diff --git a/.gitignore b/.gitignore
index d2f073c..dff77f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/xorg-server-1.15.0.tar.bz2
+SOURCES/xorg-server-1.17.2.tar.bz2
diff --git a/.xorg-x11-server.metadata b/.xorg-x11-server.metadata
index 2d0886b..929b5d7 100644
--- a/.xorg-x11-server.metadata
+++ b/.xorg-x11-server.metadata
@@ -1 +1 @@
-a0f347a9002770925fe95d4b9275068b44b4a4b0 SOURCES/xorg-server-1.15.0.tar.bz2
+56ac29a82b99bcf4c7ba2fca41a44cfa18748262 SOURCES/xorg-server-1.17.2.tar.bz2
diff --git a/SOURCES/0001-Always-install-vbe-and-int10-sdk-headers.patch b/SOURCES/0001-Always-install-vbe-and-int10-sdk-headers.patch
index cc01440..7dd249c 100644
--- a/SOURCES/0001-Always-install-vbe-and-int10-sdk-headers.patch
+++ b/SOURCES/0001-Always-install-vbe-and-int10-sdk-headers.patch
@@ -1,29 +1,37 @@
-From f1a28f50ab58c3a69acdbe55770c23b57d31d98b Mon Sep 17 00:00:00 2001
+From fc306295751178802405e0faa3f2e4e40cd913f0 Mon Sep 17 00:00:00 2001
 From: Adam Jackson <ajax@redhat.com>
 Date: Wed, 15 Aug 2012 12:35:21 -0400
 Subject: [PATCH] Always install vbe and int10 sdk headers
 
 Signed-off-by: Adam Jackson <ajax@redhat.com>
 ---
- hw/xfree86/Makefile.am | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ hw/xfree86/Makefile.am | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
 
 diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
-index 2a12b5e..cd63967 100644
+index 27f2cc6..f9a078f 100644
 --- a/hw/xfree86/Makefile.am
 +++ b/hw/xfree86/Makefile.am
-@@ -30,9 +30,9 @@ if INT10MODULE
- INT10_SUBDIR = int10
+@@ -26,17 +26,9 @@ if VGAHW
+ VGAHW_SUBDIR = vgahw
  endif
  
+-if VBE
+-VBE_SUBDIR = vbe
+-endif
+-
+-if INT10MODULE
+-INT10_SUBDIR = int10
+-endif
+-
 -SUBDIRS = common ddc x86emu $(INT10_SUBDIR) os-support parser \
 +SUBDIRS = common ddc x86emu int10 os-support parser \
  	  ramdac $(VGAHW_SUBDIR) loader modes $(DRI_SUBDIR) \
 -	  $(DRI2_SUBDIR) . $(VBE_SUBDIR) i2c dixmods \
 +	  $(DRI2_SUBDIR) . vbe i2c dixmods \
- 	  fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man
+ 	  fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man \
+ 	  $(GLAMOR_EGL_SUBDIR) drivers
  
- DIST_SUBDIRS = common ddc i2c x86emu int10 fbdevhw os-support \
 -- 
 2.1.0
 
diff --git a/SOURCES/0001-Run-vesa-probe-last.patch b/SOURCES/0001-Run-vesa-probe-last.patch
new file mode 100644
index 0000000..6afaad4
--- /dev/null
+++ b/SOURCES/0001-Run-vesa-probe-last.patch
@@ -0,0 +1,26 @@
+From 7a1980ce6eaacacb1d8124f3022217fa14c48a69 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Wed, 15 Apr 2015 12:41:20 -0400
+Subject: [PATCH] Run vesa probe last
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+---
+ hw/xfree86/common/xf86Config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c
+index d42572f..4f57149 100644
+--- a/hw/xfree86/common/xf86Config.c
++++ b/hw/xfree86/common/xf86Config.c
+@@ -519,7 +519,7 @@ xf86InputDriverlistFromConfig(void)
+ static void
+ fixup_video_driver_list(const char **drivers)
+ {
+-    static const char *fallback[5] = { "modesetting", "fbdev", "vesa", "wsfb", NULL };
++    static const char *fallback[5] = { "wsfb", "vesa", "fbdev", "modesetting", NULL };
+     const char **end, **drv;
+     const char *x;
+     int i;
+-- 
+2.1.0
+
diff --git a/SOURCES/0001-Xephyr-restore-initial-window-resize-lost-in-xcb-con.patch b/SOURCES/0001-Xephyr-restore-initial-window-resize-lost-in-xcb-con.patch
deleted file mode 100644
index b1e95dc..0000000
--- a/SOURCES/0001-Xephyr-restore-initial-window-resize-lost-in-xcb-con.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 7b2a517ba99f6756e98c4aef47d9b9399b997157 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Wed, 26 Mar 2014 23:24:20 +0100
-Subject: [PATCH] Xephyr: restore initial window resize lost in xcb conversion
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The XResizeWindow call wasn't replaced by the xcb equivalent, so we
-were no longer setting the initial window size, only wm size hints.
-
-Regression from commit a2b73da "Xephyr: start converting hostx.c over to
-xcb"
-
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=74849
-
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Reported-by: Laércio de Sousa <lbsousajr@gmail.com>
-Tested-by: Jon TURNEY <jon.turney@dronecode.org.uk>
-Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- hw/kdrive/ephyr/hostx.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
-index 3054f5f..4f48770 100644
---- a/hw/kdrive/ephyr/hostx.c
-+++ b/hw/kdrive/ephyr/hostx.c
-@@ -710,6 +710,12 @@ hostx_screen_init(KdScreenInfo *screen,
-             malloc(scrpriv->ximg->stride * buffer_height);
-     }
- 
-+    {
-+        uint32_t mask = XCB_CONFIG_WINDOW_WIDTH | XCB_CONFIG_WINDOW_HEIGHT;
-+        uint32_t values[2] = {width, height};
-+        xcb_configure_window(HostX.conn, scrpriv->win, mask, values);
-+    }
-+
-     if (scrpriv->win_pre_existing == None && !EphyrWantResize) {
-         /* Ask the WM to keep our size static */
-         xcb_size_hints_t size_hints = {0};
--- 
-1.9.3
-
diff --git a/SOURCES/0001-Xi-Ensure-DeviceChanged-is-emitted-after-grabs-are-d.patch b/SOURCES/0001-Xi-Ensure-DeviceChanged-is-emitted-after-grabs-are-d.patch
deleted file mode 100644
index 022b7a2..0000000
--- a/SOURCES/0001-Xi-Ensure-DeviceChanged-is-emitted-after-grabs-are-d.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 78d09336391faf6e3fe9f67771b03114f23c0b7c Mon Sep 17 00:00:00 2001
-From: Carlos Garnacho <carlosg@gnome.org>
-Date: Thu, 2 Jan 2014 21:33:30 +0100
-Subject: [PATCH] Xi: Ensure DeviceChanged is emitted after grabs are
- deactivated
-
-When a grab on a slave device is deactivated, the master device must
-be checked, just in case there were events from other devices while
-the slave device was stolen away by the passive grab. This may
-introduce misbehaviors on mismatching valuators and device features
-later on UpdateDeviceState().
-
-Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-(cherry picked from commit b2d5ee2e3684951b611fd2068d57cc65fd8305a3)
----
- Xi/exevents.c | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/exevents.c b/Xi/exevents.c
-index ed6dc36..6b9561e 100644
---- a/Xi/exevents.c
-+++ b/Xi/exevents.c
-@@ -1783,8 +1783,25 @@ ProcessDeviceEvent(InternalEvent *ev, DeviceIntPtr device)
-         DeliverDeviceEvents(GetSpriteWindow(device), (InternalEvent *) event,
-                             NullGrab, NullWindow, device);
- 
--    if (deactivateDeviceGrab == TRUE)
-+    if (deactivateDeviceGrab == TRUE) {
-         (*device->deviceGrab.DeactivateGrab) (device);
-+
-+        if (!IsMaster (device) && !IsFloating (device)) {
-+            int flags, num_events = 0;
-+            InternalEvent dce;
-+
-+            flags = (IsPointerDevice (device)) ?
-+                DEVCHANGE_POINTER_EVENT : DEVCHANGE_KEYBOARD_EVENT;
-+            UpdateFromMaster (&dce, device, flags, &num_events);
-+            BUG_WARN(num_events > 1);
-+
-+            if (num_events == 1)
-+                ChangeMasterDeviceClasses(GetMaster (device, MASTER_ATTACHED),
-+                                          &dce.changed_event);
-+        }
-+
-+    }
-+
-     event->detail.key = key;
- }
- 
--- 
-1.9.0
-
diff --git a/SOURCES/0001-arch-Fix-image-and-bitmap-byte-order-for-ppc64le.patch b/SOURCES/0001-arch-Fix-image-and-bitmap-byte-order-for-ppc64le.patch
deleted file mode 100644
index f6d994e..0000000
--- a/SOURCES/0001-arch-Fix-image-and-bitmap-byte-order-for-ppc64le.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From adb7bc3386559dfee34b359dadcbb6796bc416e7 Mon Sep 17 00:00:00 2001
-From: Dinar Valeev <dvaleev@suse.com>
-Date: Mon, 24 Feb 2014 11:36:54 +0100
-Subject: [PATCH] arch: Fix image and bitmap byte order for ppc64le
-
-So far PPC was big endian for sure. For ppc64le this is no longer
-true.
-
-Signed-off-by: Egbert Eich <eich@freedesktop.org>
-Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- include/servermd.h | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/include/servermd.h b/include/servermd.h
-index 081123b..e413314 100644
---- a/include/servermd.h
-+++ b/include/servermd.h
-@@ -114,8 +114,13 @@ SOFTWARE.
- 
- #if defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__)
- 
--#define IMAGE_BYTE_ORDER        MSBFirst
--#define BITMAP_BIT_ORDER        MSBFirst
-+#if defined(__LITTLE_ENDIAN__)
-+#define IMAGE_BYTE_ORDER      LSBFirst
-+#define BITMAP_BIT_ORDER      LSBFirst
-+#else
-+#define IMAGE_BYTE_ORDER      MSBFirst
-+#define BITMAP_BIT_ORDER      MSBFirst
-+#endif
- #define GLYPHPADBYTES           4
- 
- #endif                          /* PowerPC */
--- 
-1.9.3
-
diff --git a/SOURCES/0001-configure-Don-t-add-GLX_SYS_LIBS-to-Xorg-s-SYS_LIBS.patch b/SOURCES/0001-configure-Don-t-add-GLX_SYS_LIBS-to-Xorg-s-SYS_LIBS.patch
deleted file mode 100644
index 489c170..0000000
--- a/SOURCES/0001-configure-Don-t-add-GLX_SYS_LIBS-to-Xorg-s-SYS_LIBS.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e22db97a3a64c9c942fbabfb2a21244834cce1c9 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Wed, 5 Feb 2014 11:06:10 -0500
-Subject: [PATCH] configure: Don't add GLX_SYS_LIBS to Xorg's SYS_LIBS
-
-libglx.so links libGL, but Xorg should not.
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index f62e705..e607a55 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1868,7 +1868,7 @@ if test "x$XORG" = xyes; then
- 	if test "x$PCI" = xyes; then
- 		PKG_CHECK_MODULES([PCIACCESS], $LIBPCIACCESS)
- 		SDK_REQUIRED_MODULES="$SDK_REQUIRED_MODULES $LIBPCIACCESS"
--		XORG_SYS_LIBS="$XORG_SYS_LIBS $PCIACCESS_LIBS $GLX_SYS_LIBS $LIBDRM_LIBS"
-+		XORG_SYS_LIBS="$XORG_SYS_LIBS $PCIACCESS_LIBS $LIBDRM_LIBS"
- 		XORG_CFLAGS="$XORG_CFLAGS $PCIACCESS_CFLAGS $LIBDRM_CFLAGS"
- 
- 		AC_DEFINE(XSERVER_LIBPCIACCESS, 1, [Use libpciaccess for all pci manipulation])
--- 
-1.8.5.3
-
diff --git a/SOURCES/0001-dix-fix-button-state-check-before-changing-a-button-.patch b/SOURCES/0001-dix-fix-button-state-check-before-changing-a-button-.patch
deleted file mode 100644
index c808c39..0000000
--- a/SOURCES/0001-dix-fix-button-state-check-before-changing-a-button-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 25d10464f440b8b34594b7c988a99a830ea39a29 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Fri, 24 Jan 2014 18:16:54 +1000
-Subject: [PATCH] dix: fix button state check before changing a button mapping
-
-dev->button->down is a bitmask, not a normal array. Use the helper function to
-check, we technically allow the mapping to change after the physical button
-has been pressed (but not yet processed yet), so only check BUTTON_PROCESSED.
-
-From XSetPointerMapping(3):
-"If any of the buttons to be altered are logically in the down state,
-XSetPointerMapping returns MappingBusy, and the mapping is not changed."
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Daniel Stone <daniel@fooishbar.org>
----
- dix/inpututils.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/dix/inpututils.c b/dix/inpututils.c
-index a10a7c7..e5bcc31 100644
---- a/dix/inpututils.c
-+++ b/dix/inpututils.c
-@@ -60,7 +60,8 @@ check_butmap_change(DeviceIntPtr dev, CARD8 *map, int len, CARD32 *errval_out,
-     }
- 
-     for (i = 0; i < len; i++) {
--        if (dev->button->map[i + 1] != map[i] && dev->button->down[i + 1])
-+        if (dev->button->map[i + 1] != map[i] &&
-+            button_is_down(dev, i + 1, BUTTON_PROCESSED))
-             return MappingBusy;
-     }
- 
--- 
-1.8.4.2
-
diff --git a/SOURCES/0001-dri2-Fix-detection-of-wrong-prime_id-in-GetScreenPri.patch b/SOURCES/0001-dri2-Fix-detection-of-wrong-prime_id-in-GetScreenPri.patch
deleted file mode 100644
index 2d4f12e..0000000
--- a/SOURCES/0001-dri2-Fix-detection-of-wrong-prime_id-in-GetScreenPri.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 4958c6a43e27e3521533fbe7497050a6ad5f45c0 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Tue, 15 Apr 2014 18:54:35 +0300
-Subject: [PATCH 1/3] dri2: Fix detection of wrong prime_id in GetScreenPrime.
-
-Checking the iterating variable ("slave") against null can not detect if the
-xorg_list_for_each_entry finished without break being invoked - slave variable
-will be always non-null. This caused segfault whenever someone tried to use
-DRI_PRIME with incorrect id while having at least one render offloading slave
-configured.
-
-Restructurize the GetScreenPrime to work as expected.
-
-Reviewed-by: Dave Airlie <airlied@redhat.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- hw/xfree86/dri2/dri2.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
-index 0b047f0..a983aed 100644
---- a/hw/xfree86/dri2/dri2.c
-+++ b/hw/xfree86/dri2/dri2.c
-@@ -156,11 +156,9 @@ GetScreenPrime(ScreenPtr master, int prime_id)
- 
-         ds = DRI2GetScreen(slave);
-         if (ds->prime_id == prime_id)
--            break;
-+            return slave;
-     }
--    if (!slave)
--        return master;
--    return slave;
-+    return master;
- }
- 
- static DRI2ScreenPtr
--- 
-1.9.3
-
diff --git a/SOURCES/0001-ephyr-Properly-implement-hardware-cursors.patch b/SOURCES/0001-ephyr-Properly-implement-hardware-cursors.patch
deleted file mode 100644
index 1ba4dc8..0000000
--- a/SOURCES/0001-ephyr-Properly-implement-hardware-cursors.patch
+++ /dev/null
@@ -1,459 +0,0 @@
-From 31360bf6bcdc388c8546fefd495163a30b0918e5 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Tue, 19 Aug 2014 14:22:30 -0400
-Subject: [PATCH] ephyr: Properly implement hardware cursors
-
-Technique is basically the same as in Xnest, just create a new cursor on
-the host server every time.  Could be optimized to remember cursors on
-the host and merely switch among them, if someone's feeling adventurous.
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
----
- configure.ac                  |   2 +-
- hw/kdrive/ephyr/Makefile.am   |   1 +
- hw/kdrive/ephyr/ephyrcursor.c | 216 ++++++++++++++++++++++++++++++++++++++++++
- hw/kdrive/ephyr/ephyrinit.c   |  63 ------------
- hw/kdrive/ephyr/hostx.c       |  74 +++++++++++++++
- hw/kdrive/ephyr/hostx.h       |   5 +
- 6 files changed, 297 insertions(+), 64 deletions(-)
- create mode 100644 hw/kdrive/ephyr/ephyrcursor.c
-
-diff --git a/configure.ac b/configure.ac
-index f3d9654..e83949d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2364,7 +2364,7 @@ if test "$KDRIVE" = yes; then
-        AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver])
-     fi
- 
--    XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms"
-+    XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-render xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms"
-     if test "x$XV" = xyes; then
-         XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xcb-xv"
-     fi
-diff --git a/hw/kdrive/ephyr/Makefile.am b/hw/kdrive/ephyr/Makefile.am
-index 10c5917..155e11e 100644
---- a/hw/kdrive/ephyr/Makefile.am
-+++ b/hw/kdrive/ephyr/Makefile.am
-@@ -68,6 +68,7 @@ Xephyr_SOURCES = \
- 	ephyr_draw.c \
- 	os.c \
- 	ephyrinit.c \
-+	ephyrcursor.c \
- 	hostx.c \
- 	hostx.h \
- 	$(XV_SRCS) \
-diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
-new file mode 100644
-index 0000000..b19e301
---- /dev/null
-+++ b/hw/kdrive/ephyr/ephyrcursor.c
-@@ -0,0 +1,216 @@
-+/*
-+ * Copyright © 2014 Red Hat, Inc.
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a
-+ * copy of this software and associated documentation files (the "Software"),
-+ * to deal in the Software without restriction, including without limitation
-+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
-+ * and/or sell copies of the Software, and to permit persons to whom the
-+ * Software is furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice (including the next
-+ * paragraph) shall be included in all copies or substantial portions of the
-+ * Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-+ * DEALINGS IN THE SOFTWARE.
-+ *
-+ * Author:
-+ *      Adam Jackson <ajax@redhat.com>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <kdrive-config.h>
-+#endif
-+#include "ephyr.h"
-+#include "ephyrlog.h"
-+#include "hostx.h"
-+#include "cursorstr.h"
-+#include <xcb/render.h>
-+
-+static DevPrivateKeyRec ephyrCursorPrivateKey;
-+
-+typedef struct _ephyrCursor {
-+    xcb_cursor_t cursor;
-+} ephyrCursorRec, *ephyrCursorPtr;
-+
-+static ephyrCursorPtr
-+ephyrGetCursor(CursorPtr cursor)
-+{
-+    return dixGetPrivateAddr(&cursor->devPrivates, &ephyrCursorPrivateKey);
-+}
-+
-+static void
-+ephyrRealizeCoreCursor(EphyrScrPriv *scr, CursorPtr cursor)
-+{
-+    ephyrCursorPtr hw = ephyrGetCursor(cursor);
-+    xcb_connection_t *conn = hostx_get_xcbconn();
-+    xcb_pixmap_t source, mask;
-+    xcb_image_t *image;
-+    xcb_gcontext_t gc = hostx_get_cursor_gc();
-+    int w = cursor->bits->width, h = cursor->bits->height;
-+
-+    source = xcb_generate_id(conn);
-+    mask = xcb_generate_id(conn);
-+    xcb_create_pixmap(conn, 1, source, scr->win, w, h);
-+    xcb_create_pixmap(conn, 1, mask, scr->win, w, h);
-+
-+    image = xcb_image_create_native(conn, w, h, XCB_IMAGE_FORMAT_XY_BITMAP,
-+                                    1, NULL, ~0, NULL);
-+    image->data = cursor->bits->source;
-+    xcb_image_put(conn, source, gc, image, 0, 0, 0);
-+    xcb_image_destroy(image);
-+
-+    image = xcb_image_create_native(conn, w, h, XCB_IMAGE_FORMAT_XY_BITMAP,
-+                                    1, NULL, ~0, NULL);
-+    image->data = cursor->bits->mask;
-+    xcb_image_put(conn, mask, gc, image, 0, 0, 0);
-+    xcb_image_destroy(image);
-+
-+    hw->cursor = xcb_generate_id(conn);
-+    xcb_create_cursor(conn, hw->cursor, source, mask, 
-+                      cursor->foreRed, cursor->foreGreen, cursor->foreBlue,
-+                      cursor->backRed, cursor->backGreen, cursor->backBlue,
-+                      cursor->bits->xhot, cursor->bits->yhot);
-+
-+    xcb_free_pixmap(conn, source);
-+    xcb_free_pixmap(conn, mask);
-+}
-+
-+#ifdef ARGB_CURSOR
-+static void
-+ephyrRealizeARGBCursor(EphyrScrPriv *scr, CursorPtr cursor)
-+{
-+    ephyrCursorPtr hw = ephyrGetCursor(cursor);
-+    xcb_connection_t *conn = hostx_get_xcbconn();
-+    xcb_gcontext_t gc;
-+    xcb_pixmap_t source;
-+    xcb_render_picture_t picture;
-+    xcb_image_t *image;
-+    int w = cursor->bits->width, h = cursor->bits->height;
-+
-+    /* dix' storage is PICT_a8r8g8b8 */
-+    source = xcb_generate_id(conn);
-+    xcb_create_pixmap(conn, 32, source, scr->win, w, h);
-+
-+    gc = xcb_generate_id(conn);
-+    xcb_create_gc(conn, gc, source, 0, NULL);
-+    image = xcb_image_create_native(conn, w, h, XCB_IMAGE_FORMAT_Z_PIXMAP,
-+                                    32, NULL, ~0, NULL);
-+    image->data = (void *)cursor->bits->argb;
-+    xcb_image_put(conn, source, gc, image, 0, 0, 0);
-+    xcb_free_gc(conn, gc);
-+    xcb_image_destroy(image);
-+
-+    picture = xcb_generate_id(conn);
-+    xcb_render_create_picture(conn, picture, source, hostx_get_argb_format(),
-+                              0, NULL);
-+    xcb_free_pixmap(conn, source);
-+
-+    hw->cursor = xcb_generate_id(conn);
-+    xcb_render_create_cursor(conn, hw->cursor, picture,
-+                             cursor->bits->xhot, cursor->bits->yhot);
-+
-+    xcb_render_free_picture(conn, picture);
-+}
-+#endif
-+
-+static Bool
-+ephyrRealizeCursor(DeviceIntPtr dev, ScreenPtr screen, CursorPtr cursor)
-+{
-+    KdScreenPriv(screen);
-+    KdScreenInfo *kscr = pScreenPriv->screen;
-+    EphyrScrPriv *scr = kscr->driver;
-+
-+#ifdef ARGB_CURSOR
-+    if (cursor->bits->argb)
-+        ephyrRealizeARGBCursor(scr, cursor);
-+    else
-+#endif
-+    {
-+        ephyrRealizeCoreCursor(scr, cursor);
-+    }
-+    return TRUE;
-+}
-+
-+static Bool
-+ephyrUnrealizeCursor(DeviceIntPtr dev, ScreenPtr screen, CursorPtr cursor)
-+{
-+    ephyrCursorPtr hw = ephyrGetCursor(cursor);
-+
-+    if (hw->cursor) {
-+        xcb_free_cursor(hostx_get_xcbconn(), hw->cursor);
-+        hw->cursor = None;
-+    }
-+
-+    return TRUE;
-+}
-+
-+static void
-+ephyrSetCursor(DeviceIntPtr dev, ScreenPtr screen, CursorPtr cursor, int x,
-+               int y)
-+{
-+    KdScreenPriv(screen);
-+    KdScreenInfo *kscr = pScreenPriv->screen;
-+    EphyrScrPriv *scr = kscr->driver;
-+    uint32_t attr = None;
-+
-+    /* XXX really? */
-+    if (cursor)
-+        attr = ephyrGetCursor(cursor)->cursor;
-+
-+    xcb_change_window_attributes(hostx_get_xcbconn(), scr->win,
-+                                 XCB_CW_CURSOR, &attr);
-+    xcb_flush(hostx_get_xcbconn());
-+}
-+
-+static void
-+ephyrMoveCursor(DeviceIntPtr dev, ScreenPtr screen, int x, int y)
-+{
-+    ;
-+}
-+
-+static Bool
-+ephyrDeviceCursorInitialize(DeviceIntPtr dev, ScreenPtr screen)
-+{
-+    return TRUE;
-+}
-+
-+static void
-+ephyrDeviceCursorCleanup(DeviceIntPtr dev, ScreenPtr screen)
-+{
-+}
-+
-+miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
-+    ephyrRealizeCursor,
-+    ephyrUnrealizeCursor,
-+    ephyrSetCursor,
-+    ephyrMoveCursor,
-+    ephyrDeviceCursorInitialize,
-+    ephyrDeviceCursorCleanup
-+};
-+
-+Bool
-+ephyrCursorInit(ScreenPtr screen)
-+{
-+    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
-+                               sizeof(ephyrCursorRec)))
-+        return FALSE;
-+
-+    miPointerInitialize(screen,
-+                        &EphyrPointerSpriteFuncs,
-+                        &ephyrPointerScreenFuncs, FALSE);
-+
-+    return TRUE;
-+}
-+
-+void
-+ephyrCursorEnable(ScreenPtr screen)
-+{
-+}
-+
-diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c
-index fc00010..e823eb8 100644
---- a/hw/kdrive/ephyr/ephyrinit.c
-+++ b/hw/kdrive/ephyr/ephyrinit.c
-@@ -350,69 +350,6 @@ OsVendorInit(void)
-     KdOsInit(&EphyrOsFuncs);
- }
- 
--/* 'Fake' cursor stuff, could be improved */
--
--static Bool
--ephyrRealizeCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCursor)
--{
--    return TRUE;
--}
--
--static Bool
--ephyrUnrealizeCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCursor)
--{
--    return TRUE;
--}
--
--static void
--ephyrSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen, CursorPtr pCursor, int x,
--               int y)
--{
--    ;
--}
--
--static void
--ephyrMoveCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
--{
--    ;
--}
--
--static Bool
--ephyrDeviceCursorInitialize(DeviceIntPtr pDev, ScreenPtr pScreen)
--{
--    return TRUE;
--}
--
--static void
--ephyrDeviceCursorCleanup(DeviceIntPtr pDev, ScreenPtr pScreen)
--{
--}
--
--miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
--    ephyrRealizeCursor,
--    ephyrUnrealizeCursor,
--    ephyrSetCursor,
--    ephyrMoveCursor,
--    ephyrDeviceCursorInitialize,
--    ephyrDeviceCursorCleanup
--};
--
--Bool
--ephyrCursorInit(ScreenPtr pScreen)
--{
--    miPointerInitialize(pScreen,
--                        &EphyrPointerSpriteFuncs,
--                        &ephyrPointerScreenFuncs, FALSE);
--
--    return TRUE;
--}
--
--void
--ephyrCursorEnable(ScreenPtr pScreen)
--{
--    ;
--}
--
- KdCardFuncs ephyrFuncs = {
-     ephyrCardInit,              /* cardinit */
-     ephyrScreenInitialize,      /* scrinit */
-diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
-index 1c75974..f995fc0 100644
---- a/hw/kdrive/ephyr/hostx.c
-+++ b/hw/kdrive/ephyr/hostx.c
-@@ -70,6 +70,8 @@ struct EphyrHostXVars {
-     xcb_visualtype_t *visual;
-     Window winroot;
-     xcb_gcontext_t  gc;
-+    xcb_gcontext_t  curgc;
-+    xcb_render_pictformat_t argb_format;
-     int depth;
-     Bool use_sw_cursor;
-     Bool use_fullscreen;
-@@ -1157,6 +1159,78 @@ out:
-     return is_ok;
- }
- 
-+xcb_gcontext_t
-+hostx_get_cursor_gc(void)
-+{
-+    uint32_t mask = XCB_GC_FUNCTION |
-+                    XCB_GC_PLANE_MASK |
-+                    XCB_GC_FOREGROUND |
-+                    XCB_GC_BACKGROUND |
-+                    XCB_GC_CLIP_MASK;
-+    uint32_t val[] = {
-+        XCB_GX_COPY,    /* function */
-+        ~0,             /* planemask */
-+        1L,             /* foreground */
-+        0L,             /* background */
-+        None,           /* clipmask */
-+    };
-+
-+    if (HostX.curgc == None) {
-+        xcb_pixmap_t p = xcb_generate_id(HostX.conn);
-+        HostX.curgc = xcb_generate_id(HostX.conn);
-+
-+        xcb_create_pixmap(HostX.conn, 1, p, HostX.winroot /* XXX */,
-+                          1, 1);
-+        xcb_create_gc(HostX.conn, HostX.curgc, p, mask, val);
-+        xcb_free_pixmap(HostX.conn, p);
-+    }
-+
-+    return HostX.curgc;
-+}
-+
-+xcb_render_pictformat_t
-+hostx_get_argb_format(void)
-+{
-+    if (HostX.argb_format == None) {
-+        xcb_render_query_pict_formats_reply_t *formats;
-+        xcb_render_pictforminfo_iterator_t i;
-+
-+        formats = xcb_render_query_pict_formats_reply(HostX.conn,
-+                    xcb_render_query_pict_formats(HostX.conn),
-+                    NULL);
-+
-+        for (i = xcb_render_query_pict_formats_formats_iterator(formats);
-+             i.rem;
-+             xcb_render_pictforminfo_next(&i)) {
-+
-+            if (i.data->type != XCB_RENDER_PICT_TYPE_DIRECT)
-+                continue;
-+
-+            if (i.data->depth != 32)
-+                continue;
-+
-+            if (i.data->direct.red_mask != 0xff ||
-+                i.data->direct.green_mask != 0xff ||
-+                i.data->direct.blue_mask != 0xff ||
-+                i.data->direct.alpha_mask != 0xff)
-+                continue;
-+
-+            if (i.data->direct.red_shift != 16 ||
-+                i.data->direct.green_shift != 8 ||
-+                i.data->direct.blue_shift != 0 ||
-+                i.data->direct.alpha_shift != 24)
-+                continue;
-+
-+            HostX.argb_format = i.data->id;
-+            break;
-+        }
-+
-+        free(formats);
-+    }
-+
-+    return HostX.argb_format;
-+}
-+
- #ifdef XF86DRI
- typedef struct {
-     int is_valid;
-diff --git a/hw/kdrive/ephyr/hostx.h b/hw/kdrive/ephyr/hostx.h
-index e83323a..de488a4 100644
---- a/hw/kdrive/ephyr/hostx.h
-+++ b/hw/kdrive/ephyr/hostx.h
-@@ -29,6 +29,7 @@
- #include <X11/X.h>
- #include <X11/Xmd.h>
- #include <xcb/xcb.h>
-+#include <xcb/render.h>
- #include "ephyr.h"
- 
- #define EPHYR_WANT_DEBUG 0
-@@ -174,6 +175,10 @@ int hostx_set_window_bounding_rectangles(int a_window,
- 
- int host_has_extension(xcb_extension_t *extension);
- 
-+xcb_gcontext_t hostx_get_cursor_gc(void);
-+
-+xcb_render_pictformat_t hostx_get_argb_format(void);
-+
- #ifdef XF86DRI
- int hostx_lookup_peer_window(void *a_local_window,
-                              int *a_host_peer /*out parameter */ );
--- 
-1.9.3
-
diff --git a/SOURCES/0001-ephyr-Repaint-entire-screen-when-colormap-is-updated.patch b/SOURCES/0001-ephyr-Repaint-entire-screen-when-colormap-is-updated.patch
deleted file mode 100644
index 1d78b72..0000000
--- a/SOURCES/0001-ephyr-Repaint-entire-screen-when-colormap-is-updated.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ae796d43c934ba378c9a618adc81c6729a14b2f8 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp@keithp.com>
-Date: Thu, 6 Feb 2014 19:17:50 -0800
-Subject: [PATCH] ephyr: Repaint entire screen when colormap is updated
-
-Any time the colormap is changed, the entire screen needs to be
-repainted to match.
-
-Signed-off-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Eric Anholt <eric@anholt.net>
----
- hw/kdrive/ephyr/ephyr.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
-index da80c95..9681273 100644
---- a/hw/kdrive/ephyr/ephyr.c
-+++ b/hw/kdrive/ephyr/ephyr.c
-@@ -1232,6 +1232,9 @@ ephyrGetColors(ScreenPtr pScreen, int n, xColorItem * pdefs)
- void
- ephyrPutColors(ScreenPtr pScreen, int n, xColorItem * pdefs)
- {
-+    KdScreenPriv(pScreen);
-+    KdScreenInfo *screen = pScreenPriv->screen;
-+    EphyrScrPriv *scrpriv = screen->driver;
-     int min, max, p;
- 
-     /* XXX Not sure if this is right */
-@@ -1251,6 +1254,18 @@ ephyrPutColors(ScreenPtr pScreen, int n, xColorItem * pdefs)
-                              pdefs->green >> 8, pdefs->blue >> 8);
-         pdefs++;
-     }
-+    if (scrpriv->pDamage) {
-+        BoxRec box;
-+        RegionRec region;
-+
-+        box.x1 = 0;
-+        box.y1 = 0;
-+        box.x2 = pScreen->width;
-+        box.y2 = pScreen->height;
-+        RegionInit(&region, &box, 1);
-+        DamageReportDamage(scrpriv->pDamage, &region);
-+        RegionUninit(&region);
-+    }
- }
- 
- /* Mouse calls */
--- 
-1.8.5.3
-
diff --git a/SOURCES/0001-glamor-make-current-in-prepare-paths.patch b/SOURCES/0001-glamor-make-current-in-prepare-paths.patch
new file mode 100644
index 0000000..376a3f4
--- /dev/null
+++ b/SOURCES/0001-glamor-make-current-in-prepare-paths.patch
@@ -0,0 +1,40 @@
+From db5337afb248edf81087cf8d74006fc496d70589 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 15 Jul 2015 17:56:11 +1000
+Subject: [PATCH] glamor: make current in prepare paths
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Lots of the accel paths only make current once they start
+doing someting, so a lot of them call the bail paths without
+make current, which means on PRIME systems for example
+we end up in the wrong context.
+
+Add a prepare pixmap in the prepare fallback path.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=90667
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+---
+ glamor/glamor_prepare.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/glamor/glamor_prepare.c b/glamor/glamor_prepare.c
+index 833291c..5a73e6c 100644
+--- a/glamor/glamor_prepare.c
++++ b/glamor/glamor_prepare.c
+@@ -45,6 +45,8 @@ glamor_prep_pixmap_box(PixmapPtr pixmap, glamor_access_t access, BoxPtr box)
+     if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(priv))
+         return TRUE;
+ 
++    glamor_make_current(glamor_priv);
++
+     RegionInit(&region, box, 1);
+ 
+     /* See if it's already mapped */
+-- 
+2.4.3
+
diff --git a/SOURCES/0001-glx-swrast-Do-more-GLX-extension-setup.patch b/SOURCES/0001-glx-swrast-Do-more-GLX-extension-setup.patch
new file mode 100644
index 0000000..ee10db5
--- /dev/null
+++ b/SOURCES/0001-glx-swrast-Do-more-GLX-extension-setup.patch
@@ -0,0 +1,106 @@
+From 2d7194334a9f84e417ec90e220b2fe476f704612 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Fri, 15 May 2015 11:27:31 -0400
+Subject: [PATCH] glx/swrast: Do more GLX extension setup
+
+This gets you nice things like core contexts when using Xvfb.
+
+Also, no, MESA_copy_sub_buffer is not enabled automatically.
+
+Reviewed-by: James Jones <jajones@nvidia.com>
+Reviewed-by: Jon Turney <jon.turney@dronecode.org.uk>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+---
+ glx/glxdriswrast.c | 37 ++++++++++++++++++++++++++++++++++---
+ 1 file changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/glx/glxdriswrast.c b/glx/glxdriswrast.c
+index 5d9aa04..e25ca47 100644
+--- a/glx/glxdriswrast.c
++++ b/glx/glxdriswrast.c
+@@ -71,6 +71,8 @@ struct __GLXDRIscreen {
+     const __DRIcopySubBufferExtension *copySubBuffer;
+     const __DRItexBufferExtension *texBuffer;
+     const __DRIconfig **driConfigs;
++
++    unsigned char glx_enable_bits[__GLX_EXT_BYTES];
+ };
+ 
+ struct __GLXDRIcontext {
+@@ -394,21 +396,36 @@ initializeExtensions(__GLXDRIscreen * screen)
+     const __DRIextension **extensions;
+     int i;
+ 
++    if (screen->swrast->base.version >= 3) {
++        __glXEnableExtension(screen->glx_enable_bits,
++                             "GLX_ARB_create_context");
++        __glXEnableExtension(screen->glx_enable_bits,
++                             "GLX_ARB_create_context_profile");
++        __glXEnableExtension(screen->glx_enable_bits,
++                             "GLX_EXT_create_context_es2_profile");
++    }
++
++    /* these are harmless to enable unconditionally */
++    __glXEnableExtension(screen->glx_enable_bits, "GLX_EXT_framebuffer_sRGB");
++    __glXEnableExtension(screen->glx_enable_bits, "GLX_ARB_fbconfig_float");
++    __glXEnableExtension(screen->glx_enable_bits, "GLX_SGI_make_current_read");
++    __glXEnableExtension(screen->glx_enable_bits, "GLX_MESA_copy_sub_buffer");
++
+     extensions = screen->core->getExtensions(screen->driScreen);
+ 
+     for (i = 0; extensions[i]; i++) {
+         if (strcmp(extensions[i]->name, __DRI_COPY_SUB_BUFFER) == 0) {
+             screen->copySubBuffer =
+                 (const __DRIcopySubBufferExtension *) extensions[i];
+             /* GLX_MESA_copy_sub_buffer is always enabled. */
+         }
+ 
+         if (strcmp(extensions[i]->name, __DRI_TEX_BUFFER) == 0) {
+             screen->texBuffer = (const __DRItexBufferExtension *) extensions[i];
+             /* GLX_EXT_texture_from_pixmap is always enabled. */
+         }
+ 
+         /* Ignore unknown extensions */
+     }
+ }
+ 
+@@ -420,6 +435,7 @@ __glXDRIscreenProbe(ScreenPtr pScreen)
+ {
+     const char *driverName = "swrast";
+     __GLXDRIscreen *screen;
++    size_t buffer_size;
+ 
+     screen = calloc(1, sizeof *screen);
+     if (screen == NULL)
+@@ -431,6 +447,8 @@ __glXDRIscreenProbe(ScreenPtr pScreen)
+     screen->base.swapInterval = NULL;
+     screen->base.pScreen = pScreen;
+ 
++    __glXInitExtensionEnableBits(screen->glx_enable_bits);
++
+     screen->driver = glxProbeDriver(driverName,
+                                     (void **) &screen->core,
+                                     __DRI_CORE, 1,
+@@ -459,6 +477,19 @@ __glXDRIscreenProbe(ScreenPtr pScreen)
+ 
+     __glXScreenInit(&screen->base, pScreen);
+ 
++    /* The first call simply determines the length of the extension string.
++     * This allows us to allocate some memory to hold the extension string,
++     * but it requires that we call __glXGetExtensionString a second time.
++     */
++    buffer_size = __glXGetExtensionString(screen->glx_enable_bits, NULL);
++    if (buffer_size > 0) {
++        free(screen->base.GLXextensions);
++
++        screen->base.GLXextensions = xnfalloc(buffer_size);
++        (void) __glXGetExtensionString(screen->glx_enable_bits,
++                                       screen->base.GLXextensions);
++    }
++
+     screen->base.GLXmajor = 1;
+     screen->base.GLXminor = 4;
+ 
+-- 
+2.4.3
+
diff --git a/SOURCES/0001-input-Remove-invalid-bug-checks.patch b/SOURCES/0001-input-Remove-invalid-bug-checks.patch
deleted file mode 100644
index 1501df4..0000000
--- a/SOURCES/0001-input-Remove-invalid-bug-checks.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 6a848122def0f2a439e21c50f22814db11760132 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 2 Apr 2014 17:14:05 +0300
-Subject: [PATCH] input: Remove invalid bug checks.
-
-Commit 2f1aedcaed8fd99b823d451bf1fb02330c078f67 added several bug checks. Some
-of them are not correct.
-
-Checks in Init(Ptr|String|Bell|Led|Integer)FeedbackClassDeviceStruct verify
-that no feedback struct was set yet, but that is not required. If any feedback
-structs are already present, the function will chain them behind the new one.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- dix/devices.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/dix/devices.c b/dix/devices.c
-index ab923d5..73f60f4 100644
---- a/dix/devices.c
-+++ b/dix/devices.c
-@@ -1475,7 +1475,6 @@ InitPtrFeedbackClassDeviceStruct(DeviceIntPtr dev, PtrCtrlProcPtr controlProc)
-     PtrFeedbackPtr feedc;
- 
-     BUG_RETURN_VAL(dev == NULL, FALSE);
--    BUG_RETURN_VAL(dev->ptrfeed != NULL, FALSE);
- 
-     feedc = malloc(sizeof(PtrFeedbackClassRec));
-     if (!feedc)
-@@ -1519,7 +1518,6 @@ InitStringFeedbackClassDeviceStruct(DeviceIntPtr dev,
-     StringFeedbackPtr feedc;
- 
-     BUG_RETURN_VAL(dev == NULL, FALSE);
--    BUG_RETURN_VAL(dev->stringfeed != NULL, FALSE);
- 
-     feedc = malloc(sizeof(StringFeedbackClassRec));
-     if (!feedc)
-@@ -1556,7 +1554,6 @@ InitBellFeedbackClassDeviceStruct(DeviceIntPtr dev, BellProcPtr bellProc,
-     BellFeedbackPtr feedc;
- 
-     BUG_RETURN_VAL(dev == NULL, FALSE);
--    BUG_RETURN_VAL(dev->bell != NULL, FALSE);
- 
-     feedc = malloc(sizeof(BellFeedbackClassRec));
-     if (!feedc)
-@@ -1578,7 +1575,6 @@ InitLedFeedbackClassDeviceStruct(DeviceIntPtr dev, LedCtrlProcPtr controlProc)
-     LedFeedbackPtr feedc;
- 
-     BUG_RETURN_VAL(dev == NULL, FALSE);
--    BUG_RETURN_VAL(dev->leds != NULL, FALSE);
- 
-     feedc = malloc(sizeof(LedFeedbackClassRec));
-     if (!feedc)
-@@ -1601,7 +1597,6 @@ InitIntegerFeedbackClassDeviceStruct(DeviceIntPtr dev,
-     IntegerFeedbackPtr feedc;
- 
-     BUG_RETURN_VAL(dev == NULL, FALSE);
--    BUG_RETURN_VAL(dev->intfeed != NULL, FALSE);
- 
-     feedc = malloc(sizeof(IntegerFeedbackClassRec));
-     if (!feedc)
--- 
-1.9.3
-
diff --git a/SOURCES/0001-kms-implement-a-double-buffered-shadow-mode.patch b/SOURCES/0001-kms-implement-a-double-buffered-shadow-mode.patch
new file mode 100644
index 0000000..ebce42b
--- /dev/null
+++ b/SOURCES/0001-kms-implement-a-double-buffered-shadow-mode.patch
@@ -0,0 +1,242 @@
+From 46ac5c2c39a476c44fae207ca9745a8a60c7ea72 Mon Sep 17 00:00:00 2001
+From: Fedora X Ninjas <x@fedoraproject.org>
+Date: Wed, 19 Aug 2015 13:45:43 -0400
+Subject: [PATCH] kms: implement a double-buffered shadow mode
+
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+---
+ hw/xfree86/drivers/modesetting/driver.c          | 127 ++++++++++++++++++++++-
+ hw/xfree86/drivers/modesetting/drmmode_display.c |   7 ++
+ hw/xfree86/drivers/modesetting/drmmode_display.h |   2 +
+ 3 files changed, 131 insertions(+), 5 deletions(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
+index 1215cb3..b0c2f17 100644
+--- a/hw/xfree86/drivers/modesetting/driver.c
++++ b/hw/xfree86/drivers/modesetting/driver.c
+@@ -124,6 +124,7 @@ typedef enum {
+     OPTION_DEVICE_PATH,
+     OPTION_SHADOW_FB,
+     OPTION_ACCEL_METHOD,
++    OPTION_DOUBLE_SHADOW,
+ } modesettingOpts;
+ 
+ static const OptionInfoRec Options[] = {
+@@ -131,6 +132,7 @@ static const OptionInfoRec Options[] = {
+     {OPTION_DEVICE_PATH, "kmsdev", OPTV_STRING, {0}, FALSE},
+     {OPTION_SHADOW_FB, "ShadowFB", OPTV_BOOLEAN, {0}, FALSE},
+     {OPTION_ACCEL_METHOD, "AccelMethod", OPTV_STRING, {0}, FALSE},
++    {OPTION_DOUBLE_SHADOW, "DoubleShadow", OPTV_BOOLEAN, {0}, FALSE},
+     {-1, NULL, OPTV_NONE, {0}, FALSE}
+ };
+ 
+@@ -615,6 +617,32 @@ try_enable_glamor(ScrnInfoPtr pScrn)
+ #endif
+ }
+ 
++static Bool
++msShouldDoubleShadow(ScrnInfoPtr pScrn, modesettingPtr ms)
++{
++    Bool ret = FALSE, asked;
++    int from;
++    drmVersionPtr v = drmGetVersion(ms->fd);
++
++    if (!strcmp(v->name, "mgag200") ||
++	!strcmp(v->name, "ast")) /* XXX || rn50 */
++	ret = TRUE;
++
++    drmFreeVersion(v);
++
++    asked = xf86GetOptValBool(ms->Options, OPTION_DOUBLE_SHADOW, &ret);
++
++    if (asked)
++	from = X_CONFIG;
++    else
++	from = X_INFO;
++
++    xf86DrvMsg(pScrn->scrnIndex, from,
++	       "Double-buffered shadow updates: %s", ret ? "on" : "off");
++
++    return ret;
++}
++
+ #ifndef DRM_CAP_CURSOR_WIDTH
+ #define DRM_CAP_CURSOR_WIDTH 0x8
+ #endif
+@@ -814,6 +842,8 @@ PreInit(ScrnInfoPtr pScrn, int flags)
+                    prefer_shadow ? "YES" : "NO",
+ 		   ms->drmmode.force_24_32 ? "FORCE" :
+                    ms->drmmode.shadow_enable ? "YES" : "NO");
++
++	ms->drmmode.shadow_enable2 = msShouldDoubleShadow(pScrn, ms);
+     }
+ 
+     if (drmmode_pre_init(pScrn, &ms->drmmode, pScrn->bitsPerPixel / 8) == FALSE) {
+@@ -872,10 +902,91 @@ msShadowWindow(ScreenPtr screen, CARD32 row, CARD32 offset, int mode,
+     return ((uint8_t *) ms->drmmode.front_bo.dumb->ptr + row * stride + offset);
+ }
+ 
++/* somewhat arbitrary tile size, in pixels */
++#define TILE 16
++
++static int
++msUpdateIntersect(modesettingPtr ms, shadowBufPtr pBuf, BoxPtr box,
++		  xRectangle *prect)
++{
++    int i, dirty = 0, stride = pBuf->pPixmap->devKind, cpp = ms->drmmode.cpp;
++    int width = (box->x2 - box->x1) * cpp;
++    unsigned char *old, *new;
++
++    old = ms->drmmode.shadow_fb2;
++    old += (box->y1 * stride) + (box->x1 * cpp);
++    new = ms->drmmode.shadow_fb;
++    new += (box->y1 * stride) + (box->x1 * cpp);
++
++    for (i = box->y2 - box->y1 - 1; i >= 0; i--) {
++	unsigned char *o = old + i * stride,
++		      *n = new + i * stride;
++	if (memcmp(o, n, width) != 0) {
++	    dirty = 1;
++	    memcpy(o, n, width);
++	}
++    }
++
++    if (dirty) {
++	prect->x = box->x1;
++	prect->y = box->y1;
++	prect->width = box->x2 - box->x1;
++	prect->height = box->y2 - box->y1;
++    }
++
++    return dirty;
++}
++
+ static void
+ msUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+ {
+-    shadowUpdatePacked(pScreen, pBuf);
++    ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
++    modesettingPtr ms = modesettingPTR(pScrn);
++    Bool use_ms_shadow = ms->drmmode.force_24_32 && pScrn->bitsPerPixel == 32;
++
++    if (ms->drmmode.shadow_enable2 && ms->drmmode.shadow_fb2) do {
++	RegionPtr damage = DamageRegion(pBuf->pDamage), tiles;
++	BoxPtr extents = RegionExtents(damage);
++	xRectangle *prect;
++	int nrects;
++	int i, j, tx1, tx2, ty1, ty2;
++
++	tx1 = extents->x1 / TILE;
++	tx2 = (extents->x2 + TILE - 1) / TILE;
++	ty1 = extents->y1 / TILE;
++	ty2 = (extents->y2 + TILE - 1) / TILE;
++
++	nrects = (tx2 - tx1) * (ty2 - ty1);
++	if (!(prect = calloc(nrects, sizeof(xRectangle))))
++	    break;
++
++	nrects = 0;
++	for (j = ty2 - 1; j >= ty1; j--) {
++	    for (i = tx2 - 1; i >= tx1; i--) {
++		BoxRec box;
++
++		box.x1 = max(i * TILE, extents->x1);
++		box.y1 = max(j * TILE, extents->y1);
++		box.x2 = min((i+1) * TILE, extents->x2);
++		box.y2 = min((j+1) * TILE, extents->y2);
++
++		if (RegionContainsRect(damage, &box) != rgnOUT) {
++		    if (msUpdateIntersect(ms, pBuf, &box, prect + nrects)) {
++			nrects++;
++		    }
++		}
++	    }
++	}
++
++	tiles = RegionFromRects(nrects, prect, CT_NONE);
++	RegionIntersect(damage, damage, tiles);
++	RegionDestroy(tiles);
++    } while (0);
++
++    if (use_ms_shadow)
++	ms_shadowUpdate32to24(pScreen, pBuf);
++    else
++	shadowUpdatePacked(pScreen, pBuf);
+ }
+ 
+ static Bool
+@@ -887,7 +998,6 @@ CreateScreenResources(ScreenPtr pScreen)
+     Bool ret;
+     void *pixels = NULL;
+     int err;
+-    Bool use_ms_shadow = ms->drmmode.force_24_32 && pScrn->bitsPerPixel == 32;
+ 
+     pScreen->CreateScreenResources = ms->createScreenResources;
+     ret = pScreen->CreateScreenResources(pScreen);
+@@ -915,13 +1025,18 @@ CreateScreenResources(ScreenPtr pScreen)
+     if (ms->drmmode.shadow_enable)
+         pixels = ms->drmmode.shadow_fb;
+ 
++    if (ms->drmmode.shadow_enable2) {
++	ms->drmmode.shadow_fb2 = calloc(1, pScrn->displayWidth * pScrn->virtualY * ((pScrn->bitsPerPixel + 7) >> 3));
++	if (!ms->drmmode.shadow_fb2)
++	    ms->drmmode.shadow_enable2 = FALSE;
++    }
++
+     if (!pScreen->ModifyPixmapHeader(rootPixmap, -1, -1, -1, -1, -1, pixels))
+         FatalError("Couldn't adjust screen pixmap\n");
+ 
+     if (ms->drmmode.shadow_enable) {
+-        if (!shadowAdd(pScreen, rootPixmap,
+-		       use_ms_shadow ? ms_shadowUpdate32to24 : msUpdatePacked,
+-                       msShadowWindow, 0, 0))
++        if (!shadowAdd(pScreen, rootPixmap, msUpdatePacked, msShadowWindow,
++		       0, 0))
+             return FALSE;
+     }
+ 
+@@ -1238,6 +1353,8 @@ CloseScreen(ScreenPtr pScreen)
+         shadowRemove(pScreen, pScreen->GetScreenPixmap(pScreen));
+         free(ms->drmmode.shadow_fb);
+         ms->drmmode.shadow_fb = NULL;
++	free(ms->drmmode.shadow_fb2);
++	ms->drmmode.shadow_fb2 = NULL;
+     }
+     drmmode_uevent_fini(pScrn, &ms->drmmode);
+ 
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
+index 079fceb..66f0bbe 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
+@@ -1382,6 +1382,13 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+         drmmode->shadow_fb = new_pixels;
+     }
+ 
++    if (drmmode->shadow_enable2) {
++        uint32_t size = scrn->displayWidth * scrn->virtualY * cpp;
++        void *fb2 = calloc(1, size);
++	free(drmmode->shadow_fb2);
++	drmmode->shadow_fb2 = fb2;
++    }
++
+     screen->ModifyPixmapHeader(ppix, width, height, -1, -1,
+ 			       scrn->displayWidth * cpp, new_pixels);
+ 
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.h b/hw/xfree86/drivers/modesetting/drmmode_display.h
+index 927efec..3a7d222 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.h
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.h
+@@ -65,8 +65,10 @@ typedef struct {
+ 
+     Bool glamor;
+     Bool shadow_enable;
++    Bool shadow_enable2;
+     Bool force_24_32;
+     void *shadow_fb;
++    void *shadow_fb2;
+ 
+     /**
+      * A screen-sized pixmap when we're doing triple-buffered DRI2
+-- 
+2.5.0
+
diff --git a/SOURCES/0001-link-with-z-now.patch b/SOURCES/0001-link-with-z-now.patch
index 25f057c..bbc09d5 100644
--- a/SOURCES/0001-link-with-z-now.patch
+++ b/SOURCES/0001-link-with-z-now.patch
@@ -1,26 +1,26 @@
-From 58f5196a02b2fea360a35e2ea7046a320aca2b4e Mon Sep 17 00:00:00 2001
+From c24c9c3ac032c17dd63120d0adba1ef32edcf8dd Mon Sep 17 00:00:00 2001
 From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 27 Jun 2011 11:21:23 -0400
-Subject: [PATCH 01/15] link with -z now
+Date: Wed, 15 Apr 2015 12:44:49 -0400
+Subject: [PATCH] link with -z now
 
