commit ec37e559614cf4eaba67d3ca0693f09fd95a5d57
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Oct 4 15:29:18 2017 -0400

    xserver 1.19.4
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 12fe3d3e9f494ef84832efe94ba00db92be499b1
Author: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
Date:   Wed Sep 27 01:19:58 2017 -0400

    present: Check the whole exec queue on event
    
    Later events are sometimes added in front of the queue (e.g.
    if page flipping fails) so we need to check the whole queue
    on event.
    
    Signed-off-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit c2f2b25ab55c67f9f3ad07c02fa746eae7c61196)

commit 388dc1aeac9acf2d51ad5103570beffd81d78b96
Author: Keith Packard <keithp@keithp.com>
Date:   Fri Sep 29 08:48:33 2017 -0700

    xf86-video-modesetting: Add ms_queue_vblank helper [v3]
    
    This provides an API wrapper around the kernel interface for queueing
    a vblank event, simplifying all of the callers.
    
    v2: Fix missing '|' in computing vbl.request.type
    
    v3: Remove spurious bit of next patch (thanks, Michel Dänzer)
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 677c32bcda98a96585bb1f66b57e0755a157b772)

commit 8bd33a2db7337b2801fc630a57e36b6aeea219d9
Author: Keith Packard <keithp@keithp.com>
Date:   Thu Jul 27 10:08:32 2017 -0700

    xkb: Handle xkb formated string output safely (CVE-2017-13723)
    
    Generating strings for XKB data used a single shared static buffer,
    which offered several opportunities for errors. Use a ring of
    resizable buffers instead, to avoid problems when strings end up
    longer than anticipated.
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)

commit 3094c4c6d879215923f2183ecd048b4f5429b182
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 27 11:54:26 2017 +0200

    xkb: Escape non-printable characters correctly.
    
    XkbStringText escapes non-printable characters using octal numbers. Such escape
    sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
    in the buffer. Due to char->unsigned int conversion, it would print much longer
    string for negative numbers.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)

commit a510fb811100bc27f0bfafe5d073998551161819
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 28 16:27:10 2017 +0200

    Xext/shm: Validate shmseg resource id (CVE-2017-13721)
    
    Otherwise it can belong to a non-existing client and abort X server with
    FatalError "client not in use", or overwrite existing segment of another
    existing client.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)

commit 3cea13cc40e2421ebefcf2ee0eb949a7bc4e63fd
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Jun 16 15:44:47 2017 -0400

    dmx: Remove some not-very-interesting debug prints
    
    gcc/glibc think the snprintf in dmxExecOS() might truncate. Yes, it
    might, and we also don't care. Just delete all this.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Acked-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit d6db66811643d3762716f6b144a7358572216a4f)

commit 320e48c9217a8bdcd07dc8ce4aebec043e4afa3c
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Jun 16 15:44:46 2017 -0400

    dmx: Silence an unused-result warning
    
    Modern glibc is very insistent that you care about whether write()
    succeeds:
    
    ../hw/dmx/input/usb-keyboard.c: In function ‘kbdUSBCtrl’:
    ../hw/dmx/input/usb-keyboard.c:292:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
             write(priv->fd, &event, sizeof(event));
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 17ad6e5d5616039021455bc821d6ee2497f7ebde)

commit c5d409a292008c4219c77a1bdb7621eb0ac42991
Author: Jon TURNEY <jon.turney@dronecode.org.uk>
Date:   Mon Jun 26 14:54:04 2017 +0100

    Move statically linked xorgxkb files from dixmods to a separate directory
    
    [ajax: Fixed test/Makefile.am as well]
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit fbdd73fac68383c93f6f5c6a7615860503039999)

commit 359186b13bc6ea6d8c3340c392c0aba5b9376a5d
Author: Dawid Kurek <dawid.kurek@displaylink.com>
Date:   Thu Jul 6 14:51:11 2017 +0200

    modesetting: Blacklist EVDI devices from PRIME sync
    
    UDL (usb) devices are blacklisted because of they weird behaviour when
    it comes to vblank events. As EVDI uses very similar model of handling
    vblanks it should be treated similarly.
    
    When doing a page flip, EVDI does not wait for real vblank, but
    simulates it by adding constant delay. It also does not support
    DRM_IOCTL_WAIT_VBLANK.
    
    In contrast to UDL, EVDI uses platform devices, thus instead of 'usb' in
    path they all have 'platform'.
    
