feat(host/windows): seal the host↔driver channels (frame + gamepad, proto v2)
Frame ring (pf-vdisplay) and both gamepad SHM channels move off named Global\ objects (openable by any sibling LocalService) to UNNAMED sections/events whose handles the host DuplicateHandles into the driver's verified WUDFHost with least access — frame delivery over the SYSTEM+admins-only IOCTL_SET_FRAME_CHANNEL, pads over a 32-byte named bootstrap mailbox (pid + handle value only, DoS-bounded; HID minidrivers have no control device). Driver-validated pad_index kills cross-pad redirects; v1↔v2 mixes fail closed with diagnosis logs on both sides. Sibling-LocalService denial proven empirically (design/idd-push-security.md, design/gamepad-channel-sealing.md). Driver-side raw ops now live behind pf-umdf-util (checked shm accessors, the forbid(unsafe_code) ChannelClient state machine, WDF request tokens) — the pad drivers' logic is 100% safe Rust; whole drivers workspace clippy-gated in CI. driver install --gamepad now sweeps SWD\punktfunk phantom devnodes: a re-created SwDevice REVIVES the old devnode with its previously-bound driver (never re-ranks), so an upgrade otherwise leaves the old driver serving — or, across the v1→v2 fence, a dead pad (found live on the RTX box). On-glass validated on the RTX 4090 box: frame path 7007 frames p50 2.06 ms cross-machine; DualSense + XUSB "sealed pad channel mapped"/proto=2 attach via both the test harness and a real streaming session; phantom-sweep repro. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -42,6 +42,10 @@ pub struct WinCaptureTarget {
|
||||
pub gdi_name: String,
|
||||
/// Stable SudoVDA target id — re-resolved to the current GDI name on every recovery.
|
||||
pub target_id: u32,
|
||||
/// The pf-vdisplay driver's WUDFHost pid (from the ADD reply) — the process the IDD-push capturer
|
||||
/// duplicates the sealed frame channel's handles INTO (`idd_push::ChannelBroker`). `0` = unknown
|
||||
/// (a pre-v2 pairing can't occur — the version handshake is hard — so this only guards misuse).
|
||||
pub wudf_pid: u32,
|
||||
}
|
||||
|
||||
/// A GPU-resident captured texture (future NVENC-D3D11 zero-copy path).
|
||||
|
||||
@@ -1,14 +1,20 @@
|
||||
//! P2 direct frame push (kill DDA) — HOST side. The pf-vdisplay driver's WUDFHost canNOT create named
|
||||
//! kernel objects, so — exactly like the gamepad UMDF drivers (`inject/dualsense_windows.rs`) — the
|
||||
//! HOST (privileged) CREATES the shared header + frame-ready event + ring of keyed-mutex textures
|
||||
//! (`Global\` names, scoped `D:(A;;GA;;;SY)(A;;GA;;;LS)` to SYSTEM + the driver's LocalService host —
|
||||
//! see `shared_object_sa`) on the discrete render GPU, and the driver only OPENS them and copies frames in. We then consume the ring
|
||||
//! straight into the zero-copy NVENC path — no DXGI Desktop Duplication, no `win32u` hook. Gated by
|
||||
//! `PUNKTFUNK_IDD_PUSH`. Driver counterpart: `packaging/windows/drivers/pf-vdisplay/src/
|
||||
//! P2 direct frame push (kill DDA) — HOST side, over the **sealed channel**
|
||||
//! (`design/idd-push-security.md`). The frame channel carries whole-desktop pixels, so its protection
|
||||
//! must match DDA's (where capturer and consumer are one process and there is no openable channel at
|
||||
//! all): the HOST (SYSTEM) creates the shared header + frame-ready event + ring of keyed-mutex textures
|
||||
//! **UNNAMED** on the discrete render GPU — nothing to enumerate, open by name, or pre-create
|
||||
//! ("squat") — then DUPLICATES the handles into the pf-vdisplay driver's WUDFHost process
|
||||
//! ([`ChannelBroker`]; SYSTEM can `DuplicateHandle` into the LocalService host, the reverse is
|
||||
//! correctly denied, which is why the HOST is the broker) and delivers the handle VALUES over the
|
||||
//! SYSTEM-only control device (`IOCTL_SET_FRAME_CHANNEL`). A handle value is meaningless outside the
|
||||
//! target process's handle table, so the bootstrap's ACL is not load-bearing; the only way to reach the
|
||||
//! frames is to already be one of the two endpoint processes. The driver copies frames in; we consume
|
||||
//! the ring straight into the zero-copy NVENC path — no DXGI Desktop Duplication, no `win32u` hook.
|
||||
//! Gated by `PUNKTFUNK_IDD_PUSH`. Driver counterpart: `packaging/windows/drivers/pf-vdisplay/src/
|
||||
//! frame_transport.rs`. The shared `SharedHeader` layout, `MAGIC`/`VERSION`/`RING_LEN`, the
|
||||
//! `DRV_STATUS_*` codes, the `Global\` name scheme and the publish token all come from
|
||||
//! [`pf_driver_proto::frame`] (which OWNS the contract, with `const` size asserts) — both sides
|
||||
//! `use` it, so drift is a compile error rather than a "must match" comment.
|
||||
//! `DRV_STATUS_*` codes, the channel-delivery struct and the publish token all come from
|
||||
//! [`pf_driver_proto`] (which OWNS the contract, with `const` size asserts) — both sides `use` it, so
|
||||
//! drift is a compile error rather than a "must match" comment.
|
||||
|
||||
// Every `unsafe` block in this file carries a `// SAFETY:` proof; enforce it (unsafe-proof program).
