Bug 2415185
| Summary: | kwin crashes when I login |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | kwin |
| Version: | 43 |
| Hardware: | x86_64 |
| OS: | Linux |
| Status: | NEW |
| Severity: | high |
| Priority: | unspecified |
| Reporter: | Paul Floyd <pjfloyd> |
| Assignee: | marcdeop |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | jgrulich, kde-sig, marcdeop, suraj.ghimire7, than |
| Attachments: | Attachment 2115987: backtrace from Crash Handler |

System with an MTI GeForce GT 1030

Looking at the Crash Handler

```
Thread 1 (Thread 0x7f964ac3bf00 (LWP 3255)):
[KCrash Handler]
#5  0x00007f9635c9130d in gm200_validate_sample_locations (nvc0=0x55cfb2953750, ms=15689) at ../src/gallium/drivers/nouveau/nvc0/nvc0_state_validate.c:75
```

```c
   const uint8_t (*ptr)[2] = nvc0_get_sample_locations(ms);
   for (i = 0; i < 16; i++) {
      sample_locations[i][0] = ptr[i % ms][0]; // this is line 75
      sample_locations[i][1] = ptr[i % ms][1];
```

ptr comes from here

```c
const void *
nvc0_get_sample_locations(unsigned sample_count)
{
   static const uint8_t ms1[1][2] = { { 0x8, 0x8 } };
   static const uint8_t ms2[2][2] = {
      { 0x4, 0x4 }, { 0xc, 0xc } }; /* surface coords (0,0), (1,0) */
   static const uint8_t ms4[4][2] = {
      { 0x6, 0x2 }, { 0xe, 0x6 },   /* (0,0), (1,0) */
      { 0x2, 0xa }, { 0xa, 0xe } }; /* (0,1), (1,1) */
   static const uint8_t ms8[8][2] = {
      { 0x1, 0x7 }, { 0x5, 0x3 },   /* (0,0), (1,0) */
      { 0x3, 0xd }, { 0x7, 0xb },   /* (0,1), (1,1) */
      { 0x9, 0x5 }, { 0xf, 0x1 },   /* (2,0), (3,0) */
      { 0xb, 0xf }, { 0xd, 0x9 } }; /* (2,1), (3,1) */

   const uint8_t (*ptr)[2];

   switch (sample_count) {
   case 0:
   case 1: ptr = ms1; break;
   case 2: ptr = ms2; break;
   case 4: ptr = ms4; break;
   case 8: ptr = ms8; break;
   default:
      assert(0);
      return NULL; /* bad sample count -> undefined locations */
   }
   return ptr;
}
```

In the crash ms has a value of 15689.

nvc0_get_sample_locations only handles sample_count values that are from 0 to 8. So it returns NULL and gm200_validate_sample_locations dereferences the NULL pointer.

Why the wildly wrong value of ms? That heads off down a rabbit hole in util_framebuffer_get_num_samples which needs more than just a bit of code browsing.

Reproducible: Always

Steps to Reproduce:
1. Boot
2. Login
3. kwin crashes 3 times

Expected Results:
No kwin crashes
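
The failure mode described in the report, reduced to a self-contained sketch with the caller-side check that the crash site lacks. This is an added example, not part of the original report and not Mesa's code or its fix. The names `lookup_locations` and `fill_sample_locations` and the fall-back-to-one-sample policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the lookup quoted in the report. Unsupported
 * counts return NULL, as when the assert is compiled out (NDEBUG). */
static const uint8_t (*lookup_locations(unsigned count))[2]
{
    static const uint8_t ms1[1][2] = { { 0x8, 0x8 } };
    static const uint8_t ms2[2][2] = { { 0x4, 0x4 }, { 0xc, 0xc } };
    static const uint8_t ms4[4][2] = { {0x6,0x2}, {0xe,0x6}, {0x2,0xa}, {0xa,0xe} };
    static const uint8_t ms8[8][2] = { {0x1,0x7}, {0x5,0x3}, {0x3,0xd}, {0x7,0xb},
                                       {0x9,0x5}, {0xf,0x1}, {0xb,0xf}, {0xd,0x9} };
    switch (count) {
    case 0:
    case 1: return ms1;
    case 2: return ms2;
    case 4: return ms4;
    case 8: return ms8;
    default: return NULL;
    }
}

/* Fills out[]; returns 0, or -1 when the count is unsupported and the
 * single-sample table was used instead (fallback policy is an assumption). */
static int fill_sample_locations(unsigned ms, uint8_t out[16][2])
{
    const uint8_t (*ptr)[2] = lookup_locations(ms);
    int rc = 0;
    if (ptr == NULL) {            /* the check absent at the crash site */
        ptr = lookup_locations(1);
        ms = 1;
        rc = -1;
    }
    if (ms == 0)                  /* count 0 maps to ms1; avoid i % 0 */
        ms = 1;
    for (unsigned i = 0; i < 16; i++) {
        out[i][0] = ptr[i % ms][0];
        out[i][1] = ptr[i % ms][1];
    }
    return rc;
}

int main(void)
{
    uint8_t out[16][2];
    printf("rc=%d\n", fill_sample_locations(15689, out)); /* ms from the crash */
    return 0;
}
```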