    It is possible to blacklist by 'platform', so without explicitly saying
    'evdi', but it might be misleading when it comes to real reason for it.
    
    Signed-off-by: Dawid Kurek <dawid.kurek@displaylink.com>
    (cherry picked from commit fbd80b2c8ebe9fd41229dc5438524d107c071ff1)

commit 5571318f22f17883e26977a4c72e1e46d17bdf5d
Author: Keith Packard <keithp@keithp.com>
Date:   Mon Sep 25 16:18:22 2017 -0700

    modesetting: Skip no-longer-present connectors when resetting BAD links
    
    Outputs may have NULL mode_output (connector) pointers if the
    connector disappears while the server is running. Skip these when
    resetting outputs with BAD link status.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 37f4e7651a2fd51efa613a08a1e705553be33e76)

commit 787655d5df0c8c43e5e424af3e6e35b8daf54a7d
Author: Martin Peres <martin.peres@linux.intel.com>
Date:   Mon Apr 10 16:48:21 2017 +0300

    modesetting: re-set the crtc's mode when link-status goes BAD
    
    Despite all the careful planning of the kernel, a link may become
    insufficient to handle the currently-set mode. At this point, the
    kernel should mark this particular configuration as being broken
    and potentially prune the mode before setting the offending connector's
    link-status to BAD and send the userspace a hotplug event. This may
    happen right after a modeset or later on.
    
    Upon receiving a hot-plug event, we iterate through the connectors to
    re-apply the currently-set mode on all the connectors that have a
    link-status property set to BAD. The kernel may be able to get the
    link to work by dropping to using a lower link bpp (with the same
    display bpp). However, the modeset may fail if the kernel has pruned
    the mode, so to make users aware of this problem a warning is outputed
    in the logs to warn about having a potentially-black display.
    
    This patch does not modify the current behaviour of always propagating
    the events to the randr clients. This allows desktop environments to
    re-probe the connectors and select a new resolution based on the new
    (currated) mode list if a mode disapeared. This behaviour is expected in
    order to pass the Display Port compliance tests.
    
    Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit bcee1b76aa0db8525b491485e90b8740763d7de6)

commit 126144c2355ce5a3a350f15ef97389c7f34bb6fb
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri May 5 09:04:35 2017 +1000

    xfree86: up the path name size to 512 in xf86MatchDriverFromFiles
    
    ./hw/xfree86/common/xf86pciBus.c: In function ‘xf86MatchDriverFromFiles’:
    ../hw/xfree86/common/xf86pciBus.c:1330:52: warning: ‘snprintf’ output may be
    truncated before the last format character [-Wformat-truncation=]
                 snprintf(path_name, sizeof(path_name), "%s/%s", ^~~~~~~
    ../hw/xfree86/common/xf86pciBus.c:1330:13: note: ‘snprintf’ output between 2
    
    dirent->d_name is 256, so sprintf("%s/%s") into a 256 buffer gives us:
    
    and 257 bytes into a destination of size 256
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 96af794dc648eadcd596893412d7530e92cb5421)

commit a114286c079c42067b001ac330501496e2e297a1
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Sep 6 11:53:02 2017 +1000

    test: fix compiler warning
    
    signal-logging.c:182:12: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit ea82ececbf85a7ac3d0931687f44c57534fde17c)

commit d230e12d7dac4461626d0c6edfd692571592a280
Author: Nick Sarnie <commendsarnex@gmail.com>
Date:   Sat Sep 23 17:35:48 2017 -0400

    suid: Include sysmacros.h to fix build after glibc-2.25
    
    [Added HAVE_SYS_SYSMACROS_H guard - ajax]
    
    Signed-off-by: Nick Sarnie <commendsarnex@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 84e3b96b531363e47f6789aacfcae4aa60135e2e)

commit c5320244a3501aaf9558715e9097a2a625cb768b
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 27 14:45:25 2017 -0400

    xfree86: Silence a new glibc warning
    
    glibc would like to stop declaring major()/minor() macros in
    <sys/types.h> because that header gets included absolutely everywhere
    and unix device major/minor is perhaps usually not what's expected. Fair
    enough. If one includes <sys/sysmacros.h> as well then glibc knows we
    meant it and doesn't warn, so do that if it exists.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit d732c36597fab2e9bc4f2aa72cf1110997697557)

commit 0e79797e3cb3f8fafe271f4f233a8a8fd25f2001
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Aug 30 15:11:45 2017 -0400

    os: Fix warning in LockServer
    
    The meson build gives me:
    