|
||||
#![deny(clippy::undocumented_unsafe_blocks)]
|
||||
@@ -16,12 +22,15 @@
|
||||
use super::dxgi::{make_device, D3d11Frame, HdrP010Converter, VideoConverter, WinCaptureTarget};
|
||||
use super::{CapturedFrame, Capturer, FramePayload, PixelFormat};
|
||||
use anyhow::{bail, Context, Result};
|
||||
use pf_driver_proto::frame;
|
||||
use pf_driver_proto::{control, frame};
|
||||
use std::os::windows::io::{AsRawHandle, FromRawHandle, OwnedHandle};
|
||||
use std::sync::atomic::{AtomicU32, AtomicU64, Ordering};
|
||||
use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
|
||||
use windows::core::{w, Interface, HSTRING};
|
||||
use windows::Win32::Foundation::{HANDLE, INVALID_HANDLE_VALUE, LUID};
|
||||
use windows::core::{w, Interface, PCWSTR, PWSTR};
|
||||
use windows::Win32::Foundation::{
|
||||
DuplicateHandle, DUPLICATE_CLOSE_SOURCE, DUPLICATE_HANDLE_OPTIONS, DUPLICATE_SAME_ACCESS,
|
||||
HANDLE, INVALID_HANDLE_VALUE, LUID,
|
||||
};
|
||||
use windows::Win32::Graphics::Direct3D11::{
|
||||
ID3D11Device, ID3D11DeviceContext, ID3D11ShaderResourceView, ID3D11Texture2D,
|
||||
D3D11_BIND_RENDER_TARGET, D3D11_BIND_SHADER_RESOURCE, D3D11_RESOURCE_MISC_SHARED_KEYEDMUTEX,
|
||||
@@ -42,47 +51,43 @@ use windows::Win32::System::Memory::{
|
||||
CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, FILE_MAP_ALL_ACCESS,
|
||||
MEMORY_MAPPED_VIEW_ADDRESS, PAGE_READWRITE,
|
||||
};
|
||||
use windows::Win32::System::Threading::{CreateEventW, WaitForSingleObject};
|
||||
use windows::Win32::System::Threading::{
|
||||
CreateEventW, GetCurrentProcess, OpenProcess, QueryFullProcessImageNameW, WaitForSingleObject,
|
||||
PROCESS_DUP_HANDLE, PROCESS_NAME_WIN32, PROCESS_QUERY_LIMITED_INFORMATION,
|
||||
};
|
||||
|
||||
// The frame-transport contract — `SharedHeader` layout, `MAGIC`/`VERSION`/`RING_LEN`, the
|
||||
// `DRV_STATUS_*` codes and the `Global\` name helpers — lives in `pf_driver_proto::frame`; both sides
|
||||
// `use frame::*`, so a layout/name/code drift is a compile error (the proto has `const` size asserts).
|
||||
// `DRV_STATUS_*` codes and the channel-delivery struct — lives in `pf_driver_proto`; both sides
|
||||
// `use` it, so a layout/code drift is a compile error (the proto has `const` size asserts).
|
||||
use frame::{
|
||||
event_name, header_name, texture_name, SharedHeader, DRV_STATUS_NO_DEVICE1, DRV_STATUS_OPENED,
|
||||
DRV_STATUS_TEX_FAIL, MAGIC, RING_LEN, VERSION,
|
||||
SharedHeader, DRV_STATUS_NO_DEVICE1, DRV_STATUS_OPENED, DRV_STATUS_TEX_FAIL, MAGIC, RING_LEN,
|
||||
VERSION,
|
||||
};
|
||||
|
||||
/// `DXGI_SHARED_RESOURCE_READ | _WRITE` for `CreateSharedHandle`/`OpenSharedResourceByName`. Local (not
|
||||
/// part of the proto contract — it is a DXGI sharing-API arg, mirrored on the driver side).
|
||||
const DXGI_SHARED_RESOURCE_RW: u32 = 0x8000_0000 | 0x1;
|
||||
|
||||
/// Least access the driver needs on the duplicated **header section**: map it read/write (it reads the
|
||||
/// layout + writes `driver_status`/`driver_render_luid`/the publish token). `SECTION_MAP_READ |
|
||||
/// SECTION_MAP_WRITE` (== the driver's `FILE_MAP_READ | FILE_MAP_WRITE` map flag). Duplicating with
|
||||
/// exactly this — instead of `DUPLICATE_SAME_ACCESS`, which would copy the host's full-access creator
|
||||
/// handle — is the "grant least privilege" discipline for unnamed shared objects (Raymond Chen,
|
||||
/// *"unnamed objects aren't safe just because they're unnamed"*): a compromised driver's handle can't
|
||||
/// `WRITE_DAC`/`WRITE_OWNER`/`DELETE` the object, only map it.
|
||||
const SECTION_MAP_RW: u32 = 0x0004 | 0x0002;
|
||||
/// Least access the driver needs on the duplicated **frame-ready event**: it only `SetEvent`s it, which
|
||||
/// requires `EVENT_MODIFY_STATE`. (The host holds `SYNCHRONIZE` on its own handle to wait.)
|
||||
const EVENT_MODIFY_STATE: u32 = 0x0002;
|
||||
|
||||
/// Host-owned output-ring depth: distinct NVENC-input textures rotated per frame so the in-flight
|
||||
/// encode of frame N and the convert/copy of frame N+1 never touch the same texture. 3 covers a
|
||||
/// pipeline depth of 2 with one slot of margin.
|
||||
const OUT_RING: usize = 3;
|
||||
|
||||
/// Bring-up debug block (fixed name) — the host creates it; the driver writes diagnostics into it
|
||||
/// independent of the per-target header. NOT part of `pf_driver_proto` (a host-side bring-up channel,
|
||||
/// not the data path); the matching `DebugBlock` lives in the OLD oracle driver's `frame_transport.rs`.
|
||||
#[repr(C)]
|
||||
struct DebugBlock {
|
||||
magic: u32,
|
||||
run_core_entries: u32,
|
||||
resolved_target_id: u32,
|
||||
header_open_attempts: u32,
|
||||
last_open_error: u32,
|
||||
header_opened: u32,
|
||||
render_luid_low: u32,
|
||||
render_luid_high: i32,
|
||||
frames_acquired: u32,
|
||||
_pad: u32,
|
||||
}
|
||||
const DBG_NAME: &str = "Global\\pfvd-dbg";
|
||||
const DBG_MAGIC: u32 = 0x4742_4450;
|
||||
|
||||
/// Monotonic per-process generation: each capturer instance stamps its ring-texture names with a
|
||||
/// fresh value so a retried/overlapping `open()` never collides with a previous attempt's not-yet-
|
||||
/// released shared-handle names (`DXGI_ERROR_NAME_ALREADY_EXISTS`). The driver reads it from the header.
|
||||
/// Monotonic per-process generation stamped into the header + every publish token, so the host rejects
|
||||
/// a stale-ring publish and the driver detects a recreate. (With unnamed textures there is no name
|
||||
/// collision to avoid — the generation's remaining job is the recreate/stale-publish handshake.)
|
||||
static IDD_GENERATION: AtomicU32 = AtomicU32::new(1);
|
||||
|
||||
fn now_ns() -> u64 {
|
||||
@@ -94,7 +99,7 @@ fn now_ns() -> u64 {
|
||||
|
||||
/// RAII wrapper for a file-mapping object + its mapped view: on drop the view is `UnmapViewOfFile`'d,
|
||||
/// THEN the [`OwnedHandle`] closes the underlying mapping object (order matters — unmap before close).
|
||||
/// A `header`/`dbg_block` raw pointer borrows into the view via [`ptr`](Self::ptr); the section must
|
||||
/// A `header` raw pointer borrows into the view via [`ptr`](Self::ptr); the section must
|
||||
/// outlive it (it's declared before it in [`IddPushCapturer`], and moving the section doesn't move the
|
||||
/// OS mapping, so the borrowed pointer stays valid).
|
||||
struct MappedSection {
|
||||
@@ -122,10 +127,9 @@ impl Drop for MappedSection {
|
||||
struct HostSlot {
|
||||
tex: ID3D11Texture2D,
|
||||
mutex: IDXGIKeyedMutex,
|
||||
/// The named shared-resource handle, held only to keep the resource alive (the driver opens it by
|
||||
/// NAME). An [`OwnedHandle`] so it closes on drop (was a manual `CloseHandle` in a `Drop` impl);
|
||||
/// never read directly — its sole purpose is the RAII close.
