!276 Phytium: Fixed display error for ps23xx when using ast and pe2201 bmc card

From: @ultra_planet 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch

@@ -0,0 +1,195 @@
+From 5836cdc9865b480be90603e3e4f6b2d604952370 Mon Sep 17 00:00:00 2001
+From: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
+Date: Mon, 20 May 2024 15:29:26 +0800
+Subject: [PATCH] phytium: xfree86: Fixed display error for ps23xx when using
+ ast and pe2201 bmc card
+
+bugzilla: https://gitee.com/openeuler/kernel/issues/I9NGXP
+
+Used in conjunction with issue number I9NGXP to fix display error
+for ps23xx when using ast and pe2201 bmc card.
+
+Signed-off-by: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
+---
+ hw/xfree86/drivers/modesetting/driver.c | 158 +++++++++++++++++++++++-
+ 1 file changed, 157 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
+index ef4a314..f9555e4 100644
+--- a/hw/xfree86/drivers/modesetting/driver.c
++++ b/hw/xfree86/drivers/modesetting/driver.c
+@@ -1143,6 +1143,162 @@ msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box,
+     return dirty;
+ }
+ 
++static void align_memcpy(void *dest, void *source, size_t size)
++{
++    char *dst1, *dst2, *p, *src, *dst;
++
++    src = (char *)source;
++    dst = (char *)dest;
++
++    dst1 = (char *)(((unsigned long)dst + 0xf) & ~0xf);
++    dst2 = (char *)(((unsigned long)dst + size) & ~0xf);
++    p = dst;
++
++    while((p< dst1) && size){
++        *p++ = *src++;
++        size--;
++    };
++
++    memcpy(dst1, (char *)src, (size & (~0xf)));
++
++    src += (size & (~0xf));
++    size = (size & 0xf);
++
++    p = dst2;
++    while(size--){
++        *p++ = *src++;
++    };
++}
++
++#define AST_BMC_VENDOR_ID 0x1a03
++#define FT_BMC_VENDOR_ID 0x1db7
++#define FT_BMC_DEVICE_ID 0xdc3e
++#define DRM_AST_VRAM_TYPE_DEVICE 0x0
++#define DRM_IOCTL_AST_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_AST_VRAM_TYPE_DEVICE)
++#define DRM_PHYTIUM_VRAM_TYPE_DEVICE 0x0
++#define DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE DRM_IO(DRM_COMMAND_BASE + DRM_PHYTIUM_VRAM_TYPE_DEVICE)
++
++static Bool device_is_ast_bmc(struct pci_device *pci)
++{
++	if (pci->vendor_id == AST_BMC_VENDOR_ID) {
++		return TRUE;
++	}
++
++	return FALSE;
++}
++
++static Bool device_is_ft_bmc(struct pci_device *pci)
++{
++	if (pci->vendor_id == FT_BMC_VENDOR_ID && pci->device_id == FT_BMC_DEVICE_ID) {
++		return TRUE;
++	}
++
++	return FALSE;
++}
++
++static void
++msshadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
++{
++    RegionPtr damage = DamageRegion(pBuf->pDamage);
++    PixmapPtr pShadow = pBuf->pPixmap;
++    int nbox = RegionNumRects(damage);
++    BoxPtr pbox = RegionRects(damage);
++    FbBits *shaBase, *shaLine, *sha;
++    FbStride shaStride;
++    int scrBase, scrLine, scr;
++    int shaBpp;
++    _X_UNUSED int shaXoff, shaYoff;
++    int x, y, w, h, width;
++    int i;
++    FbBits *winBase = NULL, *win;
++    CARD32 winSize;
++    static Bool firstQuery = TRUE;
++    static Bool forceAlign = FALSE;
++    Bool isAstBMC = FALSE;
++    Bool isFtBMC = FALSE;
++    ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
++    modesettingPtr ms = modesettingPTR(pScrn);
++    struct pci_device *pci = NULL;
++
++    if (BUS_PLATFORM == ms->pEnt->location.type) {
++        pci = ms->pEnt->location.id.plat->pdev;
++    } else if (BUS_PCI == ms->pEnt->location.type) {
++        pci = ms->pEnt->location.id.pci;
++    }
++
++    if (pci && device_is_ast_bmc(pci)) {
++        isAstBMC = TRUE;
++        if (firstQuery) {
++			if (1 == drmIoctl(ms->fd, DRM_IOCTL_AST_VRAM_TYPE_DEVICE, NULL)) {
++				forceAlign = TRUE;
++			}
++			firstQuery = FALSE;
++        }
++    } else if (pci && device_is_ft_bmc(pci)) {
++		isFtBMC = TRUE;
++		if (firstQuery) {
++			if (1 == drmIoctl(ms->fd, DRM_IOCTL_PHYTIUM_VRAM_TYPE_DEVICE, NULL)) {
++				forceAlign = TRUE;
++			}
++			firstQuery = FALSE;
++        }
++	}
++
++    fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff,
++                  shaYoff);
++    while (nbox--) {
++        x = pbox->x1 * shaBpp;
++        y = pbox->y1;
++        w = (pbox->x2 - pbox->x1) * shaBpp;
++        h = pbox->y2 - pbox->y1;
++
++        scrLine = (x >> FB_SHIFT);
++        shaLine = shaBase + y * shaStride + (x >> FB_SHIFT);
++
++        x &= FB_MASK;
++        w = (w + x + FB_MASK) >> FB_SHIFT;
++
++        while (h--) {
++            winSize = 0;
++            scrBase = 0;
++            width = w;
++            scr = scrLine;
++            sha = shaLine;
++            while (width) {
++                /* how much remains in this window */
++                i = scrBase + winSize - scr;
++                if (i <= 0 || scr < scrBase) {
++                    winBase = (FbBits *) (*pBuf->window) (pScreen,
++                                                          y,
++                                                          scr * sizeof(FbBits),
++                                                          SHADOW_WINDOW_WRITE,
++                                                          &winSize,
++                                                          pBuf->closure);
++                    if (!winBase)
++                        return;
++                    scrBase = scr;
++                    winSize /= sizeof(FbBits);
++                    i = winSize;
++                }
++                win = winBase + (scr - scrBase);
++                if (i > width)
++                    i = width;
++                width -= i;
++                scr += i;
++                if ((isFtBMC || isAstBMC) && forceAlign) {
++                    align_memcpy(win, sha, i * sizeof(FbBits));
++                } else {
++                    memcpy(win, sha, i * sizeof(FbBits));
++                }
++                sha += i;
++            }
++            shaLine += shaStride;
++            y++;
++        }
++        pbox++;
++    }
++}
++
+ static void
+ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+ {
+@@ -1193,7 +1349,7 @@ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+     if (use_3224)
+         shadowUpdate32to24(pScreen, pBuf);
+     else
+-        shadowUpdatePacked(pScreen, pBuf);
++        msshadowUpdatePacked(pScreen, pBuf);
+ }
+ 
+ static Bool
+-- 
+2.37.0
+