    ../os/utils.c: In function ‘LockServer’:
    ../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
         snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
                                            ^~~~~~~~~
    ../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
         snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Which seems to be due to the %d part meaning that a negative number's -
    sign would be one wider than we're expecting. Fine, just coerce it to
    unsigned.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit aabf65d2a0206bd1a9c6e9a9f3153ded873dfd43)

commit 69ab094a08513849bb68cd2750840e88db6e5933
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Jul 26 16:00:38 2017 +0200

    glamor: Avoid overflow between box32 and box16 box
    
    glamor_compute_transform_clipped_regions() uses a temporary box32
    internally which is copied back to a box16 to init the regions16,
    thus causing a potential overflow.
    
    If an overflow occurs, the given region is invalid and the pixmap
    init region will fail.
    
    Simply check that the coordinates won't overflow when copying back to
    the box16, avoiding a crash later down the line in glamor.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Tested-by: Fabrice Bellet <fabrice@bellet.info>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c)

commit 421814bc81ba8dfaa9be59b8b35b3a9114dbcb8b
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Wed Jul 26 16:00:37 2017 +0200

    glamor: handle NULL source picture
    
    COMPOSITE_REGION() can pass NULL as a source picture, make sure we
    handle that nicely in both glamor_composite_clipped_region() and
    glamor_composite_choose_shader().
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit bd353e9b84e013fc34ed730319d5b63d20977903)

commit baa25315014af350c9c04c2c83beeee36aead042
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Thu Aug 31 10:23:00 2017 +0200

    xwayland: Fix a segfault with pointer locking
    
    Xwayland would crash in some circumstances while trying to issue a
    pointer locking when the cursor is hidden when there is no seat focus
    window set.
    
    The crash signature looks like:
    
     #0  zwp_pointer_constraints_v1_lock_pointer ()
     #1  xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
     #2  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
     #3  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
     #4  xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
     #5  xwl_set_cursor () at xwayland-cursor.c:245
     #6  miPointerUpdateSprite () at mipointer.c:468
     #7  miPointerDisplayCursor () at mipointer.c:206
     #8  CursorDisplayCursor () at cursor.c:150
     #9  AnimCurDisplayCursor () at animcur.c:220
     #10 ChangeToCursor () at events.c:936
     #11 ActivatePointerGrab () at events.c:1542
     #12 GrabDevice () at events.c:5120
     #13 ProcGrabPointer () at events.c:4908
     #14 Dispatch () at dispatch.c:478
     #15 dix_main () at main.c:276
    
    xwl_pointer_warp_emulator_lock() tries to use the surface from the
    xwl_seat->focus_window leading to a NULL pointer dereference when that
    value is NULL.
    
    Check that xwl_seat->focus_window is not NULL earlier in the stack in
    xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
    to avoid the crash.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit cdd0352ba05d4d8482aaca41797e05d40e58da36)

commit 6f29c8375281c0337ab94f7919a70c20149b0fc6
Author: Michal Srb <msrb@suse.com>
Date:   Fri Jul 7 17:21:46 2017 +0200

    Xi: Test exact size of XIBarrierReleasePointer
    
    Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 211e05ac85a294ef361b9f80d689047fa52b9076)

commit c8eb79c1834cef5657e227844111052e0dd78661
Author: Rodrigo Vivi <rodrigo.vivi@intel.com>
Date:   Thu Jun 29 13:29:58 2017 -0700

    dri2: Sync i965_pci_ids.h from Mesa.
    
    Copied from Mesa with no modifications.
    
    Gives us Coffee Lake and Cannon Lake PCI IDs.
    
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Acked-by: Kenneth Graunke <kenneth@whitecape.org>
    (cherry picked from commit abb031e731f5c159add1b3351de9c4bb121bf00a)

commit 37815323721790c4311faff9743f4d2f902b5506
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Jun 29 10:32:00 2017 -0400

    wayland: Sync drm.xml with Mesa
    
    ... where it is named src/egl/wayland/wayland-drm/wayland-drm.xml and
    has its requests sorted by protocol version number, avoiding a warning
    from wayland-scanner.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Daniel Stone <daniels@collabora.com>
    (cherry picked from commit 04511a0476b5c860e7d157b01080dff94d935f74)

commit 0934d56dc804780f3e83ae0153c797d392e6faba
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Fri Jun 16 11:30:03 2017 +0900

    xfree86/modes: Use RRTransformEqual in xf86RandR12CrtcSet
    
    The memcmp didn't catch when e.g. only the filter changed. Tested by
    alternately running
    
    xrandr --output DVI-I-0 --scale-from 3840x2160 --filter bilinear
    xrandr --output DVI-I-0 --scale-from 3840x2160 --filter nearest
    
    Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
    (cherry picked from commit 4212c884c423e5ce2cd3b4d67c0d656475fddc79)

commit 358f0bcd4f6703302b8895e42e20d1cbdfff102e
Author: Aaron Plattner <aplattner@nvidia.com>
Date:   Thu Jun 15 14:28:27 2017 -0700

    randr: Use RRTransformEqual in RRCrtcPendingTransform
    
    Currently, RRCrtcPendingTransform returns false unless the
    transformation matrix itself is changing. This makes RRCrtcSet skip
    doing anything if the only thing that is changing is the transform
    filter.
    
    There's already a function for comparing RRTransformPtrs, so use that
    instead.
    
    Tested by running
    
      xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter nearest
    
    follwed by
    
      xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter bilinear
    
    Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
    Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit 091af80be48c37f16c679d35fc12ad33e6b0cd74)

commit ed8fbabacac3cd4c7798bd36713894a2068cee13
Author: Michal Srb <msrb@suse.com>
Date:   Wed May 24 15:54:42 2017 +0300

    Xi: Do not try to swap GenericEvent.
    
    The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
    it is assuming that the event has fixed size and gives the swapping function
    xEvent-sized buffer.
    
    A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit ba336b24052122b136486961c82deac76bbde455)

commit e8f6a1bb77cbd1bb30d8dc956c5fdc98e25a22aa
Author: Michal Srb <msrb@suse.com>
Date:   Wed May 24 15:54:41 2017 +0300

    Xi: Verify all events in ProcXSendExtensionEvent.
    
    The requirement is that events have type in range
    EXTENSION_EVENT_BASE..lastEvent, but it was tested
    only for first event of all.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 8caed4df36b1f802b4992edcfd282cbeeec35d9d)

commit 21f559038c8776acc6439faadbdcab7df4300c66
Author: Michal Srb <msrb@suse.com>
Date:   Wed May 24 15:54:40 2017 +0300

    dix: Disallow GenericEvent in SendEvent request.
    
    The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
    no less. Both ProcSendEvent and SProcSendEvent verify that the received data
    exactly match the request size. However nothing stops the client from passing
    in event with xEvent::type = GenericEvent and any value of
    xGenericEvent::length.
    
    In the case of ProcSendEvent, the event will be eventually passed to
    WriteEventsToClient which will see that it is Generic event and copy the
    arbitrary length from the receive buffer (and possibly past it) and send it to
    the other client. This allows clients to copy unitialized heap memory out of X
    server or to crash it.
    
    In case of SProcSendEvent, it will attempt to swap the incoming event by
    calling a swapping function from the EventSwapVector array. The swapped event
    is written to target buffer, which in this case is local xEvent variable. The
    xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
    expect that the target buffer has size matching the size of the source
    GenericEvent. This allows clients to cause stack buffer overflows.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 215f894965df5fb0bb45b107d84524e700d2073c)

commit cdf15ab8f94d54bce72f37653fc46daf482b1671
Author: Michal Srb <msrb@suse.com>
Date:   Wed May 24 15:54:39 2017 +0300

    Xi: Zero target buffer in SProcXSendExtensionEvent.
    
    Make sure that the xEvent eventT is initialized with zeros, the same way as
    in SProcSendEvent.
    
    Some event swapping functions do not overwrite all 32 bytes of xEvent
    structure, for example XSecurityAuthorizationRevoked. Two cooperating
    clients, one swapped and the other not, can send
    XSecurityAuthorizationRevoked event to each other to retrieve old stack data
    from X server. This can be potentialy misused to go around ASLR or
    stack-protector.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 05442de962d3dc624f79fc1a00eca3ffc5489ced)

commit 3a53e4407fb9e0c0e0dbf8d147b67f6e36aea5ae
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Tue Jun 6 18:42:06 2017 +0900

    glamor: Fix temporary pixmap coordinate offsets
    
    The previous values happened to work in basic cases, but not in general
    if the destination is a subwindow or has a border.
    
    Fixes crash with xli, which moves a large subwindow inside a smaller
    parent window for scrolling.
    
