From 1c4ea7da642955643383c5be81ebe37ebda8635d Mon Sep 17 00:00:00 2001
From: Cameron Gutman <[EMAIL REDACTED]>
Date: Fri, 10 Apr 2026 19:26:43 -0500
Subject: [PATCH] kmsdrm: Fix order of GBM and EGL teardown
All locked front buffers must be released prior to destroying
the EGL surface to avoid causing a UAF in libnvidia-egl-gbm.so.
(cherry picked from commit 9cc2f248f5437daaf090e3ef6afb4f6dc88068ac)
---
src/video/kmsdrm/SDL_kmsdrmvideo.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/video/kmsdrm/SDL_kmsdrmvideo.c b/src/video/kmsdrm/SDL_kmsdrmvideo.c
index 518b4348191a7..c0fc106c37260 100644
--- a/src/video/kmsdrm/SDL_kmsdrmvideo.c
+++ b/src/video/kmsdrm/SDL_kmsdrmvideo.c
@@ -1113,17 +1113,6 @@ static void KMSDRM_DestroySurfaces(_THIS, SDL_Window *window)
SDL_LogError(SDL_LOG_CATEGORY_VIDEO, "Could not restore CRTC");
}
- /***************************/
- /* Destroy the EGL surface */
- /***************************/
-
- SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
-
- if (windata->egl_surface != EGL_NO_SURFACE) {
- SDL_EGL_DestroySurface(_this, windata->egl_surface);
- windata->egl_surface = EGL_NO_SURFACE;
- }
-
/***************************/
/* Destroy the GBM buffers */
/***************************/
@@ -1138,6 +1127,17 @@ static void KMSDRM_DestroySurfaces(_THIS, SDL_Window *window)
windata->next_bo = NULL;
}
+ /***************************/
+ /* Destroy the EGL surface */
+ /***************************/
+
+ SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
+
+ if (windata->egl_surface != EGL_NO_SURFACE) {
+ SDL_EGL_DestroySurface(_this, windata->egl_surface);
+ windata->egl_surface = EGL_NO_SURFACE;
+ }
+
/***************************/
/* Destroy the GBM surface */
/***************************/