c407a6dd4f5c4d7d2c1736)

commit b3ae038c32870a4a1bb42b6e1cf2ebedc8b7bc8d
Author: Alex Goins <agoins@nvidia.com>
Date:   Mon Oct 5 18:19:52 2020 -0500

    glamor: Update pixmap's devKind when making it exportable
    
    When making a pixmap exportable, glamor will currently create a temporary
    exported pixmap backed by a GBM bo, with the devKind updated to the stride of
    the bo. However, when the backing of the exported pixmap is swapped into the
    original, the devKind of the original is not updated.
    
    Some GBM bos may get implicitly padded, in which case the devKind of the pixmap
    will not match the stride of the backing bo. For example, an 800x600 pixmap will
    have a devKind of 3200, but the bo's stride will be 3328. This can cause
    corruption with PRIME, when the sink uses the wrong stride to display the shared
    pixmap.
    
    This commit changes glamor_make_pixmap_exportable() to update the devKind of the
    original pixmap after it swaps exported pixmap's backing into it, keeping
    everything consistent.
    
    Fixes issue #1018.
    
    Signed-off-by: Alex Goins <agoins@nvidia.com>
    Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    (cherry picked from commit 7a7e55c5c1d6461a9f4d9a4e0129c1c6e1fd3d66)

commit d6c389cb87b220f7005cebf483708267b5f4a1c3
Author: Bernhard Übelacker <bernhardu@mailbox.org>
Date:   Sun Sep 27 18:03:48 2020 +0200

    os: Fix instruction pointer written in xorg_backtrace
    
    The address retrieved in "pip.start_ip" is not necessarily the same
    address as unw_get_proc_name finds as nearest symbol and returns in "off".
    Therefore using "pip.start_ip + off" is not reliable, at least
    visible in the binaries from the Debian repository.
    
    Bug-Debian: https://bugs.debian.org/971088
    
    Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org>
    (cherry picked from commit c15dd0ba4893f79f7181e783cb1ba404edca917a)

commit c3e4c1a0fd5d4d6015e9e6317b758018317e56d1
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Jul 28 18:40:47 2020 +0200

    present/wnmd: Execute copies at target_msc-1 already
    
    It always takes one update cycle for the copy to become visible on the
    host windowing system, so waiting for the target MSC resulted in 1 cycle
    delay.
    
    We re-use the idle list for copies which were executed but need their
    completion event sent.
    
    Fixes black seams when resizing the "Builder" sub-window of
    
     GDK_BACKEND=x11 gtk4-demo
    
    on Xwayland (see
    https://gitlab.gnome.org/GNOME/mutter/-/issues/1290#note_873557).
    
    Unfortunately, this cannot completely fix the seams with apps which
    queue up multiple frames in advance, since there's always at least one
    queued frame corresponding to the old window size. But it should at
    least help a little in that case as well.
    
    v2:
    * Bug fix: Don't update exec_msc in present_wnmd_check_flip_window.
      (Roman Gilg)
    * Use exec_msc = target_msc - 1 instead of exec_msc--, and add a
      comment, for clarity.
    v3:
    * Drop exec_msc = target_msc again in present_wnmd_execute.
    * present_execute_copy should never set vblank->queued in
      present_wnmd_execute now, so replace that branch with an assertion.
      (Roman Gilg)
    
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    Tested-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit 1cccb486d48a5d2e7649836b993805bb65dc09e3)
    [Since present_wnmd_event_notify hasn't been split up on the 1.20
    branch, it needs to check vblank->flip. Doing the same in
    present_wnmd_free_idle_vblanks to be safe, though I'm not sure it's
    actually possible to hit non-flips there.]

commit 96ef31e0f20fcffb2edfe4cb9510f994c188785f
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Jul 28 18:53:45 2020 +0200

    present/wnmd: Move up present_wnmd_queue_vblank
    
    Allowing it to be called from more functions than before. No functional
    change.
    
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    Tested-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit d14ea667feccf085c7d66a7c63f380975e07af66)

commit 669e40390c3679b649db33f0aa4ae4cfdd17e2a9
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Fri Sep 11 17:00:35 2020 +0200

    present: Add present_vblank::exec_msc field
    
    For tracking the MSC when the present can be executed separately from
    the target MSC.
    