 Signed-off-by: Adam Jackson <ajax@redhat.com>
 ---
- hw/xfree86/Makefile.am |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ hw/xfree86/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
-index c3899b5..9e422f2 100644
+index 27f2cc6..116eeb2 100644
 --- a/hw/xfree86/Makefile.am
 +++ b/hw/xfree86/Makefile.am
-@@ -67,7 +67,7 @@ Xorg_LDADD = \
+@@ -79,7 +79,7 @@ Xorg_LDADD = \
              $(XSERVER_SYS_LIBS)
  Xorg_DEPENDENCIES = $(LOCAL_LIBS)
  
 -Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG)
 +Xorg_LDFLAGS = $(LD_EXPORT_SYMBOLS_FLAG) -Wl,-z,now -pie
  
- BUILT_SOURCES = xorg.conf.example
- DISTCLEANFILES = xorg.conf.example
+ if SUID_WRAPPER
+ wrapdir = $(SUID_WRAPPER_DIR)
 -- 
-1.7.7.6
+2.1.0
 
diff --git a/SOURCES/0001-mi-don-t-process-events-from-disabled-devices-77884.patch b/SOURCES/0001-mi-don-t-process-events-from-disabled-devices-77884.patch
deleted file mode 100644
index 3c7af3a..0000000
--- a/SOURCES/0001-mi-don-t-process-events-from-disabled-devices-77884.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From e0e84775030cce77b37bb87739bebfd6635ea303 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 21 May 2014 10:07:31 +1000
-Subject: [PATCH 1/3] mi: don't process events from disabled devices (#77884)
-
-Once a device is disabled, it doesn't have a sprite pointer anymore. If an
-event is still in the queue and processed after DisableDevice finished, a
-dereference causes a crash. Example backtrace (crash forced by injecting an
-event at the right time):
-
-(EE) 0: /opt/xorg/bin/Xorg (OsSigHandler+0x3c) [0x48d334]
-(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x37fcc0f74f]
-(EE) 2: /opt/xorg/bin/Xorg (mieqMoveToNewScreen+0x38) [0x609240]
-(EE) 3: /opt/xorg/bin/Xorg (mieqProcessDeviceEvent+0xd4) [0x609389]
-(EE) 4: /opt/xorg/bin/Xorg (mieqProcessInputEvents+0x206) [0x609720]
-(EE) 5: /opt/xorg/bin/Xorg (ProcessInputEvents+0xd) [0x4aeb58]
-(EE) 6: /opt/xorg/bin/Xorg (xf86VTSwitch+0x1a6) [0x4af457]
-(EE) 7: /opt/xorg/bin/Xorg (xf86Wakeup+0x2bf) [0x4af0a7]
-(EE) 8: /opt/xorg/bin/Xorg (WakeupHandler+0x83) [0x4445cb]
-(EE) 9: /opt/xorg/bin/Xorg (WaitForSomething+0x3fe) [0x491bf6]
-(EE) 10: /opt/xorg/bin/Xorg (Dispatch+0x97) [0x435748]
-(EE) 11: /opt/xorg/bin/Xorg (dix_main+0x61d) [0x4438a9]
-(EE) 12: /opt/xorg/bin/Xorg (main+0x28) [0x49ba28]
-(EE) 13: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x37fc821d65]
-(EE) 14: /opt/xorg/bin/Xorg (_start+0x29) [0x425e69]
-(EE) 15: ? (?+0x29) [0x29]
-
-xf86VTSwitch() calls ProcessInputEvents() before disabling a device, and
-DisableDevice() calls mieqProcessInputEvents() again when flushing touches and
-button events. Between that and disabling the device (which causes new events
-to be refused) there is a window where events may be triggered and enqueued.
-On the next call to PIE that event is processed on a now defunct device,
-causing the crash.
-
-The simplest fix to this is to discard events from disabled devices. We flush
-the queue often enough before disabling that when we get here, we really don't
-care about the events from this device.
-
-X.Org Bug 77884 <http://bugs.freedesktop.org/show_bug.cgi?id=77884>
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reported-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
-Tested-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
-(cherry picked from commit 9fb08310b51b46736f3ca8dbc04efdf502420403)
----
- mi/mieq.c    |  4 ++++
- test/input.c | 14 +++++++++++++-
- 2 files changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/mi/mieq.c b/mi/mieq.c
-index 4c07480..188a0b0 100644
---- a/mi/mieq.c
-+++ b/mi/mieq.c
-@@ -515,6 +515,10 @@ mieqProcessDeviceEvent(DeviceIntPtr dev, InternalEvent *event, ScreenPtr screen)
- 
-     verify_internal_event(event);
- 
-+    /* refuse events from disabled devices */
-+    if (!dev->enabled)
-+        return 0;
-+
-     /* Custom event handler */
-     handler = miEventQueue.handlers[event->any.type];
- 
-diff --git a/test/input.c b/test/input.c
-index df20f82..4603c60 100644
---- a/test/input.c
-+++ b/test/input.c
-@@ -1708,6 +1708,18 @@ mieq_test_event_handler(int screenNum, InternalEvent *ie, DeviceIntPtr dev)
- static void
- _mieq_test_generate_events(uint32_t start, uint32_t count)
- {
-+    static DeviceIntRec dev;
-+    static SpriteInfoRec spriteInfo;
-+    static SpriteRec sprite;
-+
-+    memset(&dev, 0, sizeof(dev));
-+    memset(&spriteInfo, 0, sizeof(spriteInfo));
-+    memset(&sprite, 0, sizeof(sprite));
-+    dev.spriteInfo = &spriteInfo;
-+    spriteInfo.sprite = &sprite;
-+
-+    dev.enabled = 1;
-+
-     count += start;
-     while (start < count) {
-         RawDeviceEvent e = { 0 };
-@@ -1717,7 +1729,7 @@ _mieq_test_generate_events(uint32_t start, uint32_t count)
-         e.time = GetTimeInMillis();
-         e.flags = start;
- 
--        mieqEnqueue(NULL, (InternalEvent *) &e);
-+        mieqEnqueue(&dev, (InternalEvent *) &e);
- 
-         start++;
-     }
--- 
-1.9.3
-
diff --git a/SOURCES/0001-modesetting-Claim-PCI-devices-as-PCI-not-platform.patch b/SOURCES/0001-modesetting-Claim-PCI-devices-as-PCI-not-platform.patch
new file mode 100644
index 0000000..f66dc36
--- /dev/null
+++ b/SOURCES/0001-modesetting-Claim-PCI-devices-as-PCI-not-platform.patch
@@ -0,0 +1,39 @@
+From ffce7eb36404a96b860586d79f50dac820700e51 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Tue, 29 Sep 2015 13:24:31 -0400
+Subject: [PATCH] modesetting: Claim PCI devices as PCI not platform
+
+The X -configure code is hideously bad, and the platform bus path in it
+doesn't claim devices the same way the PCI path does, nDevToConfig is never
+incremented so nothing looks configurable.  For most devices we can work
+around this by claiming the device as PCI not as platform, since both will
+be scanned.
+
+This probably doesn't fix X -configure on non-PCI devices with this driver,
+but those are pretty rare in comparison.  A proper fix would involve
+rewriting the autoconfig code to be comprehensible, which is too invasive
+to consider doing downstream.
+
+---
+ hw/xfree86/drivers/modesetting/driver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
+index b0c2f17..4989069 100644
+--- a/hw/xfree86/drivers/modesetting/driver.c
++++ b/hw/xfree86/drivers/modesetting/driver.c
+@@ -370,6 +370,11 @@ ms_platform_probe(DriverPtr driver,
+     const char *path = xf86_platform_device_odev_attributes(dev)->path;
+     int scr_flags = 0;
+ 
++    if (dev->pdev) {
++	/* claim pci devices later, not here */
++	return FALSE;
++    }
++
+     if (flags & PLATFORM_PROBE_GPU_SCREEN)
+         scr_flags = XF86_ALLOCATE_GPU_SCREEN;
+ 
+-- 
+2.4.3
+
diff --git a/SOURCES/0001-modesetting-Fix-the-error-check-from-DRM_IOCTL_MODE_.patch b/SOURCES/0001-modesetting-Fix-the-error-check-from-DRM_IOCTL_MODE_.patch
new file mode 100644
index 0000000..bb6d474
--- /dev/null
+++ b/SOURCES/0001-modesetting-Fix-the-error-check-from-DRM_IOCTL_MODE_.patch
@@ -0,0 +1,38 @@
+From 6fed3ac4419f88220894143d65854cf41d459b53 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 16 Feb 2015 17:00:53 +0100
+Subject: [PATCH 1/5] modesetting: Fix the error check from
+ DRM_IOCTL_MODE_CURSOR2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The error value isn't always -EINVAL, e.g. the kernel drm core returns
+-ENXIO when the corresponding ops doesn't exist.  Without this fix,
+DRM_IOCTL_MODE_CURSOR2 would be dealt as success even if it
+shouldn't.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+---
+ hw/xfree86/drivers/modesetting/drmmode_display.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
+index 6a13660..04cb17a 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
+@@ -472,8 +472,8 @@ drmmode_set_cursor(xf86CrtcPtr crtc)
+                               cursor->bits->xhot, cursor->bits->yhot);
+         if (!ret)
+             return;
+-        if (ret == -EINVAL)
+-            use_set_cursor2 = FALSE;
++
++        use_set_cursor2 = FALSE;
+     }
+ 
+     ret = drmModeSetCursor(drmmode->fd, drmmode_crtc->mode_crtc->crtc_id, handle,
+-- 
+2.4.3
+
diff --git a/SOURCES/0001-modesetting-Implement-32-24-bpp-conversion-in-shadow.patch b/SOURCES/0001-modesetting-Implement-32-24-bpp-conversion-in-shadow.patch
new file mode 100644
index 0000000..cd53fc4
--- /dev/null
+++ b/SOURCES/0001-modesetting-Implement-32-24-bpp-conversion-in-shadow.patch
@@ -0,0 +1,518 @@
+From 71b321fbb79998d92766ca94ab3f8220d07d4616 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 29 Jul 2015 11:52:20 -0400
+Subject: [PATCH] modesetting: Implement 32->24 bpp conversion in shadow update
+
+24bpp front buffers tend to be the least well tested path for client
+rendering.  On the qemu cirrus emulation, and on some Matrox G200 server
+chips, the hardware can't do 32bpp at all.  It's better to just allocate
+a 32bpp shadow and downconvert in the upload hook than expose a funky
+pixmap format to clients.
+
+[ajax: Ported from RHEL and separate modesetting driver, lifted kbpp
+into the drmmode struct, cleaned up commit message, fixed 16bpp]
+
+[ajax: Backported from upstream submission to 1.17 branch]
+
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Dave Airlied <airlied@redhat.com>
+---
+ hw/xfree86/drivers/modesetting/Makefile.am       |   3 +
+ hw/xfree86/drivers/modesetting/driver.c          |  51 ++++++---
+ hw/xfree86/drivers/modesetting/drmmode_display.c |  59 +++++-----
+ hw/xfree86/drivers/modesetting/drmmode_display.h |   7 +-
+ hw/xfree86/drivers/modesetting/sh3224.c          | 140 +++++++++++++++++++++++
+ hw/xfree86/drivers/modesetting/sh3224.h          |   7 ++
+ 6 files changed, 217 insertions(+), 50 deletions(-)
+ create mode 100644 hw/xfree86/drivers/modesetting/sh3224.c
+ create mode 100644 hw/xfree86/drivers/modesetting/sh3224.h
+
+diff --git a/hw/xfree86/drivers/modesetting/Makefile.am b/hw/xfree86/drivers/modesetting/Makefile.am
+index 82c4f2f..206418e 100644
+--- a/hw/xfree86/drivers/modesetting/Makefile.am
++++ b/hw/xfree86/drivers/modesetting/Makefile.am
+@@ -35,6 +35,7 @@ AM_CPPFLAGS = \
+ 	-I$(srcdir)/../../modes \
+ 	-I$(srcdir)/../../parser \
+ 	-I$(srcdir)/../../ramdac \
++	-I$(srcdir) \
+ 	$(NULL)
+ 
+ modesetting_drv_la_LTLIBRARIES = modesetting_drv.la
+@@ -51,6 +52,8 @@ modesetting_drv_la_SOURCES = \
+ 	 dumb_bo.c \
+ 	 dumb_bo.h \
+ 	 present.c \
++	 sh3224.c \
++	 sh3224.h \
+ 	 vblank.c \
+ 	 $(NULL)
+ 
+diff --git a/hw/xfree86/drivers/modesetting/driver.c b/hw/xfree86/drivers/modesetting/driver.c
+index d52517d..1215cb3 100644
+--- a/hw/xfree86/drivers/modesetting/driver.c
++++ b/hw/xfree86/drivers/modesetting/driver.c
+@@ -60,6 +60,7 @@
+ #endif
+ 
+ #include "driver.h"
++#include "sh3224.h"
+ 
+ static void AdjustFrame(ScrnInfoPtr pScrn, int x, int y);
+ static Bool CloseScreen(ScreenPtr pScreen);
+@@ -634,7 +635,6 @@ PreInit(ScrnInfoPtr pScrn, int flags)
+     uint64_t value = 0;
+     int ret;
+     int bppflags;
+-    int defaultdepth, defaultbpp;
+ 
+     if (pScrn->numEntities != 1)
+         return FALSE;
+@@ -729,16 +729,23 @@ PreInit(ScrnInfoPtr pScrn, int flags)
+             pScrn->capabilities |= RR_Capability_SinkOutput;
+     }
+ #endif
+-    drmmode_get_default_bpp(pScrn, &ms->drmmode, &defaultdepth, &defaultbpp);
+-    if (defaultdepth == 24 && defaultbpp == 24)
+-        bppflags = SupportConvert32to24 | Support24bppFb;
+-    else
+-        bppflags = PreferConvert24to32 | SupportConvert24to32 | Support32bppFb;
++    bppflags = PreferConvert24to32 | SupportConvert24to32 | Support32bppFb;
+ 
+-    if (!xf86SetDepthBpp
+-        (pScrn, defaultdepth, defaultdepth, defaultbpp, bppflags))
++    if (!xf86SetDepthBpp(pScrn,
++			 drmmode_check_default_depth(pScrn, &ms->drmmode),
++			 0, 0, bppflags))
+         return FALSE;
+ 
++    ms->drmmode.kbpp = pScrn->bitsPerPixel;
++    if (pScrn->depth >= 24) {
++	if (!drmmode_check_32bpp(pScrn, &ms->drmmode)) {
++	    ms->drmmode.force_24_32 = TRUE;
++	    ms->drmmode.kbpp = 24;
++	    xf86DrvMsg(pScrn->scrnIndex, X_INFO,
++		       "Using 24bpp hw front buffer with 32bpp shadow\n");
++	}
++    }
++
+     switch (pScrn->depth) {
+     case 15:
+     case 16:
+@@ -750,6 +757,8 @@ PreInit(ScrnInfoPtr pScrn, int flags)
+                    pScrn->depth);
+         return FALSE;
+     }
++    if (ms->drmmode.kbpp == 0)
++	ms->drmmode.kbpp = pScrn->bitsPerPixel;
+     xf86PrintDepthBpp(pScrn);
+ 
+     /* Process the options */
+@@ -786,18 +795,24 @@ PreInit(ScrnInfoPtr pScrn, int flags)
+     } else {
+         Bool prefer_shadow = TRUE;
+ 
+-        ret = drmGetCap(ms->fd, DRM_CAP_DUMB_PREFER_SHADOW, &value);
+-        if (!ret) {
+-            prefer_shadow = !!value;
+-        }
++	if (ms->drmmode.force_24_32) {
++	    prefer_shadow = TRUE;
++	    ms->drmmode.shadow_enable = TRUE;
++	} else {
++	    ret = drmGetCap(ms->fd, DRM_CAP_DUMB_PREFER_SHADOW, &value);
++	    if (!ret) {
++		prefer_shadow = !!value;
++	    }
+ 
+-        ms->drmmode.shadow_enable = xf86ReturnOptValBool(ms->Options,
+-                                                         OPTION_SHADOW_FB,
+-                                                         prefer_shadow);
++	    ms->drmmode.shadow_enable = xf86ReturnOptValBool(ms->Options,
++							     OPTION_SHADOW_FB,
++							     prefer_shadow);
++	}
+ 
+         xf86DrvMsg(pScrn->scrnIndex, X_INFO,
+                    "ShadowFB: preferred %s, enabled %s\n",
+                    prefer_shadow ? "YES" : "NO",
++		   ms->drmmode.force_24_32 ? "FORCE" :
+                    ms->drmmode.shadow_enable ? "YES" : "NO");
+     }
+ 
+@@ -851,7 +866,7 @@ msShadowWindow(ScreenPtr screen, CARD32 row, CARD32 offset, int mode,
+     modesettingPtr ms = modesettingPTR(pScrn);
+     int stride;
+ 
+-    stride = (pScrn->displayWidth * pScrn->bitsPerPixel) / 8;
++    stride = (pScrn->displayWidth * ms->drmmode.kbpp) / 8;
+     *size = stride;
+ 
+     return ((uint8_t *) ms->drmmode.front_bo.dumb->ptr + row * stride + offset);
+@@ -872,6 +887,7 @@ CreateScreenResources(ScreenPtr pScreen)
+     Bool ret;
+     void *pixels = NULL;
+     int err;
++    Bool use_ms_shadow = ms->drmmode.force_24_32 && pScrn->bitsPerPixel == 32;
+ 
+     pScreen->CreateScreenResources = ms->createScreenResources;
+     ret = pScreen->CreateScreenResources(pScreen);
+@@ -903,7 +919,8 @@ CreateScreenResources(ScreenPtr pScreen)
+         FatalError("Couldn't adjust screen pixmap\n");
+ 
+     if (ms->drmmode.shadow_enable) {
+-        if (!shadowAdd(pScreen, rootPixmap, msUpdatePacked,
++        if (!shadowAdd(pScreen, rootPixmap,
++		       use_ms_shadow ? ms_shadowUpdate32to24 : msUpdatePacked,
+                        msShadowWindow, 0, 0))
+             return FALSE;
+     }
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
+index b803314..349bddb 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
+@@ -288,7 +288,7 @@ drmmode_set_mode_major(xf86CrtcPtr crtc, DisplayModePtr mode,
+     if (drmmode->fb_id == 0) {
+         ret = drmModeAddFB(drmmode->fd,
+                            pScrn->virtualX, height,
+-                           pScrn->depth, pScrn->bitsPerPixel,
++                           pScrn->depth, drmmode->kbpp,
+                            drmmode_bo_get_pitch(&drmmode->front_bo),
+                            drmmode_bo_get_handle(&drmmode->front_bo),
+                            &drmmode->fb_id);
+@@ -1340,6 +1340,7 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+     uint32_t old_fb_id;
+     int i, pitch, old_width, old_height, old_pitch;
+     int cpp = (scrn->bitsPerPixel + 7) / 8;
++    int kcpp = (drmmode->kbpp + 7) / 8;
+     PixmapPtr ppix = screen->GetScreenPixmap(screen);
+     void *new_pixels = NULL;
+ 
+@@ -1361,17 +1362,17 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+     old_front = drmmode->front_bo;
+ 
+     if (!drmmode_create_bo(drmmode, &drmmode->front_bo,
+-                           width, height, scrn->bitsPerPixel))
++                           width, height, drmmode->kbpp))
+         goto fail;
+ 
+     pitch = drmmode_bo_get_pitch(&drmmode->front_bo);
+ 
+     scrn->virtualX = width;
+     scrn->virtualY = height;
+-    scrn->displayWidth = pitch / cpp;
++    scrn->displayWidth = pitch / kcpp;
+ 
+     ret = drmModeAddFB(drmmode->fd, width, height, scrn->depth,
+-                       scrn->bitsPerPixel, pitch,
++                       drmmode->kbpp, pitch,
+                        drmmode_bo_get_handle(&drmmode->front_bo),
+                        &drmmode->fb_id);
+     if (ret)
+@@ -1384,8 +1385,7 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+     }
+ 
+     if (drmmode->shadow_enable) {
+-        uint32_t size = scrn->displayWidth * scrn->virtualY *
+-            ((scrn->bitsPerPixel + 7) >> 3);
++        uint32_t size = scrn->displayWidth * scrn->virtualY * cpp;
+         new_pixels = calloc(1, size);
+         if (new_pixels == NULL)
+             goto fail;
+@@ -1393,7 +1393,8 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+         drmmode->shadow_fb = new_pixels;
+     }
+ 
+-    screen->ModifyPixmapHeader(ppix, width, height, -1, -1, pitch, new_pixels);
++    screen->ModifyPixmapHeader(ppix, width, height, -1, -1,
++			       scrn->displayWidth * cpp, new_pixels);
+ 
+     if (!drmmode_glamor_handle_new_screen_pixmap(drmmode))
+         goto fail;
+@@ -1420,7 +1421,7 @@ drmmode_xf86crtc_resize(ScrnInfoPtr scrn, int width, int height)
+     drmmode->front_bo = old_front;
+     scrn->virtualX = old_width;
+     scrn->virtualY = old_height;
+-    scrn->displayWidth = old_pitch / cpp;
++    scrn->displayWidth = old_pitch / kcpp;
+     drmmode->fb_id = old_fb_id;
+ 
+     return FALSE;
+@@ -1695,7 +1696,7 @@ drmmode_create_initial_bos(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
+     xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(pScrn);
+     int width;
+     int height;
+-    int bpp = pScrn->bitsPerPixel;
++    int bpp = ms->drmmode.kbpp;
+     int i;
+     int cpp = (bpp + 7) / 8;
+ 
+@@ -1778,29 +1779,30 @@ drmmode_free_bos(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
+     }
+ }
+ 
++/* returns 0 if no preference or check failed */
++int
++drmmode_check_default_depth(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
++{
++    uint64_t value = 0;
++
++    drmGetCap(drmmode->fd, DRM_CAP_DUMB_PREFERRED_DEPTH, &value);
++
++    return value;
++}
++
+ /* ugly workaround to see if we can create 32bpp */
+-void
+-drmmode_get_default_bpp(ScrnInfoPtr pScrn, drmmode_ptr drmmode, int *depth,
+-                        int *bpp)
++Bool
++drmmode_check_32bpp(ScrnInfoPtr pScrn, drmmode_ptr drmmode)
+ {
+     drmModeResPtr mode_res;
+-    uint64_t value;
+     struct dumb_bo *bo;
+     uint32_t fb_id;
+     int ret;
++    int can = FALSE;
+ 
+-    /* 16 is fine */
+-    ret = drmGetCap(drmmode->fd, DRM_CAP_DUMB_PREFERRED_DEPTH, &value);
+-    if (!ret && (value == 16 || value == 8)) {
+-        *depth = value;
+-        *bpp = value;
+-        return;
+-    }
+-
+-    *depth = 24;
+     mode_res = drmModeGetResources(drmmode->fd);
+     if (!mode_res)
+-        return;
++        goto out;
+ 
+     if (mode_res->min_width == 0)
+         mode_res->min_width = 1;
+@@ -1809,25 +1811,22 @@ drmmode_get_default_bpp(ScrnInfoPtr pScrn, drmmode_ptr drmmode, int *depth,
+     /*create a bo */
+     bo = dumb_bo_create(drmmode->fd, mode_res->min_width, mode_res->min_height,
+                         32);
+-    if (!bo) {
+-        *bpp = 24;
+-        goto out;
+-    }
++    if (!bo)
++	goto out;
+ 
+     ret = drmModeAddFB(drmmode->fd, mode_res->min_width, mode_res->min_height,
+                        24, 32, bo->pitch, bo->handle, &fb_id);
+ 
+     if (ret) {
+-        *bpp = 24;
+         dumb_bo_destroy(drmmode->fd, bo);
+         goto out;
+     }
+ 
+     drmModeRmFB(drmmode->fd, fb_id);
+-    *bpp = 32;
++    can = TRUE;
+ 
+     dumb_bo_destroy(drmmode->fd, bo);
+  out:
+     drmModeFreeResources(mode_res);
+-    return;
++    return can;
+ }
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.h b/hw/xfree86/drivers/modesetting/drmmode_display.h
+index 3a8959a..927efec 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.h
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.h
+@@ -50,6 +50,7 @@ typedef struct {
+     drmModeResPtr mode_res;
+     drmModeFBPtr mode_fb;
+     int cpp;
++    int	kbpp;
+     ScrnInfoPtr scrn;
+ 
+     struct gbm_device *gbm;
+@@ -64,6 +65,7 @@ typedef struct {
+ 
+     Bool glamor;
+     Bool shadow_enable;
++    Bool force_24_32;
+     void *shadow_fb;
+ 
+     /**
+@@ -158,9 +160,8 @@ Bool drmmode_create_initial_bos(ScrnInfoPtr pScrn, drmmode_ptr drmmode);
+ void *drmmode_map_front_bo(drmmode_ptr drmmode);
+ Bool drmmode_map_cursor_bos(ScrnInfoPtr pScrn, drmmode_ptr drmmode);
+ void drmmode_free_bos(ScrnInfoPtr pScrn, drmmode_ptr drmmode);
+-void drmmode_get_default_bpp(ScrnInfoPtr pScrn, drmmode_ptr drmmmode,
+-                             int *depth, int *bpp);
+-
++Bool drmmode_check_32bpp(ScrnInfoPtr pScrn, drmmode_ptr drmmmode);
++int drmmode_check_default_depth(ScrnInfoPtr pScrn, drmmode_ptr drmmode);
+ 
+ #ifndef DRM_CAP_DUMB_PREFERRED_DEPTH
+ #define DRM_CAP_DUMB_PREFERRED_DEPTH 3
+diff --git a/hw/xfree86/drivers/modesetting/sh3224.c b/hw/xfree86/drivers/modesetting/sh3224.c
+new file mode 100644
+index 0000000..a64a103
+--- /dev/null
++++ b/hw/xfree86/drivers/modesetting/sh3224.c
+@@ -0,0 +1,140 @@
++/*
++ *
++ * Copyright © 2000 Keith Packard
++ *
++ * Permission to use, copy, modify, distribute, and sell this software and its
++ * documentation for any purpose is hereby granted without fee, provided that
++ * the above copyright notice appear in all copies and that both that
++ * copyright notice and this permission notice appear in supporting
++ * documentation, and that the name of Keith Packard not be used in
++ * advertising or publicity pertaining to distribution of the software without
++ * specific, written prior permission.  Keith Packard makes no
++ * representations about the suitability of this software for any purpose.  It
++ * is provided "as is" without express or implied warranty.
++ *
++ * KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
++ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
++ * EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR
++ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
++ * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
++ * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#ifdef HAVE_DIX_CONFIG_H
++#include "dix-config.h"
++#endif
++
++#include    "shadow.h"
++#include    "fb.h"
++
++#include "sh3224.h"
++#define Get8(a)	((CARD32) READ(a))
++
++#if BITMAP_BIT_ORDER == MSBFirst
++#define Get24(a)    ((Get8(a) << 16) | (Get8((a)+1) << 8) | Get8((a)+2))
++#define Put24(a,p)  ((WRITE((a+0), (CARD8) ((p) >> 16))), \
++		     (WRITE((a+1), (CARD8) ((p) >> 8))), \
++		     (WRITE((a+2), (CARD8) (p))))
++#else
++#define Get24(a)    (Get8(a) | (Get8((a)+1) << 8) | (Get8((a)+2)<<16))
++#define Put24(a,p)  ((WRITE((a+0), (CARD8) (p))), \
++		     (WRITE((a+1), (CARD8) ((p) >> 8))), \
++		     (WRITE((a+2), (CARD8) ((p) >> 16))))
++#endif
++
++static void
++sh24_32BltLine(CARD8 *srcLine,
++               CARD8 *dstLine,
++               int width)
++{
++    CARD32 *src;
++    CARD8 *dst;
++    int w;
++    CARD32 pixel;
++
++    src = (CARD32 *) srcLine;
++    dst = dstLine;
++    w = width;
++
++    while (((long)dst & 3) && w) {
++	w--;
++	pixel = READ(src++);
++	Put24(dst, pixel);
++	dst += 3;
++    }
++    /* Do four aligned pixels at a time */
++    while (w >= 4) {
++	CARD32 s0, s1;
++
++	s0 = READ(src++);
++	s1 = READ(src++);
++#if BITMAP_BIT_ORDER == LSBFirst
++	WRITE((CARD32 *) dst, (s0 & 0xffffff) | (s1 << 24));
++#else
++	WRITE((CARD32 *) dst, (s0 << 8) | ((s1 & 0xffffff) >> 16));
++#endif
++	s0 = READ(src++);
++#if BITMAP_BIT_ORDER == LSBFirst
++	WRITE((CARD32 *) (dst + 4),
++	      ((s1 & 0xffffff) >> 8) | (s0 << 16));
++#else
++	WRITE((CARD32 *) (dst + 4),
++	      (s1 << 16) | ((s0 & 0xffffff) >> 8));
++#endif
++	s1 = READ(src++);
++#if BITMAP_BIT_ORDER == LSBFirst
++	WRITE((CARD32 *) (dst + 8),
++	      ((s0 & 0xffffff) >> 16) | (s1 << 8));
++#else
++	WRITE((CARD32 *) (dst + 8), (s0 << 24) | (s1 & 0xffffff));
++#endif
++	dst += 12;
++	w -= 4;
++    }
++    while (w--) {
++	pixel = READ(src++);
++	Put24(dst, pixel);
++	dst += 3;
++    }
++}
++
++void
++ms_shadowUpdate32to24(ScreenPtr pScreen, shadowBufPtr pBuf)
++{
++    RegionPtr damage = shadowDamage(pBuf);
++    PixmapPtr pShadow = pBuf->pPixmap;
++    int nbox = RegionNumRects(damage);
++    BoxPtr pbox = RegionRects(damage);
++    FbStride shaStride;
++    int shaBpp;
++    _X_UNUSED int shaXoff, shaYoff;
++    int x, y, w, h;
++    CARD32 winSize;
++    FbBits *shaBase, *shaLine;
++    CARD8 *winBase = NULL, *winLine;
++
++    fbGetDrawable(&pShadow->drawable, shaBase, shaStride, shaBpp, shaXoff,
++                  shaYoff);
++
++    /* just get the initial window base + stride */
++    winBase = (*pBuf->window)(pScreen, 0, 0, SHADOW_WINDOW_WRITE,
++			      &winSize, pBuf->closure);
++
++    while (nbox--) {
++        x = pbox->x1;
++        y = pbox->y1;
++        w = pbox->x2 - pbox->x1;
++        h = pbox->y2 - pbox->y1;
++
++	winLine = winBase + y * winSize + (x * 3);
++        shaLine = shaBase + y * shaStride + ((x * shaBpp) >> FB_SHIFT);
++
++        while (h--) {
++	    sh24_32BltLine((CARD8 *)shaLine, (CARD8 *)winLine, w);
++	    winLine += winSize;
++            shaLine += shaStride;
++        }
++        pbox++;
++    }
++}
+diff --git a/hw/xfree86/drivers/modesetting/sh3224.h b/hw/xfree86/drivers/modesetting/sh3224.h
+new file mode 100644
+index 0000000..fc301f9
+--- /dev/null
++++ b/hw/xfree86/drivers/modesetting/sh3224.h
+@@ -0,0 +1,7 @@
++#ifndef SH3224_H
++#define SH3224_H
++
++void
++ms_shadowUpdate32to24(ScreenPtr pScreen, shadowBufPtr pBuf);
++
++#endif
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0001-pixmap-fix-reverse-optimus-support-with-multiple-hea.patch b/SOURCES/0001-pixmap-fix-reverse-optimus-support-with-multiple-hea.patch
deleted file mode 100644
index 366cc2d..0000000
--- a/SOURCES/0001-pixmap-fix-reverse-optimus-support-with-multiple-hea.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 4b281c11423b7bac8f0265e650a3e7ff890081bc Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@gmail.com>
-Date: Tue, 30 Jul 2013 13:48:04 +1000
-Subject: [PATCH] pixmap: fix reverse optimus support with multiple heads
-
-For doing reverese optimus to multiple outputs on a secondary GPU
-the GPU can store the blits into a large screen pixmap, unfortunately
-this means we need a destination offset into the dirty code, so
-add a new API that just adds this interface.
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
----
- dix/pixmap.c        | 18 ++++++++++++++----
- include/pixmap.h    |  6 ++++++
- include/pixmapstr.h |  1 +
- 3 files changed, 21 insertions(+), 4 deletions(-)
-
-diff --git a/dix/pixmap.c b/dix/pixmap.c
-index fe92147..e01d961 100644
---- a/dix/pixmap.c
-+++ b/dix/pixmap.c
-@@ -164,9 +164,9 @@ PixmapPtr PixmapShareToSlave(PixmapPtr pixmap, ScreenPtr slave)
- }
- 
- Bool
--PixmapStartDirtyTracking(PixmapPtr src,
--                         PixmapPtr slave_dst,
--                         int x, int y)
-+PixmapStartDirtyTracking2(PixmapPtr src,
-+			  PixmapPtr slave_dst,
-+			  int x, int y, int dst_x, int dst_y)
- {
-     ScreenPtr screen = src->drawable.pScreen;
-     PixmapDirtyUpdatePtr dirty_update;
-@@ -179,6 +179,8 @@ PixmapStartDirtyTracking(PixmapPtr src,
-     dirty_update->slave_dst = slave_dst;
-     dirty_update->x = x;
-     dirty_update->y = y;
-+    dirty_update->dst_x = dst_x;
-+    dirty_update->dst_y = dst_y;
- 
-     dirty_update->damage = DamageCreate(NULL, NULL,
-                                         DamageReportNone,
-@@ -195,6 +197,14 @@ PixmapStartDirtyTracking(PixmapPtr src,
- }
- 
- Bool
-+PixmapStartDirtyTracking(PixmapPtr src,
-+			 PixmapPtr slave_dst,
-+			 int x, int y)
-+{
-+   return PixmapStartDirtyTracking2(src, slave_dst, x, y, 0, 0);
-+}
-+
-+Bool
- PixmapStopDirtyTracking(PixmapPtr src, PixmapPtr slave_dst)
- {
-     ScreenPtr screen = src->drawable.pScreen;
-@@ -262,7 +272,7 @@ Bool PixmapSyncDirtyHelper(PixmapDirtyUpdatePtr dirty, RegionPtr dirty_region)
-         h = dst_box.y2 - dst_box.y1;
- 
-         pGC->ops->CopyArea(&dirty->src->drawable, &dst->drawable, pGC,
--                           dirty->x + dst_box.x1, dirty->y + dst_box.y1, w, h, dst_box.x1, dst_box.y1);
-+                           dirty->x + dst_box.x1, dirty->y + dst_box.y1, w, h, dirty->dst_x + dst_box.x1, dirty->dst_y + dst_box.y1);
-         b++;
-     }
-     FreeScratchGC(pGC);
-diff --git a/include/pixmap.h b/include/pixmap.h
-index 921a94d..d7d0a5e 100644
---- a/include/pixmap.h
-+++ b/include/pixmap.h
-@@ -120,6 +120,12 @@ PixmapStartDirtyTracking(PixmapPtr src,
-                          PixmapPtr slave_dst,
-                          int x, int y);
- 
-+#define HAS_DIRTYTRACKING2 1
-+extern _X_EXPORT Bool
-+PixmapStartDirtyTracking2(PixmapPtr src,
-+			  PixmapPtr slave_dst,
-+			  int x, int y, int dst_x, int dst_y);
-+
- extern _X_EXPORT Bool
- PixmapStopDirtyTracking(PixmapPtr src, PixmapPtr slave_dst);
- 
-diff --git a/include/pixmapstr.h b/include/pixmapstr.h
-index 2a1ef9b..2bdff98 100644
---- a/include/pixmapstr.h
-+++ b/include/pixmapstr.h
-@@ -90,6 +90,7 @@ typedef struct _PixmapDirtyUpdate {
-     int x, y;
-     DamagePtr damage;
-     struct xorg_list ent;
-+    int dst_x, dst_y;
- } PixmapDirtyUpdateRec;
- 
- static inline void
--- 
-1.8.2.1
-
diff --git a/SOURCES/0001-randr-attempt-to-fix-primary-on-slave-output.patch b/SOURCES/0001-randr-attempt-to-fix-primary-on-slave-output.patch
deleted file mode 100644
index 2ac89dd..0000000
--- a/SOURCES/0001-randr-attempt-to-fix-primary-on-slave-output.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 535366ffcf36b38815c9c344402b21c126050188 Mon Sep 17 00:00:00 2001
-From: Fedora X Ninjas <x@fedoraproject.org>
-Date: Fri, 21 Feb 2014 03:30:50 +0000
-Subject: [PATCH] randr: attempt to fix primary on slave output
-
----
- randr/rroutput.c   |  6 +++++-
- randr/rrscreen.c   | 22 ++++++++++++++++++----
- randr/rrxinerama.c | 12 ++++++++++--
- 3 files changed, 33 insertions(+), 7 deletions(-)
-
-diff --git a/randr/rroutput.c b/randr/rroutput.c
-index 2b0b82f..07aa0ec 100644
---- a/randr/rroutput.c
-+++ b/randr/rroutput.c
-@@ -540,7 +540,11 @@ ProcRRSetOutputPrimary(ClientPtr client)
-     if (stuff->output) {
-         VERIFY_RR_OUTPUT(stuff->output, output, DixReadAccess);
- 
--        if (output->pScreen != pWin->drawable.pScreen) {
-+        if (!output->pScreen->isGPU && output->pScreen != pWin->drawable.pScreen) {
-+            client->errorValue = stuff->window;
-+            return BadMatch;
-+        }
-+        if (output->pScreen->isGPU && output->pScreen->current_master != pWin->drawable.pScreen) {
-             client->errorValue = stuff->window;
-             return BadMatch;
-         }
-diff --git a/randr/rrscreen.c b/randr/rrscreen.c
-index 36179ae..47d1823 100644
---- a/randr/rrscreen.c
-+++ b/randr/rrscreen.c
-@@ -322,8 +322,13 @@ static inline void swap_modeinfos(xRRModeInfo *modeinfos, int i)
-     swapl(&modeinfos[i].modeFlags);
- }
- 
--#define update_arrays(gpuscreen, pScrPriv) do {            \
-+#define update_arrays(gpuscreen, pScrPriv, primary_crtc) do {            \
-     for (j = 0; j < pScrPriv->numCrtcs; j++) {             \
-+        if (has_primary && \
-+            primary_crtc == pScrPriv->crtcs[j]) { \
-+            has_primary = 0;   \
-+            continue; \
-+        }\
-         crtcs[crtc_count] = pScrPriv->crtcs[j]->id;        \
-         if (client->swapped)                               \
-             swapl(&crtcs[crtc_count]);                     \
-@@ -366,9 +371,11 @@ rrGetMultiScreenResources(ClientPtr client, Bool query, ScreenPtr pScreen)
-     unsigned long extraLen;
-     CARD8 *extra;
-     RRCrtc *crtcs;
-+    RRCrtcPtr primary_crtc = NULL;
-     RROutput *outputs;
-     xRRModeInfo *modeinfos;
-     CARD8 *names;
-+    int has_primary = 0;
- 
-     /* we need to iterate all the GPU masters and all their output slaves */
-     total_crtcs = 0;
-@@ -426,18 +433,25 @@ rrGetMultiScreenResources(ClientPtr client, Bool query, ScreenPtr pScreen)
-     modeinfos = (xRRModeInfo *)(outputs + total_outputs);
-     names = (CARD8 *)(modeinfos + total_modes);
- 
--    /* TODO primary */
-     crtc_count = 0;
-     output_count = 0;
-     mode_count = 0;
- 
-     pScrPriv = rrGetScrPriv(pScreen);
--    update_arrays(pScreen, pScrPriv);
-+    if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc) {
-+        has_primary = 1;
-+	primary_crtc = pScrPriv->primaryOutput->crtc;
-+        crtcs[0] = pScrPriv->primaryOutput->crtc->id;
-+        if (client->swapped)
-+            swapl(&crtcs[0]);
-+	crtc_count = 1;
-+    }
-+    update_arrays(pScreen, pScrPriv, primary_crtc);
- 
-     xorg_list_for_each_entry(iter, &pScreen->output_slave_list, output_head) {
-         pScrPriv = rrGetScrPriv(iter);
- 
--        update_arrays(iter, pScrPriv);
-+        update_arrays(iter, pScrPriv, primary_crtc);
-     }
- 
-     assert(bytes_to_int32((char *) names - (char *) extra) == rep.length);
-diff --git a/randr/rrxinerama.c b/randr/rrxinerama.c
-index 76d728c..363cead 100644
---- a/randr/rrxinerama.c
-+++ b/randr/rrxinerama.c
-@@ -344,15 +344,17 @@ ProcRRXineramaQueryScreens(ClientPtr client)
-         ScreenPtr slave;
-         rrScrPriv(pScreen);
-         int has_primary = 0;
-+        RRCrtcPtr primary_crtc = NULL;
- 
-         if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc) {
-             has_primary = 1;
-+            primary_crtc = pScrPriv->primaryOutput->crtc;
-             RRXineramaWriteCrtc(client, pScrPriv->primaryOutput->crtc);
-         }
- 
-         for (i = 0; i < pScrPriv->numCrtcs; i++) {
-             if (has_primary &&
--                pScrPriv->primaryOutput->crtc == pScrPriv->crtcs[i]) {
-+                primary_crtc == pScrPriv->crtcs[i]) {
-                 has_primary = 0;
-                 continue;
-             }
-@@ -362,8 +364,14 @@ ProcRRXineramaQueryScreens(ClientPtr client)
-         xorg_list_for_each_entry(slave, &pScreen->output_slave_list, output_head) {
-             rrScrPrivPtr pSlavePriv;
-             pSlavePriv = rrGetScrPriv(slave);
--            for (i = 0; i < pSlavePriv->numCrtcs; i++)
-+            for (i = 0; i < pSlavePriv->numCrtcs; i++) {
-+                if (has_primary &&
-+                    primary_crtc == pSlavePriv->crtcs[i]) {
-+                    has_primary = 0;
-+                    continue;
-+                }
-                 RRXineramaWriteCrtc(client, pSlavePriv->crtcs[i]);
-+            }
-         }
-     }
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/0001-right-of.patch b/SOURCES/0001-right-of.patch
new file mode 100644
index 0000000..a847a48
--- /dev/null
+++ b/SOURCES/0001-right-of.patch
@@ -0,0 +1,157 @@
+From f96860984536dc3b6763286195b69f73759d2dad Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Wed, 15 Apr 2015 12:43:03 -0400
+Subject: [PATCH] right-of
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+diff --git a/hw/xfree86/common/xf86str.h b/hw/xfree86/common/xf86str.h
+index 643a65d..b5f1fa8 100644
+--- a/hw/xfree86/common/xf86str.h
++++ b/hw/xfree86/common/xf86str.h
+@@ -508,10 +508,13 @@ typedef struct _confdrirec {
+ } confDRIRec, *confDRIPtr;
+ 
+ /* These values should be adjusted when new fields are added to ScrnInfoRec */
+-#define NUM_RESERVED_INTS		16
++#define NUM_RESERVED_INTS		15
+ #define NUM_RESERVED_POINTERS		14
+ #define NUM_RESERVED_FUNCS		10
+ 
++/* let clients know they can use this */
++#define XF86_SCRN_HAS_PREFER_CLONE 1
++
+ typedef void *(*funcPointer) (void);
+ 
+ /* flags for depth 24 pixmap options */
+@@ -768,6 +771,9 @@ typedef struct _ScrnInfoRec {
+     ClockRangePtr clockRanges;
+     int adjustFlags;
+ 
++    /* initial rightof support disable */
++    int                 preferClone;
++
+     /*
+      * These can be used when the minor ABI version is incremented.
+      * The NUM_* parameters must be reduced appropriately to keep the
+diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
+index 9d592a7..1e32a90 100644
+--- a/hw/xfree86/modes/xf86Crtc.c
++++ b/hw/xfree86/modes/xf86Crtc.c
+@@ -1123,6 +1123,15 @@ xf86InitialOutputPositions(ScrnInfoPtr scrn, DisplayModePtr * modes)
+     int o;
+     int min_x, min_y;
+ 
++    /* check for initial right-of heuristic */
++    for (o = 0; o < config->num_output; o++)
++    {
++        xf86OutputPtr output = config->output[o];
++
++        if (output->initial_x || output->initial_y)
++            return TRUE;
++    }
++
+     for (o = 0; o < config->num_output; o++) {
+         xf86OutputPtr output = config->output[o];
+ 
+@@ -2102,6 +2111,57 @@ bestModeForAspect(xf86CrtcConfigPtr config, Bool *enabled, float aspect)
+     return match;
+ }
+ 
++static int
++numEnabledOutputs(xf86CrtcConfigPtr config, Bool *enabled)
++{
++    int i = 0, p;
++
++    for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++) ;
++
++    return i;
++}
++
++static Bool
++xf86TargetRightOf(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
++                  DisplayModePtr *modes, Bool *enabled,
++                  int width, int height)
++{
++    int o;
++    int w = 0;
++
++    if (scrn->preferClone)
++        return FALSE;
++
++    if (numEnabledOutputs(config, enabled) < 2)
++        return FALSE;
++
++    for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
++        DisplayModePtr mode =
++            xf86OutputHasPreferredMode(config->output[o], width, height);
++
++        if (!mode)
++            return FALSE;
++
++        w += mode->HDisplay;
++    }
++
++    if (w > width)
++        return FALSE;
++
++    w = 0;
++    for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
++        DisplayModePtr mode =
++            xf86OutputHasPreferredMode(config->output[o], width, height);
++
++        config->output[o]->initial_x = w;
++        w += mode->HDisplay;
++
++        modes[o] = mode;
++    }
++
++    return TRUE;
++}
++
+ static Bool
+ xf86TargetPreferred(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
+                     DisplayModePtr * modes, Bool *enabled,
+@@ -2178,14 +2238,10 @@ xf86TargetPreferred(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
+      */
+     if (!ret)
+         do {
+-            int i = 0;
+             float aspect = 0.0;
+             DisplayModePtr a = NULL, b = NULL;
+ 
+-            /* count the number of enabled outputs */
+-            for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++);
+-
+-            if (i != 1)
++            if (numEnabledOutputs(config, enabled) != 1)
+                 break;
+ 
+             p = -1;
+@@ -2491,6 +2547,8 @@ xf86InitialConfiguration(ScrnInfoPtr scrn, Bool canGrow)
+     else {
+         if (xf86TargetUserpref(scrn, config, modes, enabled, width, height))
+             xf86DrvMsg(i, X_INFO, "Using user preference for initial modes\n");
++        else if (xf86TargetRightOf(scrn, config, modes, enabled, width, height))
++            xf86DrvMsg(i, X_INFO, "Using spanning desktop for initial modes\n");
+         else if (xf86TargetPreferred
+                  (scrn, config, modes, enabled, width, height))
+             xf86DrvMsg(i, X_INFO, "Using exact sizes for initial modes\n");
+@@ -2510,9 +2568,11 @@ xf86InitialConfiguration(ScrnInfoPtr scrn, Bool canGrow)
+                        "Output %s enabled but has no modes\n",
+                        config->output[o]->name);
+         else
+-            xf86DrvMsg(scrn->scrnIndex, X_INFO,
+-                       "Output %s using initial mode %s\n",
+-                       config->output[o]->name, modes[o]->name);
++            xf86DrvMsg (scrn->scrnIndex, X_INFO,
++                        "Output %s using initial mode %s +%d+%d\n",
++                        config->output[o]->name, modes[o]->name,
++                        config->output[o]->initial_x,
++                        config->output[o]->initial_y);
+     }
+ 
+     /*
+-- 
+2.1.0
+
diff --git a/SOURCES/0001-rrcrtc-brackets-are-hard-lets-go-shopping.patch b/SOURCES/0001-rrcrtc-brackets-are-hard-lets-go-shopping.patch
deleted file mode 100644
index 6605162..0000000
--- a/SOURCES/0001-rrcrtc-brackets-are-hard-lets-go-shopping.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From dd0c31d6b7559bb0dda6283a5d345d537f1d6b42 Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@gmail.com>
-Date: Tue, 30 Jul 2013 13:17:45 +1000
-Subject: [PATCH] rrcrtc: brackets are hard, lets go shopping.
-
-Slaving two outputs on a secondary GPU to a primary GPU testing
-picked this up, in that we'd try to resize to the totally the
-wrong thing, then as usual segfault in the rotation code.
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
----
- randr/rrcrtc.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
-index 2f76b62..40b01f0 100644
---- a/randr/rrcrtc.c
-+++ b/randr/rrcrtc.c
-@@ -474,7 +474,7 @@ rrCheckPixmapBounding(ScreenPtr pScreen,
- 
-     xorg_list_for_each_entry(slave, &pScreen->output_slave_list, output_head) {
-         rrScrPriv(slave);
--        for (c = 0; c < pScrPriv->numCrtcs; c++)
-+        for (c = 0; c < pScrPriv->numCrtcs; c++) {
-             if (pScrPriv->crtcs[c] == rr_crtc) {
-                 newbox.x1 = x;
-                 newbox.x2 = x + w;
-@@ -489,8 +489,9 @@ rrCheckPixmapBounding(ScreenPtr pScreen,
-                 newbox.y1 = pScrPriv->crtcs[c]->y;
-                 newbox.y2 = pScrPriv->crtcs[c]->y + pScrPriv->crtcs[c]->mode->mode.height;
-             }
--        RegionInit(&new_crtc_region, &newbox, 1);
--        RegionUnion(&total_region, &total_region, &new_crtc_region);
-+	    RegionInit(&new_crtc_region, &newbox, 1);
-+	    RegionUnion(&total_region, &total_region, &new_crtc_region);
-+	}
-     }
- 
-     newsize = RegionExtents(&total_region);
--- 
-1.8.2.1
-
diff --git a/SOURCES/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch b/SOURCES/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
deleted file mode 100644
index d6df2b3..0000000
--- a/SOURCES/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From a6eac4b0e8c615176ad43dccc353e667023e2d6e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 17 Jan 2014 18:54:03 -0800
-Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash
- Xserver [CVE-2014-8091]
-
-authdes_ezdecode() calls malloc() using a length provided by the
-connection handshake sent by a newly connected client in order
-to authenticate to the server, so should be treated as untrusted.
-
-It didn't check if malloc() failed before writing to the newly
-allocated buffer, so could lead to a server crash if the server
-fails to allocate memory (up to UINT16_MAX bytes, since the len
-field is a CARD16 in the X protocol).
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- os/rpcauth.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/os/rpcauth.c b/os/rpcauth.c
-index bd219ac..c5bf787 100644
---- a/os/rpcauth.c
-+++ b/os/rpcauth.c
-@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
-     SVCXPRT xprt;
- 
-     temp_inmsg = malloc(len);
-+    if (temp_inmsg == NULL) {
-+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
-+        return NULL;
-+    }
-     memmove(temp_inmsg, inmsg, len);
- 
-     memset((char *) &msg, 0, sizeof(msg));
--- 
-1.9.3
-
diff --git a/SOURCES/0001-xfree86-Add-modesetting-to-the-fallback-driver-list.patch b/SOURCES/0001-xfree86-Add-modesetting-to-the-fallback-driver-list.patch
deleted file mode 100644
index 01b9535..0000000
--- a/SOURCES/0001-xfree86-Add-modesetting-to-the-fallback-driver-list.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d144bd31ac1cb8d6af7346538c88853e4c26577d Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Wed, 13 Aug 2014 10:34:45 -0400
-Subject: [PATCH] xfree86: Add modesetting to the fallback driver list
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
----
- hw/xfree86/common/xf86Config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/xfree86/common/xf86Config.c b/hw/xfree86/common/xf86Config.c
-index b5efc02..79cef99 100644
---- a/hw/xfree86/common/xf86Config.c
-+++ b/hw/xfree86/common/xf86Config.c
-@@ -507,7 +507,7 @@ xf86InputDriverlistFromConfig(void)
- static void
- fixup_video_driver_list(char **drivers)
- {
--    static const char *fallback[4] = { "fbdev", "vesa", "wsfb", NULL };
-+    static const char *fallback[5] = { "wsfb", "vesa", "fbdev", "modesetting", NULL };
-     char **end, **drv;
-     char *x;
-     int i;
--- 
-2.1.0
-
diff --git a/SOURCES/0001-xinerama-Implement-graphics-exposures-for-window-pix.patch b/SOURCES/0001-xinerama-Implement-graphics-exposures-for-window-pix.patch
index 4eceb4a..54f0b1d 100644
--- a/SOURCES/0001-xinerama-Implement-graphics-exposures-for-window-pix.patch
+++ b/SOURCES/0001-xinerama-Implement-graphics-exposures-for-window-pix.patch
@@ -66,7 +66,7 @@ index 83a2e08..8e3120d 100644
  
