From 9cc2f248f5437daaf090e3ef6afb4f6dc88068ac Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Fri, 10 Apr 2026 19:26:43 -0500
Subject: [PATCH] kmsdrm: Fix order of GBM and EGL teardown
All locked front buffers must be released prior to destroying the EGL surface to avoid causing a UAF in libnvidia-egl-gbm.so.
---
 src/video/kmsdrm/SDL_kmsdrmvideo.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/video/kmsdrm/SDL_kmsdrmvideo.c b/src/video/kmsdrm/SDL_kmsdrmvideo.c
index 518b434819..c0fc106c37 100644
--- a/src/video/kmsdrm/SDL_kmsdrmvideo.c
+++ b/src/video/kmsdrm/SDL_kmsdrmvideo.c
@@ -1113,17 +1113,6 @@ static void KMSDRM_DestroySurfaces(_THIS, SDL_Window *window)
 SDL_LogError(SDL_LOG_CATEGORY_VIDEO, "Could not restore CRTC");
 }
- /***************************/
- /* Destroy the EGL surface */
- /***************************/
-
- SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
-
- if (windata->egl_surface != EGL_NO_SURFACE) {
- SDL_EGL_DestroySurface(_this, windata->egl_surface);
- windata->egl_surface = EGL_NO_SURFACE;
- }
-
 /***************************/
 /* Destroy the GBM buffers */
 /***************************/
@@ -1138,6 +1127,17 @@ static void KMSDRM_DestroySurfaces(_THIS, SDL_Window *window)
 windata->next_bo = NULL;
 }
+ /***************************/
+ /* Destroy the EGL surface */
+ /***************************/
+
+ SDL_EGL_MakeCurrent(_this, EGL_NO_SURFACE, EGL_NO_CONTEXT);
+
+ if (windata->egl_surface != EGL_NO_SURFACE) {
+ SDL_EGL_DestroySurface(_this, windata->egl_surface);
+ windata->egl_surface = EGL_NO_SURFACE;
+ }
+
 /***************************/
 /* Destroy the GBM surface */
 /***************************/
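Review bot: The EGL teardown block re-added in the second hunk still carries only its banner comment, so nothing in the code records that it must run after the locked GBM buffers are released; a later tidy-up could move it back and reintroduce the use-after-free named in the commit message. I would add a why-comment directly above the `SDL_EGL_MakeCurrent` call, for example `/* Must follow the GBM buffer release above: destroying the EGL surface while front buffers are still locked causes a UAF in libnvidia-egl-gbm.so. */`. The body of `KMSDRM_DestroySurfaces` starts and ends outside both hunks, so the buffer-release code itself is not visible here. If any other path in this file destroys `windata->egl_surface`, it is worth confirming that it follows the same order.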