xdmcp.c:1404:1: warning: function 'XdmcpFatal' could be declared with attribute 'noreturn'
[-Wmissing-noreturn,Semantic Issue]
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
xdmauth.c:230:13: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of
type
'int'
which may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^
xdmauth.c:230:13: note: use function 'labs' instead [Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^~~
labs
xdmauth.c:302:9: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of type
'int' which
may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^
xdmauth.c:302:9: note: use function 'labs' instead [Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^~~
labs
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
These extensions were accessing internal OS functions and
structures. Expose the necessary functionality to them and remove
their use of osdep.h
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
There was a complicated scheme to increase the time between keepalives
from 3 minutes up to as much as 24 hours in an attempt to reduce
network traffic from idle X terminals. X terminals receiving X
traffic, or receiving user input would use the 3 minute value; X
terminals without any network traffic would use a longer value.
However, this was actually broken -- any activity in the X server,
either client requests or user input, would end up resetting the
keepalive timeout, so a user mashing on the keyboard would never
discover that the XDMCP master had disappeared and have the session
terminated, which was precisely the design goal of the XDMCP keepalive
mechanism.
Instead of attempting to fix this, accept the cost of a pair of XDMCP
packets once every three minutes and just perform keepalives
regularly.
This will also make reworking the block and wakeup handler APIs to
eliminate select masks easier.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
The X server used to wait for the user to hit a key or move the mouse
before restarting the session after a keepalive failure. This,
presumably, was to avoid having the X server continuously spew XDMCP
protocol on the network while the XDM server was dead.
Switching into this state was removed from the server some time before
XFree86 4.3.99.16, so the remaining bits of code have been dead for
over a decade, and no-one ever noticed.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Commit 4b4b9086 "os: support new implicit local user access mode [CVE-2015-3164
2/3]" carefully places the relevant code it adds under !NO_LOCAL_CLIENT_CRED,
but unfortunately doesn't notice that NO_LOCAL_CLIENT_CRED is defined as a
side-effect in the middle of GetLocalClientCreds(), so many of these checks
precede its definition.
Move the check if NO_LOCAL_CLIENT_CRED should be defined to configure.ac, so it
always occurs before it's first use.
v2:
Move check to configure.ac
v3:
Use AC_CACHE_CHECK and name cache varaible appropriately
[ajax: Massaged commit message]
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Ray Strode <rstrode@redhat.com>
Commit 94ab7455 added SA_RESTART to the SIGALRM handler. However, the
Popen code tears down and recreates the SIGALRM handler via OsSignal(),
and this flag is dropped at this time.
Clean the code to use just a single codepath for creating this signal
handler, always applying SA_RESTART.
[ajax: Fixed commit id]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
The X server frequently deals with SIGIO and SIGALRM interruptions.
If process execution is inside certain blocking system calls
when these signals arrive, e.g. with the kernel blocked on
a contended semaphore, the system calls will be interrupted.
Some system calls are automatically restartable (the kernel re-executes
them with the same parameters once the signal handler returns) but
only if the signal handler allows it.
Set SA_RESTART on the signal handlers to enable this convenient
behaviour.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Make the maximum number of clients user configurable, either from the command
line or from xorg.conf
This patch works by using the MAXCLIENTS (raised to 512) as the maximum
allowed number of clients, but allowing the actual limit to be set by the
user to a lower value (keeping the default of 256).
There is a limit size of 29 bits to be used to store both the client ID and
the X resources ID, so by reducing the number of clients allowed to connect to
the X server, the user can increase the number of X resources per client or
vice-versa.
Parts of this patch are based on a similar patch from Adam Jackson
<ajax@redhat.com>
This now requires at least xproto 7.0.28
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
backtrace.c uses a word size provided by libunwind. In some
architectures like MIPS, libunwind makes that word size 64-bit for all
variants of the architecture.
In the lines #90 and #98, backtrace.c tries to do a cast to a pointer,
which fails in all MIPS variants with 32-bit pointers, like MIPS32 or
MIPS64 n32, because it's trying to do a cast from a 64-bit wide variable
to a 32-bit pointer:
Making all in os
make[2]: Entering directory
`/home/test/test/1/output/build/xserver_xorg-server-1.15.1/os'
CC WaitFor.lo
CC access.lo
CC auth.lo
CC backtrace.lo
backtrace.c: In function 'xorg_backtrace':
backtrace.c:90:20: error: cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
if (dladdr((void *)(pip.start_ip + off), &dlinfo) &&
dlinfo.dli_fname &&
^
backtrace.c:98:13: error: cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
(void *)(pip.start_ip + off));
^
cc1: some warnings being treated as errors
make[2]: *** [backtrace.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
Making the cast to a pointer-sized integer, and then to a pointer fixes
the problem.