          FOR_NSCREENS_BACKWARD(j) {
              stuff->gc = gc->info[j].id;
-@@ -1123,14 +1124,63 @@ PanoramiXCopyArea(ClientPtr client)
+@@ -1123,14 +1124,62 @@ PanoramiXCopyArea(ClientPtr client)
              }
  
              (*pGC->ops->PutImage) (pDst, pGC, pDst->depth, dstx, dsty,
@@ -127,8 +127,7 @@ index 83a2e08..8e3120d 100644
 +            RegionIntersect(&rgn, &rgn, pGC->pCompositeClip);
 +
 +            /* and expose */
-+            pGC->pScreen->SendGraphicsExpose(client, &rgn, dst->info[0].id,
-+                                             X_CopyArea, 0);
++            SendGraphicsExpose(client, &rgn, dst->info[0].id, X_CopyArea, 0);
 +            RegionUninit(&rgn);
 +        }
      }
diff --git a/SOURCES/0001-xkb-Check-strings-length-against-request-size.patch b/SOURCES/0001-xkb-Check-strings-length-against-request-size.patch
deleted file mode 100644
index 1a37143..0000000
--- a/SOURCES/0001-xkb-Check-strings-length-against-request-size.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From ab0fd32fb12b2153177dd101976c9dd23793b947 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 16 Jan 2015 08:44:45 +0100
-Subject: [PATCH] xkb: Check strings length against request size
-
-Ensure that the given strings length in an XkbSetGeometry request remain
-within the limits of the size of the request.
-
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 40 insertions(+), 25 deletions(-)
-
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index b9a3ac4..f3988f9 100644
---- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
- 
- /***====================================================================***/
- 
--static char *
--_GetCountedString(char **wire_inout, Bool swap)
-+static Status
-+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
- {
--    char *wire, *str;
-+    char *wire, *next;
-     CARD16 len;
- 
-     wire = *wire_inout;
-     len = *(CARD16 *) wire;
--    if (swap) {
-+    if (client->swapped) {
-         swaps(&len);
-     }
--    str = malloc(len + 1);
--    if (str) {
--        memcpy(str, &wire[2], len);
--        str[len] = '\0';
--    }
--    wire += XkbPaddedSize(len + 2);
--    *wire_inout = wire;
--    return str;
-+    next = wire + XkbPaddedSize(len + 2);
-+    /* Check we're still within the size of the request */
-+    if (client->req_len <
-+        bytes_to_int32(next - (char *) client->requestBuffer))
-+        return BadValue;
-+    *str = malloc(len + 1);
-+    if (!*str)
-+        return BadAlloc;
-+    memcpy(*str, &wire[2], len);
-+    *(*str + len) = '\0';
-+    *wire_inout = next;
-+    return Success;
- }
- 
- static Status
-@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
-     xkbAnyDoodadWireDesc any;
-     xkbTextDoodadWireDesc text;
-     XkbDoodadPtr doodad;
-+    Status status;
- 
-     dWire = (xkbDoodadWireDesc *) (*wire_inout);
-     any = dWire->any;
-@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
-         doodad->text.width = text.width;
-         doodad->text.height = text.height;
-         doodad->text.color_ndx = dWire->text.colorNdx;
--        doodad->text.text = _GetCountedString(&wire, client->swapped);
--        doodad->text.font = _GetCountedString(&wire, client->swapped);
-+        status = _GetCountedString(&wire, client, &doodad->text.text);
-+        if (status != Success)
-+            return status;
-+        status = _GetCountedString(&wire, client, &doodad->text.font);
-+        if (status != Success) {
-+            free (doodad->text.text);
-+            return status;
-+        }
-         break;
-     case XkbIndicatorDoodad:
-         if (dWire->indicator.onColorNdx >= geom->num_colors) {
-@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
-         }
-         doodad->logo.color_ndx = dWire->logo.colorNdx;
-         doodad->logo.shape_ndx = dWire->logo.shapeNdx;
--        doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
-+        status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
-+        if (status != Success)
-+            return status;
-         break;
-     default:
-         client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
-@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
-     char *wire;
- 
-     wire = (char *) &req[1];
--    geom->label_font = _GetCountedString(&wire, client->swapped);
-+    status = _GetCountedString(&wire, client, &geom->label_font);
-+    if (status != Success)
-+        return status;
- 
-     for (i = 0; i < req->nProperties; i++) {
-         char *name, *val;
- 
--        name = _GetCountedString(&wire, client->swapped);
--        if (!name)
--            return BadAlloc;
--        val = _GetCountedString(&wire, client->swapped);
--        if (!val) {
-+        status = _GetCountedString(&wire, client, &name);
-+        if (status != Success)
-+            return status;
-+        status = _GetCountedString(&wire, client, &val);
-+        if (status != Success) {
-             free(name);
--            return BadAlloc;
-+            return status;
-         }
-         if (XkbAddGeomProperty(geom, name, val) == NULL) {
-             free(name);
-@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
-     for (i = 0; i < req->nColors; i++) {
-         char *name;
- 
--        name = _GetCountedString(&wire, client->swapped);
--        if (!name)
--            return BadAlloc;
-+        status = _GetCountedString(&wire, client, &name);
-+        if (status != Success)
-+            return status;
-         if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
-             free(name);
-             return BadAlloc;
--- 
-2.1.0
-
diff --git a/SOURCES/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch b/SOURCES/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
deleted file mode 100644
index 7a65c6f..0000000
--- a/SOURCES/0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 56306e378787d1f04e159e2b3f99d2611bf51563 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 16 Jan 2015 20:08:59 +0100
-Subject: [PATCH] xkb: Don't swap XkbSetGeometry data in the input buffer
-
-The XkbSetGeometry request embeds data which needs to be swapped when the
-server and the client have different endianess.
-
-_XkbSetGeometry() invokes functions that swap these data directly in the
-input buffer.
-
-However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
-(if there is more than one keyboard), thus causing on swapped clients the
-same data to be swapped twice in memory, further causing a server crash
-because the strings lengths on the second time are way off bounds.
-
-To allow _XkbSetGeometry() to run reliably more than once with swapped
-clients, do not swap the data in the buffer, use variables instead.
-
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xkb/xkb.c | 35 +++++++++++++++++++----------------
- 1 file changed, 19 insertions(+), 16 deletions(-)
-
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 15c7f34..b9a3ac4 100644
---- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -4961,14 +4961,13 @@ static char *
- _GetCountedString(char **wire_inout, Bool swap)
- {
-     char *wire, *str;
--    CARD16 len, *plen;
-+    CARD16 len;
- 
-     wire = *wire_inout;
--    plen = (CARD16 *) wire;
-+    len = *(CARD16 *) wire;
-     if (swap) {
--        swaps(plen);
-+        swaps(&len);
-     }
--    len = *plen;
-     str = malloc(len + 1);
-     if (str) {
-         memcpy(str, &wire[2], len);
-@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
- {
-     char *wire;
-     xkbDoodadWireDesc *dWire;
-+    xkbAnyDoodadWireDesc any;
-+    xkbTextDoodadWireDesc text;
-     XkbDoodadPtr doodad;
- 
-     dWire = (xkbDoodadWireDesc *) (*wire_inout);
-+    any = dWire->any;
-     wire = (char *) &dWire[1];
-     if (client->swapped) {
--        swapl(&dWire->any.name);
--        swaps(&dWire->any.top);
--        swaps(&dWire->any.left);
--        swaps(&dWire->any.angle);
-+        swapl(&any.name);
-+        swaps(&any.top);
-+        swaps(&any.left);
-+        swaps(&any.angle);
-     }
-     CHK_ATOM_ONLY(dWire->any.name);
--    doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
-+    doodad = XkbAddGeomDoodad(geom, section, any.name);
-     if (!doodad)
-         return BadAlloc;
-     doodad->any.type = dWire->any.type;
-     doodad->any.priority = dWire->any.priority;
--    doodad->any.top = dWire->any.top;
--    doodad->any.left = dWire->any.left;
--    doodad->any.angle = dWire->any.angle;
-+    doodad->any.top = any.top;
-+    doodad->any.left = any.left;
-+    doodad->any.angle = any.angle;
-     switch (doodad->any.type) {
-     case XkbOutlineDoodad:
-     case XkbSolidDoodad:
-@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
-                                               dWire->text.colorNdx);
-             return BadMatch;
-         }
-+        text = dWire->text;
-         if (client->swapped) {
--            swaps(&dWire->text.width);
--            swaps(&dWire->text.height);
-+            swaps(&text.width);
-+            swaps(&text.height);
-         }
--        doodad->text.width = dWire->text.width;
--        doodad->text.height = dWire->text.height;
-+        doodad->text.width = text.width;
-+        doodad->text.height = text.height;
-         doodad->text.color_ndx = dWire->text.colorNdx;
-         doodad->text.text = _GetCountedString(&wire, client->swapped);
-         doodad->text.font = _GetCountedString(&wire, client->swapped);
--- 
-2.1.0
-
diff --git a/SOURCES/0001-xkb-factor-out-the-StateNotify-flag-check.patch b/SOURCES/0001-xkb-factor-out-the-StateNotify-flag-check.patch
deleted file mode 100644
index 23be5f4..0000000
--- a/SOURCES/0001-xkb-factor-out-the-StateNotify-flag-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 8826be58a43ba27f5c65b71535cd6985b5e7ca0d Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 26 Feb 2014 16:03:19 +1000
-Subject: [PATCH 1/4] xkb: factor out the StateNotify flag check
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Daniel Stone <daniel@fooishbar.org>
-(cherry picked from commit dda2468e579762dbd1fed2c75b5587d98f841e9c)
----
- xkb/xkbActions.c | 27 ++++++++++++++++++---------
- 1 file changed, 18 insertions(+), 9 deletions(-)
-
-diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
-index e32005c..26e1fa0 100644
---- a/xkb/xkbActions.c
-+++ b/xkb/xkbActions.c
-@@ -1127,6 +1127,22 @@ _XkbApplyFilters(XkbSrvInfoPtr xkbi, unsigned kc, XkbAction *pAction)
-     return send;
- }
- 
-+static int
-+_XkbEnsureStateChange(XkbSrvInfoPtr xkbi)
-+{
-+    Bool genStateNotify = FALSE;
-+
-+    /* The state may change, so if we're not in the middle of sending a state
-+     * notify, prepare for it */
-+    if ((xkbi->flags & _XkbStateNotifyInProgress) == 0) {
-+        xkbi->prev_state = xkbi->state;
-+        xkbi->flags |= _XkbStateNotifyInProgress;
-+        genStateNotify = TRUE;
-+    }
-+
-+    return genStateNotify;
-+}
-+
- void
- XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
- {
-@@ -1146,15 +1162,8 @@ XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
-     keyc = kbd->key;
-     xkbi = keyc->xkbInfo;
-     key = event->detail.key;
--    /* The state may change, so if we're not in the middle of sending a state
--     * notify, prepare for it */
--    if ((xkbi->flags & _XkbStateNotifyInProgress) == 0) {
--        xkbi->prev_state = xkbi->state;
--        xkbi->flags |= _XkbStateNotifyInProgress;
--        genStateNotify = TRUE;
--    }
--    else
--        genStateNotify = FALSE;
-+
-+    genStateNotify = _XkbEnsureStateChange(xkbi);
- 
-     xkbi->clearMods = xkbi->setMods = 0;
-     xkbi->groupChange = 0;
--- 
-1.9.3
-
diff --git a/SOURCES/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/SOURCES/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
deleted file mode 100644
index c03babe..0000000
--- a/SOURCES/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e36af2fb51fc170ff6ca2565b6bbe1ef772741d9 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 21:11:16 -0800
-Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092
- 1/4]
-
-ProcPutImage() calculates a length field from a width, left pad and depth
-specified by the client (if the specified format is XYPixmap).
-
-The calculations for the total amount of memory the server needs for the
-pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
-on 32-bit systems (since the length is stored in a long int variable).
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- dix/dispatch.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/dix/dispatch.c b/dix/dispatch.c
-index 8dcd9cb..94f262c 100644
---- a/dix/dispatch.c
-+++ b/dix/dispatch.c
-@@ -1957,6 +1957,9 @@ ProcPutImage(ClientPtr client)
-     tmpImage = (char *) &stuff[1];
-     lengthProto = length;
- 
-+    if (lengthProto >= (INT32_MAX / stuff->height))
-+        return BadLength;
-+
-     if ((bytes_to_int32(lengthProto * stuff->height) +
-          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
-         return BadLength;
--- 
-1.9.3
-
diff --git a/SOURCES/0002-dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch b/SOURCES/0002-dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch
deleted file mode 100644
index 4a9f35c..0000000
--- a/SOURCES/0002-dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From f863f15c7cb3af88975aab17a87746887f6d2a28 Mon Sep 17 00:00:00 2001
-From: Chris Wilson <chris@chris-wilson.co.uk>
-Date: Wed, 18 Jun 2014 11:14:43 +0100
-Subject: [PATCH 2/3] dri2: Use the PrimeScreen when creating/reusing buffers
-
-This fixes a segfault when we attempt to call ds->ReuseBufferNotify()
-passing a Prime DRI2BufferPtr to the master backend.
-
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80001
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-Reviewed-by: Dave Airlie <airlied@redhat.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- hw/xfree86/dri2/dri2.c | 16 ++++++----------
- 1 file changed, 6 insertions(+), 10 deletions(-)
-
-diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
-index a983aed..074ef08 100644
---- a/hw/xfree86/dri2/dri2.c
-+++ b/hw/xfree86/dri2/dri2.c
-@@ -415,18 +415,14 @@ DRI2DrawableGone(pointer p, XID id)
- }
- 
- static DRI2BufferPtr
--create_buffer(DrawablePtr pDraw,
-+create_buffer(DRI2ScreenPtr ds, DrawablePtr pDraw,
-               unsigned int attachment, unsigned int format)
- {
--    ScreenPtr primeScreen;
--    DRI2DrawablePtr pPriv;
--    DRI2ScreenPtr ds;
-     DRI2BufferPtr buffer;
--    pPriv = DRI2GetDrawable(pDraw);
--    primeScreen = GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
--    ds = DRI2GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
-     if (ds->CreateBuffer2)
--        buffer = (*ds->CreateBuffer2)(primeScreen, pDraw, attachment, format);
-+        buffer = (*ds->CreateBuffer2)(GetScreenPrime(pDraw->pScreen,
-+                                                     DRI2GetDrawable(pDraw)->prime_id),
-+                                      pDraw, attachment, format);
-     else
-         buffer = (*ds->CreateBuffer)(pDraw, attachment, format);
-     return buffer;
-@@ -475,7 +471,7 @@ allocate_or_reuse_buffer(DrawablePtr pDraw, DRI2ScreenPtr ds,
-     if ((old_buf < 0)
-         || attachment == DRI2BufferFrontLeft
-         || !dimensions_match || (pPriv->buffers[old_buf]->format != format)) {
--        *buffer = create_buffer (pDraw, attachment, format);
-+        *buffer = create_buffer(ds, pDraw, attachment, format);
-         return TRUE;
- 
-     }
-@@ -538,7 +534,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
-         return NULL;
-     }
- 
--    ds = DRI2GetScreen(pDraw->pScreen);
-+    ds = DRI2GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
- 
-     dimensions_match = (pDraw->width == pPriv->width)
-         && (pDraw->height == pPriv->height);
--- 
-1.9.3
-
diff --git a/SOURCES/0002-mi-Build-fix-mieqProcessDeviceEvent-returns-void.patch b/SOURCES/0002-mi-Build-fix-mieqProcessDeviceEvent-returns-void.patch
deleted file mode 100644
index 885afdf..0000000
--- a/SOURCES/0002-mi-Build-fix-mieqProcessDeviceEvent-returns-void.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0cf6a389dac4b15a832cd33a341b2dfeedcedff0 Mon Sep 17 00:00:00 2001
-From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Date: Thu, 5 Jun 2014 20:38:44 -0700
-Subject: [PATCH 2/3] mi: Build fix: mieqProcessDeviceEvent returns void
-
-mieq.c:520:9: error: void function 'mieqProcessDeviceEvent' should not return a value [-Wreturn-type,Semantic Issue]
-        return 0;
-        ^      ~
-1 error generated.
-
-Regression-from: 9fb08310b51b46736f3ca8dbc04efdf502420403
-Found-by: Tinderbox
-
-Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-(cherry picked from commit e27a839bf0488d5b1cc2e2a887f2ea0e3d790790)
----
- mi/mieq.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mi/mieq.c b/mi/mieq.c
-index 188a0b0..a321983 100644
---- a/mi/mieq.c
-+++ b/mi/mieq.c
-@@ -517,7 +517,7 @@ mieqProcessDeviceEvent(DeviceIntPtr dev, InternalEvent *event, ScreenPtr screen)
- 
-     /* refuse events from disabled devices */
-     if (!dev->enabled)
--        return 0;
-+        return;
- 
-     /* Custom event handler */
-     handler = miEventQueue.handlers[event->any.type];
--- 
-1.9.3
-
diff --git a/SOURCES/0002-modesetting-Use-load_cursor_argb_check-for-sw-cursor.patch b/SOURCES/0002-modesetting-Use-load_cursor_argb_check-for-sw-cursor.patch
new file mode 100644
index 0000000..0f87f11
--- /dev/null
+++ b/SOURCES/0002-modesetting-Use-load_cursor_argb_check-for-sw-cursor.patch
@@ -0,0 +1,83 @@
+From 69e95d106533be1bea74e3874cf6eb0fdb0f3f12 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 16 Feb 2015 17:00:54 +0100
+Subject: [PATCH 2/5] modesetting: Use load_cursor_argb_check for sw cursor
+ fallback
+
+The modesetting driver still has an everlasting bug of invisible
+cursor on cirrus and other KMS drivers where no hardware cursor is
+supported.  This patch is a part of an attempt to address it.
+
+This patch particularly converts the current load_cursor_argb callback
+of modesetting driver to load_cursor_argb_check so that it can return
+whether the driver handles the hw cursor or falls back to the sw
+cursor.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
+---
+ hw/xfree86/drivers/modesetting/drmmode_display.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
+index 04cb17a..baeef46 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
+@@ -452,7 +452,7 @@ drmmode_set_cursor_position(xf86CrtcPtr crtc, int x, int y)
+     drmModeMoveCursor(drmmode->fd, drmmode_crtc->mode_crtc->crtc_id, x, y);
+ }
+ 
+-static void
++static Bool
+ drmmode_set_cursor(xf86CrtcPtr crtc)
+ {
+     drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+@@ -471,7 +471,7 @@ drmmode_set_cursor(xf86CrtcPtr crtc)
+                               handle, ms->cursor_width, ms->cursor_height,
+                               cursor->bits->xhot, cursor->bits->yhot);
+         if (!ret)
+-            return;
++            return TRUE;
+ 
+         use_set_cursor2 = FALSE;
+     }
+@@ -486,11 +486,15 @@ drmmode_set_cursor(xf86CrtcPtr crtc)
+         cursor_info->MaxWidth = cursor_info->MaxHeight = 0;
+         drmmode_crtc->drmmode->sw_cursor = TRUE;
+         /* fallback to swcursor */
++        return FALSE;
+     }
++    return TRUE;
+ }
+ 
+-static void
+-drmmode_load_cursor_argb(xf86CrtcPtr crtc, CARD32 *image)
++static void drmmode_hide_cursor(xf86CrtcPtr crtc);
++
++static Bool
++drmmode_load_cursor_argb_check(xf86CrtcPtr crtc, CARD32 *image)
+ {
+     modesettingPtr ms = modesettingPTR(crtc->scrn);
+     drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+@@ -504,7 +508,8 @@ drmmode_load_cursor_argb(xf86CrtcPtr crtc, CARD32 *image)
+         ptr[i] = image[i];      // cpu_to_le32(image[i]);
+ 
+     if (drmmode_crtc->cursor_up)
+-        drmmode_set_cursor(crtc);
++        return drmmode_set_cursor(crtc);
++    return TRUE;
+ }
+ 
+ static void
+@@ -767,7 +772,7 @@ static const xf86CrtcFuncsRec drmmode_crtc_funcs = {
+     .set_cursor_position = drmmode_set_cursor_position,
+     .show_cursor = drmmode_show_cursor,
+     .hide_cursor = drmmode_hide_cursor,
+-    .load_cursor_argb = drmmode_load_cursor_argb,
++    .load_cursor_argb_check = drmmode_load_cursor_argb_check,
+ 
+     .gamma_set = drmmode_crtc_gamma_set,
+     .destroy = NULL,            /* XXX */
+-- 
+2.4.3
+
diff --git a/SOURCES/0002-xkb-factor-out-state-update-into-a-function.patch b/SOURCES/0002-xkb-factor-out-state-update-into-a-function.patch
deleted file mode 100644
index 1ffdfb7..0000000
--- a/SOURCES/0002-xkb-factor-out-state-update-into-a-function.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 9afd9b0a614a43800dabbe08eee3f82fb486c20f Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 26 Feb 2014 16:16:10 +1000
-Subject: [PATCH 2/4] xkb: factor out state update into a function
-
-No functional changes
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Daniel Stone <daniel@fooishbar.org>
-(cherry picked from commit 656841798c99bcd79da47c03ec666a48b855541f)
----
- xkb/xkbActions.c | 55 ++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 32 insertions(+), 23 deletions(-)
-
-diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
-index 26e1fa0..2534c70 100644
---- a/xkb/xkbActions.c
-+++ b/xkb/xkbActions.c
-@@ -1143,13 +1143,43 @@ _XkbEnsureStateChange(XkbSrvInfoPtr xkbi)
-     return genStateNotify;
- }
- 
-+static void
-+_XkbApplyState(DeviceIntPtr dev, Bool genStateNotify, int evtype, int key)
-+{
-+    XkbSrvInfoPtr xkbi = dev->key->xkbInfo;
-+    int changed;
-+
-+    XkbComputeDerivedState(xkbi);
-+
-+    changed = XkbStateChangedFlags(&xkbi->prev_state, &xkbi->state);
-+    if (genStateNotify) {
-+        if (changed) {
-+            xkbStateNotify sn;
-+
-+            sn.keycode = key;
-+            sn.eventType = evtype;
-+            sn.requestMajor = sn.requestMinor = 0;
-+            sn.changed = changed;
-+            XkbSendStateNotify(dev, &sn);
-+        }
-+        xkbi->flags &= ~_XkbStateNotifyInProgress;
-+    }
-+
-+    changed = XkbIndicatorsToUpdate(dev, changed, FALSE);
-+    if (changed) {
-+        XkbEventCauseRec cause;
-+        XkbSetCauseKey(&cause, key, evtype);
-+        XkbUpdateIndicators(dev, changed, FALSE, NULL, &cause);
-+    }
-+}
-+
- void
- XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
- {
-     int key, bit, i;
-     XkbSrvInfoPtr xkbi;
-     KeyClassPtr keyc;
--    int changed, sendEvent;
-+    int sendEvent;
-     Bool genStateNotify;
-     XkbAction act;
-     XkbFilterPtr filter;
-@@ -1296,28 +1326,7 @@ XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
-         FixKeyState(event, dev);
-     }
- 
--    XkbComputeDerivedState(xkbi);
--    changed = XkbStateChangedFlags(&xkbi->prev_state, &xkbi->state);
--    if (genStateNotify) {
--        if (changed) {
--            xkbStateNotify sn;
--
--            sn.keycode = key;
--            sn.eventType = event->type;
--            sn.requestMajor = sn.requestMinor = 0;
--            sn.changed = changed;
--            XkbSendStateNotify(dev, &sn);
--        }
--        xkbi->flags &= ~_XkbStateNotifyInProgress;
--    }
--    changed = XkbIndicatorsToUpdate(dev, changed, FALSE);
--    if (changed) {
--        XkbEventCauseRec cause;
--
--        XkbSetCauseKey(&cause, key, event->type);
--        XkbUpdateIndicators(dev, changed, FALSE, NULL, &cause);
--    }
--    return;
-+    _XkbApplyState(dev, genStateNotify, event->type, key);
- }
- 
- int
--- 
-1.9.3
-
diff --git a/SOURCES/0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch b/SOURCES/0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
deleted file mode 100644
index 2f3a9e1..0000000
--- a/SOURCES/0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 014672abf617b4d0585640cdd56ce11cfb51800a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 6 Jan 2014 23:30:14 -0800
-Subject: [PATCH 03/33] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
-
-GetHosts() iterates over all the hosts it has in memory, and copies
-them to a buffer. The buffer length is calculated by iterating over
-all the hosts and adding up all of their combined length. There is a
-potential integer overflow, if there are lots and lots of hosts (with
-a combined length of > ~4 gig). This should be possible by repeatedly
-calling ProcChangeHosts() on 64bit machines with enough memory.
-
-This patch caps the list at 1mb, because multi-megabyte hostname
-lists for X access control are insane.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- os/access.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/os/access.c b/os/access.c
-index 6d991b3..dc12348 100644
---- a/os/access.c
-+++ b/os/access.c
-@@ -1323,6 +1323,10 @@ GetHosts(pointer *data, int *pnHosts, int *pLen, BOOL * pEnabled)
-     for (host = validhosts; host; host = host->next) {
-         nHosts++;
-         n += pad_to_int32(host->len) + sizeof(xHostEntry);
-+        /* Could check for INT_MAX, but in reality having more than 1mb of
-+           hostnames in the access list is ridiculous */
-+        if (n >= 1048576)
-+            break;
-     }
-     if (n) {
-         *data = ptr = malloc(n);
-@@ -1331,6 +1335,8 @@ GetHosts(pointer *data, int *pnHosts, int *pLen, BOOL * pEnabled)
-         }
-         for (host = validhosts; host; host = host->next) {
-             len = host->len;
-+            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
-+                break;
-             ((xHostEntry *) ptr)->family = host->family;
-             ((xHostEntry *) ptr)->length = len;
-             ptr += sizeof(xHostEntry);
--- 
-1.9.3
-
diff --git a/SOURCES/0003-dri2-Invalidate-DRI2Buffers-upon-SetWindowPixmap-upd.patch b/SOURCES/0003-dri2-Invalidate-DRI2Buffers-upon-SetWindowPixmap-upd.patch
deleted file mode 100644
index 05076a1..0000000
--- a/SOURCES/0003-dri2-Invalidate-DRI2Buffers-upon-SetWindowPixmap-upd.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From d789f561b787719b67fd245c33187e48ad792795 Mon Sep 17 00:00:00 2001
-From: Chris Wilson <chris@chris-wilson.co.uk>
-Date: Tue, 10 Jun 2014 07:45:05 +0100
-Subject: [PATCH 3/3] dri2: Invalidate DRI2Buffers upon SetWindowPixmap updates
-
-When transitioning to a redirected or unredirected Window, the Composite
-layer modifies the Window's Pixmap. However, the DRI2Buffer for the
-Drawable is still pointing to the backing bo of the old Pixmap with the
-result that rendering goes astray.
-
-This now also effects DRI2 Drawables that are touched by PresentPixmap.
-
-v2: Fixup the function name after rebasing
-
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-Cc: Reinis Danne <reinis.danne@gmail.com>
-Reviewed-by: Dave Airlie <airlied@redhat.com>
-Cc: Keith Packard <keithp@keithp.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
----
- hw/xfree86/dri2/dri2.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
-index 074ef08..38a83cd 100644
---- a/hw/xfree86/dri2/dri2.c
-+++ b/hw/xfree86/dri2/dri2.c
-@@ -130,6 +130,7 @@ typedef struct _DRI2Screen {
-     HandleExposuresProcPtr HandleExposures;
- 
-     ConfigNotifyProcPtr ConfigNotify;
-+    SetWindowPixmapProcPtr SetWindowPixmap;
-     DRI2CreateBuffer2ProcPtr CreateBuffer2;
-     DRI2DestroyBuffer2ProcPtr DestroyBuffer2;
-     DRI2CopyRegion2ProcPtr CopyRegion2;
-@@ -1379,6 +1380,21 @@ DRI2ConfigNotify(WindowPtr pWin, int x, int y, int w, int h, int bw,
-     return Success;
- }
- 
-+static void
-+DRI2SetWindowPixmap(WindowPtr pWin, PixmapPtr pPix)
-+{
-+    DrawablePtr pDraw = (DrawablePtr) pWin;
-+    ScreenPtr pScreen = pDraw->pScreen;
-+    DRI2ScreenPtr ds = DRI2GetScreen(pScreen);
-+
-+    pScreen->SetWindowPixmap = ds->SetWindowPixmap;
-+    (*pScreen->SetWindowPixmap) (pWin, pPix);
-+    ds->SetWindowPixmap = pScreen->SetWindowPixmap;
-+    pScreen->SetWindowPixmap = DRI2SetWindowPixmap;
-+
-+    DRI2InvalidateDrawableAll(pDraw);
-+}
-+
- #define MAX_PRIME DRI2DriverPrimeMask
- static int
- get_prime_id(void)
-@@ -1525,6 +1541,9 @@ DRI2ScreenInit(ScreenPtr pScreen, DRI2InfoPtr info)
-     ds->ConfigNotify = pScreen->ConfigNotify;
-     pScreen->ConfigNotify = DRI2ConfigNotify;
- 
-+    ds->SetWindowPixmap = pScreen->SetWindowPixmap;
-+    pScreen->SetWindowPixmap = DRI2SetWindowPixmap;
-+
-     xf86DrvMsg(pScreen->myNum, X_INFO, "[DRI2] Setup complete\n");
-     for (i = 0; i < sizeof(driverTypeNames) / sizeof(driverTypeNames[0]); i++) {
-         if (i < ds->numDrivers && ds->driverNames[i]) {
-@@ -1549,6 +1568,7 @@ DRI2CloseScreen(ScreenPtr pScreen)
-     DRI2ScreenPtr ds = DRI2GetScreen(pScreen);
- 
-     pScreen->ConfigNotify = ds->ConfigNotify;
-+    pScreen->SetWindowPixmap = ds->SetWindowPixmap;
- 
-     if (ds->prime_id)
-         prime_id_allocate_bitmask &= ~(1 << ds->prime_id);
--- 
-1.9.3
-
diff --git a/SOURCES/0003-mieq-Fix-a-crash-regression-in-mieqProcessDeviceEven.patch b/SOURCES/0003-mieq-Fix-a-crash-regression-in-mieqProcessDeviceEven.patch
deleted file mode 100644
index 0c238e6..0000000
--- a/SOURCES/0003-mieq-Fix-a-crash-regression-in-mieqProcessDeviceEven.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 6acabbb322bdbfaf32b1bd7467081def7cb45e2e Mon Sep 17 00:00:00 2001
-From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Date: Sat, 19 Jul 2014 17:08:09 -0700
-Subject: [PATCH 3/3] mieq: Fix a crash regression in mieqProcessDeviceEvent
-
-(lldb) bt
-* thread #6: tid = 0x92d4eb, 0x00000001001dee94 X11.bin`mieqProcessDeviceEvent(dev=0x0000000000000000, event=0x0000000100298bb0,
-screen=0x0000000000000000) + 36 at mieq.c:519, stop reason = EXC_BAD_ACCESS (code=1, address=0x44)
-  * frame #0: 0x00000001001dee94 X11.bin`mieqProcessDeviceEvent(dev=0x0000000000000000, event=0x0000000100298bb0, screen=0x0000000000000000) + 36 at
-mieq.c:519
-    frame #1: 0x00000001001df3eb X11.bin`mieqProcessInputEvents + 555 at mieq.c:631
-    frame #2: 0x0000000100017674 X11.bin`ProcessInputEvents + 20 at darwinEvents.c:422
-    frame #3: 0x0000000100175eaa X11.bin`Dispatch + 154 at dispatch.c:357
-    frame #4: 0x0000000100181b4a X11.bin`dix_main(argc=4, argv=0x00007fff5fbff750, envp=0x00007fff5fbff650) + 1594 at main.c:296
-    frame #5: 0x000000010001ba80 X11.bin`server_thread(arg=0x0000000101208220) + 64 at quartzStartup.c:66
-    frame #6: 0x00007fff89bb9899 libsystem_pthread.dylib`_pthread_body + 138
-    frame #7: 0x00007fff89bb972a libsystem_pthread.dylib`_pthread_start + 137
-    frame #8: 0x00007fff89bbdfc9 libsystem_pthread.dylib`thread_start + 13
-
-Regression from: 9fb08310b51b46736f3ca8dbc04efdf502420403
-
-Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-(cherry picked from commit 1faa76670572e3478965fd2cd9ab60ab2d865e3a)
----
- mi/mieq.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mi/mieq.c b/mi/mieq.c
-index a321983..6a8dd57 100644
---- a/mi/mieq.c
-+++ b/mi/mieq.c
-@@ -516,7 +516,7 @@ mieqProcessDeviceEvent(DeviceIntPtr dev, InternalEvent *event, ScreenPtr screen)
-     verify_internal_event(event);
- 
-     /* refuse events from disabled devices */
--    if (!dev->enabled)
-+    if (dev && !dev->enabled)
-         return;
- 
-     /* Custom event handler */
--- 
-1.9.3
-
diff --git a/SOURCES/0003-modesetting-Fix-hw-cursor-check-at-the-first-call.patch b/SOURCES/0003-modesetting-Fix-hw-cursor-check-at-the-first-call.patch
new file mode 100644
index 0000000..d18d394
--- /dev/null
+++ b/SOURCES/0003-modesetting-Fix-hw-cursor-check-at-the-first-call.patch
@@ -0,0 +1,71 @@
+From b0bfd0cf08c29bf07e22f88b437ca6dfcd8d1af5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 16 Feb 2015 17:00:55 +0100
+Subject: [PATCH 3/5] modesetting: Fix hw cursor check at the first call
+
+With the previous patch, the modesetting driver can now return whether
+the driver supports hw cursor.  However, it alone doesn't suffice,
+unfortunately. drmmode_load_cursor_argb_check() is called in the
+following chain:
+
+  xf86CursorSetCursor()
+    -> xf86SetCursor()
+       -> xf86DriverLoadCursorARGB()
+         -> xf86_load_cursor_argb()
+           -> xf86_crtc_load_cursor_argb()
+             -> drmmode_load_cursor_argb_check()
+
+*but* at first with drmmode_crtc->cursor_up = FALSE.  Then the
+function doesn't actually set the cursor but returns TRUE
+unconditionally.  The actual call of drmmode_set_cursor() is done at
+first via the show_cursor callback, and there is no check of sw cursor
+fallback any longer at this place. Since it's called only once per
+cursor setup, so the xserver still thinks as if the hw cursor is
+supported.
+
+This patch is an ad hoc fix to correct the behavior somehow: it does
+call drmmode_set_cursor() at the very first time even if cursor_up is
+FALSE, then quickly hides again.  In that way, whether the hw cursor
+is supported is evaluated in the right place at the right time.
+
+Of course, it might be more elegant if we have a more proper mechanism
+to fall back to sw cursor at any call path.  But it'd need more
+rework, so I leave this workaround as is for now.
+
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ hw/xfree86/drivers/modesetting/drmmode_display.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
+index baeef46..022b9e6 100644
+--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
++++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
+@@ -500,6 +500,7 @@ drmmode_load_cursor_argb_check(xf86CrtcPtr crtc, CARD32 *image)
+     drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+     int i;
+     uint32_t *ptr;
++    static Bool first_time = TRUE;
+ 
+     /* cursor should be mapped already */
+     ptr = (uint32_t *) (drmmode_crtc->cursor_bo->ptr);
+@@ -507,8 +508,13 @@ drmmode_load_cursor_argb_check(xf86CrtcPtr crtc, CARD32 *image)
+     for (i = 0; i < ms->cursor_width * ms->cursor_height; i++)
+         ptr[i] = image[i];      // cpu_to_le32(image[i]);
+ 
+-    if (drmmode_crtc->cursor_up)
+-        return drmmode_set_cursor(crtc);
++    if (drmmode_crtc->cursor_up || first_time) {
++        Bool ret = drmmode_set_cursor(crtc);
++        if (!drmmode_crtc->cursor_up)
++	    drmmode_hide_cursor(crtc);
++        first_time = FALSE;
++        return ret;
++    }
+     return TRUE;
+ }
+ 
+-- 
+2.4.3
+
diff --git a/SOURCES/0003-xkb-push-locked-modifier-state-down-to-attached-slav.patch b/SOURCES/0003-xkb-push-locked-modifier-state-down-to-attached-slav.patch
deleted file mode 100644
index c54d477..0000000
--- a/SOURCES/0003-xkb-push-locked-modifier-state-down-to-attached-slav.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From f326e7db9c644e2b7bba0939b5bdd5637b8dbc01 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 26 Feb 2014 16:20:08 +1000
-Subject: [PATCH 3/4] xkb: push locked modifier state down to attached slave
- devices
-
-Whenever the master changes, push the locked modifier state to the attached
-slave devices, then update the indicators. This way, when NumLock or CapsLock
-are hit on any device, the LED will light up on all devices. Likewise, a new
-keyboard attached to a master device will light up with the correct
-indicators.
-
-The indicators are handled per-keyboard, depending on the layout, i.e. if one
-keyboard has grp_led:num set, the NumLock LED won't light up on that keyboard.
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Daniel Stone <daniel@fooishbar.org>
-(cherry picked from commit 45fb3a934dc0db51584aba37c2f9d73deff9191d)
----
- dix/devices.c    |  3 +++
- include/xkbsrv.h |  4 ++++
- xkb/xkbActions.c | 20 ++++++++++++++++++++
- 3 files changed, 27 insertions(+)
-
-diff --git a/dix/devices.c b/dix/devices.c
-index a680ed8..4692251 100644
---- a/dix/devices.c
-+++ b/dix/devices.c
-@@ -416,6 +416,8 @@ EnableDevice(DeviceIntPtr dev, BOOL sendevent)
-         XISendDeviceHierarchyEvent(flags);
-     }
- 
-+    if (!IsMaster(dev))
-+        XkbPushLockedStateToSlaves(GetMaster(dev, MASTER_KEYBOARD), 0, 0);
-     RecalculateMasterButtons(dev);
- 
-     /* initialise an idle timer for this device*/
-@@ -2648,6 +2650,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
-         dev->spriteInfo->paired = master;
-         dev->spriteInfo->spriteOwner = FALSE;
- 
-+        XkbPushLockedStateToSlaves(GetMaster(dev, MASTER_KEYBOARD), 0, 0);
-         RecalculateMasterButtons(master);
-     }
- 
-diff --git a/include/xkbsrv.h b/include/xkbsrv.h
-index d5a4eb6..f23f786 100644
---- a/include/xkbsrv.h
-+++ b/include/xkbsrv.h
-@@ -638,6 +638,10 @@ extern _X_EXPORT void XkbHandleActions(DeviceIntPtr /* dev */ ,
-                                        DeviceEvent *    /* event */
-     );
- 
-+extern void XkbPushLockedStateToSlaves(DeviceIntPtr /* master */,
-+                                       int /* evtype */,
-+                                       int /* key */);
-+
- extern _X_EXPORT Bool XkbEnableDisableControls(XkbSrvInfoPtr /* xkbi */ ,
-                                                unsigned long /* change */ ,
-                                                unsigned long /* newValues */ ,
-diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
-index 2534c70..ba7368b 100644
---- a/xkb/xkbActions.c
-+++ b/xkb/xkbActions.c
-@@ -1174,6 +1174,25 @@ _XkbApplyState(DeviceIntPtr dev, Bool genStateNotify, int evtype, int key)
- }
- 
- void
-+XkbPushLockedStateToSlaves(DeviceIntPtr master, int evtype, int key)
-+{
-+    DeviceIntPtr dev;
-+    Bool genStateNotify;
-+
-+    nt_list_for_each_entry(dev, inputInfo.devices, next) {
-+        if (!dev->key || GetMaster(dev, MASTER_KEYBOARD) != master)
-+            continue;
-+
-+        genStateNotify = _XkbEnsureStateChange(dev->key->xkbInfo);
-+
-+        dev->key->xkbInfo->state.locked_mods =
-+            master->key->xkbInfo->state.locked_mods;
-+
-+        _XkbApplyState(dev, genStateNotify, evtype, key);
-+    }
-+}
-+
-+void
- XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
- {
-     int key, bit, i;
-@@ -1327,6 +1346,7 @@ XkbHandleActions(DeviceIntPtr dev, DeviceIntPtr kbd, DeviceEvent *event)
-     }
- 
-     _XkbApplyState(dev, genStateNotify, event->type, key);
-+    XkbPushLockedStateToSlaves(dev, event->type, key);
- }
- 
- int
--- 
-1.9.3
-
diff --git a/SOURCES/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch b/SOURCES/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
deleted file mode 100644
index 197c1f4..0000000
--- a/SOURCES/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From eb6ed19fb89996cf630259ba474c186d35993799 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 22:37:15 -0800
-Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092
- 3/4]
-
-RegionSizeof contains several integer overflows if a large length
-value is passed in.  Once we fix it to return 0 on overflow, we
-also have to fix the callers to handle this error condition
-
-v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- dix/region.c        | 20 +++++++++++++-------
- include/regionstr.h | 10 +++++++---
- 2 files changed, 20 insertions(+), 10 deletions(-)
-
-diff --git a/dix/region.c b/dix/region.c
-index 15f3d01..e5eed01 100644
---- a/dix/region.c
-+++ b/dix/region.c
-@@ -169,7 +169,6 @@ Equipment Corporation.
-         ((r1)->y1 <= (r2)->y1) && \
-         ((r1)->y2 >= (r2)->y2) )
- 
--#define xallocData(n) malloc(RegionSizeof(n))
- #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
- 
- #define RECTALLOC_BAIL(pReg,n,bail) \
-@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
- #define DOWNSIZE(reg,numRects)						 \
- if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
- {									 \
--    RegDataPtr NewData;							 \
--    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
-+    size_t NewSize = RegionSizeof(numRects);				 \
-+    RegDataPtr NewData =						 \
-+        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
-     if (NewData)							 \
