From 2a7a2693133209d99c353df8582fa382fd8bb5ae Mon Sep 17 00:00:00 2001 From: Zhao Yakui Date: Thu, 21 Apr 2022 15:46:51 +0800 Subject: [PATCH] ACRN:DM:VDISPLAY:Fix the possible access after free When virtio-gpu tries to submit the framebuffer based on VIRTIO_GPU_CMD_2D, one pixman_image will be created. When the sdl rendering_thread is terminated, the pixman_image will be released. But its pointer is set to NULL. In the next reboot, its access in vdpy_surface_set is incorrect. Tracked-On: #7337 Acked-by: Wang Yu Signed-off-by: Zhao Yakui
---
 devicemodel/hw/vdisplay_sdl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/devicemodel/hw/vdisplay_sdl.c b/devicemodel/hw/vdisplay_sdl.c
index 2d85fad6c..51125cb41 100644
--- a/devicemodel/hw/vdisplay_sdl.c
+++ b/devicemodel/hw/vdisplay_sdl.c
@@ -941,6 +941,7 @@ vdpy_sdl_display_thread(void *data)
 }
 vdpy.dpy_win = NULL;
 vdpy.dpy_renderer = NULL;
+ vdpy.dpy_img = NULL;
 vdpy.dpy_win = SDL_CreateWindow("ACRN_DM", vdpy.org_x, vdpy.org_y, vdpy.width, vdpy.height,
@@ -1010,8 +1011,10 @@ vdpy_sdl_display_thread(void *data)
 /* SDL display_thread will exit because of DM request */
 pthread_mutex_destroy(&vdpy.vdisplay_mutex);
 pthread_cond_destroy(&vdpy.vdisplay_signal);
- if (vdpy.dpy_img)
+ if (vdpy.dpy_img) {
 pixman_image_unref(vdpy.dpy_img);
+ vdpy.dpy_img = NULL;
+ }
 /* Continue to thread cleanup */
 if (vdpy.dpy_texture) {
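Review bot: The new `vdpy.dpy_img = NULL;` beside the `dpy_win`/`dpy_renderer` resets (first hunk) has no comment saying why handles are cleared at thread start, and the reason is not visible in the code. I would add `/* vdpy outlives one run of this thread; drop handles left over from the previous run */` above the three resets. The overwrite is also unconditional, so if any exit path leaves a still-referenced image in `dpy_img`, it is dropped here without `pixman_image_unref` and the leak goes unnoticed. That cannot be checked from this hunk, because the body of `vdpy_sdl_display_thread` starts and continues outside it.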
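Review bot: In the second hunk `vdpy.dpy_img` is unreferenced and cleared only after `pthread_mutex_destroy(&vdpy.vdisplay_mutex)`, so nothing visible orders the release against another thread reading the pointer. If every user of `dpy_img` runs on this display thread that is fine, but the assumption should be written down, e.g. `/* dpy_img is only touched on the display thread; no lock needed */`. If a reader can run elsewhere, the `pixman_image_unref` and the NULL store would need to move above the mutex destroy and run with the lock held, otherwise the stale-pointer window this patch closes stays open during teardown. The cleanup continues below the hunk at `if (vdpy.dpy_texture) {`, so the rest of the teardown order cannot be judged from here.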