    Allows removing the requeue field instead, plus more later.
    
    v2:
    * Rename wait_msc → exec_msc (Roman Gilg)
    * Use exec_msc = target_msc instead of exec_msc++, for clarity.
    * Bug fix: Set exec_msc = target_msc also if present_flip returned
      false in present_execute.
    v3:
    * Set exec_msc = target_msc also if present_wnmd_flip returned
      false in present_wnmd_execute, for consistency.
    v4:
    * Specifically check for exec_msc == crtc_msc + 1 in
      present_execute_wait/copy, to avoid re-introducing
      https://bugs.freedesktop.org/show_bug.cgi?id=94596 .
    
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    Tested-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit b0b3159abd8001fa3f6dfc44a288a95a62aa5cf6)

commit dae234efdb7bba75744aa1697386df3c0db5348a
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Fri Sep 11 17:00:18 2020 +0200

    present: Move flip target_msc adjustment out of present_vblank_create
    
    Preparation for different handling between SCMD & WNMD. No functional
    change intended.
    
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    Tested-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit 4c92dea952f7fed19857904f0f552900257ef4b9)

commit 1930ed233fdec5d22e4fc192769a0126faabb3ea
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Mon Sep 14 15:39:10 2020 +0200

    xwayland: Remove pending stream reference when freeing
    
    The EGLStream backend keeps a queue of pending streams for each Xwayland
    window.
    
    However, when this pending queue is freed, the corresponding private
    data may not be cleared (typically if the pixmap for this window has
    changed before the compositor finished attaching the consumer for the
    window's pixmap's original eglstream), leading to a use-after-free and a
    crash when trying to use that data as the window pixmap.
    
    Make sure to clear the private data when the pending stream is freed.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1055
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Tested-by: Karol Szuster <karolsz9898@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit a5f439dcd21b4fda093cb382bb1a758b434a1444)

commit 1ac389dda89b2882c80767c91bbe88e01818491c
Author: Greg V <greg@unrelenting.technology>
Date:   Tue Sep 15 17:41:04 2020 +0300

    xwayland: use drmGetNodeTypeFromFd for checking if a node is a render one
    
    Major/minor numbers are a.. major (ha) source of pain in FreeBSD porting.
    In this case, Xwayland was thinking that /dev/dri/card0 is already a render node,
    because the st_rdev on FreeBSD was passing the Linux-style check,
    and because of the assumption, acceleration would fail because
    various ioctls like AMDGPU_INFO would be denied on the non-render node.
    
    Switch to libdrm's function that already works correctly on all platforms.
    
    Signed-off-by: Greg V <greg@unrelenting.technology>
    Reviewed-by: Emmanuel Vadot <manu@FreeBSD.org>
    (cherry picked from commit 239ebdc9e447d4f836d0c2aa6068c6064fffb46c)

commit d108c2c82cba242ea5998d7c91254d90d3a5db71
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Sep 11 11:30:18 2020 +0200

    xwayland: Do not discard frame callbacks on allow commits
    
    Currently, when a X11 client (usually the X11 window manager from a
    Wayland compositor) changes the value of the X11 property
    `_XWAYLAND_ALLOW_COMMITS` from `false` to `true`, all pending frame
    callbacks on the window are discarded so that the commit occurs
    immediately.
    
    Weston uses that mechanism to prevent the content of the window from
    showing before it's ready when mapping the window initially, but
    discarding the pending frame callbacks has no effect on the initial
    mapping of the X11 window since at that point there cannot be any frame
    callback on a surface which hasn't been committed yet anyway.
    
    However, discarding pending frame callbacks can be problematic if we
    were to use the same `_XWAYLAND_ALLOW_COMMITS` mechanism to prevent
    damages to be posted before the X11 toplevel is updated completely
    (including the window decorations from the X11 window manager).
    
    Remove the portion of code discarding the pending frame callback,
    Xwayland should always wait for a pending frame callback if there's one
    before posting new damages.
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    https://gitlab.freedesktop.org/xorg/xserver/merge_requests/333
    (cherry picked from commit 66da95a172c4941b75ffedcdaa0138c0a48f11fb)

commit 174cb91d82d643f78d8ba2b9999312b9d7dea98c
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Mon Sep 7 18:40:34 2020 +0200

    present/wnmd: Remove dead check from present_wnmd_check_flip
    
    present_wnmd_toplvl_pixmap_window returns a window with the same window
    pixmap, so the check could never fail.
    