Related:
https://bugs.freedesktop.org/show_bug.cgi?id=79939
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.
This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.
Xwayland, on the other hand is new, and much more targeted
in scope. It could, in theory, be changed to allow the much
more secure default of a "user who started X server can connect
clients to that server."
This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior. They merely need to call
LocalAccessScopeUser()
in their init functions.
A subsequent commit will add that call for Xwayland.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
xorg/xserver/os/utils.c: In function ‘Win32TempDir’:
xorg/xserver/os/utils.c:1643:1: warning: old-style function definition [-Wold-style-definition]
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Xtrans.h must be included on WIN32 to prototype _XSERVTransWSAStartup()
xserver/os/xdmcp.c: In function ‘get_addr_by_name’:
xserver/os/xdmcp.c:1483:5: error: implicit declaration of function ‘_XSERVTransWSAStartup’ [-Werror=implicit-function-declaration]
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Wrapper for realloc() that checks for overflow when multiplying
arguments together, so we don't have to add overflow checks to
every single call. For documentation on usage, see:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Acked-by: Matt Turner <mattst88@gmail.com>
The xnfcalloc() macro took two arguments but simply multiplied them
together without checking for overflow and defeating any overflow
checking that calloc() might have done. Let's not do that.
The original XNFcalloc() function is left for now to preserve driver
ABI, but is marked as deprecated so it can be removed in a future round
of ABI break/cleanup.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
XdmcpFatal uses the format specifier %*.*s, which vpnprintf() doesn't
understand, which causes a backtrace and prevents the reason for the XDMCP
failure being logged.
See also:
https://bugs.freedesktop.org/show_bug.cgi?id=66862https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758574
"%*.*s" is also currently used in a few other places, so teach vpnprintf() how
to handle it
$ fgrep -r "%*.*s" *
hw/dmx/config/scanner.l: fprintf(stderr, "parse error on line %d at token \"%*.*s\"\n",
hw/dmx/dmxlog.c: ErrorF("(%s) dmx[i%d/%*.*s]: ", type,
hw/dmx/input/dmxinputinit.c: dmxLogCont(dmxInfo, "\t[i%d/%*.*s",
os/access.c: ErrorF("Xserver: siAddrMatch(): type = %s, value = %*.*s -- %s\n",
os/access.c: ("Xserver: siCheckAddr(): type = %s, value = %*.*s, len = %d -- %s\n",
os/xdmcp.c: FatalError("XDMCP fatal error: %s %*.*s\n", type,
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
In X server 1.17, the default configuration is now -nolisten tcp. In this
configuration, XDMCP options don't work usefully, as the X server is not
listening on the port for the display that it tells the display manager to
connect to.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Since _XSERVTransClose frees the connection pointer passed to it,
remove that pointer from the array, so we don't try to double free it
if we come back into CloseWellKnownConnections again.
Should fix https://bugzilla.yoctoproject.org/show_bug.cgi?id=6665 in which
the shutdown section of the main() loop called CloseWellKnownConnections()
and then moved on to ddxGiveUp(), which failed to release the VT and thus
called AbortServer(), which called CloseWellKnownConnections() again.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This was reported on irc on Fedora when rawhide went to 1.17.1.
regression occured in: 2566835b43
os: Eliminate uninitialized value warnings from access.c
siAddrMatch doesn't need addr to be a useful value, it checks
some things like localuser without having an address at all.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Use typedefs to work around dtrace dropping const qualifiers from probe
arguments when generating Xserver-dtrace.h. Add new probes.h header to
avoid having to replicate these typedefs in every file with dtrace probes.
Gets rid of these warnings from gcc 4.8:
getevents.c:1096:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' discards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1096:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1651:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1651:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1791:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1791:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1921:9:
warning: passing argument 6 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
getevents.c:1921:9:
warning: passing argument 7 of '__dtrace_Xserver___input__event' disards
'const' qualifier from pointer target type [enabled by default]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
I'm interested in copying this code to the mesa project, but before
doing that it seems prudent to have the license and copyright
attributions in place before copying that. To get this list of names I
went through:
git log -- os/xsha1.c
and:
git log -- render/glyph.c
Signed-off-by: Keith Packard <keithp@keithp.com>
Gets rid of gcc 4.8 warning:
osinit.c:211:9: warning: ISO C90 forbids mixed declarations and code
[-Wdeclaration-after-statement]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
When (long) is larger than (int), and when realloc succeeds with sizes
larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count
overflow and become negative.
