venus: fix use-after-free in proxy_context sync thread

Signed-off-by: Ryan Neph <ryanneph@google.com> Reviewed-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org>
3 years ago · bcb3866f66
parent 323aaa3b6e
commit bcb3866f66
1 changed files with 10 additions and 10 deletions
--- a/src/proxy/proxy_context.c
+++ b/src/proxy/proxy_context.c
@ -435,6 +435,16 @@ proxy_context_destroy(struct virgl_context *base)
   if (!proxy_client_destroy_context(ctx->client, ctx->base.ctx_id))
      proxy_log("failed to destroy ctx %d", ctx->base.ctx_id);

+   if (ctx->sync_thread.fence_eventfd >= 0) {
+      if (ctx->sync_thread.created) {
+         ctx->sync_thread.stop = true;
+         write_eventfd(ctx->sync_thread.fence_eventfd, 1);
+         thrd_join(ctx->sync_thread.thread, NULL);
+      }
+
+      close(ctx->sync_thread.fence_eventfd);
+   }
+
   if (ctx->shmem.ptr)
      munmap(ctx->shmem.ptr, ctx->shmem.size);
   if (ctx->shmem.fd >= 0)
@ -453,16 +463,6 @@ proxy_context_destroy(struct virgl_context *base)
      free(fence);
   mtx_destroy(&ctx->free_fences_mutex);

-   if (ctx->sync_thread.fence_eventfd >= 0) {
-      if (ctx->sync_thread.created) {
-         ctx->sync_thread.stop = true;
-         write_eventfd(ctx->sync_thread.fence_eventfd, 1);
-         thrd_join(ctx->sync_thread.thread, NULL);
-      }
-
-      close(ctx->sync_thread.fence_eventfd);
-   }
-
   proxy_socket_fini(&ctx->socket);

   free(ctx);