|
||||
#[allow(dead_code)]
|
||||
/// The UNNAMED shared-resource NT handle: keeps the resource alive for the session AND is the
|
||||
/// source the [`ChannelBroker`] duplicates into the driver's WUDFHost (the ONLY way the driver can
|
||||
/// reach this texture — there is no name to open). An [`OwnedHandle`] so it closes on drop.
|
||||
shared: OwnedHandle,
|
||||
/// SRV on the slot texture so the HDR path samples the FP16 slot DIRECTLY (no slot→scratch copy);
|
||||
/// the convert pass writes the output ring while holding the slot's keyed mutex. Unused for SDR
|
||||
@@ -168,28 +172,238 @@ impl Drop for KeyedMutexGuard<'_> {
|
||||
}
|
||||
}
|
||||
|
||||
/// Confirm the process is a genuine system WUDFHost — `%SystemRoot%\System32\WUDFHost.exe` — before a
|
||||
/// broker duplicates sensitive handles into it. The pid is driver-reported (the frame channel's
|
||||
/// [`control::AddReply::wudf_pid`], or the gamepad bootstrap's `driver_pid`); a spoofed devnode / a
|
||||
/// tampered mailbox could name an arbitrary process to receive the channel, so this is the
|
||||
/// confused-deputy gate. Best-effort image-path identity is proportionate: a fully-compromised REAL
|
||||
/// driver is already a channel endpoint, and any *other* process (attacker exe, a non-driver pid)
|
||||
/// fails this WUDFHost image check. `what` names the channel in the error (e.g. `"frame-channel"`);
|
||||
/// shared with the gamepad sealed channel (`inject/windows/gamepad_raii.rs`).
|
||||
///
|
||||
/// # Safety
|
||||
/// `process` must be a live process handle carrying `PROCESS_QUERY_LIMITED_INFORMATION`.
|
||||
pub(crate) unsafe fn verify_is_wudfhost(process: HANDLE, wudf_pid: u32, what: &str) -> Result<()> {
|
||||
let mut buf = [0u16; 512];
|
||||
let mut len = buf.len() as u32;
|
||||
// SAFETY: `process` carries QUERY_LIMITED per the contract; `buf`/`len` are a valid out-buffer and
|
||||
// its capacity, and on success `len` is updated to the count of UTF-16 units written (no NUL).
|
||||
unsafe {
|
||||
QueryFullProcessImageNameW(
|
||||
process,
|
||||
PROCESS_NAME_WIN32,
|
||||
PWSTR(buf.as_mut_ptr()),
|
||||
&mut len,
|
||||
)
|
||||
.with_context(|| format!("QueryFullProcessImageNameW on the {what} pid"))?;
|
||||
}
|
||||
let path = String::from_utf16_lossy(&buf[..len as usize]);
|
||||
let got = path.to_ascii_lowercase().replace('/', "\\");
|
||||
let sysroot = std::env::var("SystemRoot").unwrap_or_else(|_| r"C:\Windows".to_string());
|
||||
let expected = format!("{}\\system32\\wudfhost.exe", sysroot.to_ascii_lowercase());
|
||||
if got != expected {
|
||||
bail!(
|
||||
"{what} pid {wudf_pid} is not the system WUDFHost (image={path:?}, expected \
|
||||
{expected:?}) — refusing to duplicate the channel's handles into it (spoofed driver / \
|
||||
wrong devnode?)"
|
||||
);
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// The sealed channel's handle-duplication broker (`design/idd-push-security.md`): the frame objects
|
||||
/// are unnamed, so the ONLY way the driver can reach them is handles this broker duplicates into its
|
||||
/// WUDFHost process and delivers — as bare handle VALUES — over the SYSTEM-only control device
|
||||
/// (`IOCTL_SET_FRAME_CHANNEL`). Ownership is a strict hand-off: on IOCTL success the DRIVER owns the
|
||||
/// duplicates (it closes them); on any failure [`Self::send`] reaps every duplicate it already made
|
||||
/// (`DUPLICATE_CLOSE_SOURCE`), so a half-delivered channel never leaks handles in WUDFHost.
|
||||
struct ChannelBroker {
|
||||
/// `PROCESS_DUP_HANDLE` handle to the driver's WUDFHost (pid from the ADD reply;
|
||||
/// `ProcessSharingDisabled` makes that process exclusively pf-vdisplay's).
|
||||
process: OwnedHandle,
|
||||
/// The pf-vdisplay control device — owned by the `VirtualDisplayManager`, never closed for the
|
||||
/// process lifetime, so holding the bare `HANDLE` is sound.
|
||||
control: HANDLE,
|
||||
}
|
||||
|
||||
impl ChannelBroker {
|
||||
/// Open the duplication target. Fails when the driver predates the sealed channel (`wudf_pid == 0`
|
||||
/// can't survive the v2 version handshake, but guard anyway) or the WUDFHost is gone (device
|
||||
/// restart mid-open) — either way the caller fails the capture open cleanly.
|
||||
///
|
||||
/// `wudf_pid` comes from the driver's ADD reply, so before we duplicate whole-desktop frame handles
|
||||
/// INTO it we VERIFY it is a genuine system WUDFHost ([`verify_is_wudfhost`]). Without that check a
|
||||
/// spoofed devnode (same interface GUID) could name an arbitrary process and receive the frames; a
|
||||
/// fully-compromised REAL pf_vdisplay driver is already a frame endpoint, so this specifically closes
|
||||
/// the reachable-without-owning-the-driver case (`design/idd-push-security.md` §hardening).
|
||||
fn open(wudf_pid: u32) -> Result<Self> {
|
||||
if wudf_pid == 0 {
|
||||
bail!("driver reported no WUDFHost pid for the frame channel");
|
||||
}
|
||||
let control = crate::vdisplay::manager::control_device_handle().context(
|
||||
"pf-vdisplay control device not open (monitor not created via the manager?)",
|
||||
)?;
|
||||
// SAFETY: plain FFI; `wudf_pid` is a copy. The handle (checked by `?`) is owned solely here and
|
||||
// moved into the `OwnedHandle` (single owner, closes on drop); `verify_is_wudfhost` borrows it
|
||||
// for the duration of the synchronous check and forms no lasting alias.
