From 32c30481d397d545b368ee0e328f485923c0e8c6 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Sat, 16 Jan 2021 09:07:56 +0100
Subject: [PATCH] render/egl: fix gbm_device use-after-free

The GBM device needs to be destroyed after the EGL display.

==50931==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe40a000049 (pc 0x7fe446121d30 bp 0x60400001bbd0 sp 0x7ffc99c774d0 T0)
==50931==The signal is caused by a READ memory access.
#0 0x7fe446121d30 (/usr/lib/dri/radeonsi_dri.so+0x5f0d30)
#1 0x7fe4474717bd (/usr/lib/../lib/libEGL_mesa.so.0+0x177bd)
#2 0x7fe4474677d9 (/usr/lib/../lib/libEGL_mesa.so.0+0xd7d9)
#3 0x7fe44cca7b6f in wlr_egl_destroy ../subprojects/wlroots/render/egl.c:379
#4 0x7fe44ccc2626 in gles2_destroy ../subprojects/wlroots/render/gles2/renderer.c:705
#5 0x7fe44ccb5041 in wlr_renderer_destroy ../subprojects/wlroots/render/wlr_renderer.c:37
#6 0x7fe44cd17850 in backend_destroy ../subprojects/wlroots/backend/wayland/backend.c:296
#7 0x7fe44ccca4de in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:48
#8 0x7fe44cd11b21 in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:58
#9 0x7fe44cd125b0 in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:125
#10 0x7fe44c315e0e (/usr/lib/libwayland-server.so.0+0x8e0e)
#11 0x7fe44c3165a6 in wl_display_destroy (/usr/lib/libwayland-server.so.0+0x95a6)
#12 0x55a2c8870683 in server_fini ../sway/server.c:203
#13 0x55a2c886cbf2 in main ../sway/main.c:436
#14 0x7fe44b77c151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
#15 0x55a2c883172d in _start (/home/simon/src/sway/build/sway/sway+0x33472d)
---
 render/egl.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/render/egl.c b/render/egl.c
index 9fa1068f..c1734a36 100644
--- a/render/egl.c
+++ b/render/egl.c
@@ -363,10 +363,6 @@ void wlr_egl_destroy(struct wlr_egl *egl) {
 return;
 }
 
- if (egl->gbm_device) {
- gbm_device_destroy(egl->gbm_device);
- }
-
 wlr_drm_format_set_finish(&egl->dmabuf_render_formats);
 wlr_drm_format_set_finish(&egl->dmabuf_texture_formats);
 
@@ -379,6 +375,11 @@ void wlr_egl_destroy(struct wlr_egl *egl) {
 eglDestroyContext(egl->display, egl->context);
 eglTerminate(egl->display);
 eglReleaseThread();
+
+ if (egl->gbm_device) {
+ gbm_device_destroy(egl->gbm_device);
+ }
+
 free(egl);
 }
 
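Review bot: The teardown order this fix relies on is not recorded in the code: in the second hunk, nothing at the relocated `if (egl->gbm_device)` block says it has to stay below `eglTerminate(egl->display)`, so a later tidy-up that groups the resource releases could move it back up and reintroduce the use-after-free from the commit message. I would add a comment directly above the block, e.g. `/* Must come after eglTerminate(): the GBM device has to outlive the EGL display */`. The ASan trace shows the stale read happening inside the driver during EGL teardown, which is hard to attribute from a crash report alone, so the comment is worth its one line. wlr_egl_destroy begins above the first hunk and the lines between the two hunks are not shown.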