From b1cd6cec19de46540db497137e2b93fee5c9ff17 Mon Sep 17 00:00:00 2001
From: Liam <byteslice@airmail.cc>
Date: Mon, 10 Oct 2022 19:22:26 -0400
Subject: [PATCH] syncpoint_manager: ensure handle is removable before removing

---
 src/video_core/host1x/syncpoint_manager.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/video_core/host1x/syncpoint_manager.cpp b/src/video_core/host1x/syncpoint_manager.cpp
index 326e8355ad..a44fc83d3d 100644
--- a/src/video_core/host1x/syncpoint_manager.cpp
+++ b/src/video_core/host1x/syncpoint_manager.cpp
@@ -36,7 +36,17 @@ SyncpointManager::ActionHandle SyncpointManager::RegisterAction(
 void SyncpointManager::DeregisterAction(std::list<RegisteredAction>& action_storage,
                                         ActionHandle& handle) {
     std::unique_lock lk(guard);
-    action_storage.erase(handle);
+
+    // We want to ensure the iterator still exists prior to erasing it
+    // Otherwise, if an invalid iterator was passed in then it could lead to UB
+    // It is important to avoid UB in that case since the deregister isn't called from a locked
+    // context
+    for (auto it = action_storage.begin(); it != action_storage.end(); it++) {
+        if (it == handle) {
+            action_storage.erase(it);
+            return;
+        }
+    }
 }
 
 void SyncpointManager::DeregisterGuestAction(u32 syncpoint_id, ActionHandle& handle) {
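Review bot: The `it == handle` comparison in the new loop still evaluates a handle that may already be invalidated, so the scan narrows the undefined behaviour the comment describes rather than removing it. Comparing an invalidated `std::list` iterator is itself undefined, and checked-iterator builds can abort on it. In practice the comparison is by node address, so if a freed node's storage is reused by a later `RegisterAction`, a stale handle can match and erase an unrelated action. `ActionHandle` is defined outside this hunk; this assumes it is a `std::list<RegisteredAction>` iterator, as the removed `erase(handle)` suggests. Resetting the caller's handle after a successful erase, e.g. `action_storage.erase(it); handle = action_storage.end(); return;`, makes a repeated deregister through the same handle well defined, while matching on a unique id stored in `RegisteredAction` would also cover copied handles and remove the address-reuse case.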