commit ff76b219f6513b5ef63105165c301f7d69da0e05
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Feb 11 00:33:17 2015 +0100

    Bump to 1.16.4
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 8f61533b16635a0a13f4048235246edb138fa40b
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Jan 16 08:44:45 2015 +0100

    xkb: Check strings length against request size
    
    Ensure that the given strings length in an XkbSetGeometry request remain
    within the limits of the size of the request.
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
    (cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 747cea16c4de1f48e838e1388301a2e24a3da6c4
Author: Olivier Fourdan <ofourdan@redhat.com>
Date:   Fri Jan 16 20:08:59 2015 +0100

    xkb: Don't swap XkbSetGeometry data in the input buffer
    
    The XkbSetGeometry request embeds data which needs to be swapped when the
    server and the client have different endianess.
    
    _XkbSetGeometry() invokes functions that swap these data directly in the
    input buffer.
    
    However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
    (if there is more than one keyboard), thus causing on swapped clients the
    same data to be swapped twice in memory, further causing a server crash
    because the strings lengths on the second time are way off bounds.
    
    To allow _XkbSetGeometry() to run reliably more than once with swapped
    clients, do not swap the data in the buffer, use variables instead.
    
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
    (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 0722a8043c89e7224c398eef270611cc65c1e219
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Jan 17 10:09:54 2015 +0000

    dri2: SourceOffloads may be for DRI3 only
    
    As a DDX may declare offload support without supporting DRI2
    (because it is using an alternative acceleration mechanism like DRI3),
    when iterating the list of offload_source Screens to find a matching
    DRI2 provider we need to check before assuming it is DRI2 capable.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Reviewed-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 082931014811e587a9734cbf4d88fd948979b641)

commit f7e3478fe7817457017f31eb51803c4d03c69249
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Jan 5 16:48:11 2015 -0500

    dix: make RegionInit legal C++
    
    The CVE fix in:
    
        commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb
        Author: Alan Coopersmith <alan.coopersmith@oracle.com>
        Date:   Wed Jan 22 22:37:15 2014 -0800
    
            dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
    
    offended the C++ demons:
    
    ../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to
    'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]
    
    Normally this isn't a problem, because around here we have the sense and
    common decency to not use C++, but this does make tigervnc fail to build,
    which is a little rude of us.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit bb23fbf5bb278113c9c481875423b4d128180972)

commit 645ae07fac78dd2444fd744d3bf9b27e27d06e41
Author: Dave Airlie <airlied@redhat.com>
Date:   Fri Jan 30 09:59:49 2015 +1000

    config/udev: Respect seat assignments when assigned devices
    
    Jonathan Dieter posted a few patches to do this inside the Xorg
    server but it makes no sense to do it there, just have the code
    we use to probe the device list at startup check seat assignments
    using the same code we check at hotplug time.
    
    Bugilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Acked-by: Hans de Goede <hdegoede@redhat.com>
    Tested-by: Jonathan Dieter <jdieter@lesbg.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 697b696e5e24d0679f133183a3bb0852025377c2)

commit cdcf9e95108853e5ea2ed825a25e8f3b4d527535
Author: Dave Airlie <airlied@redhat.com>
Date:   Wed Jan 7 09:19:27 2015 +1000

    randr: attempt to fix primary on slave output (v2)
    
    If the user wants to set one of the slave devices as
    the primary output, we shouldn't fail to do so,
    we were returning BadMatch which was tripping up
    gnome-settings-daemon and bad things ensues.
    
    Fix all the places we use primaryOutput to work
    out primaryCrtc and take it into a/c when slave
    gpus are in use.
    