    No regressions with xterm, x11perf -copyplane or the xscreensaver
    phosphor hack.
    
    Bug: https://bugs.debian.org/857983
    Reviewed-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit ffda82ed04d28feae2e001dbd0c32d6c795d90b1)

commit 87a7393799ab5d1ea4a19ae7687cd50ac0dceeb4
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Jun 12 14:43:23 2017 -0400

    modesetting: Validate the atom for enum properties
    
    The client could have said anything here, and if what they said doesn't
    actually name an atom NameForAtom() will return NULL, and strcmp() will
    be unhappy about that.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit d4995a3936ae283b9080fdaa0905daa669ebacfc)

commit faeee7646695261e60ea03d934a0c496a429f31b
Author: Carlos Garnacho <carlosg@gnome.org>
Date:   Sun May 28 15:56:21 2017 +0200

    Xi: Use WarpPointerProc hook on XI pointer warping implementation
    
    Just like we do with XWarpPointer's.
    
    Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 95febc42cadf392a888104ad6d5cf4f34fdde7d5)

commit c6df0d03de22b57d5faa77b19ac1ec0311f4f3a5
Author: Carlos Garnacho <carlosg@gnome.org>
Date:   Sun May 28 15:56:20 2017 +0200

    xwayland: Lock the pointer if it is confined and has no cursor
    
    In the typical pattern in games of "hide cursor, grab with a confineTo,
    warp constantly the pointer to the middle of the window" the last warping
    step is actually rather optional. Some games may choose to just set up a
    grab with confineTo argument, and trust that they'll get correct relative
    X/Y axis values despite the hidden cursor hitting the confinement window
    edge.
    
    To cater for these cases, lock the pointer whenever there is a pointer
    confinement and the cursor is hidden. This ensures the pointer position
    is in sync with the compositor's when it's next shown again, and more
    importantly resorts to the relative pointer for event delivery.
    
    Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit ca17f3e9fd3b59fdc5ffd0e5d78e4db6ddc87aa1)

commit 2ccea152c091e25474a83588e18475567471e7c8
Author: Carlos Garnacho <carlosg@gnome.org>
Date:   Sun May 28 15:56:19 2017 +0200

    xwayland: Update root window size when desktop size changes
    
    This fixes grabs on InputOnly windows whose parent is the root window
    failing with GrabNotViewable. This is due to window->borderSize/windowSize
    being computed as clipped by its parent, resulting in a null region.
    
    Setting up the right size on the root window makes the InputOnly size
    correct too, so the GrabNotViewable paths aren't hit anymore.
    
    Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 513e3bd3870fdb8a8e0e2e52c0fa93872300bc8b)

commit 0e5b08f2eef946e9d9d071f0a79ead379419d8a7
Author: Carlos Garnacho <carlosg@gnome.org>
Date:   Sun May 28 15:56:18 2017 +0200

    xwayland: "Accept" confineTo on InputOnly windows
    
    Of sorts, actually make it confine to the pointer focus, as the
    InputOnly window is entirely invisible to xwayland accounting,
    we don't have a xwl_window for it.
    
    Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit fafdb0cc9697eb53635ed1e78bec1d4cd87ab3a2)

commit 420f77a1ba8bfbbf8c06f6dd57e9ee36124b7360
Author: Carlos Garnacho <carlosg@gnome.org>
Date:   Sun May 28 15:56:17 2017 +0200

    xwayland: Allow pointer warp on root/None window
    
    Of sorts, as we can't honor pointer warping across the whole root window
    coordinates, peek the pointer focus in these cases.
    
    Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit c217fcb4c4640ffd2fefee63c6fcd7ea5e64b942)

commit 40edd409bfc527223dfae89c7f84fea0721dec49
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Fri May 26 12:30:13 2017 +0900

    glamor: Store the actual EGL/GLX context pointer in lastGLContext
    
    Fixes subtle breakage which could sometimes trigger after a server reset
    with multiple screens using glamor:
    
    Screen A enters glamor_close_screen last and calls various cleanup
    functions, which at some point call glamor_make_current to make sure
    screen A's GL context is current. This sets lastGLContext to screen A's
    &glamor_priv->ctx. Finally, glamor_close_screen calls
    glamor_release_screen_priv, which calls free(glamor_priv).
    