|
||||
let process = unsafe {
|
||||
let h = OpenProcess(
|
||||
PROCESS_DUP_HANDLE | PROCESS_QUERY_LIMITED_INFORMATION,
|
||||
false,
|
||||
wudf_pid,
|
||||
)
|
||||
.context("OpenProcess(PROCESS_DUP_HANDLE) on the driver's WUDFHost")?;
|
||||
let process = OwnedHandle::from_raw_handle(h.0 as _);
|
||||
verify_is_wudfhost(HANDLE(process.as_raw_handle()), wudf_pid, "frame-channel")?;
|
||||
process
|
||||
};
|
||||
Ok(Self { process, control })
|
||||
}
|
||||
|
||||
/// Duplicate `h` into the WUDFHost handle table, returning the handle VALUE valid there (and only
|
||||
/// there — the value is meaningless in any other process). `access = Some(rights)` grants the
|
||||
/// driver's handle exactly those rights (least privilege — see [`SECTION_MAP_RW`]);
|
||||
/// `access = None` copies the source handle's access (`DUPLICATE_SAME_ACCESS`), used only where the
|
||||
/// source is already scoped (the DXGI shared-texture handles, minted by `CreateSharedHandle` with
|
||||
/// just `DXGI_SHARED_RESOURCE_READ|WRITE`).
|
||||
///
|
||||
/// # Safety
|
||||
/// `h` must be a live handle of the current process.
|
||||
unsafe fn dup_into(&self, h: HANDLE, access: Option<u32>) -> Result<u64> {
|
||||
let mut out = HANDLE::default();
|
||||
let (desired, options) = match access {
|
||||
Some(rights) => (rights, DUPLICATE_HANDLE_OPTIONS(0)),
|
||||
None => (0, DUPLICATE_SAME_ACCESS),
|
||||
};
|
||||
// SAFETY: `h` is live per the contract; `self.process` is the live PROCESS_DUP_HANDLE target;
|
||||
// `&mut out` is a valid out-param. Either an explicit least-privilege access mask (options == 0)
|
||||
// or `DUPLICATE_SAME_ACCESS` (desired ignored) — never both.
|
||||
unsafe {
|
||||
DuplicateHandle(
|
||||
GetCurrentProcess(),
|
||||
h,
|
||||
HANDLE(self.process.as_raw_handle()),
|
||||
&mut out,
|
||||
desired,
|
||||
false,
|
||||
options,
|
||||
)
|
||||
}
|
||||
.context("DuplicateHandle into the driver's WUDFHost")?;
|
||||
Ok(out.0 as usize as u64)
|
||||
}
|
||||
|
||||
/// Close a handle VALUE inside the WUDFHost table (the failure-path reaper): `DUPLICATE_CLOSE_SOURCE`
|
||||
/// with no target closes the source handle regardless of the (ignored) result.
|
||||
fn close_remote(&self, value: u64) {
|
||||
if value == 0 {
|
||||
return;
|
||||
}
|
||||
// SAFETY: `self.process` is the live duplication target and `value` is a handle value THIS
|
||||
// broker just created in that process's table (callers only pass back `dup_into` results the
|
||||
// driver never received); closing it there cannot touch any other process's handles.
|
||||
unsafe {
|
||||
let _ = DuplicateHandle(
|
||||
HANDLE(self.process.as_raw_handle()),
|
||||
HANDLE(value as usize as *mut core::ffi::c_void),
|
||||
HANDLE::default(),
|
||||
std::ptr::null_mut(),
|
||||
0,
|
||||
false,
|
||||
DUPLICATE_CLOSE_SOURCE,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/// Duplicate the whole ring (header + event + every slot texture) into WUDFHost and deliver the
|
||||
/// values via `IOCTL_SET_FRAME_CHANNEL`. All-or-nothing: on any failure every duplicate already
|
||||
/// made is reaped remotely and an error returns (the caller fails the open / logs the recreate).
|
||||
/// The ownership contract with the driver is adopt-on-success only — it closes the handles iff the
|
||||
/// IOCTL succeeded, we reap them iff it didn't, so no value is ever closed twice.
|
||||
///
|
||||
/// # Safety
|
||||
/// `header` and `event` must be live handles of the current process (the capturer's own section +
|
||||
/// event, borrowed for this synchronous call).
|
||||
unsafe fn send(
|
||||
&self,
|
||||
target_id: u32,
|
||||
generation: u32,
|
||||
header: HANDLE,
|
||||
event: HANDLE,
|
||||
slots: &[HostSlot],
|
||||
) -> Result<()> {
|
||||
debug_assert!(slots.len() <= control::RING_LEN_USIZE);
|
||||
let mut req = control::SetFrameChannelRequest {
|
||||
target_id,
|
||||
generation,
|
||||
ring_len: slots.len() as u32,
|
||||
_pad: 0,
|
||||
header_handle: 0,
|
||||
event_handle: 0,
|
||||
texture_handles: [0; control::RING_LEN_USIZE],
|
||||
};
|
||||
// SAFETY: `header`/`event` are live per this fn's contract; each slot's `shared` is the live
|
||||
// `OwnedHandle` the slot keeps for exactly this purpose.
|
||||
let result = unsafe { self.duplicate_and_deliver(&mut req, header, event, slots) };
|
||||
if result.is_err() {
|
||||
// The driver never adopted the delivery — reap every remote duplicate so nothing lingers.
|
||||
self.close_remote(req.header_handle);
|
||||
self.close_remote(req.event_handle);
|
||||
for v in req.texture_handles {
|
||||
self.close_remote(v);
|
||||
}
|
||||
}
|
||||
result
|
||||
}
|
||||
|
||||
/// The fallible middle of [`Self::send`]: fill `req` with fresh duplicates, then issue the IOCTL.
|
||||
/// Split out so `send` can reap whatever landed in `req` when any step errors.
|
||||
///
|
||||
/// # Safety
|
||||
/// As [`Self::send`].
|
||||
unsafe fn duplicate_and_deliver(
|
||||
&self,
|
||||
req: &mut control::SetFrameChannelRequest,
|
||||
header: HANDLE,
|
||||
event: HANDLE,
|
||||
slots: &[HostSlot],
|
||||
) -> Result<()> {
|
||||
// SAFETY: forwarded from the caller's contract — `header`/`event`/each `slot.shared` are live
|
||||
// handles of this process, and `self.control` is the manager's control handle, never closed for
|
||||
// the process lifetime (`send_frame_channel`'s precondition).
|
||||
unsafe {
|
||||
// Least privilege per handle: the header maps read/write, the event is only signalled, and
|
||||
// the textures keep their already-scoped `CreateSharedHandle` access (see `dup_into`).
|
||||
req.header_handle = self.dup_into(header, Some(SECTION_MAP_RW))?;
|
||||
req.event_handle = self.dup_into(event, Some(EVENT_MODIFY_STATE))?;
|
||||
for (k, s) in slots.iter().enumerate() {
|
||||
req.texture_handles[k] = self.dup_into(HANDLE(s.shared.as_raw_handle()), None)?;
|
||||
}
|
||||
crate::vdisplay::pf_vdisplay::send_frame_channel(self.control, req)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Creates + owns the shared ring; yields the driver's frames as [`FramePayload::D3d11`].
