Bug#1016822: intel-media-va-driver: segfault in mos_bo_wait_rendering()
Package: intel-media-va-driver
Version: 22.4.3+dfsg1-1
Severity: normal
Hi all, on my system when I try to play an H.264 file with VLC, it crashes with a Segmentation Fault in iHD_drv_video.so.
With debug symbols, the stack trace reported by gdb is:
#0 mos_bo_wait_rendering(mos_linux_bo*) (bo=0x0) at ./media_driver/linux/common/os/i915/mos_bufmgr_api.c:138
#1 0x00007fff15a4e3b1 in DdiMediaDecode::CreateBuffer(VABufferType, unsigned int, unsigned int, void*, unsigned int*)
(this=0x7fff543aab10, type=VASliceDataBufferType, size=<optimized out>, numElements=1, data=0x7fffc019dc73, bufId=0x7fff65f49a9c)
at ./media_driver/linux/common/codec/ddi/media_ddi_decode_base.cpp:1099
#2 0x00007fff15a0e279 in DdiMedia_CreateBuffer(VADriverContext*, unsigned int, VABufferType, unsigned int, unsigned int, void*, unsigned int*)
(bufId=0x7fff65f49a9c, data=0x7fffc019dc73, num_elements=1, size=16175, type=VASliceDataBufferType, context=268435456, ctx=0x7fff54237160)
at ./media_driver/linux/common/ddi/media_libva.cpp:3247
#3 DdiMedia_CreateBuffer(VADriverContext*, unsigned int, VABufferType, unsigned int, unsigned int, void*, unsigned int*)
(ctx=0x7fff54237160, context=268435456, type=VASliceDataBufferType, size=16175, num_elements=1, data=0x7fffc019dc73, bufId=0x7fff65f49a9c)
at ./media_driver/linux/common/ddi/media_libva.cpp:3215
#4 0x00007fff6c193193 in vaCreateBuffer () at /lib/x86_64-linux-gnu/libva.so.2
#5 0x00007fff4074cb85 in () at /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_va_gl.so.1
#6 0x00007fff4074d2ac in () at /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_va_gl.so.1
#7 0x00007fff4074d879 in () at /usr/lib/x86_64-linux-gnu/vdpau/libvdpau_va_gl.so.1
#8 0x00007fff6e911808 in () at /lib/x86_64-linux-gnu/libavcodec.so.59
#9 0x00007fff6e911c68 in () at /lib/x86_64-linux-gnu/libavcodec.so.59
#10 0x00007fff6e4b25e6 in () at /lib/x86_64-linux-gnu/libavcodec.so.59
#11 0x00007fff6e4c78e1 in () at /lib/x86_64-linux-gnu/libavcodec.so.59
#12 0x00007fff6e782f3b in () at /lib/x86_64-linux-gnu/libavcodec.so.59
#13 0x00007ffff7f6dd80 in start_thread (arg=0x7fff65f4b640) at pthread_create.c:481
#14 0x00007ffff7e81baf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
I interpret this as "buf->bo" being NULL on line 1117 in media_ddi_decode_base.cpp:
https://github.com/intel/media-driver/blob/a47db3905e6f77b0666c6f10e3b9642cac9fafc8/media_driver/linux/common/codec/ddi/media_ddi_decode_base.cpp#L1117
1115     if( true == buf->bCFlushReq )
1116     {
1117         mos_bo_wait_rendering(buf->bo);
1118     }
Since mos_bo_wait_rendering() is passed the NULL argument, a SIGSEGV is raised when "bo" is dereferenced on line 116 in mos_bufmgr_api_mock.c:
https://github.com/intel/media-driver/blob/master/media_driver/linux/ult/libdrm_mock/mos_bufmgr_api_mock.c#L116
114 mos_bo_wait_rendering(struct mos_linux_bo *bo)
115 {
116     bo->bufmgr->bo_wait_rendering(bo);
117 }
My system info:
CPU: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
$ vainfo
libva info: VA-API version 1.15.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_14
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.15 (libva 2.12.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 22.4.3 ()
vainfo: Supported profile and entrypoints
VAProfileMPEG2Simple : VAEntrypointVLD
VAProfileMPEG2Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointEncSliceLP
VAProfileH264High : VAEntrypointVLD
VAProfileH264High : VAEntrypointEncSliceLP
VAProfileJPEGBaseline : VAEntrypointVLD
VAProfileJPEGBaseline : VAEntrypointEncPicture
VAProfileH264ConstrainedBaseline: VAEntrypointVLD
VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
VAProfileVP8Version0_3 : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointVLD
VAProfileHEVCMain10 : VAEntrypointVLD
VAProfileVP9Profile0 : VAEntrypointVLD
VAProfileVP9Profile2 : VAEntrypointVLD
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Note: my kernel is tainted because I install the ZFS kernel module via zfs-dkms
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages intel-media-va-driver depends on:
ii libc6 2.33-8
ii libgcc-s1 12.1.0-7
ii libigdgmm12 22.1.5+ds1-1
ii libstdc++6 12.1.0-7
ii libva2 [libva-driver-abi-1.14] 2.15.0-1
intel-media-va-driver recommends no packages.
intel-media-va-driver suggests no packages.
-- no debconf information
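
Added example (not part of the original report and not the project's own fix): a minimal C model of the crash path described above, in which both the wrapper and its caller reject a NULL buffer object instead of dereferencing it. The struct layouts and the names `media_buffer`, `checked_bo_wait_rendering`, `flush_if_requested` and `fake_wait` are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified stand-ins for the driver's types: assumed layouts that keep
 * only the fields the crash path touches. */
struct mos_linux_bo;
struct mos_bufmgr {
    void (*bo_wait_rendering)(struct mos_linux_bo *bo);
};
struct mos_linux_bo { struct mos_bufmgr *bufmgr; };
struct media_buffer {              /* hypothetical DDI buffer stand-in */
    int bCFlushReq;
    struct mos_linux_bo *bo;
};

static int wait_calls;             /* calls that reached the backend */
static void fake_wait(struct mos_linux_bo *bo) { (void)bo; wait_calls++; }

/* Guarded wrapper: a NULL bo, a bo without a buffer manager, or a manager
 * without the callback is reported as -EINVAL instead of being dereferenced. */
int checked_bo_wait_rendering(struct mos_linux_bo *bo)
{
    if (bo == NULL || bo->bufmgr == NULL ||
        bo->bufmgr->bo_wait_rendering == NULL)
        return -EINVAL;
    bo->bufmgr->bo_wait_rendering(bo);
    return 0;
}

/* Caller-side pattern: a flush request on a buffer with no backing object
 * becomes an error the caller can propagate, not a SIGSEGV. */
int flush_if_requested(struct media_buffer *buf)
{
    if (buf == NULL)
        return -EINVAL;
    if (!buf->bCFlushReq)
        return 0;
    return checked_bo_wait_rendering(buf->bo);
}

int main(void)
{
    struct mos_bufmgr mgr = { fake_wait };
    struct mos_linux_bo bo = { &mgr };
    struct media_buffer good = { 1, &bo }, bad = { 1, NULL };
    return (flush_if_requested(&good) == 0 &&
            flush_if_requested(&bad) == -EINVAL) ? 0 : 1;
}
```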