Mir

Critical: Illegal type-casting of GBM buffers in clients

Bug #1248075 reported by Thomas Hellström
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mir | Fix Released | High | Alexandros Frantzis |
mir (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Found as part of bringing up Mir on vmwgfx.

It seems like Mir is using dma buffers in an illegal way:
1) Mir creates a GBM buffer.
2) Mir uses Prime to export a dma_buf handle which it shares with its
clients.
3) The client imports the dma_buf handle and uses drm to turn it into a
drm buffer handle.
4) The buffer handle is typecast to a "dumb" buffer handle, and then
mmap'ed in struct GBMMemoryRegion : mcl::MemoryRegion.

It's illegal to typecast a GBM buffer to a dumb buffer in this way. It
accidentally happens to work on the major driver because deep inside, both
a GBM buffer and a dumb buffer are represented by a GEM buffer object.
With vmwgfx that's not the case either for a GBM buffer or a dumb
buffer, and they are different objects.

In fact, currently the only way to mmap() a GBM buffer (unless it's a
cursor buffer) is to export a dma_buf and use its mmap() operation. But
that is not implemented by any of the major drivers since it's not
really desired. The reason is that a GBM buffer is completely opaque and
may not even reside in mappable memory. Hence any attempt to map it may
result in coherence issues and, in some cases, extremely costly
operations. This results in awkward driver code that attempts to guess
the usage-patterns of applications that mix mmap'ed cpu-access and
accelerated access to the same object.

The correct way to do this is to have the client import the buffer to
the appropriate API, perhaps as an EGLImage, and then use pixel write operations
or texSubImage operations on that image.

This makes the client or user think twice about what data is actually
being transferred and in what direction, rather than having the driver
guess and assume the worst case.

Tags: vmware

tags: added: vmware
kevin gunn (kgunn72)
Changed in mir:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Alexandros Frantzis (afrantzis)
Alexandros Frantzis (afrantzis) wrote :

This was fixed in lp:mir/devel revision 1261, by using shm buffers for the "software" buffer case.
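
The comment above names shm buffers as the fix for the "software" buffer case. The following is an added illustration of that pattern, not code from Mir: a CPU-mappable buffer shared by file descriptor, where the client checks the claimed geometry against the fd before calling mmap(). The struct, the function names, the temp-file backing and the 32bpp layout are all assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical buffer description sent to the client alongside the fd. */
struct sw_buffer_desc { uint32_t width, height, stride; };

/* Server: back a software buffer with an unlinked, CPU-mappable file. */
int sw_buffer_create(const struct sw_buffer_desc *d)
{
    char path[] = "/tmp/swbuf-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                       /* only the fd keeps it alive */
    if (ftruncate(fd, (off_t)d->stride * d->height) < 0) { close(fd); return -1; }
    return fd;
}

/* Client: map only after checking the description against the fd itself. */
void *sw_buffer_map(int fd, const struct sw_buffer_desc *d, size_t *len)
{
    struct stat st;
    uint64_t need = (uint64_t)d->stride * d->height;
    if (need == 0 || (uint64_t)d->width * 4 > d->stride) return NULL; /* 32bpp */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) return NULL;
    if ((uint64_t)st.st_size < need) return NULL; /* would SIGBUS on access */
    void *p = mmap(NULL, (size_t)need, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return NULL;
    *len = (size_t)need;
    return p;
}

/* Round trip: client writes a pixel, server reads it back through the fd. */
int sw_buffer_demo(void)
{
    struct sw_buffer_desc d = { 4, 2, 16 }, lie = { 4, 1024, 16 };
    uint32_t seen = 0, *px;
    size_t len = 0;
    int fd = sw_buffer_create(&d);
    if (fd < 0) return -1;
    px = sw_buffer_map(fd, &d, &len);
    if (!px || len != 32) return -2;
    px[5] = 0xff00ff00u;                /* pixel (1,1) with stride 16 */
    if (pread(fd, &seen, 4, 5 * 4) != 4 || seen != 0xff00ff00u) return -3;
    if (sw_buffer_map(fd, &lie, &len) != NULL) return -4; /* oversized claim */
    munmap(px, len);
    return close(fd);
}
```

Unlike a GBM buffer, this memory is plain CPU-visible storage, so mapping it involves no guess about where the object resides.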

Changed in mir:
status: Triaged → Fix Committed
Changed in mir:
milestone: none → 0.1.3
Changed in mir (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in mir:
status: Fix Committed → Fix Released
Changed in mir (Ubuntu):
status: Triaged → Fix Released