authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-15 12:04:50 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-21 08:14:54 +0000
commit843d70ac87de7482c1c1195aa73899bc05efc8f3 (patch)
tree1da9ac6200dbab8a872420bd9a32e12a78893406
parent28150e5eb962a6e51bb7e8ba210c3076be017acf (diff)
downloadqtwebengine-chromium-843d70ac87de7482c1c1195aa73899bc05efc8f3.tar.gz
[Backport] Security issue 971904v5.13.2
Don't try to exit already exiting GPU process. The exit_on_context_loss GPU driver bug workaround shouldn't be applied when the GPU process is already exiting since it can trigger a use-after-free. Bug: 971904 Change-Id: I775c9fd29b1f9bdb71c28f0cb428951718001973 Commit-Queue: kylechar <kylechar@chromium.org> Reviewed-by: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/heads/master@{#668454} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/components/viz/service/gl/gpu_service_impl.cc19
1 files changed, 12 insertions, 7 deletions
diff --git a/chromium/components/viz/service/gl/gpu_service_impl.cc b/chromium/components/viz/service/gl/gpu_service_impl.cc
index 645131b48b7..d2414e94af4 100644
--- a/chromium/components/viz/service/gl/gpu_service_impl.cc
+++ b/chromium/components/viz/service/gl/gpu_service_impl.cc
@@ -169,6 +169,10 @@ GpuServiceImpl::GpuServiceImpl(
GpuServiceImpl::~GpuServiceImpl() {
DCHECK(main_runner_->BelongsToCurrentThread());
+
+ // Ensure we don't try to exit when already in the process of exiting.
+ is_exiting_.Set();
+
bind_task_tracker_.TryCancelAll();
logging::SetLogMessageHandler(nullptr);
g_log_callback.Get().Reset();
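Review bot: The new comment above `is_exiting_.Set();` in the destructor does not say that the call has to stay ahead of the teardown that follows, which is the property the fix depends on. Going by the commit message, the use-after-free comes from the exit_on_context_loss workaround firing while the process is already exiting, so a later reordering that moves the Set() below the teardown calls would presumably reopen it. I would extend the comment to something like `// Must precede all teardown below: a context loss during destruction would otherwise reach MaybeExit() and run exit_callback_ (crbug 971904).` The destructor body continues past the end of this hunk, so the teardown steps that can actually report context loss are not visible here.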
@@ -807,14 +811,15 @@ void GpuServiceImpl::MaybeExit(bool for_context_loss) {
if (in_host_process())
return;
- if (exit_callback_) {
- if (for_context_loss) {
- LOG(ERROR) << "Exiting GPU process because some drivers can't recover "
- "from errors. GPU process will restart shortly.";
- }
- is_exiting_.Set();
- std::move(exit_callback_).Run();
+ if (IsExiting() || !exit_callback_)
+ return;
+
+ if (for_context_loss) {
+ LOG(ERROR) << "Exiting GPU process because some drivers can't recover "
+ "from errors. GPU process will restart shortly.";
}
+ is_exiting_.Set();
+ std::move(exit_callback_).Run();
}
} // namespace viz
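Review bot: In MaybeExit the `IsExiting()` test and the later `is_exiting_.Set()` are two separate steps, so the new guard only prevents a second `std::move(exit_callback_).Run()` if every caller runs on the same thread as the destructor. The destructor asserts that with `DCHECK(main_runner_->BelongsToCurrentThread());`, but no equivalent assertion is visible for MaybeExit, whose opening lines are outside this hunk. If it is not already there, add the same DCHECK as the first statement of MaybeExit, or a comment naming the thread it must be called on, so the check-then-set is backed by a stated invariant rather than by the flag being atomic.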