    Later, screen B enters glamor_init, which allocates a new glamor_priv.
    With bad luck, this can return the same pointer which was previously
    used for screen A's glamor_priv. So when screen B's glamor_init calls
    glamor_make_current, lastGLContext == &glamor_priv->ctx, so MakeCurrent
    isn't called for screen B's GL context, and the following OpenGL API
    calls triggered by glamor_init mess up screen A's GL context.
    
    The observed end result of this was a crash in glamor_get_vbo_space
    because glamor_priv->vbo didn't match the GL context, though there might
    be other possible outcomes.
    
    Assigning the actual GL context pointer to lastGLContext prevents this
    by preventing the false negative test in glamor_make_current.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 7c88977d338a01aca866e52c9e736f8857fb9ae4)

commit 7c4f7b3a49a43984ab90788b85b35078feadf42a
Author: Lyude <lyude@redhat.com>
Date:   Tue May 30 16:39:49 2017 -0400

    xwayland: Don't load extension list more than once
    
    When running an Xwayland server from the command line, we end up
    resetting the server every time all of the clients connected to the
    server leave. This would be fine, except that xwayland makes the mistake
    of unconditionally calling LoadExtensionList(). This causes us to setup
    the glxExtension twice in a row which means that when we lose our last
    client on the second server generation, we end up trying to call the glx
    destructors twice in a row resulting in a segfault:
    
    (EE)
    (EE) Backtrace:
    (EE) 0: Xwayland (OsSigHandler+0x3b) [0x4982f9]
    (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x70845bf]
    (EE) 2: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32897d) [0x1196e5bd]
    (EE) 3: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x328a45) [0x1196e745]
    (EE) 4: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32665f) [0x11969f7f]
    (EE) 5: Xwayland (__glXDRIscreenDestroy+0x30) [0x54686e]
    (EE) 6: Xwayland (glxCloseScreen+0x3f) [0x5473db]
    (EE) 7: Xwayland (glxCloseScreen+0x53) [0x5473ef]
    (EE) 8: Xwayland (dix_main+0x7b6) [0x44c8c9]
    (EE) 9: Xwayland (main+0x28) [0x61c503]
    (EE) 10: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x72b1401]
    (EE) 11: Xwayland (_start+0x2a) [0x4208fa]
    (EE) 12: ? (?+0x2a) [0x2a]
    (EE)
    (EE) Segmentation fault at address 0x18
    (EE)
    Fatal server error:
    (EE) Caught signal 11 (Segmentation fault). Server aborting
    (EE)
    
    Easy reproduction recipe:
    - Start an Xwayland session with the default settings
    - Open a window
    - Close that window
    - Open another window
    - Close that window
    - Total annihilation occurs
    
    Signed-off-by: Lyude <lyude@redhat.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 4f29366f1e5678505fb882143c9b4a892d5b8273)

commit d8f63717e05ae8d820ceae74216916ebd180441d
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Fri May 26 14:27:19 2017 -0700

    xfree86: Fix interpretation of xf86WaitForInput timeout
    
    Commit aa6717ce2 switched xf86WaitForInput from using select(2) to using
    poll(2). Before this change, the timeout was interpreted as being in
    microseconds; afterwards it is fed directly to xorg_poll which interprets
    it as being in milliseconds. This results in the function potentially
    blocking 1000x longer than intended. This commit scales down the timeout
    argument before passing it to xorg_poll, being careful to ensure the result
    is not rounded down due to integer division.
    
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 2fbf62b2fb3dcb29551251d09aa695715bb754f4)

commit 444929b446a0ef5873d6346c3f3091adb8fbe6bb
Author: Keith Packard <keithp@keithp.com>
Date:   Wed May 10 21:50:45 2017 -0700

    dix: Remove clients from input and output ready queues after closing
    
    Delay removing the client from these two queues until all potential
    I/O has completed in case we mark the client as ready for reading or
    with pending output during the close operation.
    
    Bugzilla: https://bugs.freedesktop.org/100957
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Tested-by: Nick Sarnie <commendsarnex@gmail.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit d9e23ea4228575344e3b4c0443cecc5eb75356e4)

commit d808b573992ae1fc7706d8897a92783b847040e3
Author: Keith Packard <keithp@keithp.com>
Date:   Sat Apr 29 00:26:10 2017 -0700

    os: Mark client as ready to read when closing due to write failure [100863]
    
    This makes sure the server will go look at the client again, notice
    that the FD is no longer valid and close the client down.
    