-     {									 \
- 	NewData->size = (numRects);					 \
-@@ -345,17 +345,20 @@ Bool
- RegionRectAlloc(RegionPtr pRgn, int n)
- {
-     RegDataPtr data;
-+    size_t rgnSize;
- 
-     if (!pRgn->data) {
-         n++;
--        pRgn->data = xallocData(n);
-+        rgnSize = RegionSizeof(n);
-+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-         if (!pRgn->data)
-             return RegionBreak(pRgn);
-         pRgn->data->numRects = 1;
-         *RegionBoxptr(pRgn) = pRgn->extents;
-     }
-     else if (!pRgn->data->size) {
--        pRgn->data = xallocData(n);
-+        rgnSize = RegionSizeof(n);
-+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-         if (!pRgn->data)
-             return RegionBreak(pRgn);
-         pRgn->data->numRects = 0;
-@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
-                 n = 250;
-         }
-         n += pRgn->data->numRects;
--        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
-+        rgnSize = RegionSizeof(n);
-+        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
-         if (!data)
-             return RegionBreak(pRgn);
-         pRgn->data = data;
-@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
- {
- 
-     RegionPtr pRgn;
-+    size_t rgnSize;
-     RegDataPtr pData;
-     BoxPtr pBox;
-     int i;
-@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
-         }
-         return pRgn;
-     }
--    pData = xallocData(nrects);
-+    rgnSize = RegionSizeof(nrects);
-+    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-     if (!pData) {
-         RegionBreak(pRgn);
-         return pRgn;
-diff --git a/include/regionstr.h b/include/regionstr.h
-index 4a0725d..33df87f 100644
---- a/include/regionstr.h
-+++ b/include/regionstr.h
-@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
- static inline size_t
- RegionSizeof(int n)
- {
--    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
-+        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+    else
-+        return 0;
- }
- 
- static inline void
-@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
-         (_pReg)->data = (RegDataPtr) NULL;
-     }
-     else {
-+        size_t rgnSize;
-         (_pReg)->extents = RegionEmptyBox;
--        if (((_size) > 1) && ((_pReg)->data =
--                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
-+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
-+            (((_pReg)->data = (RegDataPtr) malloc(rgnSize)) != NULL)) {
-             (_pReg)->data->size = (_size);
-             (_pReg)->data->numRects = 0;
-         }
--- 
-1.9.3
-
diff --git a/SOURCES/0004-xkb-ignore-floating-slave-devices-when-updating-from.patch b/SOURCES/0004-xkb-ignore-floating-slave-devices-when-updating-from.patch
deleted file mode 100644
index 0a16540..0000000
--- a/SOURCES/0004-xkb-ignore-floating-slave-devices-when-updating-from.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 70999994284ea2d1392a45dfa28fcbc99fd65818 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Mon, 4 Aug 2014 10:07:41 +1000
-Subject: [PATCH 4/4] xkb: ignore floating slave devices when updating from
- master (#81885)
-
-Introduced in 45fb3a934dc0db51584aba37c2f9d73deff9191d. When a device is
-enabled, the master's locked state is pushed to the slave. If the device is
-floating, no master exists and we triggered a NULL-pointer dereference
-in XkbPushLockedStateToSlaves.
-
-X.Org Bug 81885 <http://bugs.freedesktop.org/show_bug.cgi?id=81885>
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- dix/devices.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dix/devices.c b/dix/devices.c
-index 4692251..b389c7c 100644
---- a/dix/devices.c
-+++ b/dix/devices.c
-@@ -416,7 +416,7 @@ EnableDevice(DeviceIntPtr dev, BOOL sendevent)
-         XISendDeviceHierarchyEvent(flags);
-     }
- 
--    if (!IsMaster(dev))
-+    if (!IsMaster(dev) && !IsFloating(dev))
-         XkbPushLockedStateToSlaves(GetMaster(dev, MASTER_KEYBOARD), 0, 0);
-     RecalculateMasterButtons(dev);
- 
--- 
-1.9.3
-
diff --git a/SOURCES/0005-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch b/SOURCES/0005-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
deleted file mode 100644
index 7142e87..0000000
--- a/SOURCES/0005-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0e80157d06ab07ac4535448f84eec94c52716bb4 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:44:46 -0800
-Subject: [PATCH 05/33] dix: integer overflow in REQUEST_FIXED_SIZE()
- [CVE-2014-8092 4/4]
-
-Force use of 64-bit integers when evaluating data provided by clients
-in 32-bit fields which can overflow when added or multiplied during
-checks.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- include/dix.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/include/dix.h b/include/dix.h
-index fa7ccd4..7c36932 100644
---- a/include/dix.h
-+++ b/include/dix.h
-@@ -76,7 +76,8 @@ SOFTWARE.
- 
- #define REQUEST_FIXED_SIZE(req, n)\
-     if (((sizeof(req) >> 2) > client->req_len) || \
--        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
-+        ((n >> 2) >= client->req_len) || \
-+        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
-          return(BadLength)
- 
- #define LEGAL_NEW_RESOURCE(id,client)\
--- 
-1.9.3
-
diff --git a/SOURCES/0006-dri2-integer-overflow-in-ProcDRI2GetBuffers-CVE-2014.patch b/SOURCES/0006-dri2-integer-overflow-in-ProcDRI2GetBuffers-CVE-2014.patch
deleted file mode 100644
index 570a0bc..0000000
--- a/SOURCES/0006-dri2-integer-overflow-in-ProcDRI2GetBuffers-CVE-2014.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 7cadf50d0b2f036ddaf9d4d93405fd68bbe53f2a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:40:18 -0800
-Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers()
- [CVE-2014-8094]
-
-ProcDRI2GetBuffers() tries to validate a length field (count).
-There is an integer overflow in the validation. This can cause
-out of bound reads and memory corruption later on.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- hw/xfree86/dri2/dri2ext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
-index b858213..b70624e 100644
---- a/hw/xfree86/dri2/dri2ext.c
-+++ b/hw/xfree86/dri2/dri2ext.c
-@@ -281,6 +281,9 @@ ProcDRI2GetBuffers(ClientPtr client)
-     unsigned int *attachments;
- 
-     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
-+    if (stuff->count > (INT_MAX / 4))
-+        return BadLength;
-+
-     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
-                        &pDrawable, &status))
-         return status;
--- 
-1.9.3
-
diff --git a/SOURCES/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/SOURCES/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
deleted file mode 100644
index 2762085..0000000
--- a/SOURCES/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 5c37a8a720a39c881fe8e5ee59de1e570f9ce01d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:12:04 -0800
-Subject: [PATCH 07/33] dbe: unvalidated lengths in DbeSwapBuffers calls
- [CVE-2014-8097]
-
-ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
-from a buffer. The length is never validated, which can lead to out of
-bound reads, and possibly returning the data read from out of bounds to
-the misbehaving client via an X Error packet.
-
-SProcDbeSwapBuffers() swaps data (for correct endianness) before
-handing it off to the real proc.  While doing the swapping, the
-length field is not validated, which can cause memory corruption.
-
-v2: reorder checks to avoid compilers optimizing out checks for overflow
-that happen after we'd already have done the overflowing multiplications.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- dbe/dbe.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/dbe/dbe.c b/dbe/dbe.c
-index 5524615..79eefeb 100644
---- a/dbe/dbe.c
-+++ b/dbe/dbe.c
-@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
-     DbeSwapInfoPtr swapInfo;
-     xDbeSwapInfo *dbeSwapInfo;
-     int error;
--    register int i, j;
--    int nStuff;
-+    unsigned int i, j;
-+    unsigned int nStuff;
- 
-     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
-     nStuff = stuff->n;          /* use local variable for performance. */
- 
-     if (nStuff == 0) {
-+        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
-         return Success;
-     }
- 
-     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
-         return BadAlloc;
-+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
- 
-     /* Get to the swap info appended to the end of the request. */
-     dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
-@@ -914,13 +916,16 @@ static int
- SProcDbeSwapBuffers(ClientPtr client)
- {
-     REQUEST(xDbeSwapBuffersReq);
--    register int i;
-+    unsigned int i;
-     xDbeSwapInfo *pSwapInfo;
- 
-     swaps(&stuff->length);
-     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
- 
-     swapl(&stuff->n);
-+    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-+        return BadAlloc;
-+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
- 
-     if (stuff->n != 0) {
-         pSwapInfo = (xDbeSwapInfo *) stuff + 1;
--- 
-1.9.3
-
diff --git a/SOURCES/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch b/SOURCES/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
deleted file mode 100644
index e798a68..0000000
--- a/SOURCES/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
+++ /dev/null
@@ -1,552 +0,0 @@
-From 757fe009c45278807d6951d6380292de9133f0f8 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 10:54:41 -0800
-Subject: [PATCH 08/33] Xi: unvalidated lengths in Xinput extension
- [CVE-2014-8095]
-
-Multiple functions in the Xinput extension handling of requests from
-clients failed to check that the length of the request sent by the
-client was large enough to perform all the required operations and
-thus could read or write to memory outside the bounds of the request
-buffer.
-
-This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
-macro in include/dix.h for the common case of needing to ensure a
-request is large enough to include both the request itself and a
-minimum amount of extra data following the request header.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- Xi/chgdctl.c            |  8 ++++++--
- Xi/chgfctl.c            |  2 ++
- Xi/sendexev.c           |  3 +++
- Xi/xiallowev.c          |  2 ++
- Xi/xichangecursor.c     |  2 +-
- Xi/xichangehierarchy.c  | 35 ++++++++++++++++++++++++++++++++---
- Xi/xigetclientpointer.c |  1 +
- Xi/xigrabdev.c          |  9 ++++++++-
- Xi/xipassivegrab.c      | 12 ++++++++++--
- Xi/xiproperty.c         | 14 ++++++--------
- Xi/xiquerydevice.c      |  1 +
- Xi/xiquerypointer.c     |  2 ++
- Xi/xiselectev.c         |  8 ++++++++
- Xi/xisetclientpointer.c |  3 ++-
- Xi/xisetdevfocus.c      |  4 ++++
- Xi/xiwarppointer.c      |  2 ++
- include/dix.h           |  4 ++++
- 17 files changed, 94 insertions(+), 18 deletions(-)
-
-diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
-index d078aa2..b3ee867 100644
---- a/Xi/chgdctl.c
-+++ b/Xi/chgdctl.c
-@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
- 
-     REQUEST(xChangeDeviceControlReq);
-     swaps(&stuff->length);
--    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
-     swaps(&stuff->control);
-     ctl = (xDeviceCtl *) &stuff[1];
-     swaps(&ctl->control);
-@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
-     xDeviceEnableCtl *e;
- 
-     REQUEST(xChangeDeviceControlReq);
--    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
- 
-     len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
-@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
-         break;
-     case DEVICE_ENABLE:
-         e = (xDeviceEnableCtl *) &stuff[1];
-+        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
-+            ret = BadLength;
-+            goto out;
-+        }
- 
-         if (IsXTestDevice(dev, NULL))
-             status = !Success;
-diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
-index 6dcf60c..224c2ba 100644
---- a/Xi/chgfctl.c
-+++ b/Xi/chgfctl.c
-@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
-         xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
- 
-         if (client->swapped) {
-+            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
-+                return BadLength;
-             swaps(&f->num_keysyms);
-         }
-         if (len !=
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 3c21386..183f88d 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
-     if (ret != Success)
-         return ret;
- 
-+    if (stuff->num_events == 0)
-+        return ret;
-+
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
-diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
-index ebef233..ca263ef 100644
---- a/Xi/xiallowev.c
-+++ b/Xi/xiallowev.c
-@@ -48,6 +48,7 @@ int
- SProcXIAllowEvents(ClientPtr client)
- {
-     REQUEST(xXIAllowEventsReq);
-+    REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
-     if (stuff->length > 3) {
-         xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
- 
-+        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
-         swapl(&req_xi22->touchid);
-         swapl(&req_xi22->grab_window);
-     }
-diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
-index 0be6bc0..33e9e9c 100644
---- a/Xi/xichangecursor.c
-+++ b/Xi/xichangecursor.c
-@@ -57,11 +57,11 @@ int
- SProcXIChangeCursor(ClientPtr client)
- {
-     REQUEST(xXIChangeCursorReq);
-+    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-     swapl(&stuff->cursor);
-     swaps(&stuff->deviceid);
--    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
-     return (ProcXIChangeCursor(client));
- }
- 
-diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
-index e2f4b8a..8e3415b 100644
---- a/Xi/xichangehierarchy.c
-+++ b/Xi/xichangehierarchy.c
-@@ -407,7 +407,7 @@ int
- ProcXIChangeHierarchy(ClientPtr client)
- {
-     xXIAnyHierarchyChangeInfo *any;
--    int required_len = sizeof(xXIChangeHierarchyReq);
-+    size_t len;			/* length of data remaining in request */
-     int rc = Success;
-     int flags[MAXDEVICES] = { 0 };
- 
-@@ -417,21 +417,46 @@ ProcXIChangeHierarchy(ClientPtr client)
-     if (!stuff->num_changes)
-         return rc;
- 
-+    if (stuff->length > (INT_MAX >> 2))
-+        return BadAlloc;
-+    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
-+
-     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
-     while (stuff->num_changes--) {
-+        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
-+            rc = BadLength;
-+            goto unwind;
-+        }
-+
-         SWAPIF(swaps(&any->type));
-         SWAPIF(swaps(&any->length));
- 
--        required_len += any->length;
--        if ((stuff->length * 4) < required_len)
-+        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
-             return BadLength;
- 
-+#define CHANGE_SIZE_MATCH(type) \
-+    do { \
-+        if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
-+            rc = BadLength; \
-+            goto unwind; \
-+        } \
-+    } while(0)
-+
-         switch (any->type) {
-         case XIAddMaster:
-         {
-             xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
- 
-+            /* Variable length, due to appended name string */
-+            if (len < sizeof(xXIAddMasterInfo)) {
-+                rc = BadLength;
-+                goto unwind;
-+            }
-             SWAPIF(swaps(&c->name_len));
-+            if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
-+                rc = BadLength;
-+                goto unwind;
-+            }
- 
-             rc = add_master(client, c, flags);
-             if (rc != Success)
-@@ -442,6 +467,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
-             rc = remove_master(client, r, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -451,6 +477,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
-             rc = detach_slave(client, c, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -460,6 +487,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
-             rc = attach_slave(client, c, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -467,6 +495,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-             break;
-         }
- 
-+        len -= any->length * 4;
-         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
-     }
- 
-diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
-index 3c90d58..306dd39 100644
---- a/Xi/xigetclientpointer.c
-+++ b/Xi/xigetclientpointer.c
-@@ -50,6 +50,7 @@ int
- SProcXIGetClientPointer(ClientPtr client)
- {
-     REQUEST(xXIGetClientPointerReq);
-+    REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
-index 63d95bc..e2a2ae3 100644
---- a/Xi/xigrabdev.c
-+++ b/Xi/xigrabdev.c
-@@ -47,6 +47,11 @@ int
- SProcXIGrabDevice(ClientPtr client)
- {
-     REQUEST(xXIGrabDeviceReq);
-+    /*
-+     * Check here for at least the length of the struct we swap, then
-+     * let ProcXIGrabDevice check the full size after we swap mask_len.
-+     */
-+    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
-     unsigned int pointer_mode;
- 
-     REQUEST(xXIGrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
- 
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
-     if (ret != Success)
-@@ -131,6 +136,7 @@ int
- SProcXIUngrabDevice(ClientPtr client)
- {
-     REQUEST(xXIUngrabDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
-     TimeStamp time;
- 
-     REQUEST(xXIUngrabDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
- 
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
-     if (ret != Success)
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index eccec0a..a714a44 100644
---- a/Xi/xipassivegrab.c
-+++ b/Xi/xipassivegrab.c
-@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
-     uint32_t *mods;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
-+    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
-     swaps(&stuff->mask_len);
-     swaps(&stuff->num_modifiers);
- 
-+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
-     mods = (uint32_t *) &stuff[1];
- 
-     for (i = 0; i < stuff->num_modifiers; i++, mods++) {
-@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-     int mask_len;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
- 
-     if (stuff->deviceid == XIAllDevices)
-         dev = inputInfo.all_devices;
-@@ -248,6 +252,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
-     uint32_t *modifiers;
- 
-     REQUEST(xXIPassiveUngrabDeviceReq);
-+    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->grab_window);
-@@ -255,6 +260,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
-     swapl(&stuff->detail);
-     swaps(&stuff->num_modifiers);
- 
-+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+                       ((uint32_t) stuff->num_modifiers) << 2);
-     modifiers = (uint32_t *) &stuff[1];
- 
-     for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
-@@ -273,7 +280,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
-     int i, rc;
- 
-     REQUEST(xXIPassiveUngrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+                       ((uint32_t) stuff->num_modifiers) << 2);
- 
-     if (stuff->deviceid == XIAllDevices)
-         dev = inputInfo.all_devices;
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 796ba09..c99e282 100644
---- a/Xi/xiproperty.c
-+++ b/Xi/xiproperty.c
-@@ -1013,10 +1013,9 @@ int
- SProcXListDeviceProperties(ClientPtr client)
- {
-     REQUEST(xListDevicePropertiesReq);
-+    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
- 
-     swaps(&stuff->length);
--
--    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
-     return (ProcXListDeviceProperties(client));
- }
- 
-@@ -1037,10 +1036,10 @@ int
- SProcXDeleteDeviceProperty(ClientPtr client)
- {
-     REQUEST(xDeleteDevicePropertyReq);
-+    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->property);
--    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
-     return (ProcXDeleteDeviceProperty(client));
- }
- 
-@@ -1048,13 +1047,13 @@ int
- SProcXGetDeviceProperty(ClientPtr client)
- {
-     REQUEST(xGetDevicePropertyReq);
-+    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->property);
-     swapl(&stuff->type);
-     swapl(&stuff->longOffset);
-     swapl(&stuff->longLength);
--    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
-     return (ProcXGetDeviceProperty(client));
- }
- 
-@@ -1253,11 +1252,10 @@ int
- SProcXIListProperties(ClientPtr client)
- {
-     REQUEST(xXIListPropertiesReq);
-+    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
--
--    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
-     return (ProcXIListProperties(client));
- }
- 
-@@ -1279,11 +1277,11 @@ int
- SProcXIDeleteProperty(ClientPtr client)
- {
-     REQUEST(xXIDeletePropertyReq);
-+    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->property);
--    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
-     return (ProcXIDeleteProperty(client));
- }
- 
-@@ -1291,6 +1289,7 @@ int
- SProcXIGetProperty(ClientPtr client)
- {
-     REQUEST(xXIGetPropertyReq);
-+    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
-     swapl(&stuff->type);
-     swapl(&stuff->offset);
-     swapl(&stuff->len);
--    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
-     return (ProcXIGetProperty(client));
- }
- 
-diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
-index 4e544f0..67a9a4f 100644
---- a/Xi/xiquerydevice.c
-+++ b/Xi/xiquerydevice.c
-@@ -54,6 +54,7 @@ int
- SProcXIQueryDevice(ClientPtr client)
- {
-     REQUEST(xXIQueryDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
-index e9bdd42..7ec0c85 100644
---- a/Xi/xiquerypointer.c
-+++ b/Xi/xiquerypointer.c
-@@ -63,6 +63,8 @@ int
- SProcXIQueryPointer(ClientPtr client)
- {
-     REQUEST(xXIQueryPointerReq);
-+    REQUEST_SIZE_MATCH(xXIQueryPointerReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->win);
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index 45a996e..168579f 100644
---- a/Xi/xiselectev.c
-+++ b/Xi/xiselectev.c
-@@ -114,6 +114,7 @@ int
- SProcXISelectEvents(ClientPtr client)
- {
-     int i;
-+    int len;
-     xXIEventMask *evmask;
- 
-     REQUEST(xXISelectEventsReq);
-@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
-     swapl(&stuff->win);
-     swaps(&stuff->num_masks);
- 
-+    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
-     evmask = (xXIEventMask *) &stuff[1];
-     for (i = 0; i < stuff->num_masks; i++) {
-+        if (len < bytes_to_int32(sizeof(xXIEventMask)))
-+            return BadLength;
-+        len -= bytes_to_int32(sizeof(xXIEventMask));
-         swaps(&evmask->deviceid);
-         swaps(&evmask->mask_len);
-+        if (len < evmask->mask_len)
-+            return BadLength;
-+        len -= evmask->mask_len;
-         evmask =
-             (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
-     }
-diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
-index 38ff51e..24d4a53 100644
---- a/Xi/xisetclientpointer.c
-+++ b/Xi/xisetclientpointer.c
-@@ -51,10 +51,11 @@ int
- SProcXISetClientPointer(ClientPtr client)
- {
-     REQUEST(xXISetClientPointerReq);
-+    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
-+
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-     swaps(&stuff->deviceid);
--    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
-     return (ProcXISetClientPointer(client));
- }
- 
-diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
-index 372ec24..96a9a16 100644
---- a/Xi/xisetdevfocus.c
-+++ b/Xi/xisetdevfocus.c
-@@ -44,6 +44,8 @@ int
- SProcXISetFocus(ClientPtr client)
- {
-     REQUEST(xXISetFocusReq);
-+    REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->focus);
-@@ -56,6 +58,8 @@ int
- SProcXIGetFocus(ClientPtr client)
- {
-     REQUEST(xXIGetFocusReq);
-+    REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
- 
-diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
-index 3f051f7..780758a 100644
---- a/Xi/xiwarppointer.c
-+++ b/Xi/xiwarppointer.c
-@@ -56,6 +56,8 @@ int
- SProcXIWarpPointer(ClientPtr client)
- {
-     REQUEST(xXIWarpPointerReq);
-+    REQUEST_SIZE_MATCH(xXIWarpPointerReq);
-+
-     swaps(&stuff->length);
-     swapl(&stuff->src_win);
-     swapl(&stuff->dst_win);
-diff --git a/include/dix.h b/include/dix.h
-index 7c36932..72adad3 100644
---- a/include/dix.h
-+++ b/include/dix.h
-@@ -74,6 +74,10 @@ SOFTWARE.
-     if ((sizeof(req) >> 2) > client->req_len )\
-          return(BadLength)
- 
-+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
-+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
-+         return(BadLength)
-+
- #define REQUEST_FIXED_SIZE(req, n)\
-     if (((sizeof(req) >> 2) > client->req_len) || \
-         ((n >> 2) >= client->req_len) || \
--- 
-1.9.3
-
diff --git a/SOURCES/0009-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch b/SOURCES/0009-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
deleted file mode 100644
index 354536d..0000000
--- a/SOURCES/0009-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 182af4a188dcdc11228c15ce3252d1503015ced7 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 17:18:54 -0800
-Subject: [PATCH 09/33] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
- [CVE-2014-8096]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- Xext/xcmisc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
-index 034bfb6..1e91010 100644
---- a/Xext/xcmisc.c
-+++ b/Xext/xcmisc.c
-@@ -167,6 +167,7 @@ static int
- SProcXCMiscGetXIDList(ClientPtr client)
- {
-     REQUEST(xXCMiscGetXIDListReq);
-+    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->count);
--- 
-1.9.3
-
diff --git a/SOURCES/0010-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch b/SOURCES/0010-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
deleted file mode 100644
index 5b1af8b..0000000
--- a/SOURCES/0010-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From 24b5c3df657bfe27db9ae21289fbdfc4f887117e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:23:17 -0800
-Subject: [PATCH 10/33] Xv: unvalidated lengths in XVideo extension swapped
- procs [CVE-2014-8099]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- Xext/xvdisp.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
-index 613867a..74a12bb 100644
---- a/Xext/xvdisp.c
-+++ b/Xext/xvdisp.c
-@@ -1207,6 +1207,7 @@ static int
- SProcXvQueryExtension(ClientPtr client)
- {
-     REQUEST(xvQueryExtensionReq);
-+    REQUEST_SIZE_MATCH(xvQueryExtensionReq);
-     swaps(&stuff->length);
-     return XvProcVector[xv_QueryExtension] (client);
- }
-@@ -1215,6 +1216,7 @@ static int
- SProcXvQueryAdaptors(ClientPtr client)
- {
-     REQUEST(xvQueryAdaptorsReq);
-+    REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     return XvProcVector[xv_QueryAdaptors] (client);
-@@ -1224,6 +1226,7 @@ static int
- SProcXvQueryEncodings(ClientPtr client)
- {
-     REQUEST(xvQueryEncodingsReq);
-+    REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_QueryEncodings] (client);
-@@ -1233,6 +1236,7 @@ static int
- SProcXvGrabPort(ClientPtr client)
- {
-     REQUEST(xvGrabPortReq);
-+    REQUEST_SIZE_MATCH(xvGrabPortReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->time);
-@@ -1243,6 +1247,7 @@ static int
- SProcXvUngrabPort(ClientPtr client)
- {
-     REQUEST(xvUngrabPortReq);
-+    REQUEST_SIZE_MATCH(xvUngrabPortReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->time);
-@@ -1253,6 +1258,7 @@ static int
- SProcXvPutVideo(ClientPtr client)
- {
-     REQUEST(xvPutVideoReq);
-+    REQUEST_SIZE_MATCH(xvPutVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1272,6 +1278,7 @@ static int
- SProcXvPutStill(ClientPtr client)
- {
-     REQUEST(xvPutStillReq);
-+    REQUEST_SIZE_MATCH(xvPutStillReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1291,6 +1298,7 @@ static int
- SProcXvGetVideo(ClientPtr client)
- {
-     REQUEST(xvGetVideoReq);
-+    REQUEST_SIZE_MATCH(xvGetVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1310,6 +1318,7 @@ static int
- SProcXvGetStill(ClientPtr client)
- {
-     REQUEST(xvGetStillReq);
-+    REQUEST_SIZE_MATCH(xvGetStillReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1329,6 +1338,7 @@ static int
- SProcXvPutImage(ClientPtr client)
- {
-     REQUEST(xvPutImageReq);
-+    REQUEST_AT_LEAST_SIZE(xvPutImageReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1352,6 +1362,7 @@ static int
- SProcXvShmPutImage(ClientPtr client)
- {
-     REQUEST(xvShmPutImageReq);
-+    REQUEST_SIZE_MATCH(xvShmPutImageReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1379,6 +1390,7 @@ static int
- SProcXvSelectVideoNotify(ClientPtr client)
- {
-     REQUEST(xvSelectVideoNotifyReq);
-+    REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->drawable);
-     return XvProcVector[xv_SelectVideoNotify] (client);
-@@ -1388,6 +1400,7 @@ static int
- SProcXvSelectPortNotify(ClientPtr client)
- {
-     REQUEST(xvSelectPortNotifyReq);
-+    REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_SelectPortNotify] (client);
-@@ -1397,6 +1410,7 @@ static int
- SProcXvStopVideo(ClientPtr client)
- {
-     REQUEST(xvStopVideoReq);
-+    REQUEST_SIZE_MATCH(xvStopVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1407,6 +1421,7 @@ static int
- SProcXvSetPortAttribute(ClientPtr client)
- {
-     REQUEST(xvSetPortAttributeReq);
-+    REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->attribute);
-@@ -1418,6 +1433,7 @@ static int
- SProcXvGetPortAttribute(ClientPtr client)
- {
-     REQUEST(xvGetPortAttributeReq);
-+    REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->attribute);
-@@ -1428,6 +1444,7 @@ static int
- SProcXvQueryBestSize(ClientPtr client)
- {
-     REQUEST(xvQueryBestSizeReq);
-+    REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swaps(&stuff->vid_w);
-@@ -1441,6 +1458,7 @@ static int
- SProcXvQueryPortAttributes(ClientPtr client)
- {
-     REQUEST(xvQueryPortAttributesReq);
-+    REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_QueryPortAttributes] (client);
-@@ -1450,6 +1468,7 @@ static int
- SProcXvQueryImageAttributes(ClientPtr client)
- {
-     REQUEST(xvQueryImageAttributesReq);
-+    REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->id);
-@@ -1462,6 +1481,7 @@ static int
- SProcXvListImageFormats(ClientPtr client)
- {
-     REQUEST(xvListImageFormatsReq);
-+    REQUEST_SIZE_MATCH(xvListImageFormatsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_ListImageFormats] (client);
--- 
-1.9.3
-
diff --git a/SOURCES/0011-dri3-unvalidated-lengths-in-DRI3-extension-swapped-p.patch b/SOURCES/0011-dri3-unvalidated-lengths-in-DRI3-extension-swapped-p.patch
deleted file mode 100644
index 9039011..0000000
--- a/SOURCES/0011-dri3-unvalidated-lengths-in-DRI3-extension-swapped-p.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From f8d54fefd98dd2ffd8d5680a6b7b5276b683e3e0 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:28:05 -0800
-Subject: [PATCH 11/33] dri3: unvalidated lengths in DRI3 extension swapped
- procs [CVE-2014-8103 1/2]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- dri3/dri3_request.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
-index 4e1408f..2d05066 100644
---- a/dri3/dri3_request.c
-+++ b/dri3/dri3_request.c
-@@ -311,6 +311,7 @@ static int
- sproc_dri3_query_version(ClientPtr client)
- {
-     REQUEST(xDRI3QueryVersionReq);
-+    REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-@@ -322,6 +323,7 @@ static int
- sproc_dri3_open(ClientPtr client)
- {
-     REQUEST(xDRI3OpenReq);
-+    REQUEST_SIZE_MATCH(xDRI3OpenReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->drawable);
-@@ -333,6 +335,7 @@ static int
- sproc_dri3_pixmap_from_buffer(ClientPtr client)
- {
-     REQUEST(xDRI3PixmapFromBufferReq);
-+    REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->pixmap);
-@@ -348,6 +351,7 @@ static int
- sproc_dri3_buffer_from_pixmap(ClientPtr client)
- {
-     REQUEST(xDRI3BufferFromPixmapReq);
-+    REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->pixmap);
-@@ -358,6 +362,7 @@ static int
- sproc_dri3_fence_from_fd(ClientPtr client)
- {
-     REQUEST(xDRI3FenceFromFDReq);
-+    REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->drawable);
-@@ -369,6 +374,7 @@ static int
- sproc_dri3_fd_from_fence(ClientPtr client)
- {
-     REQUEST(xDRI3FDFromFenceReq);
-+    REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->drawable);
--- 
-1.9.3
-
diff --git a/SOURCES/0012-present-unvalidated-lengths-in-Present-extension-pro.patch b/SOURCES/0012-present-unvalidated-lengths-in-Present-extension-pro.patch
deleted file mode 100644
index 54575b6..0000000
--- a/SOURCES/0012-present-unvalidated-lengths-in-Present-extension-pro.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From a2ae01b5777b94b1e7bf7319223365f57c213a57 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:33:34 -0800
-Subject: [PATCH 12/33] present: unvalidated lengths in Present extension procs
- [CVE-2014-8103 2/2]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- present/present_request.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/present/present_request.c b/present/present_request.c
-index 1064dcb..1a60c8a 100644
---- a/present/present_request.c
-+++ b/present/present_request.c
-@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
-     RRCrtcPtr   crtc = NULL;
-     int         r;
- 
-+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
-     r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
-     switch (r) {
-     case Success:
-@@ -254,6 +255,7 @@ static int
- sproc_present_query_version(ClientPtr client)
- {
-     REQUEST(xPresentQueryVersionReq);
-+    REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-@@ -265,6 +267,7 @@ static int
- sproc_present_pixmap(ClientPtr client)
- {
-     REQUEST(xPresentPixmapReq);
-+    REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-@@ -284,6 +287,7 @@ static int
- sproc_present_notify_msc(ClientPtr client)
- {
-     REQUEST(xPresentNotifyMSCReq);
-+    REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-@@ -297,6 +301,7 @@ static int
- sproc_present_select_input (ClientPtr client)
- {
-     REQUEST(xPresentSelectInputReq);
-+    REQUEST_SIZE_MATCH(xPresentSelectInputReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-@@ -308,6 +313,7 @@ static int
- sproc_present_query_capabilities (ClientPtr client)
- {
-     REQUEST(xPresentQueryCapabilitiesReq);
-+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->target);
-     return (*proc_present_vector[stuff->presentReqType]) (client);
--- 
-1.9.3
-
diff --git a/SOURCES/0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch b/SOURCES/0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
deleted file mode 100644
index dec7cb0..0000000
--- a/SOURCES/0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 7b32b2e84bdd72ab9e304645b714f06d1732f490 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:38:09 -0800
-Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
- procs [CVE-2014-8101]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- randr/rrsdispatch.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
-index 9968c7f..5af8fec 100644
---- a/randr/rrsdispatch.c
-+++ b/randr/rrsdispatch.c
-@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
- {
-     REQUEST(xRRQueryVersionReq);
- 
-+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-     swapl(&stuff->minorVersion);
-@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
- {
-     REQUEST(xRRGetScreenInfoReq);
- 
-+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     return (*ProcRandrVector[stuff->randrReqType]) (client);
-@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
- {
-     REQUEST(xRRSelectInputReq);
- 
-+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     swaps(&stuff->enable);
-@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
- {
-     REQUEST(xRRConfigureOutputPropertyReq);
- 
-+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->output);
-     swapl(&stuff->property);
--- 
-1.9.3
-
diff --git a/SOURCES/0014-render-check-request-size-before-reading-it-CVE-2014.patch b/SOURCES/0014-render-check-request-size-before-reading-it-CVE-2014.patch
deleted file mode 100644
index 09fc6a0..0000000
--- a/SOURCES/0014-render-check-request-size-before-reading-it-CVE-2014.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 4b0137857115c025232c866d0ecd3a68688ca9e4 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Tue, 28 Oct 2014 10:30:04 +0100
-Subject: [PATCH 14/33] render: check request size before reading it
- [CVE-2014-8100 1/2]
-
-Otherwise we may be reading outside of the client request.
-
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- render/render.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/render/render.c b/render/render.c
-index 51f75ae..ce03b13 100644
---- a/render/render.c
-+++ b/render/render.c
-@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
- 
-     REQUEST(xRenderQueryVersionReq);
- 
-+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-+
-     pRenderClient->major_version = stuff->majorVersion;
-     pRenderClient->minor_version = stuff->minorVersion;
- 
--    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
--
-     if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
-         (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
-         rep.majorVersion = stuff->majorVersion;
--- 
-1.9.3
-
diff --git a/SOURCES/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch b/SOURCES/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
deleted file mode 100644
index caaa3b3..0000000
--- a/SOURCES/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From eec950e6fcafd315b5f211c78fc7d4b775df1036 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:51:29 -0800
-Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped
- procs [CVE-2014-8100 2/2]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- render/render.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/render/render.c b/render/render.c
-index ce03b13..4e47efd 100644
---- a/render/render.c
-+++ b/render/render.c
-@@ -1995,7 +1995,7 @@ static int
- SProcRenderQueryVersion(ClientPtr client)
- {
-     REQUEST(xRenderQueryVersionReq);
--
-+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-     swapl(&stuff->minorVersion);
-@@ -2006,6 +2006,7 @@ static int
- SProcRenderQueryPictFormats(ClientPtr client)
- {
-     REQUEST(xRenderQueryPictFormatsReq);
-+    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
-     swaps(&stuff->length);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
- }
-@@ -2014,6 +2015,7 @@ static int
- SProcRenderQueryPictIndexValues(ClientPtr client)
- {
-     REQUEST(xRenderQueryPictIndexValuesReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->format);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2029,6 +2031,7 @@ static int
- SProcRenderCreatePicture(ClientPtr client)
- {
-     REQUEST(xRenderCreatePictureReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->pid);
-     swapl(&stuff->drawable);
-@@ -2042,6 +2045,7 @@ static int
- SProcRenderChangePicture(ClientPtr client)
- {
-     REQUEST(xRenderChangePictureReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     swapl(&stuff->mask);
-@@ -2053,6 +2057,7 @@ static int
- SProcRenderSetPictureClipRectangles(ClientPtr client)
- {
-     REQUEST(xRenderSetPictureClipRectanglesReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     swaps(&stuff->xOrigin);
-@@ -2065,6 +2070,7 @@ static int
- SProcRenderFreePicture(ClientPtr client)
- {
-     REQUEST(xRenderFreePictureReq);
-+    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2074,6 +2080,7 @@ static int