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit b6b1161fd7ac409156fb69439897bcabdeacf393)

commit 51ee6e5ceb0cacc8e2fa225ad5391ffb159e36a0
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Mon Sep 7 18:39:17 2020 +0200

    xwayland: Check window pixmap in xwl_present_check_flip2
    
    We can only flip if the window pixmap matches that of the toplevel
    window. Doing so regardless could cause the toplevel window pixmap to
    get destroyed while it was still referenced by the window, resulting in
    use-after-free and likely a crash.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1033
    Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit 4c25356d6cd908c5030c70e712076dff318ac00d)

commit f4006d795cb199bf7deeb00f542c592db6a5becb
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Mon Sep 7 18:35:10 2020 +0200

    present/wnmd: Can't use page flipping for windows clipped by children
    
    Noticed this was missing while working on the following fix.
    
    v2:
    * Dropped present_wnmd_can_window_flip hunk (that function is never
      called, will be cleaned up in a follow-up MR).
    
    Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> # v1
    Reviewed-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit 7ac303c7b1e3b1be79ba3648e217798683e65a99)

commit 1e84fda2020b12a83c6b9c6d31ab84f993c6176c
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Sep 1 11:24:57 2020 +0200

    xfree86: Take second reference for SavedCursor in xf86CursorSetCursor
    
    The same pointer is kept in CurrentCursor as well, therefore two
    RefCursor calls are needed.
    
    Fixes use-after-free after switching VTs.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
    (cherry picked from commit 919f1f46fc67dae93b2b3f278fcbfc77af34ec58)

commit 8c3c8bda2c44fb3d62b954b02b08e3b1771ef5bc
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Aug 25 17:26:56 2020 +0200

    glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling
    
    (Using GLSL 1.30 or newer)
    
    The width/height members of xRectangle are unsigned, but they were
    being interpreted as signed when converting to floating point for the
    vertex shader, producing incorrect drawing for values > 32767.
    
    v2:
    * Use separate GL_UNSIGNED_SHORT vertex attribute for width/height.
      (Eric Anholt)
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 032af35657aa95c6bbdb74ff8c72e535b9b56cfa)

commit b28c882889cbea9be3748d3dee1b21ba6eb90b66
Author: Arthur Williams <taaparthur@gmail.com>
Date:   Fri Sep 25 04:52:57 2020 +0000

    include: Increase the number of max. input devices to 256.
    
    Extending the decade old f0124ed93, to increase the number of input
    devices from 40 to 256. 40 translates at most 9 MD, while 256 will allow
    63 MD. It is an arbitrary number, but people are hitting the current
    limit under reasonable conditions.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64793
    Signed-off-by: Arthur Williams <taaparthur@gmail.com>
    
    (cherry picked from commit fe439596b99db65bbae35eff1ea0b79db167f8d6)

commit af4c84ce8855e84c0ad89b929bc972e884f0b8e3
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Sep 8 10:03:33 2020 +0200

    Revert "linux: Make platform device probe less fragile"
    
    This reverts commit 74b7427c41b4e4104af7abf70a996c086d3d7628.
    
    https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068

commit 39cb95e959fab97a7e255dda1a1599b096fb0f7e
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Sep 8 10:03:11 2020 +0200

    Revert "linux: Fix platform device PCI detection for complex bus topologies"
    
    This reverts commit 5c96eb5f44e62a4cfe835023cde304eb5795b8fd.
    
    https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068

commit 4b6fce5975c2f931a0478cf4deeec97529b05eb6
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Sep 8 10:01:55 2020 +0200

    Revert "linux: Fix platform device probe for DT-based PCI"
    
    This reverts commit 249a12c54a9316b089bd22683c011519348496df.
    
    https://gitlab.freedesktop.org/xorg/xserver/-/issues/1068

commit afb77415e1fb862c322754230f63bb70fd596943
Author: Matt Turner <mattst88@gmail.com>
Date:   Tue Aug 25 08:23:42 2020 -0700

    xserver 1.20.9
    
    Signed-off-by: Matt Turner <mattst88@gmail.com>

commit 705d7213935820d9f56563ee9e17aa9beb365c1e
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Aug 18 14:55:01 2020 +0200

    Fix XRecordRegisterClients() Integer underflow
    
    CVE-2020-14362 ZDI-CAN-11574
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)

commit 5b384e7678c5a155dd8752f018c8292153c1295e
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Aug 18 14:52:29 2020 +0200

