From mboxrd@z Thu Jan  1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 105368] Crash in ruvd_end_frame when calling
 vaBeginPicture/vaEndPicture without rendering anything
Date: Tue, 06 Mar 2018 13:01:14 +0000
Message-ID: <bug-105368-502@http.bugs.freedesktop.org/>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1585410766=="
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from culpepper.freedesktop.org (culpepper.freedesktop.org
 [131.252.210.165])
 by gabe.freedesktop.org (Postfix) with ESMTP id 7D3836E6BA
 for <dri-devel@lists.freedesktop.org>; Tue,  6 Mar 2018 13:01:14 +0000 (UTC)
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org


--===============1585410766==
Content-Type: multipart/alternative; boundary="15203412740.163e48.22781"
Content-Transfer-Encoding: 7bit


--15203412740.163e48.22781
Date: Tue, 6 Mar 2018 13:01:14 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.freedesktop.org/
Auto-Submitted: auto-generated

https://bugs.freedesktop.org/show_bug.cgi?id=3D105368

            Bug ID: 105368
           Summary: Crash in ruvd_end_frame when calling
                    vaBeginPicture/vaEndPicture without rendering anything
           Product: Mesa
           Version: git
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/Gallium/radeonsi
          Assignee: dri-devel@lists.freedesktop.org
          Reporter: k.philipp@gmail.com
        QA Contact: dri-devel@lists.freedesktop.org

VAAPI testing has revealed that ruvd_end_frame does not handle a particular
edge case (see below), i.e. it crashes.

Source of the crash is here:
https://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/radeon/rade=
on_uvd.c?id=3De96e6f60f705c04a3d437eea9fe308826b494c67#n1246

The memset fails when you call vaBeginPicture/vaEndPicture without any rele=
vant
vaRenderPicture calls in-between and have previously decoded some frames us=
ing
the context. Then ruvd_begin_frame (triggered by data buffers) is not calle=
d to
set up a new bs_ptr, and the old pointer that was unmapped already is still
around, so memset will segfault. Inserting dec->bs_ptr =3D NULL after the
buffer_unmap works for me, but I don't know if this is the solution or just=
 a
workaround.

ffmpeg seems to do this under certain circumstances, which is how this bug
surfaced. The vaapi documentation does not seem to forbid this, even if it =
does
not make a lot of sense.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

--15203412740.163e48.22781
Date: Tue, 6 Mar 2018 13:01:14 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.freedesktop.org/
Auto-Submitted: auto-generated

<html>
    <head>
      <base href=3D"https://bugs.freedesktop.org/">
    </head>
    <body><table border=3D"1" cellspacing=3D"0" cellpadding=3D"8">
        <tr>
          <th>Bug ID</th>
          <td><a class=3D"bz_bug_link=20
          bz_status_NEW "
   title=3D"NEW - Crash in ruvd_end_frame when calling vaBeginPicture/vaEnd=
Picture without rendering anything"
   href=3D"https://bugs.freedesktop.org/show_bug.cgi?id=3D105368">105368</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash in ruvd_end_frame when calling vaBeginPicture/vaEndPict=
ure without rendering anything
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Drivers/Gallium/radeonsi
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dri-devel&#64;lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>k.philipp&#64;gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>dri-devel&#64;lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>VAAPI testing has revealed that ruvd_end_frame does not handle=
 a particular
edge case (see below), i.e. it crashes.

Source of the crash is here:
<a href=3D"https://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/=
radeon/radeon_uvd.c?id=3De96e6f60f705c04a3d437eea9fe308826b494c67#n1246">ht=
tps://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/radeon/radeon=
_uvd.c?id=3De96e6f60f705c04a3d437eea9fe308826b494c67#n1246</a>

The memset fails when you call vaBeginPicture/vaEndPicture without any rele=
vant
vaRenderPicture calls in-between and have previously decoded some frames us=
ing
the context. Then ruvd_begin_frame (triggered by data buffers) is not calle=
d to
set up a new bs_ptr, and the old pointer that was unmapped already is still
around, so memset will segfault. Inserting dec-&gt;bs_ptr =3D NULL after the
buffer_unmap works for me, but I don't know if this is the solution or just=
 a
workaround.

ffmpeg seems to do this under certain circumstances, which is how this bug
surfaced. The vaapi documentation does not seem to forbid this, even if it =
does
not make a lot of sense.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>=

--15203412740.163e48.22781--

--===============1585410766==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs
IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlz
dHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg==

--===============1585410766==--