Ubuntu
firefox package

Apparmor crashes GPU acceleration

Bug #2018439 reported by Daniel Tang
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Invalid
Undecided
Unassigned
firefox (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Apparmor crashes GPU acceleration

Firefox GPU acceleration started crashing after updating from Ubuntu 22.10 to 23.04.

$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 23.04
Release: 23.04

$ apt-cache policy firefox
firefox:
  Installed: 113.0+build1-0ubuntu0.23.04.1~mt1
  Candidate: 113.0+build1-0ubuntu0.23.04.1~mt1
  Version table:
     1:1snap1-0ubuntu3 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main amd64 Packages
 *** 113.0+build1-0ubuntu0.23.04.1~mt1 999
        500 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu lunar/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy libglx-mesa0
libglx-mesa0:
  Installed: 23.0.3~kisak1~k
  Candidate: 23.0.3~kisak1~k
  Version table:
 *** 23.0.3~kisak1~k 500
        500 https://ppa.launchpadcontent.net/kisak/kisak-mesa/ubuntu kinetic/main amd64 Packages
        100 /var/lib/dpkg/status
     23.0.2-1ubuntu1 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main amd64 Packages

$ apt-cache policy apparmor
apparmor:
  Installed: 3.0.8-1ubuntu2
  Candidate: 3.0.8-1ubuntu2
  Version table:
 *** 3.0.8-1ubuntu2 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu lunar/main amd64 Packages
        100 /var/lib/dpkg/status

# Expected behavior

Firefox should not crash in WebGL aquarium and continue to work properly like on 22.10. It should successfully use my GPU to make scrolling smooths and save battery when watching videos.

# Actual behavior

1. Startup takes a second or two longer than usual
2. Typing in the address bar is slow
3. Scrolling takes 400% CPU usage
4. Scrolling stutters
5. VAAPI on https://www.w3schools.com/html/html5_video.asp is no longer used as shown in intel_gpu_top
6. Fans start spinning and battery goes down fast
7. glxtest failures had to be manually deleted in about:config
8. Only a few fish in WebGL aquarium (https://webglsamples.org/aquarium/aquarium.html) load before Firefox force-closes with the message: "Mozilla Crash Reporter Firefox had a problem and crashed. Unfortunately, the crash reporter is unable to submit a crash report. Details: The application did not leave a crash dump file. Close"
9. The following lines are relevant in dmesg after clearing it:

[22157.695580] kauditd_printk_skb: 6 callbacks suppressed
[22157.695582] audit: type=1400 audit(1683153440.994:2583): apparmor="DENIED" operation="capable" class="cap" profile="firefox" pid=15898 comm="firefox" capability=21 capname="sys_admin"
[22157.739641] audit: type=1400 audit(1683153441.038:2584): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.739647] audit: type=1400 audit(1683153441.038:2585): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.739719] audit: type=1400 audit(1683153441.038:2586): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.739729] audit: type=1400 audit(1683153441.038:2587): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=15901 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.769407] audit: type=1400 audit(1683153441.070:2588): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/15898/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[22157.773042] audit: type=1400 audit(1683153441.074:2589): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox//lsb_release" name="/usr/bin/dash" pid=15934 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.974718] audit: type=1400 audit(1683153441.274:2590): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/15898/cgroup" pid=15898 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[22157.996255] audit: type=1400 audit(1683153441.298:2591): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=15898 comm="Renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22157.996260] audit: type=1400 audit(1683153441.298:2592): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=15898 comm="Renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[22163.478994] kauditd_printk_skb: 84 callbacks suppressed
[22163.478997] audit: type=1400 audit(1683153446.778:2677): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/25/11491cb402d47ca04c0196ff7c4dc9684f1f97.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22163.597737] audit: type=1400 audit(1683153446.898:2678): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/16052/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[22163.602664] audit: type=1400 audit(1683153446.902:2679): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/16019/oom_score_adj" pid=15898 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[22163.681703] audit: type=1400 audit(1683153446.982:2680): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/3c/8574ff630bb2056a665c574f9820f176d7913a.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22163.716158] audit: type=1400 audit(1683153447.018:2681): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/24/20b4d21bcd624d71d3ce4f474b5be6b28bbc8e.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22163.772912] audit: type=1400 audit(1683153447.074:2682): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/63/f955ef3504ae1f103040d7c24f2ccb6c2dc324.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22163.821410] audit: type=1400 audit(1683153447.122:2683): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/cc/26d55b3b5c18f145b99c95928da4078d01e433.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22163.934506] audit: type=1400 audit(1683153447.234:2684): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/71/7a666e633ee8a8408541d19257f35460da1921.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22164.011166] audit: type=1400 audit(1683153447.310:2685): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/6f/a3c5a35037023fcb4630ee71df1e17107a0132.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
[22164.049428] audit: type=1400 audit(1683153447.350:2686): apparmor="DENIED" operation="file_lock" class="file" profile="firefox" name="/home/home/.cache/mesa_shader_cache/cf/d8f7837a74690386158ffe0b8a009a74112c3e.tmp" pid=15898 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

`apport-bug firefox` is not working: "Apport The problem cannot be reported: This problem report is damaged and cannot be processed. PermissionError(13, 'Permission denied')"
`LIBGL_ALWAYS_INDIRECT=1 firefox` stops the crashing but WebGL aquarium runs at 12 FPS instead of 60 FPS.