- SProcRenderComposite(ClientPtr client)
- {
-     REQUEST(xRenderCompositeReq);
-+    REQUEST_SIZE_MATCH(xRenderCompositeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->src);
-     swapl(&stuff->mask);
-@@ -2093,6 +2100,7 @@ static int
- SProcRenderScale(ClientPtr client)
- {
-     REQUEST(xRenderScaleReq);
-+    REQUEST_SIZE_MATCH(xRenderScaleReq);
-     swaps(&stuff->length);
-     swapl(&stuff->src);
-     swapl(&stuff->dst);
-@@ -2193,6 +2201,7 @@ static int
- SProcRenderCreateGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderCreateGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->gsid);
-     swapl(&stuff->format);
-@@ -2203,6 +2212,7 @@ static int
- SProcRenderReferenceGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderReferenceGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->gsid);
-     swapl(&stuff->existing);
-@@ -2213,6 +2223,7 @@ static int
- SProcRenderFreeGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderFreeGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
-     xGlyphInfo *gi;
- 
-     REQUEST(xRenderAddGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     swapl(&stuff->nglyphs);
-@@ -2261,6 +2273,7 @@ static int
- SProcRenderFreeGlyphs(ClientPtr client)
- {
-     REQUEST(xRenderFreeGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     SwapRestL(stuff);
-@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
-     int size;
- 
-     REQUEST(xRenderCompositeGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
- 
-     switch (stuff->renderReqType) {
-     default:
--- 
-1.9.3
-
diff --git a/SOURCES/0016-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch b/SOURCES/0016-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
deleted file mode 100644
index 963fd44..0000000
--- a/SOURCES/0016-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 9994f0703ab49802e956f0ccae1ddb50143b6bad Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 20:02:20 -0800
-Subject: [PATCH 16/33] xfixes: unvalidated length in
- SProcXFixesSelectSelectionInput [CVE-2014-8102]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- xfixes/select.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/xfixes/select.c b/xfixes/select.c
-index ee8ed6f..c5a68ca 100644
---- a/xfixes/select.c
-+++ b/xfixes/select.c
-@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
- {
-     REQUEST(xXFixesSelectSelectionInputReq);
- 
-+    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     swapl(&stuff->selection);
--- 
-1.9.3
-
diff --git a/SOURCES/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch b/SOURCES/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch
deleted file mode 100644
index 7700c78..0000000
--- a/SOURCES/0017-Add-request-length-checking-test-cases-for-some-Xinp.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From 2bc68568ee6d8b75da07d98818142af081f0b132 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 9 Feb 2014 21:27:27 -0800
-Subject: [PATCH 17/33] Add request length checking test cases for some Xinput
- 1.x requests
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- configure.ac                             |   1 +
- test/Makefile.am                         |   2 +-
- test/xi1/Makefile.am                     |  34 +++++++++
- test/xi1/protocol-xchangedevicecontrol.c | 122 +++++++++++++++++++++++++++++++
- 4 files changed, 158 insertions(+), 1 deletion(-)
- create mode 100644 test/xi1/Makefile.am
- create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
-
-diff --git a/configure.ac b/configure.ac
-index 2202a56..e1f0fe4 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2538,6 +2538,7 @@ hw/kdrive/fbdev/Makefile
- hw/kdrive/linux/Makefile
- hw/kdrive/src/Makefile
- test/Makefile
-+test/xi1/Makefile
- test/xi2/Makefile
- xserver.ent
- xorg-server.pc
-diff --git a/test/Makefile.am b/test/Makefile.am
-index 2852bb3..cd739e2 100644
---- a/test/Makefile.am
-+++ b/test/Makefile.am
-@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string
- if XORG
- # Tests that require at least some DDX functions in order to fully link
- # For now, requires xf86 ddx, could be adjusted to use another
--SUBDIRS += xi2
-+SUBDIRS += xi1 xi2
- noinst_PROGRAMS += xkb input xtest misc fixes xfree86 hashtabletest os signal-logging touch
- endif
- check_LTLIBRARIES = libxservertest.la
-diff --git a/test/xi1/Makefile.am b/test/xi1/Makefile.am
-new file mode 100644
-index 0000000..907fa7a
---- /dev/null
-+++ b/test/xi1/Makefile.am
-@@ -0,0 +1,34 @@
-+if ENABLE_UNIT_TESTS
-+if HAVE_LD_WRAP
-+noinst_PROGRAMS =  \
-+	protocol-xchangedevicecontrol
-+
-+TESTS=$(noinst_PROGRAMS)
-+TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
-+
-+AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
-+AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
-+TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
-+COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
-+
-+if SPECIAL_DTRACE_OBJECTS
-+TEST_LDADD += $(OS_LIB) $(DIX_LIB)
-+endif
-+
-+protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
-+
-+protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
-+
-+protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
-+
-+else
-+# Print that xi1-tests were skipped (exit code 77 for automake test harness)
-+TESTS = xi1-tests
-+CLEANFILES = $(TESTS)
-+
-+xi1-tests:
-+	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
-+	@echo 'exit 77' >> $@
-+	$(AM_V_GEN)chmod +x $@
-+endif
-+endif
-diff --git a/test/xi1/protocol-xchangedevicecontrol.c b/test/xi1/protocol-xchangedevicecontrol.c
-new file mode 100644
-index 0000000..8e638b2
---- /dev/null
-+++ b/test/xi1/protocol-xchangedevicecontrol.c
-@@ -0,0 +1,122 @@
-+/**
-+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a
-+ * copy of this software and associated documentation files (the "Software"),
-+ * to deal in the Software without restriction, including without limitation
-+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
-+ * and/or sell copies of the Software, and to permit persons to whom the
-+ * Software is furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice (including the next
-+ * paragraph) shall be included in all copies or substantial portions of the
-+ * Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-+ * DEALINGS IN THE SOFTWARE.
-+ */
-+
-+#ifdef HAVE_DIX_CONFIG_H
-+#include <dix-config.h>
-+#endif
-+
-+/*
-+ * Protocol testing for ChangeDeviceControl request.
-+ */
-+#include <stdint.h>
-+#include <X11/X.h>
-+#include <X11/Xproto.h>
-+#include <X11/extensions/XIproto.h>
-+#include "inputstr.h"
-+#include "chgdctl.h"
-+
-+#include "protocol-common.h"
-+
-+static ClientRec client_request;
-+
-+static void
-+reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
-+{
-+    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
-+
-+    if (client->swapped) {
-+        swapl(&rep->length);
-+        swaps(&rep->sequenceNumber);
-+    }
-+
-+    reply_check_defaults(rep, len, ChangeDeviceControl);
-+
-+    /* XXX: check status code in reply */
-+}
-+
-+static void
-+request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
-+                            xDeviceCtl *ctl, int error)
-+{
-+    int rc;
-+
-+    client_request.req_len = req->length;
-+    rc = ProcXChangeDeviceControl(&client_request);
-+    assert(rc == error);
-+
-+    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
-+
-+    client_request.swapped = TRUE;
-+    swaps(&req->length);
-+    swaps(&req->control);
-+    swaps(&ctl->length);
-+    swaps(&ctl->control);
-+    /* XXX: swap other contents of ctl, depending on type */
-+    rc = SProcXChangeDeviceControl(&client_request);
-+    assert(rc == error);
-+}
-+
-+static unsigned char *data[4096];       /* the request buffer */
-+
-+static void
-+test_ChangeDeviceControl(void)
-+{
-+    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
-+    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
-+
-+    request_init(request, ChangeDeviceControl);
-+
-+    reply_handler = reply_ChangeDeviceControl;
-+
-+    client_request = init_client(request->length, request);
-+
-+    printf("Testing invalid lengths:\n");
-+    printf(" -- no control struct\n");
-+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
-+
-+    printf(" -- xDeviceResolutionCtl\n");
-+    request_init(request, ChangeDeviceControl);
-+    request->control = DEVICE_RESOLUTION;
-+    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
-+    request->length += control->length - 2;
-+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
-+
-+    printf(" -- xDeviceEnableCtl\n");
-+    request_init(request, ChangeDeviceControl);
-+    request->control = DEVICE_ENABLE;
-+    control->length = (sizeof(xDeviceEnableCtl) >> 2);
-+    request->length += control->length - 2;
-+    request_ChangeDeviceControl(&client_request, request, control, BadLength);
-+
-+    /* XXX: Test functionality! */
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+    init_simple();
-+
-+    test_ChangeDeviceControl();
-+
-+    return 0;
-+}
--- 
-1.9.3
-
diff --git a/SOURCES/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch b/SOURCES/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch
deleted file mode 100644
index ad128a0..0000000
--- a/SOURCES/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 2c23ed603e792f8bf958ec8056e5e13c35a4c0fe Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 9 Feb 2014 21:28:05 -0800
-Subject: [PATCH 18/33] Add request length checking test cases for some Xinput
- 2.x requests
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- test/xi2/protocol-xigetclientpointer.c  | 5 +++++
- test/xi2/protocol-xipassivegrabdevice.c | 8 ++++++++
- test/xi2/protocol-xiquerypointer.c      | 4 ++++
- test/xi2/protocol-xiwarppointer.c       | 3 +++
- 4 files changed, 20 insertions(+)
-
-diff --git a/test/xi2/protocol-xigetclientpointer.c b/test/xi2/protocol-xigetclientpointer.c
-index 28eb8d3..570c53e 100644
---- a/test/xi2/protocol-xigetclientpointer.c
-+++ b/test/xi2/protocol-xigetclientpointer.c
-@@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
-     request.win = INVALID_WINDOW_ID;
-     request_XIGetClientPointer(&client_request, &request, BadWindow);
- 
-+    printf("Testing invalid length\n");
-+    client_request.req_len -= 4;
-+    request_XIGetClientPointer(&client_request, &request, BadLength);
-+    client_request.req_len += 4;
-+
-     test_data.cp_is_set = FALSE;
- 
-     printf("Testing window None, unset ClientPointer.\n");
-diff --git a/test/xi2/protocol-xipassivegrabdevice.c b/test/xi2/protocol-xipassivegrabdevice.c
-index 84b386b..d0b9004 100644
---- a/test/xi2/protocol-xipassivegrabdevice.c
-+++ b/test/xi2/protocol-xipassivegrabdevice.c
-@@ -138,6 +138,7 @@ request_XIPassiveGrabDevice(ClientPtr client, xXIPassiveGrabDeviceReq * req,
-     int rc;
-     int modifiers;
- 
-+    client_request.req_len = req->length;
-     rc = ProcXIPassiveGrabDevice(&client_request);
-     assert(rc == error);
- 
-@@ -188,6 +189,13 @@ test_XIPassiveGrabDevice(void)
-     request_XIPassiveGrabDevice(&client_request, request, BadDevice,
-                                 request->deviceid);
- 
-+    printf("Testing invalid length\n");
-+    request->length -= 2;
-+    request_XIPassiveGrabDevice(&client_request, request, BadLength,
-+                                client_request.errorValue);
-+    /* re-init request since swapped length test leaves some values swapped */
-+    request_init(request, XIPassiveGrabDevice);
-+    request->grab_window = CLIENT_WINDOW_ID;
-     request->deviceid = XIAllMasterDevices;
- 
-     printf("Testing invalid grab types\n");
-diff --git a/test/xi2/protocol-xiquerypointer.c b/test/xi2/protocol-xiquerypointer.c
-index fc66b64..c0421f6 100644
---- a/test/xi2/protocol-xiquerypointer.c
-+++ b/test/xi2/protocol-xiquerypointer.c
-@@ -201,6 +201,10 @@ test_XIQueryPointer(void)
-     test_data.dev = devices.mouse;
-     request.deviceid = devices.mouse->id;
-     request_XIQueryPointer(&client_request, &request, Success);
-+
-+    /* test REQUEST_SIZE_MATCH */
-+    client_request.req_len -= 4;
-+    request_XIQueryPointer(&client_request, &request, BadLength);
- }
- 
- int
-diff --git a/test/xi2/protocol-xiwarppointer.c b/test/xi2/protocol-xiwarppointer.c
-index f7986c1..3aaaae6 100644
---- a/test/xi2/protocol-xiwarppointer.c
-+++ b/test/xi2/protocol-xiwarppointer.c
-@@ -198,6 +198,9 @@ test_XIWarpPointer(void)
-     request_XIWarpPointer(&client_request, &request, Success);
- 
-     /* FIXME: src_x/y checks */
-+
-+    client_request.req_len -= 2; /* invalid length */
-+    request_XIWarpPointer(&client_request, &request, BadLength);
- }
- 
- int
--- 
-1.9.3
-
diff --git a/SOURCES/0019-Add-REQUEST_FIXED_SIZE-testcases-to-test-misc.c.patch b/SOURCES/0019-Add-REQUEST_FIXED_SIZE-testcases-to-test-misc.c.patch
deleted file mode 100644
index 37403c3..0000000
--- a/SOURCES/0019-Add-REQUEST_FIXED_SIZE-testcases-to-test-misc.c.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 19434b3ce4ed730d71155ba3edf44f68979ddb28 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 9 Feb 2014 22:42:47 -0800
-Subject: [PATCH 19/33] Add REQUEST_FIXED_SIZE testcases to test/misc.c
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- test/misc.c | 37 +++++++++++++++++++++++++++++++++++++
- 1 file changed, 37 insertions(+)
-
-diff --git a/test/misc.c b/test/misc.c
-index dd792e6..66330a1 100644
---- a/test/misc.c
-+++ b/test/misc.c
-@@ -28,6 +28,8 @@
- #include <stdint.h>
- #include "misc.h"
- #include "scrnintstr.h"
-+#include "dix.h"
-+#include "dixstruct.h"
- 
- ScreenInfo screenInfo;
- 
-@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
-     assert_dimensions(-w2, -h2, w2, h2);
- }
- 
-+static int
-+dix_request_fixed_size_overflow(ClientRec *client)
-+{
-+    xReq req = { 0 };
-+
-+    client->req_len = req.length = 1;
-+    REQUEST_FIXED_SIZE(req, SIZE_MAX);
-+    return Success;
-+}
-+
-+static int
-+dix_request_fixed_size_match(ClientRec *client)
-+{
-+    xReq req = { 0 };
-+
-+    client->req_len = req.length = 9;
-+    REQUEST_FIXED_SIZE(req, 30);
-+    return Success;
-+}
-+
-+static void
-+dix_request_size_checks(void)
-+{
-+    ClientRec client = { 0 };
-+    int rc;
-+
-+    rc = dix_request_fixed_size_overflow(&client);
-+    assert(rc == BadLength);
-+
-+    rc = dix_request_fixed_size_match(&client);
-+    assert(rc == Success);
-+}
-+
-+
- int
- main(int argc, char **argv)
- {
-     dix_version_compare();
-     dix_update_desktop_dimensions();
-+    dix_request_size_checks();
- 
-     return 0;
- }
--- 
-1.9.3
-
diff --git a/SOURCES/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch b/SOURCES/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch
deleted file mode 100644
index d700194..0000000
--- a/SOURCES/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 326a95955f6dd3c157ba7ddf41a4b11304764c53 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:36 -0500
-Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests
- [CVE-2014-8093 1/6]
-
-If the size computation routine returns -1 we should just reject the
-request outright.  Clamping it to zero could give an attacker the
-opportunity to also mangle cmdlen in such a way that the subsequent
-length check passes, and the request would get executed, thus passing
-data we wanted to reject to the renderer.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxcmds.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index b8da048..27777e9 100644
---- a/glx/glxcmds.c
-+++ b/glx/glxcmds.c
-@@ -2052,7 +2052,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-                                       client->swapped);
-             if (extra < 0) {
--                extra = 0;
-+                return BadLength;
-             }
-             if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                 return BadLength;
-@@ -2169,7 +2169,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
-                                       client->swapped);
-             if (extra < 0) {
--                extra = 0;
-+                return BadLength;
-             }
-             /* large command's header is 4 bytes longer, so add 4 */
-             if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--- 
-1.9.3
-
diff --git a/SOURCES/0021-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch b/SOURCES/0021-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
deleted file mode 100644
index 5af9a12..0000000
--- a/SOURCES/0021-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-From 679072061a39f72d4473b3a9c45f4bef6383f033 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:37 -0500
-Subject: [PATCH 21/33] glx: Be more strict about rejecting invalid image sizes
- [CVE-2014-8093 2/6]
-
-Before this we'd just clamp the image size to 0, which was just
-hideously stupid; if the parameters were such that they'd overflow an
-integer, you'd allocate a small buffer, then pass huge values into (say)
-ReadPixels, and now you're scribbling over arbitrary server memory.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/singlepix.c     | 16 ++++++++--------
- glx/singlepixswap.c | 16 ++++++++--------
- 2 files changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/glx/singlepix.c b/glx/singlepix.c
-index 506fdaa..8b6c261 100644
---- a/glx/singlepix.c
-+++ b/glx/singlepix.c
-@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     lsbFirst = *(GLboolean *) (pc + 25);
-     compsize = __glReadPixels_size(format, type, width, height);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     compsize =
-         __glGetTexImage_size(target, level, format, type, width, height, depth);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
-     if (compsize2 < 0)
--        compsize2 = 0;
-+        return BadLength;
-     compsize = __GLX_PAD(compsize);
-     compsize2 = __GLX_PAD(compsize2);
- 
-@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- 
-     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
-index 8469101..8dc304f 100644
---- a/glx/singlepixswap.c
-+++ b/glx/singlepixswap.c
-@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     lsbFirst = *(GLboolean *) (pc + 25);
-     compsize = __glReadPixels_size(format, type, width, height);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     compsize =
-         __glGetTexImage_size(target, level, format, type, width, height, depth);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
-     if (compsize2 < 0)
--        compsize2 = 0;
-+        return BadLength;
-     compsize = __GLX_PAD(compsize);
-     compsize2 = __GLX_PAD(compsize2);
- 
-@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- 
-     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
--- 
-1.9.3
-
diff --git a/SOURCES/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch b/SOURCES/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
deleted file mode 100644
index 98d12cd..0000000
--- a/SOURCES/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 4c909ffb1b8d6fc2ba61dc764e047f95dd8950b7 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:38 -0500
-Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
- __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
-
-If the computed reply size is negative, something went wrong, treat it
-as an error.
-
-v2: Be more careful about size_t being unsigned (Matthieu Herrb)
-v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
-
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/indirect_util.c | 7 ++++++-
- glx/unpack.h        | 3 ++-
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index f9d1243..183af83 100644
---- a/glx/indirect_util.c
-+++ b/glx/indirect_util.c
-@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
-     const unsigned mask = alignment - 1;
- 
-     if (local_size < required_size) {
--        const size_t worst_case_size = required_size + alignment;
-+        size_t worst_case_size;
-         intptr_t temp_buf;
- 
-+        if (required_size < SIZE_MAX - alignment)
-+            worst_case_size = required_size + alignment;
-+        else
-+            return NULL;
-+
-         if (cl->returnBufSize < worst_case_size) {
-             void *temp = realloc(cl->returnBuf, worst_case_size);
- 
-diff --git a/glx/unpack.h b/glx/unpack.h
-index 52fba74..2b1ebcf 100644
---- a/glx/unpack.h
-+++ b/glx/unpack.h
-@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
- ** pointer.
- */
- #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
--    if ((size) > sizeof(answerBuffer)) {				 \
-+    if (size < 0) return BadLength;                                      \
-+    else if ((size) > sizeof(answerBuffer)) {				 \
- 	int bump;							 \
- 	if ((cl)->returnBufSize < (size)+(align)) {			 \
- 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \
--- 
-1.9.3
-
diff --git a/SOURCES/0023-glx-Fix-image-size-computation-for-EXT_texture_integ.patch b/SOURCES/0023-glx-Fix-image-size-computation-for-EXT_texture_integ.patch
deleted file mode 100644
index 6e97c00..0000000
--- a/SOURCES/0023-glx-Fix-image-size-computation-for-EXT_texture_integ.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 4941859d354bb0cc02dbc2589a43e29e13dfeba6 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:39 -0500
-Subject: [PATCH 23/33] glx: Fix image size computation for EXT_texture_integer
- [CVE-2014-8098 1/8]
-
-Without this we'd reject the request with BadLength.  Note that some old
-versions of Mesa had a bug in the same place, and would _send_ zero
-bytes of image data; these will now be rejected, correctly.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/rensize.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index bcc3a53..10f76bc 100644
---- a/glx/rensize.c
-+++ b/glx/rensize.c
-@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         case GL_ALPHA:
-         case GL_LUMINANCE:
-         case GL_INTENSITY:
-+        case GL_RED_INTEGER_EXT:
-+        case GL_GREEN_INTEGER_EXT:
-+        case GL_BLUE_INTEGER_EXT:
-+        case GL_ALPHA_INTEGER_EXT:
-+        case GL_LUMINANCE_INTEGER_EXT:
-             elementsPerGroup = 1;
-             break;
-         case GL_422_EXT:
-@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         case GL_DEPTH_STENCIL_MESA:
-         case GL_YCBCR_MESA:
-         case GL_LUMINANCE_ALPHA:
-+        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
-             elementsPerGroup = 2;
-             break;
-         case GL_RGB:
-         case GL_BGR:
-+        case GL_RGB_INTEGER_EXT:
-+        case GL_BGR_INTEGER_EXT:
-             elementsPerGroup = 3;
-             break;
-         case GL_RGBA:
-         case GL_BGRA:
-+        case GL_RGBA_INTEGER_EXT:
-+        case GL_BGRA_INTEGER_EXT:
-         case GL_ABGR_EXT:
-             elementsPerGroup = 4;
-             break;
--- 
-1.9.3
-
diff --git a/SOURCES/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch b/SOURCES/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch
deleted file mode 100644
index 65962df..0000000
--- a/SOURCES/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From f5a7c552b4e0268df93cce2d7f418a7f81770873 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:40 -0500
-Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
-
-These are paranoid about integer overflow, and will return -1 if their
-operation would overflow a (signed) integer or if either argument is
-negative.
-
-Note that RenderLarge requests are sized with a uint32_t so in principle
-this could be sketchy there, but dix limits bigreqs to 128M so you
-shouldn't ever notice, and honestly if you're sending more than 2G of
-rendering commands you're already doing something very wrong.
-
-v2: Use INT_MAX for consistency with the rest of the server (jcristau)
-v3: Reject negative arguments (anholt)
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/glx/glxserver.h b/glx/glxserver.h
-index 7f36e5f..14c5dda 100644
---- a/glx/glxserver.h
-+++ b/glx/glxserver.h
-@@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
-  * Routines for computing the size of variably-sized rendering commands.
-  */
- 
-+static _X_INLINE int
-+safe_add(int a, int b)
-+{
-+    if (a < 0 || b < 0)
-+        return -1;
-+
-+    if (INT_MAX - a < b)
-+        return -1;
-+
-+    return a + b;
-+}
-+
-+static _X_INLINE int
-+safe_mul(int a, int b)
-+{
-+    if (a < 0 || b < 0)
-+        return -1;
-+
-+    if (a == 0 || b == 0)
-+        return 0;
-+
-+    if (a > INT_MAX / b)
-+        return -1;
-+
-+    return a * b;
-+}
-+
-+static _X_INLINE int
-+safe_pad(int a)
-+{
-+    int ret;
-+
-+    if (a < 0)
-+        return -1;
-+
-+    if ((ret = safe_add(a, 3)) < 0)
-+        return -1;
-+
-+    return ret & (GLuint)~3;
-+}
-+
- extern int __glXTypeSize(GLenum enm);
- extern int __glXImageSize(GLenum format, GLenum type,
-                           GLenum target, GLsizei w, GLsizei h, GLsizei d,
--- 
-1.9.3
-
diff --git a/SOURCES/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/SOURCES/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
deleted file mode 100644
index 9be4a5c..0000000
--- a/SOURCES/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From e2f9051eb4dee56023b3d1b81baa6137bce4b56b Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Mon, 10 Nov 2014 12:13:41 -0500
-Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
- [CVE-2014-8098 2/8]
-
-v2:
-Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
-
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxcmds.c | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index 27777e9..5b37e37 100644
---- a/glx/glxcmds.c
-+++ b/glx/glxcmds.c
-@@ -2015,7 +2015,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-     left = (req->length << 2) - sz_xGLXRenderReq;
-     while (left > 0) {
-         __GLXrenderSizeData entry;
--        int extra;
-+        int extra = 0;
-         __GLXdispatchRenderProcPtr proc;
-         int err;
- 
-@@ -2034,6 +2034,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-         cmdlen = hdr->length;
-         opcode = hdr->opcode;
- 
-+        if (left < cmdlen)
-+            return BadLength;
-+
-         /*
-          ** Check for core opcodes and grab entry data.
-          */
-@@ -2047,6 +2050,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             return __glXError(GLXBadRenderRequest);
-         }
- 
-+        if (cmdlen < entry.bytes) {
-+            return BadLength;
-+        }
-+
-         if (entry.varsize) {
-             /* variable size command */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-@@ -2054,17 +2061,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             if (extra < 0) {
-                 return BadLength;
-             }
--            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
--                return BadLength;
--            }
-         }
--        else {
--            /* constant size command */
--            if (cmdlen != __GLX_PAD(entry.bytes)) {
--                return BadLength;
--            }
--        }
--        if (left < cmdlen) {
-+
-+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
-             return BadLength;
-         }
- 
--- 
-1.9.3
-
diff --git a/SOURCES/0026-glx-Integer-overflow-protection-for-non-generated-re.patch b/SOURCES/0026-glx-Integer-overflow-protection-for-non-generated-re.patch
deleted file mode 100644
index 8bbbdbf..0000000
--- a/SOURCES/0026-glx-Integer-overflow-protection-for-non-generated-re.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From 2b07b8876559e0ec7fe6ac79ea49d8cabab2703f Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:42 -0500
-Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
- render requests (v3) [CVE-2014-8093 5/6]
-
-v2:
-Fix constants in __glXMap2fReqSize (Michal Srb)
-Validate w/h/d for proxy targets too (Keith Packard)
-
-v3:
-Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/rensize.c | 77 +++++++++++++++++++++++++++++++----------------------------
- 1 file changed, 41 insertions(+), 36 deletions(-)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index 10f76bc..6ee0f9c 100644
---- a/glx/rensize.c
-+++ b/glx/rensize.c
-@@ -43,19 +43,11 @@
-   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
-    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
- 
--static int
--Map1Size(GLint k, GLint order)
--{
--    if (order <= 0 || k < 0)
--        return -1;
--    return k * order;
--}
--
- int
- __glXMap1dReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint order, k;
-+    GLint order;
- 
-     target = *(GLenum *) (pc + 16);
-     order = *(GLint *) (pc + 20);
-@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
-         target = SWAPL(target);
-         order = SWAPL(order);
-     }
--    k = __glMap1d_size(target);
--    return 8 * Map1Size(k, order);
-+    if (order < 1)
-+        return -1;
-+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
- }
- 
- int
- __glXMap1fReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint order, k;
-+    GLint order;
- 
-     target = *(GLenum *) (pc + 0);
-     order = *(GLint *) (pc + 12);
-@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
-         target = SWAPL(target);
-         order = SWAPL(order);
-     }
--    k = __glMap1f_size(target);
--    return 4 * Map1Size(k, order);
-+    if (order < 1)
-+        return -1;
-+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
- }
- 
- static int
- Map2Size(int k, int majorOrder, int minorOrder)
- {
--    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
-+    if (majorOrder < 1 || minorOrder < 1)
-         return -1;
--    return k * majorOrder * minorOrder;
-+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
- }
- 
- int
- __glXMap2dReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint uorder, vorder, k;
-+    GLint uorder, vorder;
- 
-     target = *(GLenum *) (pc + 32);
-     uorder = *(GLint *) (pc + 36);
-@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
-         uorder = SWAPL(uorder);
-         vorder = SWAPL(vorder);
-     }
--    k = __glMap2d_size(target);
--    return 8 * Map2Size(k, uorder, vorder);
-+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
- }
- 
- int
- __glXMap2fReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint uorder, vorder, k;
-+    GLint uorder, vorder;
- 
-     target = *(GLenum *) (pc + 0);
-     uorder = *(GLint *) (pc + 12);
-@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
-         uorder = SWAPL(uorder);
-         vorder = SWAPL(vorder);
-     }
--    k = __glMap2f_size(target);
--    return 4 * Map2Size(k, uorder, vorder);
-+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
- }
- 
- /**
-@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
-     GLint groupSize, rowSize, padding, imageSize;
- 
-+    if (w == 0 || h == 0 || d == 0)
-+        return 0;
-+
-     if (w < 0 || h < 0 || d < 0 ||
-         (type == GL_BITMAP &&
-          (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
-         return -1;
-     }
--    if (w == 0 || h == 0 || d == 0)
--        return 0;
- 
-+    /* proxy targets have no data */
-     switch (target) {
-     case GL_PROXY_TEXTURE_1D:
-     case GL_PROXY_TEXTURE_2D:
-@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         return 0;
-     }
- 
-+    /* real data has to have real sizes */
-+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
-+        return -1;
-+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
-+        return -1;
-+
-     if (type == GL_BITMAP) {
-         if (rowLength > 0) {
-             groupsPerRow = rowLength;
-@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-             groupsPerRow = w;
-         }
-         rowSize = bits_to_bytes(groupsPerRow);
-+        if (rowSize < 0)
-+            return -1;
-         padding = (rowSize % alignment);
-         if (padding) {
-             rowSize += alignment - padding;
-         }
--        return ((h + skipRows) * rowSize);
-+
-+        return safe_mul(safe_add(h, skipRows), rowSize);
-     }
-     else {
-         switch (format) {
-@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         default:
-             return -1;
-         }
-+        /* known safe by the switches above, not checked */
-         groupSize = bytesPerElement * elementsPerGroup;
-         if (rowLength > 0) {
-             groupsPerRow = rowLength;
-@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         else {
-             groupsPerRow = w;
-         }
--        rowSize = groupsPerRow * groupSize;
-+
-+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
-+            return -1;
-         padding = (rowSize % alignment);
-         if (padding) {
-             rowSize += alignment - padding;
-         }
--        if (imageHeight > 0) {
--            imageSize = (imageHeight + skipRows) * rowSize;
--        }
--        else {
--            imageSize = (h + skipRows) * rowSize;
--        }
--        return ((d + skipImages) * imageSize);
-+
-+        if (imageHeight > 0)
-+            h = imageHeight;
-+        h = safe_add(h, skipRows);
-+
-+        imageSize = safe_mul(h, rowSize);
-+
-+        return safe_mul(safe_add(d, skipImages), imageSize);
-     }
- }
- 
-@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
-     /* XXX Should rowLength be used for either or both image? */
-     image1size = __glXImageSize(format, type, 0, w, 1, 1,
-                                 0, rowLength, 0, 0, alignment);
--    image1size = __GLX_PAD(image1size);
-     image2size = __glXImageSize(format, type, 0, h, 1, 1,
-                                 0, rowLength, 0, 0, alignment);
--    return image1size + image2size;
--
-+    return safe_add(safe_pad(image1size), image2size);
- }
--- 
-1.9.3
-
diff --git a/SOURCES/0027-glx-Top-level-length-checking-for-swapped-VendorPriv.patch b/SOURCES/0027-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
deleted file mode 100644
index 06456e5..0000000
--- a/SOURCES/0027-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 4123cc39c0d1c801f3e41bb5c36dad904cbe5509 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:44 -0500
-Subject: [PATCH 27/33] glx: Top-level length checking for swapped
- VendorPrivate requests [CVE-2014-8098 4/8]
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxcmdsswap.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
-index 5d179f3..9ec1222 100644
---- a/glx/glxcmdsswap.c
-+++ b/glx/glxcmdsswap.c
-@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXVendorPrivateReq *req;
-     GLint vendorcode;
-     __GLXdispatchVendorPrivProcPtr proc;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
- 
-     req = (xGLXVendorPrivateReq *) pc;
-     __GLX_SWAP_SHORT(&req->length);
-@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXVendorPrivateWithReplyReq *req;
-     GLint vendorcode;
-     __GLXdispatchVendorPrivProcPtr proc;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
- 
-     req = (xGLXVendorPrivateWithReplyReq *) pc;
-     __GLX_SWAP_SHORT(&req->length);
--- 
-1.9.3
-
diff --git a/SOURCES/0028-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch b/SOURCES/0028-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
deleted file mode 100644
index 2d2355b..0000000
--- a/SOURCES/0028-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 4c8973a3f7632b82367c439b30c2b9444112c2ac Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:45 -0500
-Subject: [PATCH 28/33] glx: Request length checks for SetClientInfoARB
- [CVE-2014-8098 5/8]
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/clientinfo.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/glx/clientinfo.c b/glx/clientinfo.c
-index 4aaa4c9..c5fef30 100644
---- a/glx/clientinfo.c
-+++ b/glx/clientinfo.c
-@@ -33,18 +33,21 @@ static int
- set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
-                 unsigned bytes_per_version)
- {
-+    ClientPtr client = cl->client;
-     char *gl_extensions;
-     char *glx_extensions;
- 
-+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
-+
-     /* Verify that the size of the packet matches the size inferred from the
-      * sizes specified for the various fields.
-      */
--    const unsigned expected_size = sz_xGLXSetClientInfoARBReq
--        + (req->numVersions * bytes_per_version)
--        + __GLX_PAD(req->numGLExtensionBytes)
--        + __GLX_PAD(req->numGLXExtensionBytes);
-+    int size = sz_xGLXSetClientInfoARBReq;
-+    size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
-+    size = safe_add(size, safe_pad(req->numGLExtensionBytes));
-+    size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
- 
--    if (req->length != (expected_size / 4))
-+    if (size < 0 || req->length != (size / 4))
-         return BadLength;
- 
-     /* Verify that the actual length of the GL extension string matches what's
-@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
- 
-+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
-+
-     req->length = bswap_16(req->length);
-     req->numVersions = bswap_32(req->numVersions);
-     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
-@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
- 
-+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
-+
-     req->length = bswap_16(req->length);
-     req->numVersions = bswap_32(req->numVersions);
-     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
--- 
-1.9.3
-
diff --git a/SOURCES/0029-glx-Length-checking-for-non-generated-vendor-private.patch b/SOURCES/0029-glx-Length-checking-for-non-generated-vendor-private.patch
deleted file mode 100644
index 35ad31f..0000000
--- a/SOURCES/0029-glx-Length-checking-for-non-generated-vendor-private.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ba4578b09afdd9d7b232b442bba14520779a0a8d Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:46 -0500
-Subject: [PATCH 29/33] glx: Length-checking for non-generated vendor private
- requests [CVE-2014-8098 6/8]
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/indirect_program.c | 2 ++
- glx/swap_interval.c    | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/glx/indirect_program.c b/glx/indirect_program.c
-index fa4a240..965d7ed 100644
---- a/glx/indirect_program.c
-+++ b/glx/indirect_program.c
-@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
-     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
-+
-     pc += __GLX_VENDPRIV_HDR_SIZE;
-     if (cx != NULL) {
-         GLenum target;
-diff --git a/glx/swap_interval.c b/glx/swap_interval.c
-index 17bc992..2320550 100644
---- a/glx/swap_interval.c
-+++ b/glx/swap_interval.c
-@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
-     __GLXcontext *cx;
-     GLint interval;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
-+
-     cx = __glXLookupContextByTag(cl, tag);
- 
-     if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
--- 
-1.9.3
-
diff --git a/SOURCES/0030-glx-Length-checking-for-non-generated-single-request.patch b/SOURCES/0030-glx-Length-checking-for-non-generated-single-request.patch
deleted file mode 100644
index 98c6b7d..0000000
--- a/SOURCES/0030-glx-Length-checking-for-non-generated-single-request.patch
+++ /dev/null
@@ -1,565 +0,0 @@
-From 98fbd6f58553ba0d193a06d2b7b1820ea4483e67 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:47 -0500
-Subject: [PATCH 30/33] glx: Length checking for non-generated single requests
- (v2) [CVE-2014-8098 7/8]
-
-v2:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-v3:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/indirect_texture_compression.c |  4 ++++
- glx/single2.c                      | 23 +++++++++++++++-----
- glx/single2swap.c                  | 19 ++++++++++++----
- glx/singlepix.c                    | 44 +++++++++++++++++++++++++-------------