|
||||
pub struct IddPushCapturer {
|
||||
device: ID3D11Device,
|
||||
context: ID3D11DeviceContext,
|
||||
target_id: u32,
|
||||
/// Owns the shared-header file mapping + its mapped view (RAII unmap-then-close). Declared BEFORE
|
||||
/// `header`, which is a raw pointer borrowed into this view via [`MappedSection::ptr`]. Never read
|
||||
/// directly (the `header` pointer is) — held purely so the mapping outlives the capturer.
|
||||
#[allow(dead_code)]
|
||||
/// `header`, which is a raw pointer borrowed into this view via [`MappedSection::ptr`]. Also the
|
||||
/// duplication source for the driver's header handle on every [`ChannelBroker::send`].
|
||||
section: MappedSection,
|
||||
header: *mut SharedHeader,
|
||||
event: OwnedHandle,
|
||||
/// Owns the bring-up debug section (mapping + view), or `None` when the debug block wasn't created.
|
||||
/// Never read directly (the `dbg_block` pointer is) — held purely for the RAII unmap/close.
|
||||
#[allow(dead_code)]
|
||||
dbg_section: Option<MappedSection>,
|
||||
dbg_block: *mut DebugBlock,
|
||||
/// The sealed channel's handle-duplication broker (WUDFHost process + control device); used at open
|
||||
/// and again on every ring recreate to deliver fresh duplicates.
|
||||
broker: ChannelBroker,
|
||||
width: u32,
|
||||
height: u32,
|
||||
slots: Vec<HostSlot>,
|
||||
/// The ring/texture generation, bumped every time the ring is recreated at a new format (the
|
||||
/// display's HDR mode flipped). Stamped into the texture names + the header so the driver re-attaches.
|
||||
/// display's HDR mode flipped). Stamped into the header + each delivery so the driver re-attaches
|
||||
/// (and so stale-ring publishes are rejected).
|
||||
generation: u32,
|
||||
/// The CLIENT's advertised 10-bit capability (= negotiated `bit_depth >= 10`). Only used at `open`
|
||||
/// to PROACTIVELY enable advanced color (so a 10-bit client gets HDR without a manual toggle); it
|
||||
@@ -228,25 +442,31 @@ pub struct IddPushCapturer {
|
||||
status_logged: bool,
|
||||
_keepalive: Box<dyn Send>,
|
||||
}
|
||||
// SAFETY: `IddPushCapturer` is `!Send` only because of its `*mut SharedHeader`/`*mut DebugBlock` raw
|
||||
// pointers (and the COM interfaces). It is created, used, and dropped by a SINGLE thread — the owning
|
||||
// capture/encode thread — never shared: the `ID3D11DeviceContext` is the device's IMMEDIATE context
|
||||
// (single-threaded by D3D11 contract) and is only ever touched from that thread, and the header/
|
||||
// dbg_block pointers (into mappings this struct owns) are only dereferenced there. `Send` transfers
|
||||
// ownership to one thread at a time with NO concurrent access; we do not (and must not) claim `Sync`.
|
||||
// SAFETY: `IddPushCapturer` is `!Send` only because of its `*mut SharedHeader` raw pointer (and the
|
||||
// COM interfaces / the broker's bare control `HANDLE`, which is process-global and never closed). It is
|
||||
// created, used, and dropped by a SINGLE thread — the owning capture/encode thread — never shared: the
|
||||
// `ID3D11DeviceContext` is the device's IMMEDIATE context (single-threaded by D3D11 contract) and is
|
||||
// only ever touched from that thread, and the header pointer (into the mapping this struct owns) is
|
||||
// only dereferenced there. `Send` transfers ownership to one thread at a time with NO concurrent
|
||||
// access; we do not (and must not) claim `Sync`.
|
||||
unsafe impl Send for IddPushCapturer {}
|
||||
|
||||
/// Build a `SECURITY_ATTRIBUTES` granting GENERIC_ALL to **SYSTEM** (the host creates+publishes the
|
||||
/// shared event + texture ring) and **LocalService** (the account the pf_vdisplay WUDFHost runs under,
|
||||
/// which consumes them) — `D:(A;;GA;;;SY)(A;;GA;;;LS)`, the same scoping as the gamepad section. The
|
||||
/// old SDDL granted **Everyone** (`WD`), which let any local user open the `Global\pfvd-*` objects and
|
||||
/// read captured screen frames (security-review 2026-06-28 #5). Verified on the RTX box (2026-06-29):
|
||||
/// the WUDFHost token is `S-1-5-19` (LocalService), SYSTEM integrity, zero restricted SIDs — so SY+LS
|
||||
/// suffices for the driver and excludes normal user processes. `psd` must outlive `sa`.
|
||||
/// Build a `SECURITY_ATTRIBUTES` granting GENERIC_ALL to **SYSTEM only** — `D:P(A;;GA;;;SY)`, protected
|
||||
/// (no inherited ACEs), `bInheritHandle: false`. The sealed channel makes this the strictly-minimal
|
||||
/// DACL: the objects are UNNAMED and the driver reaches them via **duplicated handles** (which carry the
|
||||
/// source handle's access — `OpenSharedResourceByName`/`OpenSharedResource1` on a handle does not
|
||||
/// re-check the object DACL against the opener), so the pf_vdisplay WUDFHost (LocalService) no longer
|
||||
/// needs a DACL ACE. Dropping the `LS` ACE removes the last theoretical surface where a leaked handle or
|
||||
/// a name-grown-by-accident could be opened by the (many-service-shared) LocalService SID. Empirically
|
||||
/// confirmed unreachable regardless: a LocalService token is DACL-denied `OpenProcess` on the WUDFHost
|
||||
/// (`PROCESS_DUP_HANDLE`/`VM_READ`/even `QUERY_LIMITED` → ACCESS_DENIED, tested on the RTX box
|
||||
/// 2026-07-03), so it cannot dup the handles out either. History: `Global\`-named + world-openable
|
||||
/// (`WD`, security-review 2026-06-28 #5) → SY+LS-scoped → nameless → now SY-only. `psd` must outlive
|
||||
/// `sa`. See `design/idd-push-security.md`.
|
||||
unsafe fn shared_object_sa() -> Result<(SECURITY_ATTRIBUTES, PSECURITY_DESCRIPTOR)> {
|
||||
let mut psd = PSECURITY_DESCRIPTOR::default();
|
||||
ConvertStringSecurityDescriptorToSecurityDescriptorW(
|
||||
w!("D:(A;;GA;;;SY)(A;;GA;;;LS)"),
|
||||
w!("D:P(A;;GA;;;SY)"),
|
||||
SDDL_REVISION_1,
|
||||
&mut psd,
|
||||
None,
|
||||
@@ -262,20 +482,18 @@ unsafe fn shared_object_sa() -> Result<(SECURITY_ATTRIBUTES, PSECURITY_DESCRIPTO
|
||||
|
||||
impl IddPushCapturer {
|
||||
/// Create the `RING_LEN` shared keyed-mutex textures for one ring generation, at `format` (matched
|
||||
/// to the display's composition format — FP16 in HDR, BGRA in SDR). Each is shared by the name
|
||||
/// `pfvd-tex-<target>-<generation>-<k>` so the driver opens it; a fresh generation gives fresh names
|
||||
/// (so a recreate never collides with the old ring's not-yet-released handles).
