From 463b6be13342b0d58bf1cc8674fcee4fc4bcc9c0 Mon Sep 17 00:00:00 2001
From: Cameron Gutman <[EMAIL REDACTED]>
Date: Thu, 9 Apr 2026 23:26:15 -0500
Subject: [PATCH] kmsdrm: Fix order of GBM and EGL teardown
All locked front buffers must be released prior to destroying
the EGL surface to avoid causing a UAF in libnvidia-egl-gbm.so.
---
src/video/kmsdrm/SDL_kmsdrmvideo.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/video/kmsdrm/SDL_kmsdrmvideo.c b/src/video/kmsdrm/SDL_kmsdrmvideo.c
index 7b5c10f92ce5d..d0910c8a39206 100644
--- a/src/video/kmsdrm/SDL_kmsdrmvideo.c
+++ b/src/video/kmsdrm/SDL_kmsdrmvideo.c
@@ -1692,17 +1692,6 @@ static void KMSDRM_DestroySurfaces(SDL_VideoDevice *_this, SDL_Window *window)
SDL_LogError(SDL_LOG_CATEGORY_VIDEO, "Could not restore CRTC");
}
- /***************************/
- // Destroy the EGL surface
- /***************************/
-
- SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
-
- if (windata->egl_surface != EGL_NO_SURFACE) {
- SDL_EGL_DestroySurface(_this, windata->egl_surface);
- windata->egl_surface = EGL_NO_SURFACE;
- }
-
/***************************/
// Destroy the GBM buffers
/***************************/
@@ -1719,6 +1708,17 @@ static void KMSDRM_DestroySurfaces(SDL_VideoDevice *_this, SDL_Window *window)
windata->next_bo = NULL;
}
+ /***************************/
+ // Destroy the EGL surface
+ /***************************/
+
+ SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
+
+ if (windata->egl_surface != EGL_NO_SURFACE) {
+ SDL_EGL_DestroySurface(_this, windata->egl_surface);
+ windata->egl_surface = EGL_NO_SURFACE;
+ }
+
/***************************/
// Destroy the GBM surface
/***************************/