- glx/singlepixswap.c                | 34 ++++++++++++++++++++++++-----
- 5 files changed, 95 insertions(+), 29 deletions(-)
-
-diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
-index 94de47d..bb640ad 100644
---- a/glx/indirect_texture_compression.c
-+++ b/glx/indirect_texture_compression.c
-@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
-     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     pc += __GLX_SINGLE_HDR_SIZE;
-     if (cx != NULL) {
-         const GLenum target = *(GLenum *) (pc + 0);
-@@ -85,6 +87,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
-         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     pc += __GLX_SINGLE_HDR_SIZE;
-     if (cx != NULL) {
-         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
-diff --git a/glx/single2.c b/glx/single2.c
-index 53b661d..a6ea614 100644
---- a/glx/single2.c
-+++ b/glx/single2.c
-@@ -45,11 +45,14 @@
- int
- __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     GLsizei size;
-     GLenum type;
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLsizei size;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     xGLXRenderModeReply reply;
-     __GLXcontext *cx;
-     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
-     GLenum newMode;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
-      ** selection array, as per the API for glRenderMode itself.
-      */
-  noChangeAllowed:;
--    client = cl->client;
-     reply = (xGLXRenderModeReply) {
-         .type = X_Reply,
-         .sequenceNumber = client->sequence,
-@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
--    ClientPtr client;
-     int error;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
- int
- DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLenum name;
-     const char *string;
-@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
-     char *buf = NULL, *buf1 = NULL;
-     GLint length = 0;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     /* If the client has the opposite byte order, swap the contextTag and
-      * the name.
-      */
-@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
-     pc += __GLX_SINGLE_HDR_SIZE;
-     name = *(GLenum *) (pc + 0);
-     string = (const char *) glGetString(name);
--    client = cl->client;
- 
-     if (string == NULL)
-         string = "";
-diff --git a/glx/single2swap.c b/glx/single2swap.c
-index 764501f..5349069 100644
---- a/glx/single2swap.c
-+++ b/glx/single2swap.c
-@@ -41,6 +41,7 @@
- int
- __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     GLsizei size;
-     GLenum type;
- 
-@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLsizei size;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     xGLXRenderModeReply reply;
-     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
-     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
-      ** selection array, as per the API for glRenderMode itself.
-      */
-  noChangeAllowed:;
--    client = cl->client;
-     reply = (xGLXRenderModeReply) {
-         .type = X_Reply,
-         .sequenceNumber = client->sequence,
-@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     int error;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
--    ClientPtr client;
-     int error;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
-     cx->hasUnflushedCommands = GL_FALSE;
- 
-     /* Send empty reply packet to indicate finish is finished */
--    client = cl->client;
-     __GLX_BEGIN_REPLY(0);
-     __GLX_PUT_RETVAL(0);
-     __GLX_SWAP_REPLY_HEADER();
-diff --git a/glx/singlepix.c b/glx/singlepix.c
-index 8b6c261..54ed7fd 100644
---- a/glx/singlepix.c
-+++ b/glx/singlepix.c
-@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     int error;
-     char *answer, answerBuffer[200];
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     char *answer, answerBuffer[200];
-     GLint width = 0, height = 0, depth = 1;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
-     GLubyte answerBuffer[200];
-     char *answer;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
--    if (compsize < 0)
-+    if ((compsize = safe_pad(compsize)) < 0)
-         return BadLength;
--    if (compsize2 < 0)
-+    if ((compsize2 = safe_pad(compsize2)) < 0)
-         return BadLength;
--    compsize = __GLX_PAD(compsize);
--    compsize2 = __GLX_PAD(compsize2);
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
--    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
-     __glXClearErrorOccured();
-     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
-                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
-@@ -249,7 +253,8 @@ int
- __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -257,7 +262,8 @@ int
- __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -323,7 +329,8 @@ int
- __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -331,7 +338,8 @@ int
- __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -390,7 +398,8 @@ int
- __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -398,7 +407,8 @@ int
- __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -450,7 +460,8 @@ int
- __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -458,7 +469,8 @@ int
- __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -517,7 +529,8 @@ int
- __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -525,6 +538,7 @@ int
- __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
-index 8dc304f..9eff592 100644
---- a/glx/singlepixswap.c
-+++ b/glx/singlepixswap.c
-@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     int error;
-     char *answer, answerBuffer[200];
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     char *answer, answerBuffer[200];
-     GLint width = 0, height = 0, depth = 1;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
--    if (compsize < 0)
-+    if ((compsize = safe_pad(compsize)) < 0)
-         return BadLength;
--    if (compsize2 < 0)
-+    if ((compsize2 = safe_pad(compsize2)) < 0)
-         return BadLength;
--    compsize = __GLX_PAD(compsize);
--    compsize2 = __GLX_PAD(compsize2);
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
--    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
-     __glXClearErrorOccured();
-     glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
-                          *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
-@@ -285,7 +289,9 @@ int
- __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -293,7 +299,9 @@ int
- __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -367,7 +375,9 @@ int
- __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -375,7 +385,9 @@ int
- __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -441,7 +453,9 @@ int
- __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -449,7 +463,9 @@ int
- __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -507,7 +523,9 @@ int
- __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -515,7 +533,9 @@ int
- __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -581,7 +601,9 @@ int
- __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -589,6 +611,8 @@ int
- __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
--- 
-1.9.3
-
diff --git a/SOURCES/0031-glx-Fix-mask-truncation-in-__glXGetAnswerBuffer-CVE-.patch b/SOURCES/0031-glx-Fix-mask-truncation-in-__glXGetAnswerBuffer-CVE-.patch
deleted file mode 100644
index cdbbba1..0000000
--- a/SOURCES/0031-glx-Fix-mask-truncation-in-__glXGetAnswerBuffer-CVE-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 32a1e43ecfe456363ddcb87cc39ef80bcb44fd55 Mon Sep 17 00:00:00 2001
-From: Robert Morell <rmorell@nvidia.com>
-Date: Wed, 12 Nov 2014 18:51:43 -0800
-Subject: [PATCH 31/33] glx: Fix mask truncation in __glXGetAnswerBuffer
- [CVE-2014-8093 6/6]
-
-On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
-bitwise not operation will result in a mask that clears all high bits
-from temp_buf in the expression:
-        temp_buf = (temp_buf + mask) & ~mask;
-
-Signed-off-by: Robert Morell <rmorell@nvidia.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/indirect_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index 183af83..cebb782 100644
---- a/glx/indirect_util.c
-+++ b/glx/indirect_util.c
-@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
-                      void *local_buffer, size_t local_size, unsigned alignment)
- {
-     void *buffer = local_buffer;
--    const unsigned mask = alignment - 1;
-+    const intptr_t mask = alignment - 1;
- 
-     if (local_size < required_size) {
-         size_t worst_case_size;
--- 
-1.9.3
-
diff --git a/SOURCES/0032-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch b/SOURCES/0032-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
deleted file mode 100644
index e057a3b..0000000
--- a/SOURCES/0032-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 8f27c9536131c71dddc120344ed5cd3643e99135 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:43 -0500
-Subject: [PATCH 32/33] glx: Length checking for RenderLarge requests (v2)
- [CVE-2014-8098 3/8]
-
-This is a half-measure until we start passing request length into the
-varsize function, but it's better than the nothing we had before.
-
-v2: Verify that there's at least a large render header's worth of
-dataBytes (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 34 insertions(+), 23 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index 5b37e37..317e113 100644
---- a/glx/glxcmds.c
-+++ b/glx/glxcmds.c
-@@ -2099,6 +2099,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
-+
-     req = (xGLXRenderLargeReq *) pc;
-     if (client->swapped) {
-         __GLX_SWAP_SHORT(&req->length);
-@@ -2114,12 +2116,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-         __glXResetLargeCommandStatus(cl);
-         return error;
-     }
-+    if (safe_pad(req->dataBytes) < 0)
-+        return BadLength;
-     dataBytes = req->dataBytes;
- 
-     /*
-      ** Check the request length.
-      */
--    if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
-+    if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
-         client->errorValue = req->length;
-         /* Reset in case this isn't 1st request. */
-         __glXResetLargeCommandStatus(cl);
-@@ -2129,7 +2133,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- 
-     if (cl->largeCmdRequestsSoFar == 0) {
-         __GLXrenderSizeData entry;
--        int extra;
-+        int extra = 0;
-         size_t cmdlen;
-         int err;
- 
-@@ -2142,13 +2146,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-             return __glXError(GLXBadLargeRequest);
-         }
- 
-+        if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
-+            return BadLength;
-+
-         hdr = (__GLXrenderLargeHeader *) pc;
-         if (client->swapped) {
-             __GLX_SWAP_INT(&hdr->length);
-             __GLX_SWAP_INT(&hdr->opcode);
-         }
--        cmdlen = hdr->length;
-         opcode = hdr->opcode;
-+        if ((cmdlen = safe_pad(hdr->length)) < 0)
-+            return BadLength;
- 
-         /*
-          ** Check for core opcodes and grab entry data.
-@@ -2170,17 +2178,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-             if (extra < 0) {
-                 return BadLength;
-             }
--            /* large command's header is 4 bytes longer, so add 4 */
--            if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--                return BadLength;
--            }
-         }
--        else {
--            /* constant size command */
--            if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
--                return BadLength;
--            }
-+
-+        /* the +4 is safe because we know entry.bytes is small */
-+        if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
-+            return BadLength;
-         }
-+
-         /*
-          ** Make enough space in the buffer, then copy the entire request.
-          */
-@@ -2207,6 +2211,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-          ** We are receiving subsequent (i.e. not the first) requests of a
-          ** multi request command.
-          */
-+        int bytesSoFar; /* including this packet */
- 
-         /*
-          ** Check the request number and the total request count.
-@@ -2225,11 +2230,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-         /*
-          ** Check that we didn't get too much data.
-          */
--        if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
-+        if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
-+            client->errorValue = dataBytes;
-+            __glXResetLargeCommandStatus(cl);
-+            return __glXError(GLXBadLargeRequest);
-+        }
-+
-+        if (bytesSoFar > cl->largeCmdBytesTotal) {
-             client->errorValue = dataBytes;
-             __glXResetLargeCommandStatus(cl);
-             return __glXError(GLXBadLargeRequest);
-         }
-+
-         memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
-         cl->largeCmdBytesSoFar += dataBytes;
-         cl->largeCmdRequestsSoFar++;
-@@ -2241,17 +2253,16 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-              ** This is the last request; it must have enough bytes to complete
-              ** the command.
-              */
--            /* NOTE: the two pad macros have been added below; they are needed
--             ** because the client library pads the total byte count, but not
--             ** the per-request byte counts.  The Protocol Encoding says the
--             ** total byte count should not be padded, so a proposal will be 
--             ** made to the ARB to relax the padding constraint on the total 
--             ** byte count, thus preserving backward compatibility.  Meanwhile, 
--             ** the padding done below fixes a bug that did not allow
--             ** large commands of odd sizes to be accepted by the server.
-+            /* NOTE: the pad macro below is needed because the client library
-+             ** pads the total byte count, but not the per-request byte counts.
-+             ** The Protocol Encoding says the total byte count should not be
-+             ** padded, so a proposal will be made to the ARB to relax the
-+             ** padding constraint on the total byte count, thus preserving
-+             ** backward compatibility.  Meanwhile, the padding done below
-+             ** fixes a bug that did not allow large commands of odd sizes to
-+             ** be accepted by the server.
-              */
--            if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
--                __GLX_PAD(cl->largeCmdBytesTotal)) {
-+            if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
-                 client->errorValue = dataBytes;
-                 __glXResetLargeCommandStatus(cl);
-                 return __glXError(GLXBadLargeRequest);
--- 
-1.9.3
-
diff --git a/SOURCES/0033-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/SOURCES/0033-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
deleted file mode 100644
index f0d0bdd..0000000
--- a/SOURCES/0033-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
+++ /dev/null
@@ -1,917 +0,0 @@
-From 58b89d38df58b11d8492af605b571b4232761220 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:48 -0500
-Subject: [PATCH 33/33] glx: Pass remaining request length into ->varsize (v2)
- [CVE-2014-8098 8/8]
-
-v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
-
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
----
- glx/glxcmds.c          |   7 +-
- glx/glxserver.h        |   2 +-
- glx/indirect_reqsize.c | 142 +++++++++++++++++++-------------------
- glx/indirect_reqsize.h | 181 ++++++++++++++++++++++++++++++-------------------
- glx/rensize.c          |  27 +++++---
- 5 files changed, 205 insertions(+), 154 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index 317e113..e3bff67 100644
---- a/glx/glxcmds.c
-+++ b/glx/glxcmds.c
-@@ -2057,7 +2057,8 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-         if (entry.varsize) {
-             /* variable size command */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
--                                      client->swapped);
-+                                      client->swapped,
-+                                      left - __GLX_RENDER_HDR_SIZE);
-             if (extra < 0) {
-                 return BadLength;
-             }
-@@ -2134,6 +2135,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-     if (cl->largeCmdRequestsSoFar == 0) {
-         __GLXrenderSizeData entry;
-         int extra = 0;
-+        int left = (req->length << 2) - sz_xGLXRenderLargeReq;
-         size_t cmdlen;
-         int err;
- 
-@@ -2174,7 +2176,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-              ** will be in the 1st request, so it's okay to do this.
-              */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
--                                      client->swapped);
-+                                      client->swapped,
-+                                      left - __GLX_RENDER_LARGE_HDR_SIZE);
-             if (extra < 0) {
-                 return BadLength;
-             }
-diff --git a/glx/glxserver.h b/glx/glxserver.h
-index 14c5dda..0083721 100644
---- a/glx/glxserver.h
-+++ b/glx/glxserver.h
-@@ -179,7 +179,7 @@ typedef int (*__GLXprocPtr) (__GLXclientState *, char *pc);
- /*
-  * Tables for computing the size of each rendering command.
-  */
--typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
-+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
- 
- typedef struct {
-     int bytes;
-diff --git a/glx/indirect_reqsize.c b/glx/indirect_reqsize.c
-index 026afb6..092a421 100644
---- a/glx/indirect_reqsize.c
-+++ b/glx/indirect_reqsize.c
-@@ -31,24 +31,22 @@
- #include "indirect_size.h"
- #include "indirect_reqsize.h"
- 
--#define __GLX_PAD(x)  (((x) + 3) & ~3)
--
- #if defined(__CYGWIN__) || defined(__MINGW32__)
- #undef HAVE_ALIAS
- #endif
- #ifdef HAVE_ALIAS
- #define ALIAS2(from,to) \
--    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-         __attribute__ ((alias( # to )));
- #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
- #else
- #define ALIAS(from,to) \
--    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
--    { return __glX ## to ## ReqSize( pc, swap ); }
-+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-+    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
- #endif
- 
- int
--__glXCallListsReqSize(const GLbyte * pc, Bool swap)
-+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
-     GLenum type = *(GLenum *) (pc + 4);
-@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glCallLists_size(type);
--    return __GLX_PAD((compsize * n));
-+    return safe_pad(safe_mul(compsize, n));
- }
- 
- int
--__glXBitmapReqSize(const GLbyte * pc, Bool swap)
-+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXFogfvReqSize(const GLbyte * pc, Bool swap)
-+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glFogfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXLightfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glLightfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glLightModelfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
-+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glMaterialfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
-+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glTexParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glTexEnvfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glTexGendv_size(pname);
--    return __GLX_PAD((compsize * 8));
-+    return safe_pad(safe_mul(compsize, 8));
- }
- 
- int
--__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glTexGenfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei mapsize = *(GLsizei *) (pc + 4);
- 
-@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
-         mapsize = bswap_32(mapsize);
-     }
- 
--    return __GLX_PAD((mapsize * 4));
-+    return safe_pad(safe_mul(mapsize, 4));
- }
- 
- int
--__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei mapsize = *(GLsizei *) (pc + 4);
- 
-@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
-         mapsize = bswap_32(mapsize);
-     }
- 
--    return __GLX_PAD((mapsize * 2));
-+    return safe_pad(safe_mul(mapsize, 2));
- }
- 
- int
--__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
-+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
- 
-@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 4) + (n * 4));
-+    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
- }
- 
- int
--__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXColorTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glColorTableParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glConvolutionParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = *(GLint *) (pc + 8);
-@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = *(GLint *) (pc + 8);
-@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 20);
- 
-@@ -621,11 +619,11 @@ __glXCompressedTexImage1DReqSize(const GLbyte * pc, Bool swap)
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 24);
- 
-@@ -633,11 +631,11 @@ __glXCompressedTexImage2DReqSize(const GLbyte * pc, Bool swap)
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 28);
- 
-@@ -645,11 +643,11 @@ __glXCompressedTexImage3DReqSize(const GLbyte * pc, Bool swap)
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 36);
- 
-@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXPointParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -671,11 +669,11 @@ __glXPointParameterfvReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     compsize = __glPointParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawBuffersReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
- 
-@@ -683,11 +681,11 @@ __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 4));
-+    return safe_pad(safe_mul(n, 4));
- }
- 
- int
--__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei len = *(GLsizei *) (pc + 8);
- 
-@@ -695,11 +693,11 @@ __glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
-         len = bswap_32(len);
-     }
- 
--    return __GLX_PAD(len);
-+    return safe_pad(len);
- }
- 
- int
--__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -707,11 +705,11 @@ __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 8));
-+    return safe_pad(safe_mul(n, 8));
- }
- 
- int
--__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -719,11 +717,11 @@ __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 16));
-+    return safe_pad(safe_mul(n, 16));
- }
- 
- int
--__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -731,11 +729,11 @@ __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 24));
-+    return safe_pad(safe_mul(n, 24));
- }
- 
- int
--__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -743,11 +741,11 @@ __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 12));
-+    return safe_pad(safe_mul(n, 12));
- }
- 
- int
--__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -755,11 +753,11 @@ __glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 6));
-+    return safe_pad(safe_mul(n, 6));
- }
- 
- int
--__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -767,7 +765,7 @@ __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 32));
-+    return safe_pad(safe_mul(n, 32));
- }
- 
- ALIAS(Fogiv, Fogfv)
-diff --git a/glx/indirect_reqsize.h b/glx/indirect_reqsize.h
-index 43e1e69..f0d8893 100644
---- a/glx/indirect_reqsize.h
-+++ b/glx/indirect_reqsize.h
-@@ -36,115 +36,156 @@
- #define PURE
- #endif
- 
--extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
--                                                   Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
--                                                   Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
-+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
-+                                                int reqlen);
-+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
-+                                             int reqlen);
-+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
-+                                              int reqlen);
-+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
-+                                              int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
-+                                                   int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
-+                                                   int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
--                                                     Bool swap);
-+                                                     Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
--                                                     Bool swap);
-+                                                     Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
--                                                     Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
-+                                                     Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
-+                                                  int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
-+                                                  int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
--                                                    Bool swap);
--extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
-+                                                    Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
--                                                            Bool swap);
-+                                                            Bool swap,
-+                                                            int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
--                                                            Bool swap);
-+                                                            Bool swap,
-+                                                            int reqlen);
- extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap,
-+                                                             int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap,
-+                                                             int reqlen);
- extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
--                                                        Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
-+                                                        Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage1DReqSize(const GLbyte * pc,
--                                                           Bool swap);
-+                                                           Bool swap,
-+                                                           int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage2DReqSize(const GLbyte * pc,
--                                                           Bool swap);
-+                                                           Bool swap,
-+                                                           int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage3DReqSize(const GLbyte * pc,
--                                                           Bool swap);
-+                                                           Bool swap,
-+                                                           int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterfvReqSize(const GLbyte * pc,
--                                                       Bool swap);
-+                                                       Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterivReqSize(const GLbyte * pc,
--                                                       Bool swap);
--extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap);
-+                                                       Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawBuffersReqSize(const GLbyte * pc, Bool swap,
-+                                                  int reqlen);
- extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
--                                                       Bool swap);
-+                                                       Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteFramebuffersReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteRenderbuffersReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- 
- #undef PURE
- 
-diff --git a/glx/rensize.c b/glx/rensize.c
-index 6ee0f9c..a532467 100644
---- a/glx/rensize.c
-+++ b/glx/rensize.c
-@@ -44,7 +44,7 @@
-    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
- 
- int
--__glXMap1dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint order;
-@@ -61,7 +61,7 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXMap1fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint order;
-@@ -86,7 +86,7 @@ Map2Size(int k, int majorOrder, int minorOrder)
- }
- 
- int
--__glXMap2dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint uorder, vorder;
-@@ -103,7 +103,7 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
- }
- 
- int
--__glXMap2fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint uorder, vorder;
-@@ -359,13 +359,14 @@ __glXTypeSize(GLenum enm)
- }
- 
- int
--__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
-     __GLXdispatchDrawArraysComponentHeader *compHeader;
-     GLint numVertexes = hdr->numVertexes;
-     GLint numComponents = hdr->numComponents;
-     GLint arrayElementSize = 0;
-+    GLint x, size;
-     int i;
- 
-     if (swap) {
-@@ -374,6 +375,13 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
-     }
- 
-     pc += sizeof(__GLXdispatchDrawArraysHeader);
-+    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
-+
-+    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
-+                    numComponents);
-+    if (size < 0 || reqlen < 0 || reqlen < size)
-+        return -1;
-+
-     compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
- 
-     for (i = 0; i < numComponents; i++) {
-@@ -417,17 +425,18 @@ __glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
-             return -1;
-         }
- 
--        arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
-+        x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
-+        if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
-+            return -1;
- 
-         pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
-     }
- 
--    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
--            (numVertexes * arrayElementSize));
-+    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
- }
- 
- int
--__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     __GLXdispatchConvolutionFilterHeader *hdr =
-         (__GLXdispatchConvolutionFilterHeader *) pc;
--- 
-1.9.3
-
diff --git a/SOURCES/0040-xfree86-Keep-a-non-seat0-X-server-from-touching-VTs-.patch b/SOURCES/0040-xfree86-Keep-a-non-seat0-X-server-from-touching-VTs-.patch
deleted file mode 100644
index 80ee1cd..0000000
--- a/SOURCES/0040-xfree86-Keep-a-non-seat0-X-server-from-touching-VTs-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From b2e2ea665f284517690d8501aa5de2f708ea6e7d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?= <lbsousajr@gmail.com>
-Date: Thu, 12 Dec 2013 14:22:48 -0200
-Subject: [PATCH] xfree86: Keep a non-seat0 X server from touching VTs (#71258)
-
-Updated patch following Hans de Goede's advice.
-
-If -seat option is passed with a value different from seat0,
-X server won't call xf86OpenConsole().
-
-This is needed to avoid any race condition between seat0 and
-non-seat0 X servers. If a non-seat0 X server opens a given VT
-before a seat0 one which expects to open the same VT, one can
-get an inactive systemd-logind graphical session for seat0.
-
-This patch was first tested in a multiseat setup with multiple
-video cards and works quite well.
-
-I suppose it can also make things like DontVTSwitch and -sharevts
-meaningless for non-seat0 seats, so it may fix bug #69477, too.
-
-Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=71258
-       https://bugs.freedesktop.org/show_bug.cgi?id=69477 (maybe)
-
-See also: http://lists.x.org/archives/xorg-devel/2013-October/038391.html
-          https://bugzilla.redhat.com/show_bug.cgi?id=1018196
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-Reviewed-by: Hans de Goede <hdegoede@redhat.com>
----
- hw/xfree86/common/xf86Init.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
-index f95eec5..4729879 100644
---- a/hw/xfree86/common/xf86Init.c
-+++ b/hw/xfree86/common/xf86Init.c
-@@ -554,7 +554,8 @@ InitOutput(ScreenInfo * pScreenInfo, int argc, char **argv)
-             if (NEED_IO_ENABLED(flags))
-                 want_hw_access = TRUE;
- 
--            if (!(flags & HW_SKIP_CONSOLE))
-+	    /* Non-seat0 X servers should not open console */
-+	    if (!(flags & HW_SKIP_CONSOLE) && !ServerIsNotSeat0())
-                 xorgHWOpenConsole = TRUE;
-         }
- 
--- 
-2.1.0
-
diff --git a/SOURCES/xserver-1.6.99-right-of.patch b/SOURCES/xserver-1.6.99-right-of.patch
deleted file mode 100644
index bf7e7c8..0000000
--- a/SOURCES/xserver-1.6.99-right-of.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 291bc9f827188461ff9717efccec1e350db537e8 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Tue, 28 Jul 2009 11:07:13 -0400
-Subject: [PATCH 3/7] RANDR: right-of placement by default
-
-[Enhanced to add a new prefer clone option for drivers. This
-allows for servers like RN50 where two heads are disjoint. - airlied]
----
- hw/xfree86/common/xf86str.h |    8 ++++-
- hw/xfree86/modes/xf86Crtc.c |   76 ++++++++++++++++++++++++++++++++++++++-----
- 2 files changed, 75 insertions(+), 9 deletions(-)
-
-diff --git a/hw/xfree86/common/xf86str.h b/hw/xfree86/common/xf86str.h
-index 0590262..d246634 100644
---- a/hw/xfree86/common/xf86str.h
-+++ b/hw/xfree86/common/xf86str.h
-@@ -508,10 +508,13 @@ typedef struct _confdrirec {
- } confDRIRec, *confDRIPtr;
- 
- /* These values should be adjusted when new fields are added to ScrnInfoRec */
--#define NUM_RESERVED_INTS		16
-+#define NUM_RESERVED_INTS		15
- #define NUM_RESERVED_POINTERS		14
- #define NUM_RESERVED_FUNCS		10
- 
-+/* let clients know they can use this */
-+#define XF86_SCRN_HAS_PREFER_CLONE 1
-+
- typedef pointer (*funcPointer) (void);
- 
- /* flags for depth 24 pixmap options */
-@@ -769,6 +772,9 @@ typedef struct _ScrnInfoRec {
-     ClockRangePtr clockRanges;
-     int adjustFlags;
- 
-+    /* initial rightof support disable */
-+    int                 preferClone;
-+
-     /*
-      * These can be used when the minor ABI version is incremented.
-      * The NUM_* parameters must be reduced appropriately to keep the
-diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
-index 154f684..c58088d 100644
---- a/hw/xfree86/modes/xf86Crtc.c
-+++ b/hw/xfree86/modes/xf86Crtc.c
-@@ -1130,6 +1130,15 @@ xf86InitialOutputPositions(ScrnInfoPtr scrn, DisplayModePtr * modes)
-     int o;
-     int min_x, min_y;
- 
-+    /* check for initial right-of heuristic */
-+    for (o = 0; o < config->num_output; o++)
-+    {
-+        xf86OutputPtr output = config->output[o];
-+
-+        if (output->initial_x || output->initial_y)
-+            return TRUE;
-+    }
-+
-     for (o = 0; o < config->num_output; o++) {
-         xf86OutputPtr output = config->output[o];
- 
-@@ -1998,6 +2007,57 @@ bestModeForAspect(xf86CrtcConfigPtr config, Bool *enabled, float aspect)
-     return match;
- }
- 
-+static int
-+numEnabledOutputs(xf86CrtcConfigPtr config, Bool *enabled)
-+{
-+    int i = 0, p;
-+
-+    for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++) ;
-+
-+    return i;
-+}
-+
-+static Bool
-+xf86TargetRightOf(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
-+                  DisplayModePtr *modes, Bool *enabled,
-+                  int width, int height)
-+{
-+    int o;
-+    int w = 0;
-+
-+    if (scrn->preferClone)
-+        return FALSE;
-+
-+    if (numEnabledOutputs(config, enabled) < 2)
-+        return FALSE;
-+
-+    for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
-+        DisplayModePtr mode =
-+            xf86OutputHasPreferredMode(config->output[o], width, height);
-+
-+        if (!mode)
-+            return FALSE;
-+
-+        w += mode->HDisplay;
-+    }
-+
-+    if (w > width)
-+        return FALSE;
-+
-+    w = 0;
-+    for (o = -1; nextEnabledOutput(config, enabled, &o); ) {
-+        DisplayModePtr mode =
-+            xf86OutputHasPreferredMode(config->output[o], width, height);
-+
-+        config->output[o]->initial_x = w;
-+        w += mode->HDisplay;
-+
-+        modes[o] = mode;
-+    }
-+
-+    return TRUE;
-+}
-+
- static Bool
- xf86TargetPreferred(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
-                     DisplayModePtr * modes, Bool *enabled,
-@@ -2074,14 +2134,10 @@ xf86TargetPreferred(ScrnInfoPtr scrn, xf86CrtcConfigPtr config,
-      */
-     if (!ret)
-         do {
--            int i = 0;
-             float aspect = 0.0;
-             DisplayModePtr a = NULL, b = NULL;
- 
--            /* count the number of enabled outputs */
--            for (i = 0, p = -1; nextEnabledOutput(config, enabled, &p); i++);
--
--            if (i != 1)
-+            if (numEnabledOutputs(config, enabled) != 1)
-                 break;
- 
-             p = -1;
-@@ -2385,6 +2441,8 @@ xf86InitialConfiguration(ScrnInfoPtr scrn, Bool canGrow)
-     else {
-         if (xf86TargetUserpref(scrn, config, modes, enabled, width, height))
-             xf86DrvMsg(i, X_INFO, "Using user preference for initial modes\n");
-+        else if (xf86TargetRightOf(scrn, config, modes, enabled, width, height))
-+            xf86DrvMsg(i, X_INFO, "Using spanning desktop for initial modes\n");
-         else if (xf86TargetPreferred
-                  (scrn, config, modes, enabled, width, height))
-             xf86DrvMsg(i, X_INFO, "Using exact sizes for initial modes\n");
-@@ -2404,9 +2462,11 @@ xf86InitialConfiguration(ScrnInfoPtr scrn, Bool canGrow)
-                        "Output %s enabled but has no modes\n",
-                        config->output[o]->name);
-         else
--            xf86DrvMsg(scrn->scrnIndex, X_INFO,
--                       "Output %s using initial mode %s\n",
--                       config->output[o]->name, modes[o]->name);
-+            xf86DrvMsg (scrn->scrnIndex, X_INFO,
-+                        "Output %s using initial mode %s +%d+%d\n",
-+                        config->output[o]->name, modes[o]->name,
-+                        config->output[o]->initial_x,
-+                        config->output[o]->initial_y);
-     }
- 
-     /*
--- 
-1.7.10.4
-
diff --git a/SOURCES/xvfb-run.sh b/SOURCES/xvfb-run.sh
index 84ad0fc..086c8b9 100644
--- a/SOURCES/xvfb-run.sh
+++ b/SOURCES/xvfb-run.sh
@@ -64,7 +64,10 @@ Usage: $PROGNAME [OPTION ...] COMMAND
 Run COMMAND (usually an X client) in a virtual X server environment.
 Options:
 -a        --auto-servernum          try to get a free server number, starting at
-                                    --server-num
+                                    --server-num (deprecated, use --auto-display
+                                    instead)
+-d        --auto-display            use the X server to find a display number
+                                    automatically
 -e FILE   --error-file=FILE         file used to store xauth errors and Xvfb
                                     output (default: $ERRORFILE)
 -f FILE   --auth-file=FILE          file used to store auth cookie
@@ -97,7 +100,7 @@ find_free_servernum() {
 }
 