    v2: review from Aaron, fix indent, unhide has_primary from
    macro. I left the int vs Bool alone to be consistent with
    code below, a future patch could fix both.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit df1b401f57ad4b4925bad66684445b476562f26f)

commit 5c4da5634505556c8249ba6da0adee9fb2621096
Author: Nikhil Mahale <nmahale@nvidia.com>
Date:   Sat Jan 24 17:06:59 2015 -0800

    os: Fix timer race conditions
    
    Fixing following kind of race-conditions -
    
        WaitForSomething()
        |
        ---->  // timers -> timer-1 -> timer-2 -> null
               while (timers && (int) (timers->expires - now) <= 0)
                   // prototype - DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
                   DoTimer(timers, now, &timers)
                   |
                   |
                   ----> OsBlockSignals();  .... OS Signal comes just before blocking it,
                                            .... timer-1 handler gets called.
                                                 // timer-1 gets served and scheduled again;
                                                 // timers -> timer-2 -> timer-1 -> null
                                            ....
                         *prev = timer->next;
                          timer->next = NULL;   // timers -> null
                          // timers list gets corrupted here and timer-2 gets removed from list.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=86288
    Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    
    v2: Apply warning fixes from Keith Packard <keithp@keithp.com>
    
    Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
    Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit fe4c774c572e3f55a7417f0ca336ae1479a966ad)

commit f39ac527baab8a38d023e3a8416757ccfcead42a
Author: Keith Packard <keithp@keithp.com>
Date:   Sat Jan 3 08:46:45 2015 -0800

    dix: Allow zero-height PutImage requests
    
    The length checking code validates PutImage height and byte width by
    making sure that byte-width >= INT32_MAX / height. If height is zero,
    this generates a divide by zero exception. Allow zero height requests
    explicitly, bypassing the INT32_MAX check.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit dc777c346d5d452a53b13b917c45f6a1bad2f20b)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 16f157cbf6b9c3193b4e622b9c4552e83a343e9d
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Dec 20 12:38:41 2014 +0100

    Bump to 1.16.3
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 9b037af0410bb1f63d370d8b8be06135de7af600
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Dec 9 20:55:02 2014 +0100

    Bump to 1.16.2.901
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit f7ff55a374d91f8b513159809ed41c3e029a6074
Author: Keith Packard <keithp@keithp.com>
Date:   Tue Dec 9 09:31:00 2014 -0800

    dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
    
    GetHosts saves the pointer to allocated memory in *data, and then
    wants to bounds-check writes to that region, but was mistakenly using
    a bare 'data' instead of '*data'. Also, data is declared as void **,
    so we need a cast to turn it into a byte pointer so we can actually do
    pointer comparisons.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 1559a94395258fd73e369f1a2c98a44bfe21a486)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 8e7c4380a56ab05412f630e9b6e02580cb04a804
Author: Keith Packard <keithp@keithp.com>
Date:   Tue Dec 9 09:30:59 2014 -0800

    Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
    
    The 'n' parameter must be surrounded by parens in both places to
    prevent precedence from mis-computing things.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 9802a0162f738de03585ca3f3b8a8266494f7d45)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 1069ca99298bf1e85e001bfde90b00a42afdb5d8
Author: Keith Packard <keithp@keithp.com>
Date:   Tue Dec 9 09:30:58 2014 -0800

    glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
    
    We're using compiler compatibility settings which generate warnings
    when a variable is declared after the first statement.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 044764b5c627d1a6e8ea1dd8cf741a26aeb4b2e7
Author: Keith Packard <keithp@keithp.com>
Date:   Tue Dec 9 09:30:57 2014 -0800

    dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
    
    When the local types used to walk the DBE request were changed, this
    changed the type of the parameter passed to the DDX SwapBuffers API,
    but there wasn't a matching change in the API definition.
    
    At this point, with the API frozen, I just stuck a new variable in
    with the correct type. Because we've already bounds-checked nStuff to
    be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
    fit in a signed int without overflow.
    
    Signed-off-by: Keith Packard <keithp@keithp.com
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 73b1880eb37bd8ffbc3e36739e94f9b56b8323b9
Author: Robert Morell <rmorell@nvidia.com>
Date:   Wed Nov 12 18:51:43 2014 -0800

    glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
    
    On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
    bitwise not operation will result in a mask that clears all high bits
    from temp_buf in the expression:
            temp_buf = (temp_buf + mask) & ~mask;
    
