Skip to content
GitLab

Use-after-free crash innv50_ir::GCRA::RIG_Node::init()

System information

At Mozilla we've detected a series of use-after-free crashes happening in the the nouveau driver when using cards from the Tesla family. This is happening on a wide range of hardware on Debian, Ubuntu and Linux Mint. The crash seem to affect Mesa versions ranging from 18.3.6.0 to 20.0.6.0.

Describe the issue

A complete stack trace of the crash including register contents and line numbers can be found here:

https://crash-stats.mozilla.org/report/index/8f1b9cf2-8fdd-41b8-a949-bd7ed0200529

The first ten frames of the stack look like this:

0 nv50_ir::GCRA::RIG_Node::init(nv50_ir::RegisterSet const&, nv50_ir::LValue*)
1 nv50_ir::GCRA::allocateRegisters(nv50_ir::ArrayList&)
2 nv50_ir::RegAlloc::execFunc()
3 nv50_ir::RegAlloc::exec()
4 nv50_ir::Program::registerAllocation()
5 nv50_ir_generate_code()
6 nv50_program_translate()
7 nv50_sp_state_create()
8 st_create_fp_variant()
9 st_get_fp_variant()
10 1st_finalize_program()

The crash seems to have been triggered by an access from the rdi register which contains the poison pattern we use in Firefox to detect free()'d objects. I might be able to track down the variable corresponding to that register and I'll add a comment later if I do.

Regression

We have reports for this crash starting with Mesa 18.3.6.0 but a very similar issue goes all the way back to 13.0.6.0, here's the corresponding crash report:

https://crash-stats.mozilla.org/report/index/429e8137-8931-419e-9824-67e300200508

Any extra information would be greatly appreciated

Most users that experienced this crash hit it by visiting https://store.google.com with a recent version of Firefox (both release and ESR).

Edited by Gabriele Svelto
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information