[Bug]: double free abort in media workloads when given KMD uAPI support is not enabled in media driver

eero-t commented 2 months ago

Which component impacted?

Not sure

Is it regression? Good in old configuration?

None

What happened?

Latest kernel DKMS driver from Intel repositories (i.e. using prelim uAPI), and latest media driver release that is built without prelim API support.

On Arc 0x56a0 HW Glibc aborts media process to double-free:

$ vainfo
error: XDG_RUNTIME_DIR not set in the environment.
error: can't connect to X server!
libva info: VA-API version 1.21.0
libva info: User environment variable requested driver 'iHD'
libva info: Trying to open /usr/local/lib/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_21
double free or corruption (!prev)

What's the usage scenario when you are seeing the problem?

Transcode for media delivery, Playback, Others

What impacted?

All media use-cases are impacted, as this happens on driver initialization.

Users can easily mix accidentally kernel and user-space drivers with different uAPI.

Expected behavior in this case is media-driver returning error to application, instead of crashing the application.

Driver could also log that that given kernel driver is not supported so that user knows what's the problem.

(Ideally driver should support both prelim & upstream uAPIs at the same time like Intel compute driver does, but at least it should not crash.)

Debug Information

I'm using latest available tags:

libdrm: libdrm-2.4.120
libva: 2.21.0
GMMlib: intel-gmmlib-22.3.19
Media: intel-media-24.2.1

Buffer mapping gets abort due to double-free:

$ strace -f -k vainfo
...
ioctl(3, DRM_IOCTL_I915_GEM_CONTEXT_DESTROY, 0x7ffce151a1c0) = 0
 > /usr/lib/x86_64-linux-gnu/libc.so.6(ioctl+0x3f) [0x11a94f]
 > /usr/local/lib/libdrm.so.2.4.0(drmIoctl+0x30) [0x8160]
 > /usr/local/lib/dri/iHD_drv_video.so(mos_gem_bo_map(mos_linux_bo*, int)+0xee9) [0x172b19]
 > /usr/local/lib/dri/iHD_drv_video.so() [0x14e44e]
 > /usr/local/lib/dri/iHD_drv_video.so(void std::vector<unsigned char, std::allocator<unsigned char> >::_M_realloc_insert<unsigned char const&>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char const&)+0x94ff4) [0x6955b4]
 > /usr/local/lib/dri/iHD_drv_video.so(std::pair<std::_Rb_tree_iterator<std::pair<unsigned int const, unsigned int> >, bool> std::_Rb_tree<unsigned int, std::pair<unsigned int const, unsigned int>, std::_Select1st<std::pair<unsigned int const, unsigned int> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >::_M_emplace_unique<std::pair<unsigned int, unsigned int> >(std::pair<unsigned int, unsigned int>&&)+0x438eb) [0x315b2b]
 > /usr/local/lib/dri/iHD_drv_video.so(std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned int>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned int> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned int> > >::_M_get_insert_hint_unique_pos(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned int> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+0x105f7) [0x3a2717]
 > /usr/local/lib/dri/iHD_drv_video.so() [0x154fb0]
 > /usr/local/lib/dri/iHD_drv_video.so(std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned char>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, unsigned char> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+0x12b6) [0x189cb6]
 > /usr/local/lib/dri/iHD_drv_video.so(DdiMedia_MapBuffer2+0x23cf) [0x356def]
 > /usr/local/lib/dri/iHD_drv_video.so(__vaDriverInit_1_21+0x53) [0x357d93]
 > /usr/local/lib/libva.so.2.2100.0(vaInitialize+0x5cd) [0x499d]
 > /usr/bin/vainfo() [0x28e0]
 > /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_init_first+0x90) [0x29d90]
 > /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x29e40]
 > /usr/bin/vainfo() [0x2e75]
writev(2, [{iov_base="double free or corruption (!prev"..., iov_len=33}, {iov_base="\n", iov_len=1}], 2double free or corruption (!prev)

By enabling prelim uAPI support, the crash goes away (and media workloads actually work).

Do you want to contribute a patch to fix the issue?

No.

Jexu commented 2 months ago

Looks that multi variable points to osInterface and try to delete a wild pointer...

intel-mediadev commented 2 months ago

Auto Created VSMGWL-73217 for further analysis.

intel / media-driver