    Fix XkbSelectEvents() integer underflow
    
    CVE-2020-14361 ZDI-CAN 11573
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)

commit eff3f6cdd398bfac040351e99e64baf3bf64fa2e
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Aug 18 14:49:04 2020 +0200

    Fix XIChangeHierarchy() integer underflow
    
    CVE-2020-14346 / ZDI-CAN-11429
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)

commit 1d3a1092c30af660b1366fcd344af745590aa29f
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Aug 18 14:46:32 2020 +0200

    Correct bounds checking in XkbSetNames()
    
    CVE-2020-14345 / ZDI 11428
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    (cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1)

commit 249a12c54a9316b089bd22683c011519348496df
Author: Huacai Chen <chenhc@lemote.com>
Date:   Sun Jul 5 05:59:58 2020 -0400

    linux: Fix platform device probe for DT-based PCI
    
    On a DT-base PCI platform, the sysfs path of vga device is like this:
    /sys/devices/platform/bus@10000000/1a000000.pci/pci0000:00/0000:00:11.0/0000:04:00.0.
    
    Then the ID_PATH from udev is platform-1a000000.pci-pci-0000:04:00.0 and
    the BusID will be pci-0000:04:00.0, which causes Xorg start fail. This
    is because config_udev_odev_setup_attribs() use strstr() to search the
    first "pci-" in ID_PATH. To fix this, we implement a strrstr() function
    and use it to search the last "pci-" in ID_PATH, which can get a correct
    BusID.
    
    (backported from commit 9fbd3e43dd9e13700df96b508c3d97f77e2b9f7e)
    
    Reviewed-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Huacai Chen <chenhc@lemote.com>

commit 5c96eb5f44e62a4cfe835023cde304eb5795b8fd
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jun 19 14:23:56 2019 -0400

    linux: Fix platform device PCI detection for complex bus topologies
    
    Suppose you're in a Hyper-V guest and are trying to use PCI passthrough.
    The ID_PATH that udev will construct for that looks something like
    "acpi-VMBUS:00-pci-b8c8:00:00.0", and obviously looking for "pci-" in
    the first four characters of that is going to not work.
    
    Instead, strstr. I suppose it's possible you could have _multiple_ PCI
    buses in the path, in which case you'd want strrstr, if that were a
    thing.
    
    (backported from commit 9acff309434a8029bcce1b22530043459bb71791)
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Huacai Chen <chenhc@lemote.com>

commit 74b7427c41b4e4104af7abf70a996c086d3d7628
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Sep 18 14:37:51 2018 -0400

    linux: Make platform device probe less fragile
    
    At the point where xf86BusProbe runs we haven't yet taken our own VT,
    which means we can't perform drm "master" operations on the device. This
    is tragic, because we need master to fish the bus id string out of the
    kernel, which we can only do after drmSetInterfaceVersion, which for
    some reason stores that string on the device not the file handle and
    thus needs master access.
    
    Fortunately we know the format of the busid string, and it happens to
    almost be the same as the ID_PATH variable from udev. Use that instead
    and stop calling drmSetInterfaceVersion.
    
    (backported from commit 0816e8fca6194dfb4cc94c3a7fcb2c7f2a921386)
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Huacai Chen <chenhc@lemote.com>

commit 4979ac8f0be6fa2c4a1edd8a527f7d2134d8586a
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sat Jul 25 19:33:50 2020 +0200

    fix for ZDI-11426
    
    Avoid leaking un-initalized memory to clients by zeroing the
    whole pixmap on initial allocation.
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit a6b2cbe91793ae4967cd21a7103d889248029553)

commit 2720b871575504349d9f4dffbc73539f1626bd78
Author: Aaron Ma <aaron.ma@canonical.com>
Date:   Thu Jul 30 11:02:39 2020 +0200

    xfree86: add drm modes on non-GTF panels
    
    EDID1.4 replaced GTF Bit with Continuous or Non-Continuous Frequency Display.
    
    Check the "Display Range Limits Descriptor" for GTF support.
    If panel doesn't support GTF, then add gtf modes.
    
    Otherwise X will only show the modes in "Detailed Timing Descriptor".
    
    V2: Coding style changes.
    V3: Coding style changes, remove unused variate.
    V4: remove unused variate.
    