When ConnectionOutput->count is negative, InsertIOV does not actually
insert an IOV, and FlushClient goes into an infinite loop of writev(fd,
iov, 0) [an empty list].
Avoid this situation by killing the client when it has more than INT_MAX
unread bytes of data.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
ErrorFSigSafe calls LogVMessageVerbSigSafe with the message type set to X_ERROR.
That generates this in the log:
(EE) Server terminated successfully (0). Closing log file.
People periodically report this as an error, sometimes quoting this "error"
rather than an earlier error that actually caused a problem.
v2: Use X_INFO instead of X_NOTICE
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
The ConvertAddr function doesn't reliably set the 'addr' return value,
and so callers are getting flagged for using potentially uninitialized
values. Initialize the value in the callers to NULL and then go ahead
and check for NULL values before using them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-displayfd should check ports up to 65535
Noticed during https://cygwin.com/ml/cygwin-xfree/2014-07/msg00024.html
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
In the unlikely event of a failure in creating processes, signal
masks will fall from the panels above you. Secure your mask before
telling your child what to do, since it won't exist, and you will
instead cause the server itself to be replaced by a shell running
the target program.
Found by Coverity #53397: Missing break in switch
Execution falls through to the next case statement or default;
this might indicate a common typo.
In System: Missing break statement between cases in switch statement (CWE-484)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Keith Packard <keithp@keithp.com>
This disables the tcp listen socket by default. Then, it
uses a new xtrans interface, TRANS(Listen), to provide a command line
option to re-enable those if desired.
v2: Leave unix socket enabled by default. Add configure options.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
$ gcc --version
gcc (Gentoo 4.4.3-r2 p1.2) 4.4.3
/jhbuild/checkout/xorg/xserver/os/log.c: In function ‘LogInit’:
/jhbuild/checkout/xorg/xserver/os/log.c:199: error: #pragma GCC diagnostic not allowed inside functions
/jhbuild/checkout/xorg/xserver/os/log.c:201: warning: format not a string literal, argument types not checked
/jhbuild/checkout/xorg/xserver/os/log.c:212: error: #pragma GCC diagnostic not allowed inside functions
/jhbuild/checkout/xorg/xserver/os/log.c:214: warning: format not a string literal, argument types not checked
etc.
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This should have been part of d0da0e9c3b
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Almost every situation of someone running indirect GLX is a mistake
that results in X Server crashes. Indirect GLX is the cause of
regular security vulnerabilities, and rarely provides any capability
to the user. Just disable it unless someone wants to enable it for
their special use case (using +iglx on the command line).
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
In commit e67f2d7e0f ("gcc 4.2.1 doesn't
support #pragma GCC diagnostic ignored"), some compile time
conditionals were added around the #pragma usage. Those conditionals
ensure that the #pragma are not used on gcc <= 4.2.
However, the usage of #pragma diagnostic inside functions was only
added in gcc 4.6, and a build failure is therefore experienced with
gcc 4.5:
log.c: In function 'LogInit':
log.c:199:9: error: #pragma GCC diagnostic not allowed inside functions
log.c:201:9: warning: format not a string literal, argument types not checked
log.c:212:9: error: #pragma GCC diagnostic not allowed inside functions
log.c:214:17: warning: format not a string literal, argument types not checked
$ ./host/usr/bin/powerpc-linux-gnu-gcc -v
[...]
gcc version 4.5.2 (Sourcery G++ Lite 2011.03-38)
This patch therefore adjusts the compile time conditionals to make
sure the #pragma is not used on gcc <= 4.5, and only used on gcc >=
4.6.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Regenerate os/oscolor.c from rgb.txt. This adds the following
colors: aqua, lime, fuchsia, crimson, indigo, olive, rebecca
purple, silver and teal. It also adds versions of gray, grey,
green, maroon and purple prefixed with web and x11 for the
colors that are different between X11 and HTML/CSS web colors.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=52289
Related: https://bugs.freedesktop.org/show_bug.cgi?id=80371
Signed-off-by: nobody
Tested-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
pharris says that the resets should not be done in the hotplugging case.
This may fix a crash reported against XQuartz:
http://xquartz.macosforge.org/trac/ticket/869
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Peter Harris <pharris@opentext.com>
The comment lies, shm hasn't used this code since:
commit fdef7be5c8
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Tue Oct 9 18:44:04 2007 -0700
Sun bug 6589829: include zoneid of shm segment in access [...]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Even though -Wcomment doesn't mind it (in gcc or clang), the appearance
of */* confuses the syntax highlighter of some editors (eg. vim), and
causes warnings in MSVC.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
If an empty string is provided to LogMessageVerbSigSafe, the length of the
printed string is 0.