# Workaround

`sudo aa-teardown` fixes the problem until the next reboot. It's regrettable that this weakens security, but at least I won't get nauseous from stuttering scrolling.
---
ProblemType: Bug
AddonCompatCheckDisabled: False
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: home 1679 F.... wireplumber
 /dev/snd/seq: home 1678 F.... pipewire
BuildID: 20230501151611
CasperMD5CheckResult: unknown
Channel: release
CurrentDesktop: KDE
DefaultProfileExtensions: extensions.sqlite corrupt or missing
DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
DefaultProfileLocales: extensions.sqlite corrupt or missing
DefaultProfilePrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:294
DefaultProfilePrefSources:
 /usr/lib/firefox/defaults/pref/vendor-gre.js
 /usr/lib/firefox/defaults/pref/channel-prefs.js
DefaultProfilePrefs: network.manage-offline-status: true (/usr/lib/firefox/defaults/pref/vendor-gre.js)
DefaultProfileThemes: extensions.sqlite corrupt or missing
DistroRelease: Ubuntu 23.04
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
Package: firefox 113.0+build1-0ubuntu0.23.04.1~mt1 [origin: LP-PPA-mozillateam]
PackageArchitecture: amd64
ProcCmdline: BOOT_IMAGE=/vmlinuz-6.2.14-surface root=/dev/nvme0n1p8 ro text i915.enable_guc=3 usbcore.autosuspend=-1 reboot=pci
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Profile0Extensions: extensions.sqlite corrupt or missing
Profile0IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
Profile0Locales: extensions.sqlite corrupt or missing
Profile0PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:294
Profile0PrefSources:
 /usr/lib/firefox/defaults/pref/vendor-gre.js
 /usr/lib/firefox/defaults/pref/channel-prefs.js
 prefs.js
Profile0Themes: extensions.sqlite corrupt or missing
Profiles:
 Profile1 (Default) - LastVersion=None/None (Out of date)
 Profile0 - LastVersion=113.0/20230501151611 (In use)
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RunningIncompatibleAddons: False
Tags: lunar third-party-packages wayland-session release-channel
Uname: Linux 6.2.14-surface x86_64
UnreportableReason: This does not seem to be an official Ubuntu package. Please retry after updating the indexes of available packages, if that does not work then remove related third party packages and try again.
UpgradeStatus: Upgraded to lunar on 2023-05-02 (1 days ago)
UserGroups: dialout docker kvm lpadmin lxd plugdev sudo systemd-journal video wireshark
_MarkForUpload: True
dmi.bios.date: 07/08/2022
dmi.bios.vendor: Microsoft Corporation
dmi.bios.version: 15.11.140
dmi.board.name: Surface Pro 7
dmi.board.vendor: Microsoft Corporation
dmi.chassis.type: 9
dmi.chassis.vendor: Microsoft Corporation
dmi.modalias: dmi:bvnMicrosoftCorporation:bvr15.11.140:bd07/08/2022:svnMicrosoftCorporation:pnSurfacePro7:pvr124I00046T000M0100000D0B07F0C05P48S1E0Y0K0U06R1:rvnMicrosoftCorporation:rnSurfacePro7:rvr:cvnMicrosoftCorporation:ct9:cvr:skuSurface_Pro_7_1866:
dmi.product.family: Surface
dmi.product.name: Surface Pro 7
dmi.product.sku: Surface_Pro_7_1866
dmi.product.version: 124I:00046T:000M:0100000D:0B:07F:0C:05P:48S:1E:0Y:0K:0U:06R:1
dmi.sys.vendor: Microsoft Corporation

See original description
Revision history for this message
Daniel Tang (daniel-z-tg) wrote : AlsaInfo.txt

apport information

tags: added: apport-collected lunar release-channel third-party-packages wayland-session
description: updated
Revision history for this message
Daniel Tang (daniel-z-tg) wrote : CurrentDmesg.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : Dependencies.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : HookError_source_firefox.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : IpAddr.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : IpRoute.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : Lspci.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : PaInfo.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : PciNetwork.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : ProcEnviron.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : Profile0Prefs.txt

apport information

Revision history for this message
Daniel Tang (daniel-z-tg) wrote : RelatedPackageVersions.txt

apport information

Revision history for this message
Georgia Garcia (georgiag) wrote :

Hi Daniel. Thanks for the report!

Could you try the following commands and let me know if they fix the issue?

sudo sh -c "echo 'include <abstractions/mesa>' >> /etc/apparmor.d/local/usr.bin.firefox"
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in firefox (Ubuntu):
status: New → Confirmed
Revision history for this message
Daniel Tang (daniel-z-tg) wrote :

Hi georgiag, thank you for your command suggestion. Yes, it does fix my issue.

I had a bunch of tabs open for months and finally closed them. After updating Firefox and not restarting today, it seems that the postinst autoloaded the AppArmor profile despite apparmor.service being disabled, so I had to manually aa-teardown. I then tried to reproduce both with and without your line added. What was frustrating was that the broken behavior failed to appear in these cases:
1. When I added exactly 1 hash to try to comment out your line: s/include/#include/ . Turns out you need to add two hashes ( s/include/##include/ ) for the comment to work. vim confused me as it showed it as a green comment anyway
2. When I did mv local/usr.bin.firefox local/bak.usr.bin.firefox the profile did not load
Anyway, when I fell back to adding and removing your entire line manually, I could consistently confirm that your solution works. I feel safer today now that I can reenable apparmor.service .

Revision history for this message
Georgia Garcia (georgiag) wrote :

Hi Daniel!
Thanks for testing and making sure. As you were able to figure out, the AppArmor parser accepts both include and #includes, although we are deprecating the latter.

Since the AppArmor policy is distributed by the Mozilla Team's firefox, they need to add this permission to their AppArmor profile in the package.

Changed in apparmor (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.