    BugLink: https://gitlab.freedesktop.org/drm/intel/issues/313
    Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 6a79a737e2c0bc730ee693b4ea4a1530c108be4e)

commit 7da8e7babee16f7d518cd9ee2a71c950fe2c3c3f
Author: Roman Gilg <subdiff@gmail.com>
Date:   Fri Jul 24 12:21:37 2020 +0200

    present: Check valid region in window mode flips
    
    For Pixmap flips to have well defined outcomes the window must be contained by
    the valid region if such region was specified.
    
    The valid region is inserted as an argument to the check in window mode.
    Setting this argument is missing in screen mode as well but we ignore it for now
    and only add it to window mode.
    
    It seems there are none or only very few clients actually making use of valid
    regions at the moment. For simplicity we therefore just check if a valid region
    was set by the client and in this case do never flip, independently of the
    window being contained by the region or not.
    
    Signed-off-by: Roman Gilg <subdiff@gmail.com>
    (cherry picked from commit 591916ea9e7a77f68f436b4a541402d9deadfe64)

commit 4a65b6617ecc43b754885894f6575fb7dc4bb74d
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Thu Jul 23 19:14:28 2020 +0200

    xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp
    
    This can happen e.g. with weston's headless backend.
    
    Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
    (cherry picked from commit e33453f9111b21e4814d628e6ae00bc7b200f404)

commit 10cabe0b978677cfac4bfb405295a16ee8eedb34
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Tue Mar 17 12:58:12 2020 +0100

    xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip
    
    This couldn't have worked correctly for non-0 x1/y1.
    
    Noticed by inspection.
    
    Reviewed-by: Simon Ser <contact@emersion.fr>
    (cherry picked from commits 9141196d3104ab37385c3e385deaa70c002dd184)
    (cherry picked fixup from commit 85a6fd11c723888ca093785a3df43066fdca9c33)

commit 3b51978b9ca8cdc71508f6db2411255ca6406c3a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Jul 21 18:34:28 2020 +0200

    doc: Update URLs in Xserver-DTrace.xml
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 0006aecba097b437f96a462075494d68bdad24c1)

commit 6cbd6a09b9037c6e6074127324978a51442ca375
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Tue Jun 2 11:23:46 2020 +0200

    xwayland: Use a fixed DPI value for core protocol
    
    The way Xwayland works (like all Wayland clients), it first queries the
    Wayland registry, set up all relevant protocols and then initializes its
    own structures.
    
    That means Xwayland will get the Wayland outputs from the Wayland
    compositor, compute the physical size of the combined outputs and set
    the corresponding Xwayland screen properties accordingly.
    
    Then it creates the X11 screen using fbScreenInit() but does so by using
    a default DPI value of 96. That value is used to set the physical size
    of the X11 screen, hence overriding the value computed from the actual
    physical size provided by the Wayland compositor.
    
    As a result, the DPI computed by tools such as xdpyinfo will always be
    96 regardless of the actual screen size and resolution.
    
    However, if the Wayland outputs get reconfigured, or new outputs added,
    or existing outputs removed, Xwayland will recompute and update the
    physical size of the screen, leading to an unexpected change of DPI.
    
    To avoid that discrepancy, use a fixed size DPI (defaults to 96, and can
    be set using the standard command lime option "-dpi") and compute a
    physical screen size to match that DPI setting.
    
    Note that only affects legacy core protocols, X11 clients can still get
    the actual physical output size as reported by the Wayland compositor
    using the RandR protocol, which also allows for the size to be 0 if the
    size is unknown or meaningless.
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Simon Ser <contact@emersion.fr>
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/731
    (cherry picked from commit b0413b6e99c6b5fbc04229ce64ddf1f41b08e63e)

commit d4e8c4622890b0cdcfe5f4b9c5608d15ce976901
Author: Simon Ser <contact@emersion.fr>
Date:   Tue Jul 21 18:28:01 2020 +0200

    xwayland: only use linux-dmabuf if format/modifier was advertised
    
    Previously, linux-dmabuf was used unconditionally if the buffer had a
    modifier. However creating a linux-dmabuf buffer with a format/modifier
    which hasn't been advertised will fail.
    
    Change xwl_glamor_gbm_get_wl_buffer_for_pixmap to use linux-dmabuf when
    the format/modifier has been advertised only.
    