backport-CVE-2024-31080.patch

@@ -0,0 +1,48 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
++    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIGetSelectedEvents swaps it */
++    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
++        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+-- 
+GitLab
+

backport-CVE-2024-31081.patch

@@ -0,0 +1,46 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+     GrabParameters param;
+     void *tmp;
+     int mask_len;
++    uint32_t length;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIPassiveGrabDevice swaps it */
++    length = rep.length;
+     WriteReplyToClient(client, sizeof(rep), &rep);
+     if (rep.num_modifiers)
+-        WriteToClient(client, rep.length * 4, modifiers_failed);
++        WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+     free(modifiers_failed);
+-- 
+GitLab
+

backport-CVE-2024-31082.patch

@@ -0,0 +1,50 @@
+From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
+ length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 77574655b2..40422b61a9 100644
+--- a/hw/xquartz/xpr/appledri.c
++++ b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     xAppleDRICreatePixmapReply rep;
+     int width, height, pitch, bpp;
+     void *ptr;
++    CARD32 stringLength;
+ 
+     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+ 
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ 
++    stringLength = rep.stringLength;  /* save unswapped value */
+     if (client->swapped) {
+         swaps(&rep.sequenceNumber);
+         swapl(&rep.length);
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     }
+ 
+     WriteToClient(client, sizeof(rep), &rep);
+-    WriteToClient(client, rep.stringLength, path);
++    WriteToClient(client, stringLength, path);
+ 
+     return Success;
+ }
+-- 
+GitLab
+