|
||||
/// to the display's composition format — FP16 in HDR, BGRA in SDR). Each is shared through an
|
||||
/// UNNAMED NT handle (nothing to open by name — the sealed channel); the driver reaches it only via
|
||||
/// the duplicate the [`ChannelBroker`] sends after the ring is published.
|
||||
unsafe fn create_ring_slots(
|
||||
device: &ID3D11Device,
|
||||
target_id: u32,
|
||||
generation: u32,
|
||||
w: u32,
|
||||
h: u32,
|
||||
format: DXGI_FORMAT,
|
||||
) -> Result<Vec<HostSlot>> {
|
||||
let (sa, _psd) = shared_object_sa()?;
|
||||
let mut slots = Vec::new();
|
||||
for k in 0..RING_LEN {
|
||||
for _ in 0..RING_LEN {
|
||||
let desc = D3D11_TEXTURE2D_DESC {
|
||||
Width: w,
|
||||
Height: h,
|
||||
@@ -304,7 +522,7 @@ impl IddPushCapturer {
|
||||
.CreateSharedHandle(
|
||||
Some(&sa as *const SECURITY_ATTRIBUTES),
|
||||
DXGI_SHARED_RESOURCE_RW,
|
||||
&HSTRING::from(texture_name(target_id, generation, k)),
|
||||
PCWSTR::null(), // UNNAMED — reachable only through the broker's duplicate
|
||||
)
|
||||
.context("CreateSharedHandle(IDD-push ring slot)")?;
|
||||
// Own the shared handle so the slot's `Drop` closes it via RAII (was a manual `CloseHandle`).
|
||||
@@ -381,22 +599,22 @@ impl IddPushCapturer {
|
||||
// `u32` target id; they read/flip CCD display config and return owned values, borrowing nothing.
|
||||
// - `CreateDXGIFactory1`, `EnumAdapterByLuid`, `make_device`, `shared_object_sa`, `CreateFileMappingW`,
|
||||
// `MapViewOfFile`, `CreateEventW`, and `create_ring_slots` are all `?`-checked, so every returned
|
||||
// interface/handle/view is non-error before use; `&sa`/`&adapter`/`&device`/the `&HSTRING` names
|
||||
// are live borrows that outlive each synchronous call, and `sa.lpSecurityDescriptor` stays valid
|
||||
// because its backing `_psd` is held in scope for the whole block.
|
||||
// interface/handle/view is non-error before use; `&sa`/`&adapter`/`&device` are live borrows that
|
||||
// outlive each synchronous call, and `sa.lpSecurityDescriptor` stays valid because its backing
|
||||
// `_psd` is held in scope for the whole block.
|
||||
// - The header mapping is created AND viewed at `bytes == size_of::<SharedHeader>().max(64)`; the
|
||||
// view's null is checked (`bail!` on failure, after which the owned `map` closes the mapping). The
|
||||
// OS view base is page-aligned, so `section.ptr::<SharedHeader>()` is suitably aligned for a
|
||||
// `SharedHeader`, and `write_bytes(.., 0, bytes)` plus the `(*header).field = ..` writes all stay
|
||||
// within those `bytes` and write THROUGH the raw pointer without forming any `&mut`. The debug
|
||||
// section is the same pattern at `dbg_bytes == size_of::<DebugBlock>()`, only entered when its
|
||||
// own view is non-null.
|
||||
// within those `bytes` and write THROUGH the raw pointer without forming any `&mut`.
|
||||
// - The `magic` publish stores through `addr_of!((*header).magic) as *const AtomicU32`: `addr_of!`
|
||||
// takes the field address without a reference; the field is a 4-aligned `u32` (valid for
|
||||
// `AtomicU32`), and the `Release` store after the `Release` fence is the cross-process handshake
|
||||
// that orders all preceding writes before the driver may observe `MAGIC`.
|
||||
// - `header`/`dbg_block` point into the OS mappings, NOT into the `MappedSection` structs, so moving
|
||||
// `section`/`dbg_section` into `me` leaves them valid (see the `MappedSection` doc comment).
|
||||
// - `broker.send` requires live `header`/`event` handles of this process: both borrow the just-
|
||||
// created owned section/event for the duration of that synchronous call.
|
||||
// - `header` points into the OS mapping, NOT into the `MappedSection` struct, so moving `section`
|
||||
// into `me` leaves it valid (see the `MappedSection` doc comment).
|
||||
unsafe {
|
||||
// If we ENABLE advanced color for a 10-bit client, trust it (the driver will compose FP16) and
|
||||
// size the ring FP16 directly — don't race the advanced_color_enabled poll, which may not have
|
||||
@@ -428,14 +646,14 @@ impl IddPushCapturer {
|
||||
let (sa, _psd) = shared_object_sa()?;
|
||||
let bytes = std::mem::size_of::<SharedHeader>().max(64);
|
||||
|
||||
// Header.
|
||||
// Header — UNNAMED (the sealed channel: the driver gets a duplicated handle, not a name).
|
||||
let map = CreateFileMappingW(
|
||||
INVALID_HANDLE_VALUE,
|
||||
Some(&sa),
|
||||
PAGE_READWRITE,
|
||||
0,
|
||||
bytes as u32,
|
||||
&HSTRING::from(header_name(target.target_id)),
|
||||
PCWSTR::null(),
|
||||
)
|
||||
.context("CreateFileMapping(IDD-push header)")?;
|
||||
// Own the mapping handle so it (and its view) free via `MappedSection` RAII even on bail.
|
||||
@@ -463,69 +681,45 @@ impl IddPushCapturer {
|
||||
// reads this into its `ring_format` and drops any surface that doesn't match.
|
||||
(*header).dxgi_format = ring_fmt.0 as u32;
|
||||
|
||||
// Frame-ready event (auto-reset).
|
||||
let event = CreateEventW(
|
||||
Some(&sa),
|
||||
false,
|
||||
false,
|
||||
&HSTRING::from(event_name(target.target_id)),
|
||||
)
|
||||
.context("CreateEvent(IDD-push)")?;
|
||||
// Frame-ready event (auto-reset) — UNNAMED, like everything on this channel.
|
||||
let event = CreateEventW(Some(&sa), false, false, PCWSTR::null())
|
||||
.context("CreateEvent(IDD-push)")?;
|
||||
let event = OwnedHandle::from_raw_handle(event.0 as _);
|
||||
|
||||
// Ring of shared keyed-mutex textures, format matched to the display's current mode.
|
||||
let slots =
|
||||
Self::create_ring_slots(&device, target.target_id, generation, w, h, ring_fmt)?;
|
||||
let slots = Self::create_ring_slots(&device, w, h, ring_fmt)?;
|
||||
|
||||
// Bring-up debug block (fixed name) — the driver writes diagnostics here. Best-effort.