 # Parse the command line.
-ARGS=$(getopt --options +ae:f:hn:lp:s:w: \
+ARGS=$(getopt --options +ade:f:hn:lp:s:w: \
        --long auto-servernum,error-file:auth-file:,help,server-num:,listen-tcp,xauth-protocol:,server-args:,wait: \
        --name "$PROGNAME" -- "$@")
 GETOPT_STATUS=$?
@@ -112,6 +115,7 @@ eval set -- "$ARGS"
 while :; do
     case "$1" in
         -a|--auto-servernum) SERVERNUM=$(find_free_servernum) ;;
+        -d|--auto-display) AUTO_DISPLAY=1 ;;
         -e|--error-file) ERRORFILE="$2"; shift ;;
         -f|--auth-file) AUTHFILE="$2"; shift ;;
         -h|--help) SHOWHELP="yes" ;;
@@ -143,23 +147,34 @@ if ! which xauth >/dev/null; then
     exit 3
 fi
 
+# Set up the temp dir for the pid and X authorization file
+XVFB_RUN_TMPDIR="$(mktemp --directory --tmpdir $PROGNAME.XXXXXX)"
 # If the user did not specify an X authorization file to use, set up a temporary
 # directory to house one.
 if [ -z "$AUTHFILE" ]; then
-    XVFB_RUN_TMPDIR="$(mktemp --directory --tmpdir $PROGNAME.XXXXXX)"
     AUTHFILE=$(mktemp -p "$XVFB_RUN_TMPDIR" Xauthority.XXXXXX)
 fi
 
