From f055ba80b7d9d313fa0b2b2e23dc6cc5156745ec Mon Sep 17 00:00:00 2001
From: Jay Yang
Date: Tue, 28 May 2024 15:01:36 +0800
Subject: [PATCH] Fix double free crash when create mmd fail Fix: #1795, #1789
Signed-off-by: Jay Yang
---
 .../media_interfaces/media_interfaces.cpp | 8 +++-
 .../media_interfaces_dg2.cpp | 42 ++++++++++---------
 2 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/media_driver/linux/common/media_interfaces/media_interfaces.cpp b/media_driver/linux/common/media_interfaces/media_interfaces.cpp
index 6090e62da3..ae3b117783 100644
--- a/media_driver/linux/common/media_interfaces/media_interfaces.cpp
+++ b/media_driver/linux/common/media_interfaces/media_interfaces.cpp
@@ -375,10 +375,16 @@ void* MmdDevice::CreateFactory(
 {
 MMD_FAILURE();
 }
+
+ // transfer ownership of osinterface. No need to delete osinterface from this point.
 device->Initialize(osInterface, mhwInterfaces);
 if (device->m_mmdDevice == nullptr)
 {
- MMD_FAILURE();
+ mhwInterfaces->Destroy();
+ // no need to delete osinterface becauses it's already deleted in device->Initialize
+ MOS_Delete(mhwInterfaces);
+ MOS_Delete(device);
+ return nullptr;
 }
 void *mmdDevice = device->m_mmdDevice;
diff --git a/media_driver/media_interface/media_interfaces_dg2/media_interfaces_dg2.cpp b/media_driver/media_interface/media_interfaces_dg2/media_interfaces_dg2.cpp
index 12c63fed03..202004ec58 100644
--- a/media_driver/media_interface/media_interfaces_dg2/media_interfaces_dg2.cpp
+++ b/media_driver/media_interface/media_interfaces_dg2/media_interfaces_dg2.cpp
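Review bot: The new failure branch under `if (device->m_mmdDevice == nullptr)` in `MmdDevice::CreateFactory` frees `mhwInterfaces` and `device` but deliberately skips `osInterface`, which is only safe if every platform override of `Initialize` has already released it on each failing path. This patch shows that guarantee being added for `MmdDeviceXe_Hpm::Initialize` only; whether the other overrides follow it is not visible here, and any that return early without freeing would now leak `osInterface` rather than double-free it. I would state the contract where `Initialize` is declared, for example `// Takes ownership of osInterface on every path, success or failure; the caller must not use or free it afterwards.`, and audit the remaining overrides against it. `CreateFactory` begins and ends outside this hunk, so its earlier `MMD_FAILURE()` paths could not be checked against the same rule.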
@@ -277,35 +277,38 @@ MOS_STATUS MmdDeviceXe_Hpm::Initialize(
 PMOS_INTERFACE osInterface,
 MhwInterfaces *mhwInterfaces)
 {
-#define MMD_FAILURE() \
-{ \
- if (device != nullptr) \
- { \
- MOS_Delete(device); \
- } \
- return MOS_STATUS_NO_SPACE; \
-}
 MHW_FUNCTION_ENTER;
- Mmd *device = nullptr;
-
- if (mhwInterfaces->m_miInterface == nullptr)
+ if (mhwInterfaces->m_miInterface == nullptr || mhwInterfaces->m_veboxInterface == nullptr)
 {
- MMD_FAILURE();
- }
-
- if (mhwInterfaces->m_veboxInterface == nullptr)
- {
- MMD_FAILURE();
+ if (osInterface != nullptr)
+ {
+ if (osInterface->pfnDestroy)
+ {
+ osInterface->pfnDestroy(osInterface, false);
+ }
+ MOS_FreeMemory(osInterface);
+ }
+ return MOS_STATUS_NULL_POINTER;
 }
+ Mmd *device = nullptr;
 device = MOS_New(Mmd);
 if (device == nullptr)
 {
- MMD_FAILURE();
+ if (osInterface != nullptr)
+ {
+ if (osInterface->pfnDestroy)
+ {
+ osInterface->pfnDestroy(osInterface, false);
+ }
+ MOS_FreeMemory(osInterface);
+ }
+ return MOS_STATUS_NO_SPACE;
 }
+ // transfer ownership of osinterface to device. device will have exclusive ownership of osinterface and free it.
 if (device->Initialize(
 osInterface,
 mhwInterfaces->m_cpInterface,
@@ -317,7 +320,8 @@ MOS_STATUS MmdDeviceXe_Hpm::Initialize(
 mhwInterfaces->m_cpInterface = nullptr;
 mhwInterfaces->m_miInterface = nullptr;
 mhwInterfaces->m_veboxInterface = nullptr;
- MMD_FAILURE();
+ MOS_Delete(device);
+ return MOS_STATUS_UNKNOWN;
 }
 m_mmdDevice = device;
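Review bot: The `osInterface` teardown (`pfnDestroy` followed by `MOS_FreeMemory`) is written out twice in the `@@ -277,35 +277,38` hunk of `MmdDeviceXe_Hpm::Initialize`, once in the null-interface branch and once after `MOS_New(Mmd)` fails, and in a double-free fix two hand-copied release sequences are easy to let drift apart. Moving the sequence into one file-local helper (the name below is only a suggestion) leaves a single release path to audit. Separately, `mhwInterfaces` is dereferenced in the first `if` with no null check inside this function; the caller may guarantee it, but that is not visible in the hunk. The function body continues past the end of this hunk.

```cpp
// Releases an OS interface that this function owns but could not hand over to Mmd.
static void DestroyOsInterface(PMOS_INTERFACE osInterface)
{
    if (osInterface == nullptr)
    {
        return;
    }
    if (osInterface->pfnDestroy)
    {
        osInterface->pfnDestroy(osInterface, false);
    }
    MOS_FreeMemory(osInterface);
}

// … unchanged: MmdDeviceXe_Hpm::Initialize signature, MHW_FUNCTION_ENTER …
    if (mhwInterfaces->m_miInterface == nullptr || mhwInterfaces->m_veboxInterface == nullptr)
    {
        DestroyOsInterface(osInterface);
        return MOS_STATUS_NULL_POINTER;
    }
// … unchanged: device = MOS_New(Mmd) …
    if (device == nullptr)
    {
        DestroyOsInterface(osInterface);
        return MOS_STATUS_NO_SPACE;
    }
```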
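Review bot: In the `@@ -317,7 +320,8` hunk, `MOS_Delete(device)` is now the only thing that releases `osInterface` when `device->Initialize(...)` fails, so this path is correct only if `Mmd` frees the interface in its destructor even when its own `Initialize` bailed out before finishing. That code is not part of the patch and should be confirmed, otherwise this branch leaks the interface that `CreateFactory` no longer frees. The branch also returns a fixed `MOS_STATUS_UNKNOWN`, discarding whatever `device->Initialize` reported; keeping the result in a local and ending the branch with `return status;` would preserve the failure reason for callers and logs. The condition and the start of this block lie outside the hunk.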