    Signed-off-by: Robert Morell <rmorell@nvidia.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 7e7630bbb775573eea2a2335adb9d190c3e1e971)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 912df16404b80ea143bd75cdacc0d0976bae4c96
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:48 2014 -0500

    glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
    
    v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
    
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit e883c170c15493ab3637c0a01890f5a7ca4e16a5)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 92de7a90a1f48b7fd37b8c78f6a2b8dfa13714a6
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:47 2014 -0500

    glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
    
    v2:
    Fix single versus vendor-private length checking for ARB_imaging subset
    extensions. (Julien Cristau)
    
    v3:
    Fix single versus vendor-private length checking for ARB_imaging subset
    extensions. (Julien Cristau)
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 984583a497c813df5827ae22483133e704fee79c)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 44ed4a6547136a0945cd85f93b83392cf53f58f2
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:46 2014 -0500

    glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 44ba149f28ece93c2fbfc9cc980588de5322dd4b)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit fe9672204ad9edc09c4ae6ba1b9e9de09ec98287
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:45 2014 -0500

    glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit afe177020d1fb776c6163f21eddc82cb185b95ca)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 525db4433b042ad5a116ca0366498f5bc36e1640
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:44 2014 -0500

    glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit c91e4abc3b892f42802efa20fef7ada442c2d3f5)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit cbf197e1c97ae0402abfc35514ef62120baee3a6
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:43 2014 -0500

    glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
    
    This is a half-measure until we start passing request length into the
    varsize function, but it's better than the nothing we had before.
    
    v2: Verify that there's at least a large render header's worth of
    dataBytes (Julien Cristau)
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit a33a939e6abb255b14d8dbc85fcbd2c55b958bae)
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    
    Conflicts:
    	glx/glxcmds.c

commit 7590915c9d76ff7efdc6398a37351df9fab2ce7d
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:42 2014 -0500

    glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
    
    v2:
    Fix constants in __glXMap2fReqSize (Michal Srb)
    Validate w/h/d for proxy targets too (Keith Packard)
    
    v3:
    Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 698888e6671d54c7ae41e9d456f7f5483a3459d2)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 20bc891f767a398bff3301369f8a78f9e65b7eda
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Nov 10 12:13:41 2014 -0500

    glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
    
    v2:
    Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit be09e0c988ffdb0371293af49fb4ea8f49ed324a)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 233429c1d8c1183bead2d6f3726c92a7fc557ca9
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:40 2014 -0500

    glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
    
    These are paranoid about integer overflow, and will return -1 if their
    operation would overflow a (signed) integer or if either argument is
    negative.
    
    Note that RenderLarge requests are sized with a uint32_t so in principle
    this could be sketchy there, but dix limits bigreqs to 128M so you
    shouldn't ever notice, and honestly if you're sending more than 2G of
    rendering commands you're already doing something very wrong.
    
    v2: Use INT_MAX for consistency with the rest of the server (jcristau)
    v3: Reject negative arguments (anholt)
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 2a5cbc17fc72185bf0fa06fef26d1f782de72595)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e7dc700de969242983ca0964e38e87a79675f7fa
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:39 2014 -0500

    glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
    
    Without this we'd reject the request with BadLength.  Note that some old
    versions of Mesa had a bug in the same place, and would _send_ zero
    bytes of image data; these will now be rejected, correctly.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 13d36923e0ddb077f4854e354c3d5c80590b5d9d)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 25e0fe2b59189be91a84626bc45278c7596ac438
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:38 2014 -0500

    glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
    
    If the computed reply size is negative, something went wrong, treat it
    as an error.
    
    v2: Be more careful about size_t being unsigned (Matthieu Herrb)
    v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
    
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 717a1b37767b41e14859e5022ae9e679152821a9)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit de17ad13eb38af4bd5c8f085200bdab88496062f
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:37 2014 -0500

    glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
    
    Before this we'd just clamp the image size to 0, which was just
    hideously stupid; if the parameters were such that they'd overflow an
    integer, you'd allocate a small buffer, then pass huge values into (say)
    ReadPixels, and now you're scribbling over arbitrary server memory.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit ab2ba9338aa5e85b4487bc7fbe69985c76483e01)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 1d496e046e398cd9d6d77edf8958967c86983bf0
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Nov 10 12:13:36 2014 -0500

    glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
    
    If the size computation routine returns -1 we should just reject the
    request outright.  Clamping it to zero could give an attacker the
    opportunity to also mangle cmdlen in such a way that the subsequent
    length check passes, and the request would get executed, thus passing
    data we wanted to reject to the renderer.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Michal Srb <msrb@suse.com>
    Reviewed-by: Andy Ritger <aritger@nvidia.com>
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 5a4760babdfeb114d1e89df735496f042df352fe
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Feb 9 22:42:47 2014 -0800