    Signed-off-by: Simon Ser <contact@emersion.fr>
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1035
    Tested-by: Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    (cherry picked from commit c0e13cbf5a56e1fdd1e4ce58ebdefb6d2904e4b3)

commit c726ceacc1a39c56d2b054ac5f35798d0c3640d7
Author: Martin Weber <martin.weber@secunet.com>
Date:   Tue Jul 21 18:24:41 2020 +0200

    hw/xfree86: Avoid cursor use after free
    
    During a VT-Switch a raw pointer to the shared cursor object
    is saved which is then freed (in case of low refcount) by a call to
    xf86CursorSetCursor with argument pCurs = NullCursor.
    This leads to a dangling pointer which can follow in a use after free.
    
    This fix ensures that there is a shared handle saved for the VT-Switch cycle.
    
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    (cherry picked from commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6)

commit 0679d4660579d0f399b5a9b8140d0c0d3483fa9f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Jul 21 18:14:51 2020 +0200

    Update URL's in man pages
    
    Mostly http->https conversions, but also replaces gitweb.fd.o
    with gitlab.fd.o, and xquartz.macosforge.org with xquartz.org.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit a5151f58cf98d1696d60a3577dc50851f159da8a)

commit 3059a2e62ae7ef665a537ee0fc2ec24beccf17ae
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Jun 3 10:17:13 2020 +0200

    xwayland: Disable the MIT-SCREEN-SAVER extension when rootless
    
    Xwayland is just a Wayland client, no X11 screensaver should be
    expected to work reliably on Xwayland when running rootless because
    Xwayland cannot grab the input devices so it has no way to actually
    lock the screen managed by the Wayland compositor.
    
    Turn off the screensaver on Xwayland when running rootless by setting
    the screensaver timeout and interval and their default values to zero
    and disable the MIT-SCREEN-SAVER extension.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1051
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 5c20e4b834145f590c68dbc98e33c7d3d710001a)

commit 23c55ec32973e0a75d723e3f37769dd711c9c59c
Author: Michel Dänzer <mdaenzer@redhat.com>
Date:   Wed Jul 22 18:20:14 2020 +0200

    xwayland: Hold a pixmap reference in struct xwl_present_event
    
    In the log of the commit below, I claimed this wasn't necessary on the
    1.20 branch, but this turned out to be wrong: It meant that
    event->buffer could already be destroyed in xwl_present_free_event,
    resulting in use-after-free and likely a crash.
    
    Fixes: 22c0808ac88f "xwayland: Free all remaining events in
                         xwl_present_cleanup"

commit 1179938c179a6e96170275e24adac3325539be65
Author: Alex Goins <agoins@nvidia.com>
Date:   Thu Jul 2 20:12:43 2020 -0500

    randr: Check rrPrivKey in RRHasScanoutPixmap()
    
    RRHasScanoutPixmap() is called from xf86CheckHWCursor(), regardless of whether
    or not RandR has been initialized.
    
    As mentioned in commit 4226c6d, it's possible that RandR has not been
    initialized if the server is configured with Xinerama and there is more than one
    X screen. Calling rrGetScrPriv when RandR isn't initialized causes an assertion
    failure that aborts the server:
    
          Xorg: ../include/privates.h:121: dixGetPrivateAddr: Assertion
          key->initialized' failed.
    
    Just as in commit 4226c6d, fix the problem by checking
    dixPrivateKeyRegistered(rrPrivKey) before calling rrGetScrPriv.
    
    Signed-off-by: Alex Goins <agoins@nvidia.com>
    Acked-by: Olivier Fourdan <ofourdan@redhat.com>
    (cherry picked from commit 8eeff5d7880c6885ee6f206355599f13d739afa7)

commit 4912f693e8e3abbd090ee02b4bfe14703c3bad0f
Author: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
Date:   Fri May 15 18:33:11 2020 +0200

    modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation
    
    Since the introduction of "modesetting: Remove unnecessary fb addition from
    drmmode_xf86crtc_resize" the fb_id isn't initialited at
    drmmode_xf86crtc_resize.
    
    Rotate operation of XRandR uses rotate_bo. So in this case the fb_id
    associated to the front_bo is not initialized at drmmode_set_mode_major.
    So fd_id remains 0.
    
    As every call to drmmode_xf86crtc_resize allocates a new front_bo we should
    destroy unconditionally the old_front_bo if operation success. So we free
    the allocated GBM handles.
    