|
||||
let dbg_bytes = std::mem::size_of::<DebugBlock>();
|
||||
let (dbg_section, dbg_block) = match CreateFileMappingW(
|
||||
INVALID_HANDLE_VALUE,
|
||||
Some(&sa),
|
||||
PAGE_READWRITE,
|
||||
0,
|
||||
dbg_bytes as u32,
|
||||
&HSTRING::from(DBG_NAME),
|
||||
) {
|
||||
Ok(dm) => {
|
||||
// Own the mapping handle so it (and its view) free via `MappedSection` RAII.
|
||||
let dm = OwnedHandle::from_raw_handle(dm.0 as _);
|
||||
let dv = MapViewOfFile(
|
||||
HANDLE(dm.as_raw_handle()),
|
||||
FILE_MAP_ALL_ACCESS,
|
||||
0,
|
||||
0,
|
||||
dbg_bytes,
|
||||
);
|
||||
if dv.Value.is_null() {
|
||||
(None, std::ptr::null_mut()) // `dm` drops → mapping closed
|
||||
} else {
|
||||
let section = MappedSection {
|
||||
handle: dm,
|
||||
view: dv,
|
||||
};
|
||||
let p = section.ptr::<DebugBlock>();
|
||||
std::ptr::write_bytes(p.cast::<u8>(), 0, dbg_bytes);
|
||||
(*p).magic = DBG_MAGIC;
|
||||
(Some(section), p)
|
||||
}
|
||||
}
|
||||
Err(_) => (None, std::ptr::null_mut()),
|
||||
};
|
||||
|
||||
// Publish: magic LAST (Release) — signals the driver the ring is ready to open.
|
||||
// Publish: magic LAST (Release) — the ring must be fully initialized before the driver
|
||||
// (which receives the channel strictly afterwards) can observe MAGIC.
|
||||
std::sync::atomic::fence(Ordering::Release);
|
||||
(*(std::ptr::addr_of!((*header).magic) as *const AtomicU32))
|
||||
.store(MAGIC, Ordering::Release);
|
||||
|
||||
// Deliver the sealed channel: duplicate header + event + every slot texture into the
|
||||
// driver's WUDFHost and hand it the values over the control device. All-or-nothing (the
|
||||
// broker reaps its remote duplicates on failure), and a failure fails the open — without
|
||||
// the delivery the driver can never attach.
|
||||
let broker = ChannelBroker::open(target.wudf_pid)?;
|
||||
broker
|
||||
.send(
|
||||
target.target_id,
|
||||
generation,
|
||||
HANDLE(section.handle.as_raw_handle()),
|
||||
HANDLE(event.as_raw_handle()),
|
||||
&slots,
|
||||
)
|
||||
.context("deliver IDD-push frame channel to the driver")?;
|
||||
|
||||
tracing::info!(
|
||||
target_id = target.target_id,
|
||||
wudf_pid = target.wudf_pid,
|
||||
render_luid = format!("{:08x}:{:08x}", luid.HighPart, luid.LowPart),
|
||||
mode = format!("{w}x{h}"),
|
||||
display_hdr,
|
||||
client_10bit,
|
||||
ring_fp16 = display_hdr,
|
||||
"IDD push(host): created shared ring; waiting for the driver to attach + publish"
|
||||
"IDD push(host): created sealed ring + delivered the channel; waiting for the driver \
|
||||
to attach + publish"
|
||||
);
|
||||
let me = Self {
|
||||
device,
|
||||
@@ -534,8 +728,7 @@ impl IddPushCapturer {
|
||||
section,
|
||||
header,
|
||||
event,
|
||||
dbg_section,
|
||||
dbg_block,
|
||||
broker,
|
||||
width: w,
|
||||
height: h,
|
||||
slots,
|
||||
@@ -659,34 +852,6 @@ impl IddPushCapturer {
|
||||
}
|
||||
}
|
||||
|
||||
/// Log the driver's bring-up diagnostics (the fixed-name debug block) — independent of the
|
||||
/// per-target header, so it tells us whether the swap-chain processor ran, what target_id it
|
||||
/// resolved, whether the header opened (+ error), and whether frames flowed.
|
||||
fn log_debug_block(&self) {
|
||||
if self.dbg_block.is_null() {
|
||||
tracing::warn!("IDD push DEBUG: no debug block");
|
||||
return;
|
||||
}
|
||||
// SAFETY: `self.dbg_block` was just checked non-null (the early return above); it points into the
|
||||
// owned `dbg_section` mapping sized exactly `size_of::<DebugBlock>()` and page-aligned, so it is
|
||||
// valid + aligned for `DebugBlock`. `d` is a short-lived SHARED reference used only to read the
|
||||
// fields below; we never form `&mut` into this region, and the driver's cross-process writes are
|
||||
// aligned `u32`s that don't tear (best-effort bring-up diagnostics).
|
||||
let d = unsafe { &*self.dbg_block };
|
||||
tracing::error!(
|
||||
run_core_entries = d.run_core_entries,
|
||||
resolved_target_id = d.resolved_target_id,
|
||||
header_open_attempts = d.header_open_attempts,
|
||||
last_open_error = format!("0x{:08x}", d.last_open_error),
|
||||
header_opened = d.header_opened,
|
||||
driver_render_luid = format!("{:08x}:{:08x}", d.render_luid_high, d.render_luid_low),
|
||||
frames_acquired = d.frames_acquired,
|
||||
"IDD push DEBUG: driver-reported diagnostics (run_core_entries=0 ⇒ swap-chain processor \
|
||||
never ran; resolved_target_id≠ours ⇒ name mismatch; last_open_error 0x80070002 ⇒ header \
|
||||
not found; frames_acquired=0 ⇒ idle display)"
|
||||
);
|
||||
}
|
||||
|
||||
/// The output texture format + the [`PixelFormat`] NVENC encodes, driven SOLELY by the DISPLAY's HDR
|
||||
/// state (like the WGC path): HDR → `P010` (BT.2020 PQ 10-bit limited) → NVENC Main10, and the client
|
||||
/// auto-detects PQ from the HEVC VUI; SDR → `Nv12` (BT.709 8-bit limited). Both are native YUV so
|
||||
@@ -712,9 +877,10 @@ impl IddPushCapturer {
|
||||
}
|
||||
|
||||
/// Recreate the ring at the format for `new_display_hdr` (the user flipped "Use HDR"). Bumps the
|
||||
/// generation so the driver re-attaches ([`is_stale`]) to the new-format textures; clears the
|
||||
/// header's `latest` so we don't consume a stale slot from the old ring; drops the conversion
|
||||
/// textures so they rebuild at the new format.