    Add REQUEST_FIXED_SIZE testcases to test/misc.c
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit f4afd53f2aeaddf509bf9f71d1716dd273fd6e14)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit efacb60e01513e9a96f2630159727835e2a8af0b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Feb 9 21:28:05 2014 -0800

    Add request length checking test cases for some Xinput 2.x requests
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 2df83bb122debc3c20cfc3d3b0edc85cd0270f79)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 3b4aa58d565ea4542586cfc8be3f88d5616f77ed
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Feb 9 21:27:27 2014 -0800

    Add request length checking test cases for some Xinput 1.x requests
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit d153a85f7478a7a67ccb02fbca6390b0ab1732ee)
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    
    Conflicts:
    	test/Makefile.am

commit 4f30f4dd47df6dfd363a15a12fd30b727c0bbaa8
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 20:02:20 2014 -0800

    xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit a0ece23a8bd300c8be10812d368dc8058c97c63e)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 18c7f1e49b16ce9264e77f9c244495ceb24e3f5a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 19:51:29 2014 -0800

    render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 0ad9121071adf1425623170c9d3bc19333d0f1a2
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Oct 28 10:30:04 2014 +0100

    render: check request size before reading it [CVE-2014-8100 1/2]
    
    Otherwise we may be reading outside of the client request.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit b5f9ef03df6a650571b29d3d1c1d2b67c6e84336)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit df64ac720642c86efcc47b64621e8a0f1e705f16
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 19:38:09 2014 -0800

    randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 3df2fcf12499ebdb26b9b67419ea485a42041f33)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit ea45001614b771933590a77fdd281b910c637c1b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 19:33:34 2014 -0800

    present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit d155b7a8e38e74aee96bf52c20c8b6a330d7d462)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e3a1255a727518332c4a8d2af30c357aee0d50f0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 19:28:05 2014 -0800

    dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 0a6085aaf3581cca558d960ea176ddf3a41a2213)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit c092c31c83706cc449787d2378b7d4970e9eba8f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 19:23:17 2014 -0800

    Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 3d8e2731b5dae431fe68e79ff21d067aed65a077
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 17:18:54 2014 -0800

    xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 7553082b9b883b5f130044f3d53bce2f0b660e52)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 4d3d93c68b0af02f4bc4e75b0395bbbfb8a2f15c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 26 10:54:41 2014 -0800

    Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
    
    Multiple functions in the Xinput extension handling of requests from
    clients failed to check that the length of the request sent by the
    client was large enough to perform all the required operations and
    thus could read or write to memory outside the bounds of the request
    buffer.
    
    This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
    macro in include/dix.h for the common case of needing to ensure a
    request is large enough to include both the request itself and a
    minimum amount of extra data following the request header.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 73c63afb93c0af1bfd1969bf6e71c9edca586c77)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d88c66541e4653bcccd083894657b45443d09970
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 22 23:12:04 2014 -0800

    dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
    
    ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
    from a buffer. The length is never validated, which can lead to out of
    bound reads, and possibly returning the data read from out of bounds to
    the misbehaving client via an X Error packet.
    
    SProcDbeSwapBuffers() swaps data (for correct endianness) before
    handing it off to the real proc.  While doing the swapping, the
    length field is not validated, which can cause memory corruption.
    