Read-only access only and the only effect it had was adding a linebreak or not.
X.Org Bug 80890 <http://bugs.freedesktop.org/show_bug.cgi?id=80890>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
If we're smart enough to warn, we should be smart enough to just pass it
through to the right function. Worst case we lose some formatting specifiers
which pnprintf will complain about anyway. And in most cases it won't matter.
This requires renaming pnprintf to vpnprintf and changing the size_t to int to
be compatible with Xvscnprintf. pnprintf is internal only, the others are
exported API so we can't change them as easily.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Add -displayfd into -help text. It was mentioned in the man page but seem to have been missed from the -help text.
Signed-off-by: Keith Packard <keithp@keithp.com>
The attack surface for indirect GLX is huge, and it's of no use to
most people (if you get an indirect GL context, you're better served
by a immediate X error than actually trying to use an indirect GL
context and finding out that it doesn't support doing anything you
want, slowly). This flag gives you a chance to disable indirect GLX
in environments where you just don't need it.
I put in both the '+' and '-' arguments right now, so that it's easy
to patch the value to change the default policy.
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Fixes a valgrind complaint:
==8805== Syscall param rt_sigaction(act->sa_mask) points to uninitialised byte(s)
==8805== at 0x5EB8315: __libc_sigaction (sigaction.c:66)
==8805== by 0x5B13DA: busfault_init (busfault.c:145)
==8805== by 0x5A60A2: OsInit (osinit.c:191)
==8805== by 0x46EBA2: dix_main (main.c:163)
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
There's no place to log the message if writing to the log file fails,
and we surely don't want to crash in that case, so just ignore errors
and keep going.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
There's no sense verifying that we can create the lock file and then
ignoring the return value from write.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
When the server is started with the -displayfd option, check to make
sure that the writes succeed and give up running if they don't.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Failing to clear this means that we'll attempt to write the display
number to a random file descriptor on subsequent X server generations.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Handle -displayfd and an explicit display number sensibly, e.g. use the
explicitly specified display number, and write it to the displayfd
v2: displayfd might be 0, so use -1 as invalid value
v3: Rebase for addition of NoListenAll flag
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
When the Xwayland server is socket-activated, we need to connect and
initialize the window manager before the activating client gets to
proceed with connecting. We do this by passing a socket file
descriptor for the window manager connection to the Xwayland server,
which then uses this new function to set it up as an X client.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
A socket-activated server will receive its listening sockets from the
parent process and should not create its own sockets. This patch
introduces a NoListen flag that can be set by a DDX to prevent
the server from creating the sockets. When NoListen is enabled, we
also disable the server lock checking, since the parent process is
responsible for checking the lock before picking the display name and
creating the sockets.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
This function was written to allow the X server to inherit the listen
socket from launchd on OS X. The code is not specific to OS X though
and will be useful for on-demand launched Xwayland servers.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
This reverts commit d0339a5c66.
seriously, what the fuck? Are we making xstrdup() return a const char now too?
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
These are generated in code which uses sprintf as a convenient way to
construct strings from various pieces.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Solaris <sys/errno.h> has:
#define EWOULDBLOCK EAGAIN
so checking (errno == EAGAIN || errno == EWOULDBLOCK) is overkill.
This leads cppcheck 1.62 to complain:
[xserver/os/io.c:365] -> [xserver/os/io.c:365]: (style) Same expression on both sides of '||'.
[xserver/os/io.c:941] -> [xserver/os/io.c:941]: (style) Same expression on both sides of '||'.
This quiets it, and reduces the number of calls Solaris Studio cc
generates to the __errno() function to get the thread-specific errno value.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
We call atoi() on the server's display to get the socket but otherwise use the
unmodified display for log file name, xkb paths, etc. This results in
Xorg :banana being the equivalent of Xorg :0, except for the log files being
in /var/log/Xorg.banana.log. I'm not sure there's a good use-case for this
behaviour.
Check the display for something that looks reasonable, i.e. digits only, but
do allow for :0.0 (i.e. digits, followed by a period, followed by one or two
digits).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
This just removes the comment markers from around the formals in
several function prototypes near where pointer -> void * changes were
made. There are plenty more of these to fix.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Applications may end up allocating a bunch of shmfence objects, each
of which uses a file descriptor, which must be kept open lest some
other client ask for a copy of it later on.