|
||||
/// generation so the driver re-attaches ([`is_stale`]) to the new-format textures and DELIVERS the
|
||||
/// new channel (fresh duplicates of the header + event + the new textures — every delivery is a
|
||||
/// self-contained handle set the driver owns); clears the header's `latest` so we don't consume a
|
||||
/// stale slot from the old ring; drops the conversion textures so they rebuild at the new format.
|
||||
fn recreate_ring(&mut self, new_display_hdr: bool, new_w: u32, new_h: u32) -> Result<()> {
|
||||
self.display_hdr = new_display_hdr;
|
||||
self.width = new_w;
|
||||
@@ -725,16 +891,8 @@ impl IddPushCapturer {
|
||||
// borrow of `self.device` (the capturer's own device, on which the slots are created) plus plain
|
||||
// `u32`/`DXGI_FORMAT` values, and `?` propagates any failure before the slots are used. Every
|
||||
// returned slot's texture + keyed mutex belongs to that same `self.device`.
|
||||
let new_slots = unsafe {
|
||||
Self::create_ring_slots(
|
||||
&self.device,
|
||||
self.target_id,
|
||||
new_gen,
|
||||
self.width,
|
||||
self.height,
|
||||
fmt,
|
||||
)?
|
||||
};
|
||||
let new_slots =
|
||||
unsafe { Self::create_ring_slots(&self.device, self.width, self.height, fmt)? };
|
||||
// SAFETY: `self.header` is the live, owned shared-header mapping (page-aligned, sized for a
|
||||
// `SharedHeader`). The `latest`/`generation` stores go through `addr_of!`-formed field pointers (no
|
||||
// references) of correctly-aligned `u64`/`u32` fields, valid for `AtomicU64`/`AtomicU32`; the
|
||||
@@ -759,6 +917,26 @@ impl IddPushCapturer {
|
||||
}
|
||||
self.slots = new_slots; // drops the old slots → closes their shared handles + SRVs
|
||||
self.generation = new_gen;
|
||||
// Deliver the new generation's channel. The driver's old publisher sees the generation bump
|
||||
// (`is_stale`), drops (closing its old handles), and re-attaches from this delivery. On failure
|
||||
// the broker already reaped its remote duplicates; the recover-or-drop window in `try_consume`
|
||||
// then ends the session cleanly (the driver can never attach to an undelivered ring).
|
||||
// SAFETY: `broker.send` requires live `header`/`event` handles of this process — both borrow the
|
||||
// owned `self.section.handle`/`self.event` for the duration of the synchronous call.
|
||||
if let Err(e) = unsafe {
|
||||
self.broker.send(
|
||||
self.target_id,
|
||||
new_gen,
|
||||
HANDLE(self.section.handle.as_raw_handle()),
|
||||
HANDLE(self.event.as_raw_handle()),
|
||||
&self.slots,
|
||||
)
|
||||
} {
|
||||
tracing::warn!(
|
||||
error = %format!("{e:#}"),
|
||||
"IDD push: frame-channel re-delivery failed after ring recreate"
|
||||
);
|
||||
}
|
||||
self.last_seq = 0;
|
||||
self.out_ring.clear(); // the output format changed → rebuild lazily at the new format
|
||||
self.video_conv = None; // converters are sized + HDR-specific → rebuild at the new mode
|
||||
@@ -982,44 +1160,6 @@ impl IddPushCapturer {
|
||||
}
|
||||
}
|
||||
|
||||
/// Diagnostic observer (O3.1): create the IDD-push ring + debug block as the SYSTEM host (LocalSystem
|
||||
/// — proper privileges, the gamepad pattern) ALONGSIDE the normal WGC path, which provides the
|
||||
/// presentation trigger. Logs whether the driver's `run_core` ran and pushed frames into a
|
||||
/// host-created ring — resolving the `run_core=0` ambiguity (a user-created ring may be unwritable by
|
||||
/// the driver). Gated by `PUNKTFUNK_IDD_PUSH_OBSERVE`; spawns a short-lived sampling thread.
|
||||
pub fn spawn_observer(target: WinCaptureTarget, preferred: Option<(u32, u32, u32)>) {
|
||||
std::thread::spawn(move || {
|
||||
let tid = target.target_id;
|
||||
tracing::info!(
|
||||
target_id = tid,
|
||||
"IDD push OBSERVER: creating host ring (LocalSystem) + debug block alongside WGC"
|
||||
);
|
||||
match IddPushCapturer::open(target, preferred, false, Box::new(())) {
|
||||
Ok(mut cap) => {
|
||||
let mut frames = 0u32;
|
||||
for _ in 0..40 {
|
||||
match cap.try_consume() {
|
||||
Ok(Some(_)) => frames += 1,
|
||||
Ok(None) => {}
|
||||
Err(e) => tracing::warn!("IDD push OBSERVER: consume error: {e:#}"),
|
||||
}
|
||||
std::thread::sleep(Duration::from_millis(750));
|
||||
}
|
||||
tracing::info!(
|
||||
target_id = tid,
|
||||
frames_from_ring = frames,
|
||||
"IDD push OBSERVER: sampling done"
|
||||
);
|
||||
cap.log_debug_block();
|
||||
}
|
||||
Err((e, _keep)) => tracing::warn!(
|
||||
target_id = tid,
|
||||
"IDD push OBSERVER: ring open failed: {e:#}"
|
||||
),
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/// The selected render GPU LUID (where the encoder runs), falling back to the monitor's `OsAdapterLuid`.
|
||||
fn resolve_render_adapter_luid_or(fallback_packed: i64) -> LUID {
|
||||
if let Some(l) = crate::win_adapter::resolve_render_adapter_luid() {
|
||||
@@ -1046,7 +1186,6 @@ impl Capturer for IddPushCapturer {
|
||||
return Ok(f);
|
||||
}
|
||||
if Instant::now() > deadline {
|
||||
self.log_debug_block();
|
||||
// SAFETY: four in-bounds, aligned reads of the live, owned shared-header mapping — the same
|
||||
// best-effort diagnostic fields as `log_driver_status_once` (aligned word reads can't tear;
|
||||
// no reference into the shared region is formed).
|
||||
@@ -1093,8 +1232,10 @@ impl Capturer for IddPushCapturer {
|
||||
impl Drop for IddPushCapturer {
|
||||
fn drop(&mut self) {
|
||||
self.slots.clear();
|
||||
// The shared header + debug sections (`MappedSection`) and the frame-ready `event`
|
||||
// (`OwnedHandle`) free themselves via RAII (each unmaps its view, then closes its handle).
|
||||
// _keepalive drops after, REMOVEing the virtual display.
|
||||
// The shared header section (`MappedSection`), the frame-ready `event` (`OwnedHandle`) and the
|
||||
// broker's WUDFHost process handle free themselves via RAII (unmap view, then close handle) —
|
||||
// nothing of this session's channel outlives the capturer on the host side; the driver's
|
||||
// duplicates die with its publisher / monitor / WUDFHost (teardown invariant,
|
||||
// `design/idd-push-security.md`). _keepalive drops after, REMOVEing the virtual display.
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user