    v2: reorder checks to avoid compilers optimizing out checks for overflow
    that happen after we'd already have done the overflowing multiplications.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 2ef42519c41e793579c9cea699c866fee3d9321f)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit db386cd6a1ccf62d3be9fc88994d48ef9f8375cf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 22 23:40:18 2014 -0800

    dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
    
    ProcDRI2GetBuffers() tries to validate a length field (count).
    There is an integer overflow in the validation. This can cause
    out of bound reads and memory corruption later on.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 6692670fde081bbfe9313f17d84037ae9116702a)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 2883994f9f2d5cae63816db6945dfea618e4a2ee
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 22 23:44:46 2014 -0800

    dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
    
    Force use of 64-bit integers when evaluating data provided by clients
    in 32-bit fields which can overflow when added or multiplied during
    checks.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit e0e11644622a589129a01e11e5d105dc74a098de)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit c2515e9dfd5642e90f2b2526db02afc4ad217a53
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 22 22:37:15 2014 -0800

    dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
    
    RegionSizeof contains several integer overflows if a large length
    value is passed in.  Once we fix it to return 0 on overflow, we
    also have to fix the callers to handle this error condition
    
    v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit cbfdb284c943c202c1fd47e560bd980a74dd662b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Jan 6 23:30:14 2014 -0800

    dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
    
    GetHosts() iterates over all the hosts it has in memory, and copies
    them to a buffer. The buffer length is calculated by iterating over
    all the hosts and adding up all of their combined length. There is a
    potential integer overflow, if there are lots and lots of hosts (with
    a combined length of > ~4 gig). This should be possible by repeatedly
    calling ProcChangeHosts() on 64bit machines with enough memory.
    
    This patch caps the list at 1mb, because multi-megabyte hostname
    lists for X access control are insane.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit bc8e20430b6f6378daf6ce4329029248a88af08b)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit b022d4ef9d89c806024bd0cd367da1b249cc2b2d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 22 21:11:16 2014 -0800

    dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
    
    ProcPutImage() calculates a length field from a width, left pad and depth
    specified by the client (if the specified format is XYPixmap).
    
    The calculations for the total amount of memory the server needs for the
    pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
    on 32-bit systems (since the length is stored in a long int variable).
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit eeae42d60bf3d5663ea088581f6c28a82cd17829)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit f1365eb0ec50bee7d99d4659319c4d93eb21642a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Jan 17 18:54:03 2014 -0800

    unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
    
    authdes_ezdecode() calls malloc() using a length provided by the
    connection handshake sent by a newly connected client in order
    to authenticate to the server, so should be treated as untrusted.
    
    It didn't check if malloc() failed before writing to the newly
    allocated buffer, so could lead to a server crash if the server
    fails to allocate memory (up to UINT16_MAX bytes, since the len
    field is a CARD16 in the X protocol).
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 90cc925c5991fcb203f72d00b04419cd754a9b2c)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 07b01bb5bd3587cd14d9dd2c8f4b145cf1757fe5
Author: Keith Packard <keithp@keithp.com>
Date:   Thu Oct 9 15:17:17 2014 +0200

    glx: check return from __glXGetAnswerBuffer
    
    This function can return NULL; make sure every caller tests for that.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 61a292adf45405641de1c522a04c148e0a152acd)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d1bd02fb6746a4393e2538bf605b610e1764a413
Author: Mario Kleiner <mario.kleiner.de@gmail.com>
Date:   Sat Dec 6 05:40:08 2014 +0100

    present: Fix use of vsynced pageflips and honor PresentOptionAsync. (v4)
    
    Pageflips for Pixmap presents were not synchronized to vblank on
    drivers with support for PresentCapabilityAsync, due to some
    missing init for vblank->sync_flips. The PresentOptionAsync
    flag was completely ignored for pageflipped presents.
    
    Vsynced flips only worked by accident on the intel-ddx, as that
    driver doesn't have PresentCapabilityAsync support.
    
    On nouveau-ddx, which supports PresentCapabilityAsync, this
    always caused non-vsynced pageflips with pretty ugly tearing.
    
    This patch fixes the problem, as tested on top of XOrg 1.16.2
    on nouveau and intel.
    
    v4: Add additional PresentCapabilityAsync caps check, as
    suggested by Eric Anholt.
    
    Please also apply to XOrg 1.17 and XOrg 1.16.2 stable.
    
    Applying on top of XOrg 1.16.2 requires cherry-picking
    commit 2051514652481a83bd7cf22e57cb0fcd40333f33
    which trivially fixes lack of support for protocol option
    PresentOptionCopy - get two bug fixes for the price of one!
    
    Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit aae6460694ac3667abb8c34fdf3a7dae524827a4)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 77ef968c86b4ed1accd6f04ef7bc3d9700c22ed2
Author: Mario Kleiner <mario.kleiner.de@gmail.com>
Date:   Sat Dec 6 05:40:07 2014 +0100

    present: Avoid crashes in DebugPresent(), a bit more info.
    
    DebugPresent() crashed the server when a dri3 drawable
    was closed while a pageflipped present was still pending,
    due to vblank->window-> Null-Ptr deref, so debug builds
    caused new problems to debug.
    
    E.g.,
    
    glXSwapBuffers(...);
    glXDestroyWindow(...);
    -> Pageflip for non-existent window completes -> boom.
    
    Also often happens when switching desktop compositor on/off
    due to Present unflips, or when logging out of session.
    
    Also add info if a Present is queued for copyswap or pageflip,
    if the present is vsynced, and the serial no of the Present
    request, to aid debugging of pageflip and vsync issues. The
    serial number is useful as Mesa's dri3/present backend encodes
    its sendSBC in the serial number, so one can easily correlate
    server debug output with Mesa and with the SBC values returned
    to actual OpenGL client applications via OML_sync_control and
    INTEL_swap_events extension, makes debugging quite a bit more
    easy.
    
    Please also cherry-pick this for a 1.16.x stable update.
    
    Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 32d3100bd78efe41d468f7d66861296aee468b6f)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit f1fc86d61ed97f21579d2125c26de858c1d3ee43
Author: Keith Packard <keithp@keithp.com>
Date:   Wed Sep 10 14:02:13 2014 -0700

    present: Support PresentOptionCopy
    
    We added this option to the present protocol before 1.0 but somehow
    never implemented it in the server. It's pretty simple; just don't
    ever do flips if the application specifies Copy.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 2051514652481a83bd7cf22e57cb0fcd40333f33)
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 386329ec7238edfd1b680c4a7acd39947a161ab5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Dec 1 14:26:11 2014 -0800

    Add -iglx & +iglx to Xserver.man
    
    Covers the current state after commits 99f0365b1fbdfd9238b9f,
    d0da0e9c3bb8fe0cd4879, & e3aa13b8d63ea2fba6eb4 were all applied.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: James Jones <jajones@nvidia.com>
    Reviewed-by: Robert Morell <rmorell@nvidia.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit b09d59342804db7dbb8056dca43dd39f54e290aa)
    
    [alanc: Modified for server-1.16-branch to show +iglx as default instead of
            -iglx, to match code in os/utils.c in server-1.16-branch.]
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit a471a15c779377073fd5d6bb8cff40dff917eca9
Author: Alex Orange <crazycasta@gmail.com>
Date:   Fri Oct 3 15:41:38 2014 -0600

    fb: Fix Bresenham algorithms for commonly used small segments.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168
    
    Fix errors introducted in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said
    patch does indeed remove the problematic writes to bad memory, however
    it also introduces errors in the algoritm. This patch has the effect of
    reverting said patch and adding an if in the proper location to catch
    the out of bounds memory write without causing problems to the overall
    algorithm.
    
    Signed-off-by: Alex Orange <crazycasta@gmail.com>
    Reviewed-by: Peter Harris <pharris@opentext.com>
    Tested-by: Peter Harris <pharris@opentext.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca)

commit 4393c7f1ba6140a02232f04fbb434a80d663a99d
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Nov 10 16:38:52 2014 +0100

    Bump to 1.16.2
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 151ec89574c0d1b4566137d0f2d965ef48f04ec5
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Nov 2 11:21:33 2014 +0100

    Bump to 1.16.1.901

commit a4d9637504ea4c97ca22d86c9f2e275f5253470d
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Oct 16 14:09:08 2014 +0100

    Xext/shm: Detach SHM segment after Pixmap is released
    
    The GPU may still have a reference to the SHM segment which would only
    be finally released when the Pixmap is destroy. So we can only detach
    the SHM segment (and thereby making the memory unaccessible) after the
    backend has had a chance to flush any remaining references.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85058
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Reported-and-tested-by: gedgon@gmail.com
    Reviewed-by: Adam Jackson <ajax@redhat.com>
