[VideoCapture] invalidate GpuMemoryBuffer id before sending through IPC

In the GPU process, GpuMemoryBuffer is stored and referenced using (buffer_id, client_id), where client_id is essentially the process that allocates (and usually owns) the GpuMemoryBuffer. When passing a GpuMemoryBuffer handle allocated by the Chrome OS video capture device, we need to invalidate the GpuMemoryBuffer id of the cloned handle before passing to the remote process to make sure we don't collide with another GpuMemoryBuffer allocated by the remote process that happens to have the same buffer_id. This CL invalidates the GpuMemoryBufferId before passing a GMB buffer from the browser to the renderer process. When the renderer process creates a SharedImage from the received GMB buffer, the GPU process will look up the real native pixmap handle through the DMA-buf fds in [1] because of the invalid GpuMemoryBufferId, instead of re-using a wrong pixmap handle in the cache. [1]: https://tinyurl.com/yymtv22y Bug: 993265 Change-Id: I58047207c53fa9dccb5b6c06166464b600aefbd8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2368641 Commit-Queue: Ricky Liang <jcliang@chromium.org> Commit-Queue: Shik Chen <shik@chromium.org> Auto-Submit: Ricky Liang <jcliang@chromium.org> Reviewed-by: Shik Chen <shik@chromium.org> Cr-Commit-Position: refs/heads/master@{#827680}

[VideoCapture] invalidate GpuMemoryBuffer id before sending through IPC
In the GPU process, GpuMemoryBuffer is stored and referenced using (buffer_id, client_id), where client_id is essentially the process that allocates (and usually owns) the GpuMemoryBuffer. When passing a GpuMemoryBuffer handle allocated by the Chrome OS video capture device, we need to invalidate the GpuMemoryBuffer id of the cloned handle before passing to the remote process to make sure we don't collide with another GpuMemoryBuffer allocated by the remote process that happens to have the same buffer_id. This CL invalidates the GpuMemoryBufferId before passing a GMB buffer from the browser to the renderer process. When the renderer process creates a SharedImage from the received GMB buffer, the GPU process will look up the real native pixmap handle through the DMA-buf fds in [1] because of the invalid GpuMemoryBufferId, instead of re-using a wrong pixmap handle in the cache. [1]: https://tinyurl.com/yymtv22y Bug: 993265 Change-Id: I58047207c53fa9dccb5b6c06166464b600aefbd8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2368641 Commit-Queue: Ricky Liang <jcliang@chromium.org> Commit-Queue: Shik Chen <shik@chromium.org> Auto-Submit: Ricky Liang <jcliang@chromium.org> Reviewed-by: Shik Chen <shik@chromium.org> Cr-Commit-Position: refs/heads/master@{#827680}
1848ee83 · Ricky Liang · Commit Bot · e8d6fd19 · 1848ee83
Commit 1848ee83 authored Nov 16, 2020 by Ricky Liang Committed by Commit Bot Nov 16, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletion

media/capture/video/chromeos/gpu_memory_buffer_tracker.cc media/capture/video/chromeos/gpu_memory_buffer_tracker.cc +13 -1

No files found.
--- a/media/capture/video/chromeos/gpu_memory_buffer_tracker.cc
+++ b/media/capture/video/chromeos/gpu_memory_buffer_tracker.cc
@@ -72,7 +72,19 @@ mojo::ScopedSharedBufferHandle GpuMemoryBufferTracker::DuplicateAsMojoBuffer() {

 gfx::GpuMemoryBufferHandle GpuMemoryBufferTracker::GetGpuMemoryBufferHandle() {
  DCHECK(buffer_);
-  return buffer_->CloneHandle();
+  // Overriding the GpuMemoryBuffer id to an invalid id to avoid buffer
+  // collision in GpuMemoryBufferFactoryNativePixmap when we pass the handle
+  // to a different process. (crbug.com/993265)
+  //
+  // This will force the GPU process to look up the real native pixmap handle
+  // through the DMA-buf fds in [1] when creating SharedImage, instead of
+  // re-using a wrong pixmap handle in the cache.
+  //
+  // [1]: https://tinyurl.com/yymtv22y
+  constexpr int kInvalidId = -1;
+  gfx::GpuMemoryBufferHandle handle = buffer_->CloneHandle();
+  handle.id = gfx::GpuMemoryBufferId(kInvalidId);
+  return handle;
 }

 uint32_t GpuMemoryBufferTracker::GetMemorySizeInBytes() {