From 2878b86ccf041ddcb122aa9ea78bacc567efe58c Mon Sep 17 00:00:00 2001
From: Emma Anholt <emma@anholt.net>
Date: Tue, 30 Dec 2025 16:40:49 -0800
Subject: [PATCH] tu: Fix use-after-free in device destruction on old kernels

tu_bo_make_zombie() accesses the queue.

Fixes: f6c7f16322de ("tu: Implement VK_EXT_multisampled_render_to_single_sampled")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39113>
---
 src/freedreno/vulkan/tu_device.cc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/freedreno/vulkan/tu_device.cc b/src/freedreno/vulkan/tu_device.cc
index 3621056566f..57266533037 100644
--- a/src/freedreno/vulkan/tu_device.cc
+++ b/src/freedreno/vulkan/tu_device.cc
@@ -3183,6 +3183,11 @@ tu_DestroyDevice(VkDevice _device, const VkAllocationCallbacks *pAllocator)
       vk_free(&device->vk.alloc, device->trace_suballoc);
    }
 
+   if (device->msrtss_color_temporary)
+      tu_destroy_memory(device, device->msrtss_color_temporary);
+   if (device->msrtss_depth_temporary)
+      tu_destroy_memory(device, device->msrtss_depth_temporary);
+
    for (unsigned i = 0; i < TU_MAX_QUEUE_FAMILIES; i++) {
       for (unsigned q = 0; q < device->queue_count[i]; q++)
          tu_queue_finish(&device->queues[i][q]);
@@ -3190,11 +3195,6 @@ tu_DestroyDevice(VkDevice _device, const VkAllocationCallbacks *pAllocator)
          vk_free(&device->vk.alloc, device->queues[i]);
    }
 
-   if (device->msrtss_color_temporary)
-      tu_destroy_memory(device, device->msrtss_color_temporary);
-   if (device->msrtss_depth_temporary)
-      tu_destroy_memory(device, device->msrtss_depth_temporary);
-
    tu_drm_device_finish(device);
 
    if (device->physical_device->has_set_iova)