backport-CVE-2024-31083.patch

@@ -0,0 +1,115 @@
+From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 30 Jan 2024 13:13:35 +1000
+Subject: [PATCH] render: fix refcounting of glyphs during ProcRenderAddGlyphs
+
+Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+re-used glyph would end up not changing the refcount at all. The
+resulting glyph_new array would thus have multiple entries pointing to
+the same non-refcounted glyphs.
+
+AddGlyph may free a glyph, resulting in a UAF when the same glyph
+pointer is then later used.
+
+Fix this by returning a refcount of 1 for a new glyph and always
+incrementing the refcount for a re-used glyph, followed by dropping that
+refcount back down again when we're done with it.
+
+CVE-2024-31083, ZDI-CAN-22880
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Conflict: render/glyphstr_priv.h => render/glyphstr.h and void FreeGlyph(GlyphPtr glyph, int format) => extern void FreeGlyph(GlyphPtr glyph, int format)
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb31609b1280fc93237b00c77
+---
+ render/glyph.c         |   5 +-
+ render/glyphstr.h      |   1 +
+ render/render.c        |  15 +++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+ create mode 100644 render/glyphstr.h.orig
+
+diff --git a/render/glyph.c b/render/glyph.c
+index f3ed9cf..d5fc5f3 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
+     }
+ }
+ 
+-static void
++void
+ FreeGlyph(GlyphPtr glyph, int format)
+ {
+     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
++    BUG_RETURN(glyph->refcnt == 0);
+     if (--glyph->refcnt == 0) {
+         GlyphRefPtr gr;
+         int i;
+@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
+     glyph = (GlyphPtr) malloc(size);
+     if (!glyph)
+         return 0;
+-    glyph->refcnt = 0;
++    glyph->refcnt = 1;
+     glyph->size = size + sizeof(xGlyphInfo);
+     glyph->info = *gi;
+     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
+diff --git a/render/glyphstr.h b/render/glyphstr.h
+index 2f51bd2..3b1d806 100644
+--- a/render/glyphstr.h
++++ b/render/glyphstr.h
+@@ -108,6 +108,7 @@ extern Bool
+ extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
+ 
+ extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
++extern void FreeGlyph(GlyphPtr glyph, int format);
+ 
+ extern Bool
+  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
+diff --git a/render/render.c b/render/render.c
+index 456f156..5bc2a20 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
+ 
+         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
+             glyph_new->found = TRUE;
++            ++glyph_new->glyph->refcnt;
+         }
+         else {
+             GlyphPtr glyph;
+@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
+         err = BadAlloc;
+         goto bail;
+     }
+-    for (i = 0; i < nglyphs; i++)
++    for (i = 0; i < nglyphs; i++) {
+         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
++        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
++    }
+ 
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
+         FreePicture((void *) pSrc, 0);
+     if (pSrcPix)
+         FreeScratchPixmapHeader(pSrcPix);
+-    for (i = 0; i < nglyphs; i++)
+-        if (glyphs[i].glyph && !glyphs[i].found)
+-            free(glyphs[i].glyph);
++    for (i = 0; i < nglyphs; i++) {
++        if (glyphs[i].glyph) {
++            --glyphs[i].glyph->refcnt;
++            if (!glyphs[i].found)
++                free(glyphs[i].glyph);
++        }
++    }
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+     return err;
+-- 
+2.43.0
+

backport-dix-Fix-use-after-free-in-input-device-shutdown.patch

@@ -0,0 +1,81 @@
+From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Sun, 19 Dec 2021 18:11:07 +0200
+Subject: [PATCH] dix: Fix use after free in input device shutdown
+
+This fixes access to freed heap memory via dev->master. E.g. when
+running BarrierNotify.ReceivesNotifyEvents/7 test from
+xorg-integration-tests:
+
+==24736==ERROR: AddressSanitizer: heap-use-after-free on address
+0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
+READ of size 4 at 0x619000065020 thread T0
+    #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
+    #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
+    #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
+../../../Xi/xichangehierarchy.c:95
+    #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+    #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
+
+0x619000065020 is located 160 bytes inside of 912-byte region
+[0x619000064f80,0x619000065310)
+freed by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+    #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
+    #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+previously allocated by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+    #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
+    #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
+    #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
+../../../Xi/xichangehierarchy.c:465
+    #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
+    #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
+    #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
+    #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+The problem is caused by dev->master being not reset when disabling the
+device, which then causes dangling pointer when the master device itself
+is being deleted when exiting whole server.
+
+Note that RecalculateMasterButtons() requires dev->master to be still
+valid, so we can reset it only at the end of function.
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/1801fe0ac3926882d47d7e1ad6c0518a2cdffd41
+Conflict:NA
+
+---
+ dix/devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index e62c34c55e..5f9ce1678f 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     }
+ 
+     RecalculateMasterButtons(dev);
++    dev->master = NULL;
+ 
+     return TRUE;
+ }
+-- 
+GitLab
+

backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch

@@ -0,0 +1,36 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/133e0d651c5d12bf01999d6289e84e224ba77adc
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
++        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
++        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
++        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+-- 
+GitLab
+

backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

@@ -0,0 +1,75 @@
+From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 5 Apr 2024 15:24:49 +0200
+Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
+
+ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+then frees it using FreeGlyph() to decrease the reference count, after
+AddGlyph() has increased it.
+
+AddGlyph() however may chose to reuse an existing glyph if it's already
+in the glyphSet, and free the glyph that was given, in which case the
+caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+already freed glyph, as reported by ASan:
+
+  READ of size 4 thread T0
+    #0 in FreeGlyph xserver/render/glyph.c:252
+    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+    #2 in Dispatch xserver/dix/dispatch.c:546
+    #3 in dix_main xserver/dix/main.c:271
+    #4 in main xserver/dix/stubmain.c:34
+    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #6 in __libc_start_main_impl ../csu/libc-start.c:360
+    #7  (/usr/bin/Xwayland+0x44fe4)
+  Address is located 0 bytes inside of 64-byte region
+  freed by thread T0 here:
+    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+    #2 in AddGlyph xserver/render/glyph.c:295
+    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+    #4 in Dispatch xserver/dix/dispatch.c:546
+    #5 in dix_main xserver/dix/main.c:271
+    #6 in main xserver/dix/stubmain.c:34
+    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  previously allocated by thread T0 here:
+    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+    #1 in AllocateGlyph xserver/render/glyph.c:355
+    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+    #3 in Dispatch xserver/dix/dispatch.c:546
+    #4 in dix_main xserver/dix/main.c:271
+    #5 in main xserver/dix/stubmain.c:34
+    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+To avoid that, make sure not to free the given glyph in AddGlyph().
+
+v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f0ef0744517580864cef
+---
+ render/glyph.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 13991f8a12..5fa7f3b5b4 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
+     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
+                       TRUE, glyph->sha1);
+     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
+-        FreeGlyphPicture(glyph);
+-        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
+         glyph = gr->glyph;
+     }
+     else if (gr->glyph != glyph) {
+-- 
+GitLab
+

xorg-x11-server.spec

@@ -16,7 +16,7 @@
 
 Name:           xorg-x11-server
 Version:        1.20.11
-Release:        27
+Release:        32
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@@ -79,6 +79,7 @@ Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch
 
 Patch0100: 0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch
 Patch0101: 0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch
+Patch0102: 0025-phytium-xfree86-Fixed-display-error-for-ps23xx-when-.patch
 
 Patch0029: xorg-s11-server-CVE-2018-20839.patch
 Patch6000: backport-CVE-2021-4008.patch
@@ -117,6 +118,13 @@ Patch6033: backport-0001-CVE-2024-0229.patch
 Patch6034: backport-0002-CVE-2024-0229.patch
 Patch6035: backport-0003-CVE-2024-0229.patch
 Patch6036: fix-segfault-if-CreateGC-failed-in-XaceHook.patch
+Patch6037: backport-CVE-2024-31080.patch
+Patch6038: backport-CVE-2024-31081.patch
+Patch6039: backport-CVE-2024-31082.patch
+Patch6040: backport-CVE-2024-31083.patch
+Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+Patch6042: backport-dix-Fix-use-after-free-in-input-device-shutdown.patch
+Patch6043: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
 
 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex git gcc 
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@@ -458,6 +466,28 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_mandir}/man*/*
 
 %changelog
+* Thu May 30 2024 shuaijiakun <shuaijiakun1288@phytium.com.cn> -1.20.11-32
+- Type:feature
+- CVE:NA
+- SUG:NA
+- DESC:fix display error for ps23xx when using ast and pe2201 bmc card.
+
+* Fri Apr 26 2024 yanglu <yanglu72@h-partners.com> -1.20.11-31
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix regression caused by the fix for CVE-2024-0229 
+       fix use after free related to CVE-2024-21886
+
+* Wed Apr 17 2024 yanglu <yanglu72@h-partners.com> -1.20.11-30
+- fix regression caused by the fix for CVE-2024-31083
+
+* Sun Apr 7 2024 yanglu <yanglu72@h-partners.com> -1.20.11-29
+- fix CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083
+
+* Wed Feb 28 2024 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1.20.11-28
+- fix changelog The CVE is should be CVE-2023-6816.
+
 * Mon Feb 5 2024 niuwanli <niuwanli@cysoftware.com.cn> - 1.20.11-27
 - fix segfault if CreateGC failed in XaceHook
 
@@ -465,7 +495,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 - Modify sw_64 patch to use all arch
 
 * Thu Jan 18 2024 zhouwenpei <zhouwenpei1@h-partners.com> -1.20.11-25
-- fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2024-6816,CVE-2024-0229
+- fix CVE-2024-21885,CVE-2024-21886,CVE-2024-0408,CVE-2024-0409,CVE-2023-6816,CVE-2024-0229
 
 * Fri Dec 15 2023 zhangpan <zhangpan103@h-partners.com> -1.20.11-24
 - fix CVE-2023-6478 CVE-2023-6377