Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Antoine Martin <antoine@nagafix.co.uk>
Tested-by: Ben Crocker <bcrocker@redhat.com>
Having different types of code all trying to check for elevated privileges
is a bad idea. This implementation is the most thorough one.
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Antoine Martin <antoine@nagafix.co.uk>
Tested-by: Ben Crocker <bcrocker@redhat.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
When a monotonic clock is not available, GetTimeInMicros() returns the
time in nanoseconds. Instead, return the time in microseconds, as the
name indicates.
Signed-off-by: Jeff Smith <whydoubt@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
The meson build gives me:
../os/utils.c: In function ‘LockServer’:
../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~
../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Which seems to be due to the %d part meaning that a negative number's -
sign would be one wider than we're expecting. Fine, just coerce it to
unsigned.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Whatever problem this is trying to fix, we don't care. Just include the
thing and stop worrying about whether _POSIX_SOURCE is defined.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Tested-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
We mostly use #ifdef throughout the tree, and this lets the generated
config.h files just be #define TOKEN instead of #define TOKEN 1.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Without this, assertion failures can make life hard for users and those
trying to help them.
v2:
* Change commit log wording slightly to "can make life hard", since
apparently e.g. logind can alleviate that somewhat.
* Set default handler for SIGABRT in
hw/xfree86/common/xf86Init.c:InstallSignalHandlers() and
hw/xquartz/quartz.c:QuartzInitOutput() (Eric Anholt)
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Most of this is a legacy of the old "extmod" design where you could load
_some_ extensions dynamically but only if the server had been built with
support for them in the first place.
Note that since we now only initialize the DPMS extension if at least
one screen supports it, we no longer need DPMSCapableFlag: if it would
be false, we would never read its value.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
There's no reason not to offer ridiculous numbers of clients; only a
few static data structures are arrays of this length.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
The timeout resolution offered in the AdjustWaitForDelay call is
only milliseconds, so passing around the timeout as a pointer to a
struct timeval is not helpful. Doing everything in milliseconds up to
the point of the select call simplifies the code without affecting
functionality at all.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This new libXfont API eliminates exposing internal X server symbols to
the font library, replacing those with a struct full of the entire API
needed to use that library.
v2: Use libXfont2 instead of libXfont_2
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
As the man page for the latter states:
The effects of signal() in a multithreaded process are unspecified.
We already have an interface to call sigaction() instead, use it.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
By default the X server will try CLOCK_MONOTONIC_COARSE before
CLOCK_MONOTONIC, while a Wayland compositor may only support getting
its timestamps from the CLOCK_MONOTONIC clock. This causes various
issues since it may happen that a timestamp from CLOCK_MONOTONIC
retrieved before sending an X request will still be "later" than the
timestamp the X server then gets after receiving the request, due to the
fact that CLOCK_MONOTONIC_COARSE has a lower resolution.
To avoid these issues, make Xwayland always use CLOCK_MONOTONIC, so
that it becomes possible for a Wayland compositor only supporting
CLOCK_MONOTONIC and the X server to use the same clock.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Acked-by: Daniel Stone <daniels@collabora.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
The current SIGIO signal handler method, used at generation of input events,
has a bunch of oddities. This patch introduces an alternative way using a
thread, which is used to select() all input device file descriptors.
A mutex was used to control the access to input structures by the main and input
threads. Two pipes to emit alert events (such as hotplug ones) and guarantee the
proper communication between them were also used.
Co-authored-by: Fernando Carrijo <fcarrijo@freedesktop.org>
Signed-off-by: Tiago Vignatti <tiago.vignatti@nokia.com>
v2: Fix non-Xorg link. Enable where supported by default.
This also splits out the actual enabling of input threads to
DDX-specific patches which follow
v3: Make the input lock recursive
v4: Use regular RECURSIVE_MUTEXes instead of rolling our own
Respect the --disable-input-thread configuration option by
providing stubs that expose the same API/ABI.
Respond to style comments from Peter Hutterer.
v5: use __func__ in inputthread debug and error messages.
Respond to style comments from Peter Hutterer.
v6: use AX_PTHREAD instead of inlining pthread tests.
Suggested by Emil Velikov <emil.l.velikov@gmail.com>
v7: Use pthread_sigmask instead of sigprocmask when using threads
Suggested by Adam Jackson <ajax@redhat.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This removes all of the SIGIO handling support used for input
throughout the X server, preparing the way for using threads for input
handling instead.
Places calling OsBlockSIGIO and OsReleaseSIGIO are marked with calls
to stub functions input_lock/input_unlock so that we don't lose this
information.
xfree86 SIGIO support is reworked to use internal versions of
OsBlockSIGIO and OsReleaseSIGIO.
v2: Don't change locking order (Peter Hutterer)
v3: Comment weird && FALSE in xf86Helper.c
Leave errno save/restore in xf86ReadInput
Squash with stub adding patch (Peter Hutterer)
v4: Leave UseSIGIO config parameter so that
existing config files don't break (Peter Hutterer)
v5: Split a couple of independent patch bits out
of kinput.c (Peter Hutterer)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Removed from xtrans in 2012, and never wired up in the modular build
anyway.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This allows the server to call GetTimeInMillis() after each request is
processed to avoid needing setitimer. -dumbSched now turns off the
setitimer.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Commit 94ab7455 added SA_RESTART to the SIGALRM handler. However, the
Popen code tears down and recreates the SIGALRM handler via OsSignal(),
and this flag is dropped at this time.
Clean the code to use just a single codepath for creating this signal
handler, always applying SA_RESTART.
[ajax: Fixed commit id]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
The X server frequently deals with SIGIO and SIGALRM interruptions.
If process execution is inside certain blocking system calls
when these signals arrive, e.g. with the kernel blocked on
a contended semaphore, the system calls will be interrupted.
Some system calls are automatically restartable (the kernel re-executes
them with the same parameters once the signal handler returns) but
only if the signal handler allows it.
Set SA_RESTART on the signal handlers to enable this convenient
behaviour.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Make the maximum number of clients user configurable, either from the command
line or from xorg.conf.
This patch works by using the MAXCLIENTS (raised to 512) as the maximum
allowed number of clients, but allowing the actual limit to be set by the
user to a lower value (keeping the default of 256).
There is a limit size of 29 bits to be used to store both the client ID and
the X resources ID, so by reducing the number of clients allowed to connect to
the X server, the user can increase the number of X resources per client or
vice-versa.
Parts of this patch are based on a similar patch from Adam Jackson
<ajax@redhat.com>
This now requires at least xproto 7.0.28
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
xorg/xserver/os/utils.c: In function ‘Win32TempDir’:
xorg/xserver/os/utils.c:1643:1: warning: old-style function definition [-Wold-style-definition]
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
The xnfcalloc() macro took two arguments but simply multiplied them
together without checking for overflow and defeating any overflow
checking that calloc() might have done. Let's not do that.
The original XNFcalloc() function is left for now to preserve driver
ABI, but is marked as deprecated so it can be removed in a future round
of ABI break/cleanup.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
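The overflow described in the commit above, as an added example that is not part of the commit or the xserver source. The names `unchecked_bytes`, `unchecked_calloc` and `checked_calloc` are hypothetical, and the checked wrapper returns NULL instead of aborting the way a "no fail" allocator would.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count the allocator sees when the caller multiplies first:
 * size_t arithmetic wraps silently on overflow. */
size_t unchecked_bytes(size_t n, size_t size)
{
    return n * size;
}

/* Shape of the flawed pattern: calloc() only ever sees the wrapped
 * product, so its own overflow check can never fire. */
void *unchecked_calloc(size_t n, size_t size)
{
    return calloc(1, unchecked_bytes(n, size));
}

/* Hardened form: reject a product that cannot be represented, then pass
 * both factors through so calloc() can also check them itself. */
void *checked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

int main(void)
{
    /* Constructed input: (SIZE_MAX / 4 + 2) * 4 wraps around to 4. */
    size_t n = SIZE_MAX / 4 + 2, size = 4;
    void *bad = unchecked_calloc(n, size);
    void *good = checked_calloc(n, size);

    printf("requested %zu elements of %zu bytes\n", n, size);
    printf("unchecked: allocator asked for %zu bytes, got %s\n",
           unchecked_bytes(n, size), bad ? "a tiny buffer" : "NULL");
    printf("checked:   %s\n", good ? "allocated" : "rejected (NULL)");
    free(bad);
    free(good);
    return 0;
}
```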
In the unlikely event of a failure in creating processes, signal
masks will fall from the panels above you. Secure your mask before
telling your child what to do, since it won't exist, and you will
instead cause the server itself to be replaced by a shell running
the target program.
Found by Coverity #53397: Missing break in switch
Execution falls through to the next case statement or default;
this might indicate a common typo.
In System: Missing break statement between cases in switch statement (CWE-484)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Keith Packard <keithp@keithp.com>
This disables the tcp listen socket by default. Then, it
uses a new xtrans interface, TRANS(Listen), to provide a command line
option to re-enable those if desired.
v2: Leave unix socket enabled by default. Add configure options.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
This should have been part of d0da0e9c3b
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Almost every situation of someone running indirect GLX is a mistake
that results in X Server crashes. Indirect GLX is the cause of
regular security vulnerabilities, and rarely provides any capability
to the user. Just disable it unless someone wants to enable it for
their special use case (using +iglx on the command line).
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Add -displayfd into -help text. It was mentioned in the man page but seems to have been missed from the -help text.
Signed-off-by: Keith Packard <keithp@keithp.com>
The attack surface for indirect GLX is huge, and it's of no use to
most people (if you get an indirect GL context, you're better served
by an immediate X error than actually trying to use an indirect GL
context and finding out that it doesn't support doing anything you
want, slowly). This flag gives you a chance to disable indirect GLX
in environments where you just don't need it.
I put in both the '+' and '-' arguments right now, so that it's easy
to patch the value to change the default policy.
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
There's no sense verifying that we can create the lock file and then
ignoring the return value from write.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Handle -displayfd and an explicit display number sensibly, e.g. use the
explicitly specified display number, and write it to the displayfd.
v2: displayfd might be 0, so use -1 as invalid value
v3: Rebase for addition of NoListenAll flag
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
A socket-activated server will receive its listening sockets from the
parent process and should not create its own sockets. This patch
introduces a NoListen flag that can be set by a DDX to prevent
the server from creating the sockets. When NoListen is enabled, we
also disable the server lock checking, since the parent process is
responsible for checking the lock before picking the display name and
creating the sockets.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
This reverts commit d0339a5c66.
seriously, what the fuck? Are we making xstrdup() return a const char now too?
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
We call atoi() on the server's display to get the socket but otherwise use the
unmodified display for log file name, xkb paths, etc. This results in
Xorg :banana being the equivalent of Xorg :0, except for the log files being
in /var/log/Xorg.banana.log. I'm not sure there's a good use-case for this
behaviour.
Check the display for something that looks reasonable, i.e. digits only, but
do allow for :0.0 (i.e. digits, followed by a period, followed by one or two
digits).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
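The check described in the commit above, as an added example that is not the xserver's own code. `display_is_valid` and `display_number_unchecked` are hypothetical names, and the sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* What the unchecked path computes: atoi() stops at the first non-digit
 * and yields 0 when there are no leading digits at all. */
int display_number_unchecked(const char *display)
{
    return atoi(display);
}

/* Accept digits only, optionally followed by a period and one or two
 * digits (e.g. "0" or "0.0"). `display` is the text after the ':'. */
int display_is_valid(const char *display)
{
    size_t i = 0, screen_digits = 0;

    if (display == NULL || !isdigit((unsigned char) display[0]))
        return 0;
    while (isdigit((unsigned char) display[i]))
        i++;
    if (display[i] == '\0')
        return 1;               /* plain display number */
    if (display[i] != '.')
        return 0;               /* trailing junk such as "0banana" */
    i++;
    while (isdigit((unsigned char) display[i])) {
        i++;
        screen_digits++;
    }
    return display[i] == '\0' && screen_digits >= 1 && screen_digits <= 2;
}

int main(void)
{
    /* Constructed sample display strings. */
    const char *samples[] = { "0", "12", "0.0", "1.15", "banana",
                              "0banana", "0.", "0.123", "", "-1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf(":%-8s atoi=%d valid=%d\n", samples[i],
               display_number_unchecked(samples[i]),
               display_is_valid(samples[i]));
    return 0;
}
```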
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Applications may end up allocating a bunch of shmfence objects, each
of which uses a file descriptor, which must be kept open lest some
other client ask for a copy of it later on.
Lacking an API that can turn a memory mapping back into a file
descriptor, about the best we can do is push the file descriptors out
of the way of other X clients so that we don't run out of the ability
to accept new connections.
This uses fcntl F_GETFD to push the FD up above MAXCLIENTS.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
The selection of which clock to use for this function was not actually
getting used when fetching the final clock value.
Reported-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
It's already not optional at configure time, this just makes it so at
build time too.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Truncating the fraction part leads to a test failure where -1203.30 is
printed as -1203.29. Round this to the nearest value instead by adding
0.5 before converting to an integer.
Signed-off-by: Keith Packard <keithp@keithp.com>
This is the lazy man's %f support. Print the decimal part of the number,
then append a decimal point, then print the first two digits of the
fractional part. So %f in sigsafe printing is really %.2f.
No boundary checks in place here.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
The formatter confused address operators preceded by casts with
bitwise-and expressions, placing spaces on either side of both.
That syntax isn't used by ordinary address operators, however,
so fix them for consistency.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
setitimer() and SIGALRM aren't available on WIN32, so smart scheduler
code cannot be built. Provide only stubs for smart scheduler timer
code, and disable smart scheduler by default.
Signed-off-by: Ryan Pavlik <rpavlik@iastate.edu>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Tested-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Keith Packard <keithp@keithp.com>