System with an MTI GeForce GT 1030. Looking at the Crash Handler backtrace: Thread 1 (Thread 0x7f964ac3bf00 (LWP 3255)): [KCrash Handler] #5 0x00007f9635c9130d in gm200_validate_sample_locations (nvc0=0x55cfb2953750, ms=15689) at ../src/gallium/drivers/nouveau/nvc0/nvc0_state_validate.c:75 const uint8_t (*ptr)[2] = nvc0_get_sample_locations(ms); for (i = 0; i < 16; i++) { sample_locations[i][0] = ptr[i % ms][0]; // this is line 75 sample_locations[i][1] = ptr[i % ms][1]; `ptr` comes from here: const void * nvc0_get_sample_locations(unsigned sample_count) { static const uint8_t ms1[1][2] = { { 0x8, 0x8 } }; static const uint8_t ms2[2][2] = { { 0x4, 0x4 }, { 0xc, 0xc } }; /* surface coords (0,0), (1,0) */ static const uint8_t ms4[4][2] = { { 0x6, 0x2 }, { 0xe, 0x6 }, /* (0,0), (1,0) */ { 0x2, 0xa }, { 0xa, 0xe } }; /* (0,1), (1,1) */ static const uint8_t ms8[8][2] = { { 0x1, 0x7 }, { 0x5, 0x3 }, /* (0,0), (1,0) */ { 0x3, 0xd }, { 0x7, 0xb }, /* (0,1), (1,1) */ { 0x9, 0x5 }, { 0xf, 0x1 }, /* (2,0), (3,0) */ { 0xb, 0xf }, { 0xd, 0x9 } }; /* (2,1), (3,1) */ const uint8_t (*ptr)[2]; switch (sample_count) { case 0: case 1: ptr = ms1; break; case 2: ptr = ms2; break; case 4: ptr = ms4; break; case 8: ptr = ms8; break; default: assert(0); return NULL; /* bad sample count -> undefined locations */ } return ptr; } In the crash, ms has a value of 15689. nvc0_get_sample_locations only handles sample_count values from 0 to 8 (specifically 0, 1, 2, 4 or 8); for any other value it hits assert(0), which is compiled out in release builds, and returns NULL. gm200_validate_sample_locations then dereferences that NULL pointer at line 75 without checking the return value. Why is the value of ms so wildly wrong? Answering that leads down a rabbit hole into util_framebuffer_get_num_samples, which needs more than just a bit of code browsing. Reproducible: Always Steps to Reproduce: 1. Boot 2. Login 3. kwin crashes 3 times Expected Results: No kwin crashes
Created attachment 2115987 [details] backtrace from Crash Handler