 # Start Xvfb.
 MCOOKIE=$(mcookie)
 
+if [ -z "$AUTO_DISPLAY" ]; then
+  # Old style using a pre-computed SERVERNUM
+  XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
+  2>&1 &
+  XVFBPID=$!
+else
+  # New style using Xvfb to provide a free display
+  PIDFILE=$(mktemp -p "$XVFB_RUN_TMPDIR" pid.XXXXXX)
+  SERVERNUM=$(XAUTHORITY=$AUTHFILE Xvfb -displayfd 9 $XVFBARGS $LISTENTCP \
+  9>&1 2>"$ERRORFILE" & echo $! > $PIDFILE)
+  XVFBPID=$(cat $PIDFILE)
+fi
+sleep "$STARTWAIT"
+
 XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
 add :$SERVERNUM $XAUTHPROTO $MCOOKIE
 EOF
-XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
-  2>&1 &
-XVFBPID=$!
-sleep "$STARTWAIT"
 
 # Start the command and save its exit status.
 set +e
diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec
index cc7a250..dd1fa64 100644
--- a/SPECS/xorg-x11-server.spec
+++ b/SPECS/xorg-x11-server.spec
@@ -16,11 +16,11 @@
 # source because rpm is a terrible language.
 %global ansic_major 0
 %global ansic_minor 4
-%global videodrv_major 15
+%global videodrv_major 19
 %global videodrv_minor 0
-%global xinput_major 20
+%global xinput_major 21
 %global xinput_minor 0
-%global extension_major 8
+%global extension_major 9
 %global extension_minor 0
 %endif
 
@@ -41,8 +41,8 @@
 
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
-Version:   1.15.0
-Release:   33%{?gitdate:.%{gitdate}}%{?dist}
+Version:   1.17.2
+Release:   10%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -77,105 +77,39 @@ Source40: driver-abi-rebuild.sh
 # Sync with RHEL6.6
 Patch01: 0001-dix-Fix-GrabPointer-to-not-wrongly-succeed-on-redire.patch
 Patch02: 0001-Enable-PAM-support.patch
-Patch03: 0001-ephyr-Properly-implement-hardware-cursors.patch
-Patch04: 0001-ephyr-Repaint-entire-screen-when-colormap-is-updated.patch
-Patch05: 0001-input-Remove-invalid-bug-checks.patch
-Patch06: 0001-Xephyr-restore-initial-window-resize-lost-in-xcb-con.patch
 Patch07: 0001-xf86AddBusDeviceToConfigure-Store-device-in-DevToCon.patch
-Patch08: 0001-xfree86-Add-modesetting-to-the-fallback-driver-list.patch
+Patch08: 0001-Run-vesa-probe-last.patch
 Patch09: 0001-xfree86-Allow-mixed-fbdev-and-pci-setups.patch
-Patch10: 0001-Xi-Ensure-DeviceChanged-is-emitted-after-grabs-are-d.patch
 
 # RHEL-specific mustard
 Patch100: 0001-mustard-Don-t-probe-for-drivers-not-shipped-in-RHEL7.patch
+Patch101: 0001-Always-install-vbe-and-int10-sdk-headers.patch
+
+# Backports from post-1.17
+Patch200: 0001-glx-swrast-Do-more-GLX-extension-setup.patch
+Patch201: 0001-glamor-make-current-in-prepare-paths.patch
 
 # Trivial things to never merge upstream ever:
 # This really could be done prettier.
 Patch5002: xserver-1.4.99-ssh-isnt-local.patch
-
-# ajax needs to upstream this
-Patch6030: xserver-1.6.99-right-of.patch
-
-Patch7025: 0001-Always-install-vbe-and-int10-sdk-headers.patch
-
-# do not upstream - do not even use here yet
-Patch7027: xserver-autobind-hotplug.patch
-
-# Fix multiple monitors in reverse optimus configurations
-Patch8040: 0001-rrcrtc-brackets-are-hard-lets-go-shopping.patch
-Patch8041: 0001-pixmap-fix-reverse-optimus-support-with-multiple-hea.patch
-
-# extra magic to be upstreamed
-Patch9003: 0001-link-with-z-now.patch
+Patch5003: 0001-right-of.patch
+Patch5004: xserver-autobind-hotplug.patch
+Patch5005: 0001-link-with-z-now.patch
 
 # submitted: http://lists.x.org/archives/xorg-devel/2013-October/037996.html
 Patch9100: exa-only-draw-valid-trapezoids.patch
-Patch9101: 0001-configure-Don-t-add-GLX_SYS_LIBS-to-Xorg-s-SYS_LIBS.patch
-Patch9102: 0001-dix-fix-button-state-check-before-changing-a-button-.patch
-Patch9103: 0001-randr-attempt-to-fix-primary-on-slave-output.patch
-
-Patch9200: 0040-xfree86-Keep-a-non-seat0-X-server-from-touching-VTs-.patch
-
-# Bug 1047921 - USB keyboard LED indicators do not work correctly under some circumstances
-Patch9210: 0001-xkb-factor-out-the-StateNotify-flag-check.patch
-Patch9211: 0002-xkb-factor-out-state-update-into-a-function.patch
-Patch9212: 0003-xkb-push-locked-modifier-state-down-to-attached-slav.patch
-Patch9213: 0004-xkb-ignore-floating-slave-devices-when-updating-from.patch
-
-# Bug 1095964 - X server crashes when processing events from disabled devices
-Patch9220: 0001-mi-don-t-process-events-from-disabled-devices-77884.patch
-Patch9221: 0002-mi-Build-fix-mieqProcessDeviceEvent-returns-void.patch
-Patch9922: 0003-mieq-Fix-a-crash-regression-in-mieqProcessDeviceEven.patch
-
-# ppc64le support
-Patch9230: 0001-arch-Fix-image-and-bitmap-byte-order-for-ppc64le.patch
 
 # Bug 798994 - Exposure event not generated in Xinerama mode
 Patch9231: 0001-xinerama-Implement-graphics-exposures-for-window-pix.patch
 
-# dri2 prime fixes
-Patch9300: 0001-dri2-Fix-detection-of-wrong-prime_id-in-GetScreenPri.patch
-Patch9301: 0002-dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch
-Patch9302: 0003-dri2-Invalidate-DRI2Buffers-upon-SetWindowPixmap-upd.patch
-
-# CVEs all over.
-Patch10000: 0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
-Patch10001: 0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
-Patch10002: 0003-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
-Patch10003: 0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
-Patch10004: 0005-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
-Patch10005: 0006-dri2-integer-overflow-in-ProcDRI2GetBuffers-CVE-2014.patch
-Patch10006: 0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
-Patch10007: 0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
-Patch10008: 0009-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
-Patch10009: 0010-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
-Patch10010: 0011-dri3-unvalidated-lengths-in-DRI3-extension-swapped-p.patch
-Patch10011: 0012-present-unvalidated-lengths-in-Present-extension-pro.patch
-Patch10012: 0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
-Patch10013: 0014-render-check-request-size-before-reading-it-CVE-2014.patch
-Patch10014: 0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
-Patch10015: 0016-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
-Patch10016: 0017-Add-request-length-checking-test-cases-for-some-Xinp.patch
-Patch10017: 0018-Add-request-length-checking-test-cases-for-some-Xinp.patch
-Patch10018: 0019-Add-REQUEST_FIXED_SIZE-testcases-to-test-misc.c.patch
-Patch10019: 0020-glx-Be-more-paranoid-about-variable-length-requests-.patch
-Patch10020: 0021-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
-Patch10021: 0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
-Patch10022: 0023-glx-Fix-image-size-computation-for-EXT_texture_integ.patch
-Patch10023: 0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch
-Patch10024: 0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
-Patch10025: 0026-glx-Integer-overflow-protection-for-non-generated-re.patch
-Patch10026: 0027-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
-Patch10027: 0028-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
-Patch10028: 0029-glx-Length-checking-for-non-generated-vendor-private.patch
-Patch10029: 0030-glx-Length-checking-for-non-generated-single-request.patch
-Patch10030: 0031-glx-Fix-mask-truncation-in-__glXGetAnswerBuffer-CVE-.patch
-Patch10031: 0032-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
-Patch10032: 0033-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
-
-# CVE-2015-0255
-Patch11010: 0001-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
-Patch11011: 0001-xkb-Check-strings-length-against-request-size.patch
+Patch9300: 0001-modesetting-Fix-the-error-check-from-DRM_IOCTL_MODE_.patch
+Patch9301: 0002-modesetting-Use-load_cursor_argb_check-for-sw-cursor.patch
+Patch9302: 0003-modesetting-Fix-hw-cursor-check-at-the-first-call.patch
+Patch9303: 0001-modesetting-Implement-32-24-bpp-conversion-in-shadow.patch
+Patch9304: 0001-kms-implement-a-double-buffered-shadow-mode.patch
+
+# Bug 1263989 - "Xorg -configure" command doesn't make xorg.conf.new file.
+Patch9305: 0001-modesetting-Claim-PCI-devices-as-PCI-not-platform.patch
 
 %global moduledir	%{_libdir}/xorg/modules
 %global drimoduledir	%{_libdir}/dri
@@ -198,7 +132,7 @@ Patch11011: 0001-xkb-Check-strings-length-against-request-size.patch
 %endif
 
 %global kdrive --enable-kdrive --enable-xephyr --disable-xfake --disable-xfbdev
-%global xservers --enable-xvfb --enable-xnest %{kdrive} %{enable_xorg}
+%global xservers --enable-xvfb --enable-xnest --enable-dmx %{kdrive} %{enable_xorg}
 
 BuildRequires: pam-devel
 BuildRequires: systemtap-sdt-devel
@@ -206,10 +140,10 @@ BuildRequires: git-core
 BuildRequires: automake autoconf libtool pkgconfig
 BuildRequires: xorg-x11-util-macros >= 1.17
 
-BuildRequires: xorg-x11-proto-devel >= 7.7-8
+BuildRequires: xorg-x11-proto-devel >= 7.7-12
 BuildRequires: xorg-x11-font-utils >= 7.2-11
-
-BuildRequires: xorg-x11-xtrans-devel >= 1.3.2
+BuildRequires: libepoxy-devel libxshmfence-devel
+BuildRequires: xorg-x11-xtrans-devel >= 1.3.5
 BuildRequires: libXfont-devel libXau-devel libxkbfile-devel libXres-devel
 BuildRequires: libfontenc-devel libXtst-devel libXdmcp-devel
 BuildRequires: libX11-devel libXext-devel
@@ -219,14 +153,10 @@ BuildRequires: libXinerama-devel libXi-devel
 BuildRequires: libXt-devel libdmx-devel libXmu-devel libXrender-devel
 BuildRequires: libXi-devel libXpm-devel libXaw-devel libXfixes-devel
 
-%if !0%{?rhel}
-BuildRequires: wayland-devel pkgconfig(wayland-client)
-BuildRequires: pkgconfig(xshmfence) >= 1.1
-%endif
 BuildRequires: libXv-devel
 BuildRequires: pixman-devel >= 0.30.0
 BuildRequires: libpciaccess-devel >= 0.13.1 openssl-devel byacc flex
-BuildRequires: mesa-libGL-devel >= 9.2
+BuildRequires: mesa-libGL-devel >= 9.2 mesa-libgbm-devel mesa-libEGL-devel
 # XXX silly...
 BuildRequires: libdrm-devel >= 2.4.0 kernel-headers
 
@@ -240,7 +170,7 @@ BuildRequires: libunwind-devel
 %endif
 
 BuildRequires: pkgconfig(xcb-aux) pkgconfig(xcb-image) pkgconfig(xcb-icccm)
-BuildRequires: pkgconfig(xcb-keysyms)
+BuildRequires: pkgconfig(xcb-keysyms) pkgconfig(xcb-renderutil)
 
 # All server subpackages have a virtual provide for the name of the server
 # they deliver.  The Xorg one is versioned, the others are intentionally
@@ -276,12 +206,10 @@ Provides: xserver-abi(videodrv-%{git_videodrv_major}) = %{git_videodrv_minor}
 Provides: xserver-abi(xinput-%{git_xinput_major}) = %{git_xinput_minor}
 Provides: xserver-abi(extension-%{git_extension_major}) = %{git_extension_minor}
 %endif
-%if !0%{?rhel}
-# this is expected to be temporary, since eventually it will be implied by
-# the server version.  the serial number here is just paranoia in case we
-# need to do something lockstep between now and upstream merge
-Provides: xserver-abi(xwayland) = 1
-%endif
+Obsoletes: xorg-x11-glamor < %{version}-%{release}
+Provides: xorg-x11-glamor = %{version}-%{release}
+Obsoletes: xorg-x11-drv-modesetting < %{version}-%{release}
+Provides: xorg-x11-drv-modesetting = %{version}-%{release}
 
 %if 0%{?fedora} > 17
 # Dropped from F18, use a video card instead
@@ -376,6 +304,8 @@ Requires: xorg-x11-util-macros
 Requires: xorg-x11-proto-devel
 Requires: pkgconfig pixman-devel libpciaccess-devel
 Provides: xorg-x11-server-static
+Obsoletes: xorg-x11-glamor-devel < %{version}-%{release}
+Provides: xorg-x11-glamor-devel = %{version}-%{release}
 
 
 %description devel
@@ -447,14 +377,13 @@ test `getminor extension` == %{extension_minor}
 %global default_font_path "catalogue:/etc/X11/fontpath.d,built-ins"
 
 %if %{with_hw_servers}
-%global dri_flags --with-dri-driver-path=%{drimoduledir} --enable-dri2 %{?!rhel:--enable-dri3}
+%global dri_flags --with-dri-driver-path=%{drimoduledir} --enable-dri2 %{?!rhel:--enable-dri3} --enable-glamor --enable-xshmfence
 %else
 %global dri_flags --disable-dri
 %endif
 
 %if 0%{?fedora}
 %global bodhi_flags --with-vendor-name="Fedora Project"
-%global wayland --with-wayland
 %endif
 
 # ick
@@ -468,6 +397,7 @@ autoreconf -f -v --install || exit 1
 # XXX without dtrace
 
 %configure --enable-maintainer-mode %{xservers} \
+	--enable-listen-tcp \
 	--disable-static \
 	--with-pic \
 	%{?no_int10} --with-int10=x86emu \
@@ -481,7 +411,6 @@ autoreconf -f -v --install || exit 1
 	--enable-xselinux --enable-record --enable-present \
 	--enable-config-udev \
 	--disable-unit-tests \
-	%{?wayland} \
 	%{dri_flags} %{?bodhi_flags} \
 	${CONFIGURE}
         
@@ -530,6 +459,7 @@ cp {,%{inst_srcdir}/}man/Xserver.man
 cp {,%{inst_srcdir}/}doc/smartsched
 cp {,%{inst_srcdir}/}hw/dmx/doxygen/doxygen.conf.in
 cp {,%{inst_srcdir}/}xserver.ent.in
+cp {,%{inst_srcdir}/}hw/xfree86/Xorg.sh.in
 cp xkb/README.compiled %{inst_srcdir}/xkb
 cp hw/xfree86/xorgconf.cpp %{inst_srcdir}/hw/xfree86
 
@@ -542,12 +472,6 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 
 # Remove unwanted files/dirs
 {
-    rm -f $RPM_BUILD_ROOT%{_libdir}/X11/Options
-    rm -f $RPM_BUILD_ROOT%{_bindir}/in?
-    rm -f $RPM_BUILD_ROOT%{_bindir}/ioport
-    rm -f $RPM_BUILD_ROOT%{_bindir}/out?
-    rm -f $RPM_BUILD_ROOT%{_bindir}/pcitweak
-    rm -f $RPM_BUILD_ROOT%{_mandir}/man1/pcitweak.1*
     find $RPM_BUILD_ROOT -type f -name '*.la' | xargs rm -f -- || :
 %if !%{with_hw_servers}
     rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/xorg-server.pc
@@ -591,6 +515,7 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_libdir}/xorg
 %dir %{_libdir}/xorg/modules
 %dir %{_libdir}/xorg/modules/drivers
+%{_libdir}/xorg/modules/drivers/modesetting_drv.so
 %dir %{_libdir}/xorg/modules/extensions
 %{_libdir}/xorg/modules/extensions/libglx.so
 %if !0%{?rhel}
@@ -600,6 +525,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/xorg/modules/libfbdevhw.so
 %{_libdir}/xorg/modules/libexa.so
 %{_libdir}/xorg/modules/libfb.so
+%{_libdir}/xorg/modules/libglamoregl.so
 %{_libdir}/xorg/modules/libshadow.so
 %{_libdir}/xorg/modules/libshadowfb.so
 %{_libdir}/xorg/modules/libvgahw.so
@@ -613,6 +539,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/cvt.1*
 %{_mandir}/man4/fbdevhw.4*
 %{_mandir}/man4/exa.4*
+%{_mandir}/man4/modesetting.4*
 %{_mandir}/man5/xorg.conf.5*
 %{_mandir}/man5/xorg.conf.d.5*
 %dir %{_sysconfdir}/X11/xorg.conf.d
@@ -677,6 +604,53 @@ rm -rf $RPM_BUILD_ROOT
 %{xserver_source_dir}
 
 %changelog
+* Thu Oct 08 2015 Adam Jackson <ajax@redhat.com> 1.17.2-10
+- Make -devel Prov/Obs xorg-x11-glamor-devel
+
+* Thu Oct 01 2015 Adam Jackson <ajax@redhat.com> 1.17.2-9
+- Fix X -configure with the modesetting driver
+
+* Thu Aug 20 2015 Adam Jackson <ajax@redhat.com> 1.17.2-8
+- Add 32->24bpp downconversion and tile-based double buffering to the
+  shadow framebuffer support in modesetting
+
+* Tue Aug 11 2015 Adam Jackson <ajax@redhat.com> 1.17.2-7
+- Fix initial cursor setup's fallback to software cursor
+
+* Mon Aug 10 2015 Adam Jackson <ajax@redhat.com> 1.17.2-6
+- Fix glamor crash in software fallback on prime systems
+
+* Tue Aug 04 2015 Ray Strode <rstrode@redhat.com> 1.17.2-5
+- Unconditionally enable GLX_MESA_copy_sub_buffer
+
+* Wed Jul 29 2015 Adam Jackson <ajax@redhat.com> 1.17.2-4
+- Fix GLX extension setup with swrast
+
+* Tue Jul 21 2015 Adam Jackson <ajax@redhat.com> 1.17.2-3
+- xserver 1.17.2
+
+* Tue Jun 02 2015 Dave Airlie <airlied@redhat.com> 1.17.1-0.6
+- fix overlapping glamor composite operations
+
+* Thu May 28 2015 Adam Jackson <ajax@redhat.com> 1.17.1-0.5
+- Restore RHEL7 listen-on-tcp defaults
+
+* Mon May 18 2015 Olivier Fourdan <ofourdan@redhat.com> 1.17.1-0.4
+- Add a new command line option "--auto-display" to xvfb-run to take
+  advantage of the XServer's "-displayfd" option to get the display
+  number directly from Xfvb
+
+* Wed May 06 2015 Olivier Fourdan <ofourdan@redhat.com> 1.17.1-0.3
+- Add missing hw/xfree86/Xorg.sh.in to xorg-x11-server-source package.
+  This is needed to build packages depending on xorg-x11-server-source
+  (e.g. tigervnc), otherwise the build will fail.
+
+* Wed Apr 15 2015 Adam Jackson <ajax@redhat.com> 1.17.1-0.2
+- Sync with F22
+
+* Wed Mar 25 2015 Adam Jackson <ajax@redhat.com> 1.17.1-0.1
+- xserver 1.17.1
+
 * Fri Feb 06 2015 Peter Hutterer <peter.hutterer@redhat.com> 1.15.0-33
 - CVE fixes for CVE-2015-0255