    This avoids crashing xserver with a OOM in the RPI4 1Gb at 4k resolution
    after 3 series xrandr rotations from normal to left and vice versa reported at
    https://github.com/raspberrypi/firmware/issues/1345
    
    Signed-off-by: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1024
    Fixes: 8774532121 "modesetting: Remove unnecessary fb addition from
           drmmode_xf86crtc_resize"
    (cherry picked from commit 73480f172aeced074dd9301ae4d97f7d2f3a9a45)

commit ccbcf083d5c676311aab77cc837a2539a7278a62
Author: Lyude Paul <lyude@redhat.com>
Date:   Tue Jul 14 18:32:39 2020 -0400

    xwayland: Store xwl_tablet_pad in its own private key
    
    When a slave device causes the master virtual pointer device to change
    device types, the device's private data pointer
    (device->public.devicePrivate) is also changed to match the type of the
    slave device. This can be a problem though, as tablet pad devices will
    set the device's private data pointer to their own xwl_tablet_pad
    struct. This can cause us to dereference the pointer as the wrong type,
    and result in a segfault:
    
    Thread 1 "Xwayland" received signal SIGSEGV, Segmentation fault.
    wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792
    792             va_start(ap, opcode);
    (gdb) bt
    0  wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at
      src/wayland-client.c:792
    1  0x00005610b27b6c55 in wl_pointer_set_cursor (hotspot_y=0,
      hotspot_x=0, surface=0x0, serial=<optimized out>, wl_pointer=<optimized
      out>) at /usr/include/wayland-client-protocol.h:4610
    2  xwl_seat_set_cursor (xwl_seat=xwl_seat@entry=0x5610b46d5d10) at
      xwayland-cursor.c:137
    3  0x00005610b27b6ecd in xwl_set_cursor (device=<optimized out>,
      screen=<optimized out>, cursor=<optimized out>, x=<optimized out>,
      y=<optimized out>) at xwayland-cursor.c:249
    4  0x00005610b2800b46 in miPointerUpdateSprite (pDev=0x5610b4501a30) at
      mipointer.c:468
    5  miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:410
    6  0x00005610b2800e56 in miPointerDisplayCursor (pCursor=0x5610b4b35740,
      pScreen=0x5610b3d54410, pDev=0x5610b4501a30) at mipointer.c:206
    7  miPointerDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410,
      pCursor=0x5610b4b35740) at mipointer.c:194
    8  0x00005610b27ed62b in CursorDisplayCursor (pDev=<optimized out>,
      pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at cursor.c:168
    9  0x00005610b28773ee in AnimCurDisplayCursor (pDev=0x5610b4501a30,
      pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at animcur.c:197
    10 0x00005610b28eb4ca in ChangeToCursor (pDev=0x5610b4501a30,
      cursor=0x5610b4b35740) at events.c:938
    11 0x00005610b28ec99f in WindowHasNewCursor
      (pWin=pWin@entry=0x5610b4b2e0c0) at events.c:3362
    12 0x00005610b291102d in ChangeWindowAttributes (pWin=0x5610b4b2e0c0,
      vmask=<optimized out>, vlist=vlist@entry=0x5610b4c41dcc,
      client=client@entry=0x5610b4b2c900) at window.c:1561
    13 0x00005610b28db8e3 in ProcChangeWindowAttributes (client=0x5610b4b2c900)
      at dispatch.c:746
    14 0x00005610b28e1e5b in Dispatch () at dispatch.c:497
    15 0x00005610b28e5f34 in dix_main (argc=16, argv=0x7ffc7a601b68,
      envp=<optimized out>) at main.c:276
    16 0x00007f8828cde042 in __libc_start_main (main=0x5610b27ae930 <main>,
      argc=16, argv=0x7ffc7a601b68, init=<optimized out>, fini=<optimized
      out>, rtld_fini=<optimized out>, stack_end=0x7ffc7a601b58) at
      ../csu/libc-start.c:308
    17 0x00005610b27ae96e in _start () at cursor.c:1064
    
    Simple reproducer in gnome-shell: open up an Xwayland window, press some
    tablet buttons, lock and unlock the screen. Repeat if it doesn't crash
    the first time.
    
    So, let's fix this by registering our own device-specific private key
    for storing a backpointer to xwl_tablet_pad, so that all input devices
    have their private data pointers set to their respective xwl_seat.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