    Bugzilla: https://bugs.freedesktop.org/100863
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit e2f68296ffb8e40035c0ebd949b67d1e2e424e11)

commit 7a2525fba60a04a95a4a8b26c2b628dc8fdfdeff
Author: Keith Packard <keithp@keithp.com>
Date:   Sat Apr 29 00:21:47 2017 -0700

    os: un-duplicate code to close client on write failure
    
    There are three copies of the same short sequence of operations to
    close down a client when a write error occurs. Create a new function,
    AbortClient, which performs these operations and then call it from the
    three places.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit a82971b07035ee9a4e3ed01326e7c1eab34b5a19)

commit b3de3ebcf450fd4ab1543dd2f133e45e9c0b9e7e
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Wed Apr 26 18:31:08 2017 +0900

    os: Handle SIGABRT
    
    Without this, assertion failures can make life hard for users and those
    trying to help them.
    
    v2:
    * Change commit log wording slightly to "can make life hard", since
      apparently e.g. logind can alleviate that somewhat.
    * Set default handler for SIGABRT in
      hw/xfree86/common/xf86Init.c:InstallSignalHandlers() and
      hw/xquartz/quartz.c:QuartzInitOutput() (Eric Anholt)
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit 27a6b9f7c84c914d0f5909ec1069d72f5035bc04)

commit e59a32c897c9f093f54ce4b695e9aff1ba20bda2
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Apr 21 09:05:51 2017 +0200

    glamor: an FBO is not needed for Xv pixmaps
    
    It appears that on some hardware/diver combo such as nv30/nouveau, using
    GL_ALPHA as format for 8-bit depth will cause an incomplete attachment
    error (GL_FRAMEBUFFER_INCOMPLETE_ATTACHMENT) when trying to bind the
    texture.
    
    As a result, the FBO is NULL and glamor segfaults when trying to access
    the FBO width/height in pixmap_priv_get_scale() in glamor_xv_render().
    
    This happens with glamor-xv which uses 8-bit pixmaps, meaning that on
    such hardware/driver, trying to play a video using Xv will lead to a
    crash of the Xserver. This affects Xwayland, Xephyr, modesetting driver
    with glamor accel.
    
    But the use of an FBO is not actually needed for glamox-xv, so by
    disabling FBO at pixmap creation, we can avoid the issue entirely.
    
    Fix suggested by Eric Anholt <eric@anholt.net>
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=100710
    Fixes: https://bugzilla.redhat.com/1412814
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 7bfb87a2137853295ecc9e544a15626cfd773a02)

commit 6a6bf1ae046124a9d8a6f3f53f02707951c85c43
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Wed Apr 12 17:58:05 2017 +0900

    xfree86/modes: Make colormap/gamma glue code work with RandR disabled
    
    E.g. because Xinerama is enabled.
    
    Fixes crash on startup and wrong colours in that case.
    
    Bugzilla: https://bugs.freedesktop.org/100293
    Bugzilla: https://bugs.freedesktop.org/100294
    Fixes: 62f44052573b ("xfree86/modes: Move gamma initialization to
                          xf86RandR12Init12 v2")
    Tested-by: Mariusz Bialonczyk <manio@skyboo.net>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit 41dafcc2a2942fc4c94ce3cbafc4a1b413c460c3)

commit 74126530c0c22cf3e5f8bd2dd2740fded2df098f
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Apr 7 10:24:54 2017 -0400

    xephyr: Check for host XVideo support before trying to use it
    
    Otherwise xcb will treat our attempt to send xv requests as a connection
    error (quite reasonably: we're asking it to emit a request for which
    there is no defined major opcode), and we'll die quietly the first time
    we hit KdBlockhandler.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 14d2fe74f4e51c5b37eab4b7475c804a0340b530)

commit 60ae865a703cb2c51c0b00cd768a46a20d79f0f1
Author: Daniel Stone <daniels@collabora.com>
Date:   Fri Apr 7 14:27:58 2017 +0100

    modesetting: Set correct DRM event context version
    
    DRM_EVENT_CONTEXT_VERSION is the latest context version supported by
    whatever version of libdrm is present. modesetting was blindly asserting
    it supported whatever version that may be, even if it actually didn't.
    
    With libdrm 2.4.78, setting a higher context version than 2 will attempt
    to call the page_flip_handler2 vfunc if it was non-NULL, which being a
    random chunk of stack memory, it might well have been.
    