Lacking an API that can turn a memory mapping back into a file
descriptor, about the best we can do is push the file descriptors out
of the way of other X clients so that we don't run out of the ability
to accept new connections.
This uses fcntl F_GETFD to push the FD up above MAXCLIENTS.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
The former doesn't exist on BSD and the latter is available everywhere
AFAIK (checked Solaris and Linux).
You also might want to wrap that line ;).
Reported-by: Mark Kettenis <mark.kettenis@xs4all.nl>
Signed-off-by: Keith Packard <keithp@keithp.com>
req_fds and SetReqFds in include/dixstruct.h
ReadFdFromClient, WriteFdToClient and the FD flushing in os/io.c
Signed-off-by: Keith Packard <keithp@keithp.com>
If a client passes a section of memory via file descriptor and then
subsequently truncates that file, the underlying pages will be freed
and the addresses invalidated. Subsequent accesses to the page will
fail with a SIGBUS error.
Trap that SIGBUS, figure out which segment was causing the error and
then allocate new pages to fill in for that region. Mark the offending
shared segment as invalid and free the resource ID so that the client
will be able to tell when subsequently attempting to use the segment.
Signed-off-by: Keith Packard <keithp@keithp.com>
v2: Use MAP_FIXED to simplify the recovery logic (Mark Kettenis)
v3: Also catch errors in ShmCreateSegment
Conflicts:
include/dix-config.h.in
include/xorg-config.h.in
The selection of which clock to use for this function was not actually
getting used when fetching the final clock value.
Reported-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
This passes a file descriptor from the client to the server, which is
then mmap'd
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This adds two interfaces:
void SetReqFds(ClientPtr client, int req_fds)
Marks the number of file descriptors expected for this
request. Call this before any request processing so that
any un-retrieved file descriptors will be closed
automatically.
int ReadFdFromClient(ClientPtr client)
Reads the next queued file descriptor from the connection. If
this request is not expecting any more file descriptors, or
if there are no more file descriptors available from the
connection, then this will return -1.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
And now that we have the accessors, localize it. No functional changes, just
preparing for a future change.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
It is needed in IPv6 configurations (for inet_pton) also when
SIOCGIFCONF is not defined.
Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
It's already not optional at configure time, this just makes it so at
build time too.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
If we immediately put the WriteToClient() buffer into the socket's write
queue, not only do we benefit from sending the response back to client
earlier, but we also avoid the overhead of copying the data into our own
staging buffer and causing extra work in the next select(). The write is
effectively free as typically we may only send one reply per client per
select() call, so the cost of the FlushClient() is the same.
shmget10: 26400 -> 110000
getimage10: 25000 -> 108000
shmget500: 3160 -> 13500
getimage500: 1000 -> 1010
The knock-on effect is that on a mostly idle composited desktop, the CPU
overhead is dominated by the memmove in WriteToClient, which is in turn
eliminated by this patch.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
If we are not backing up logfiles, remove the old logfile before trying to write
a new logfile, as otherwise the operation may fail if the previous logfile was
created by a different user.
This change is useful when:
- The DDX doesn't use the logfile backup mechanism (i.e. not Xorg)
- The DDX is run by a non-root user, and then by a different non-root user
- The logfile directory doesn't have the restricted-deletion flag set
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Acked-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
If a client sends a request larger than maxBigRequestSize, the server is
supposed to ignore it.
Before commit cf88363d, the server would simply disconnect the client. After
that commit, it attempts to gracefully ignore the request by remembering how
long the client specified the request to be, and ignoring that many bytes.
However, if a client sends a BigReq header with a large size and disconnects
before actually sending the rest of the specified request, the server will
reuse the ConnectionInput buffer without resetting the ignoreBytes field. This
makes the server ignore new X clients' requests.
This fixes that behavior by resetting the ignoreBytes field when putting the
ConnectionInput buffer back on the FreeInputs list.
Signed-off-by: Robert Morell <rmorell@nvidia.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Backtrace logging etc. is already sigsafe, but the actual FatalError message
in response is not yet, leading to amusing logs like this:
(EE) Segmentation fault at address 0x0
(EE) BUG: triggered 'if (inSignalContext)'
(EE) BUG: log.c:499 in LogVMessageVerb()
(EE) Warning: attempting to log data in a signal unsafe manner while in
signal context.
Please update to check inSignalContext and/or use LogMessageVerbSigSafe() or
ErrorFSigSafe().
The offending log format message is:
Fatal server error:
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Mainly for %ld, smaller than int is propagated anyway, and %lld isn't really
used.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