    Set the version as 2, which should be bumped only with the appropriate
    version checks.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Daniel Stone <daniels@collabora.com>
    (cherry picked from commit 0c8e6ed85810e96d84173a52d628863802a78d82)

commit df4d01e6aa957ec8eb2814832de2f78ca42ee238
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sun Mar 12 14:21:38 2017 +0100

    dmx: Fix null pointer dereference
    
    A null pointer dereference can occur in dmxSync, because TimerForce
    does not handle a null pointer.
    
    dmxSyncTimer is set to NULL a few lines above on a certain condition,
    which happened on my machine. The explicit NULL check allowed me to
    start Xdmx again without a segmentation fault.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 21eda7464d0e13ac6558edaf6531c3d3251e05df)

commit e23000d83f8dbab4effd9f344f3d776634a1d56e
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sun Mar 19 17:55:07 2017 +0100

    record: Fix OOB access in ProcRecordUnregisterClients
    
    If a client sends a RecordUnregisterClients request with an nClients
    field larger than INT_MAX / 4, an integer overflow leads to an
    out of boundary access in RecordSanityCheckClientSpecifiers.
    
    An example line with libXtst would be:
    XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784)

commit 3166138ea681537dbe164e2888ccb96bb022220b
Author: Kenneth Graunke <kenneth@whitecape.org>
Date:   Fri Mar 17 13:45:04 2017 -0700

    dri2: Sync i965_pci_ids.h from Mesa.
    
    Copied from Mesa with no modifications.  Gives us Geminilake PCI IDs.
    
    Signed-off-by: Kenneth Graunke <kenneth@whitecape.org>
    Acked-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 368f60d461421fe5e2bbd90652d6ac858dbff8fe)

commit 2191f9b49e5e542e39f451d1819de00043a90e8f
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Mar 17 15:58:26 2017 +0100

    glamor: avoid a crash if texture allocation failed
    
    Texture creation in _glamor_create_tex() can fail if a GL_OUT_OF_MEMORY
    is raised, in which case the texture returned is zero.
    
    But the texture value is not checked in glamor_create_fbo() and glamor
    will abort in glamor_pixmap_ensure_fb() because the fbo->tex is 0:
    
      Truncated backtrace:
      Thread no. 1 (10 frames)
       #4 glamor_pixmap_ensure_fb at glamor_fbo.c:57
       #5 glamor_create_fbo_from_tex at glamor_fbo.c:112
       #6 glamor_create_fbo at glamor_fbo.c:159
       #7 glamor_create_fbo_array at glamor_fbo.c:210
       #8 glamor_create_pixmap at glamor.c:226
       #9 compNewPixmap at compalloc.c:536
       #10 compAllocPixmap at compalloc.c:605
       #11 compCheckRedirect at compwindow.c:167
       #12 compRealizeWindow at compwindow.c:267
       #13 RealizeTree at window.c:2617
    
    Check the value returned by _glamor_create_tex() in glamor_create_fbo()
    and return NULL in the texture is zero.
    
    All callers of glamor_create_fbo() actually check the returned value and
    will use a fallback code path if it's NULL.
    
    Please cherry-pick this to active stable branches.
    
    Bugzilla: https://bugzilla.redhat.com/1433305
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    (cherry picked from commit 8805a48ed35afb2ca66315656c1575ae5a01c639)

commit 0f3196bf805b1d36b786852096dd86be290a2c9d
Author: Adam Jackson <ajax@redhat.com>
Date:   Fri Mar 17 12:40:03 2017 -0400

    ephyr: Don't clobber bitsPerPixel when using glamor
    
    This ends up passing 0 as the bpp argument to fb screen setup, which is
    not really the best plan.
    
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 83c4297d2c4fd501a9d36bc0cb7d357a8d22394c)

commit c58bff7e9601b3eeb0be95c0a60c6588d051e923
Author: Eric Anholt <eric@anholt.net>
Date:   Wed Mar 15 17:51:46 2017 -0700

    glamor: Fix dashed line rendering.
    
    We were binding the screen pixmap as the dash and sampling its alpha,
    which is usually just 1.0 (no dashing at all).
    
    Please cherry-pick this to active stable branches.
    
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    (cherry picked from commit fe0b297420fc1de8a7fab28457d0864b3182e967)

commit 2f36c6faa0dac168cee6049d7dfac59a5e32edcd
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Nov 2 12:49:25 2016 -0400

    xinerama: Implement graphics exposures for window->pixmap copies (v4)
