gfx/drivers_context/{wayland,w,x}_vk_ctx: fix UAF + double-free + CI

Found during the audit of the Vulkan context shims after f5c7df5.
Adds an AddressSanitizer regression test under samples/gfx/
vulkan_ctx_double_free/ wired into the Linux-samples-gfx CI
workflow as a sixth step.

Three of the five Vulkan context drivers' set_video_mode hooks
called their own destroy() (or destroy_resources() + free()) on
ctx_data before returning false:

  wayland_vk_ctx.c:218  gfx_ctx_wl_destroy(data)
  w_vk_ctx.c:229        gfx_ctx_w_vk_destroy(data)
  x_vk_ctx.c:489-499    destroy_resources + free

The caller in gfx/drivers/vulkan.c::vulkan_init treats a false
return from set_video_mode (line 4938) as a failed in-flight
vk_t construction and `goto error`s into vulkan_free() (line
5120), which at line 4665 calls

   vk->ctx_driver->destroy(vk->ctx_data);

-- on the very pointer the inner set_video_mode just freed.
The ctx_driver->destroy hook then walks the freed struct
(gfx_ctx_wl_destroy_resources / gfx_ctx_x_vk_destroy_resources
dereference fields off the freed pointer) and free()s the same
pointer a second time.

On glibc with default malloc the second free is detected
(`double free or corruption`) and the process aborts.  Under
jemalloc / mimalloc / older glibc the second free silently
corrupts the heap, with a write-what-where primitive controlled
by the allocator's freelist layout.

Reachability: vulkan_surface_create() failure (missing extension
or driver-level Vulkan error), Wayland's set_video_mode_common_*
helpers failing, X11's XGetVisualInfo returning NULL or
x11_input_ctx_new failing, win32_set_video_mode failing.  None
are common but all are reachable on misconfigured systems,
headless tests, or CI environments without a working display.

* gfx/drivers_context/wayland_vk_ctx.c
* gfx/drivers_context/w_vk_ctx.c
* gfx/drivers_context/x_vk_ctx.c

  Drop the destroy/free call from each set_video_mode error
  path.  Cocoa (cocoa_vk_ctx.m) and Android (android_vk_ctx.c)
  already implement this correctly: just `return false` and
  let the caller's vulkan_free chain do the single cleanup.
  This makes the other three match.

  X11's local XFree(vi) and `g_x11_screen = 0` reset are
  preserved -- those are local-resource and global-state
  cleanups respectively, not duplicates of the upper-layer
  destroy.  Wayland and Win32 had no such locals to preserve.

  Each error-path edit carries an inline comment naming the
  upper-layer cleanup site (gfx/drivers/vulkan.c::vulkan_free
  line 4665) so a future maintainer who wonders why the inner
  destroy is absent doesn't reintroduce it.

* samples/gfx/vulkan_ctx_double_free/,
  .github/workflows/Linux-samples-gfx.yml

  Regression test following the convention of the v3 vulkan/
  tests, the v4 slang test, the v5 mailbox-leak test, and the
  security regression tests under samples/tasks/.  Models the
  lifecycle contract abstractly rather than building any one
  driver -- the bug is the shape of the cleanup flow, not a
  driver-specific quirk.

  Five probes: post-fix success path (1 alloc / 1 destroy);
  post-fix failure path (the smoking gun: 1 alloc / 1 destroy,
  no double-free, no UAF); 16 back-to-back failures (no
  accumulation, no leaks); interleaved success/failure; and a
  documentation probe describing how a maintainer can swap the
  function pointer to re-trigger the pre-fix UAF.

  Verified pre/post-patch discrimination: under the pre-fix
  shape ASan reports `double-free` at the upper-layer destroy
  with the freed allocation traced back to set_video_mode's
  inner destroy.  Under the post-fix shape all five probes
  pass clean.

  Wires into Linux-samples-gfx.yml as a sixth step, modeled on
  the existing five with the same per-step explanation of what
  the test is regression-testing and the "verbatim copy must
  follow" reminder.

Author: LibretroAdmin

.github/workflows/Linux-samples-gfx.yml

@@ -172,3 +172,36 @@ jobs:
           ASAN_OPTIONS=detect_leaks=1 timeout 60 \
              ./vulkan_mailbox_init_leak_test
           echo "[pass] vulkan_mailbox_init_leak_test"
+
+      - name: Build and run vulkan_ctx_double_free_test (ASan)
+        shell: bash
+        working-directory: samples/gfx/vulkan_ctx_double_free
+        run: |
+          set -eu
+          # Regression test for the double-free / use-after-free
+          # fix in the Vulkan context drivers' set_video_mode error
+          # paths: gfx/drivers_context/wayland_vk_ctx.c,
+          # w_vk_ctx.c, x_vk_ctx.c.  Pre-fix each set_video_mode
+          # called its own destroy()/destroy_resources()+free() on
+          # ctx_data before returning false; the caller in
+          # gfx/drivers/vulkan.c::vulkan_init then ran
+          # vulkan_free()->ctx_driver->destroy(ctx_data) on the
+          # already-freed pointer (UAF read of struct fields, then
+          # a second free of the same allocation).  Reachable from
+          # vulkan_surface_create() failure (missing extension /
+          # driver issue), Wayland's set_video_mode_common_*
+          # helpers failing, X11's XGetVisualInfo returning NULL,
+          # or win32_set_video_mode failing.  Cocoa (cocoa_vk_ctx)
+          # and Android (android_vk_ctx) already handle this
+          # correctly by returning false without freeing -- the
+          # fix makes Wayland/Win32/X11 match.  Build under
+          # AddressSanitizer so any reintroduction is caught at
+          # the bounds level (UAF + double-free both fire).  If
+          # any of the three context drivers amends the
+          # set_video_mode error path to once again destroy
+          # ctx_data, the verbatim copy in
+          # vulkan_ctx_double_free_test.c must follow.
+          make clean all SANITIZER=address
+          test -x vulkan_ctx_double_free_test
+          timeout 60 ./vulkan_ctx_double_free_test
+          echo "[pass] vulkan_ctx_double_free_test"

gfx/drivers_context/w_vk_ctx.c

@@ -226,7 +226,14 @@ static bool gfx_ctx_w_vk_set_video_mode(void *data,
    }
 
    RARCH_ERR("[Vulkan] win32_set_video_mode failed.\n");
-   gfx_ctx_w_vk_destroy(data);
+   /* Do not destroy `data` here.  The caller in
+    * gfx/drivers/vulkan.c::vulkan_init treats a false return
+    * from set_video_mode as a failure of the in-flight `vk_t`
+    * construction and runs vulkan_free() on it, which calls
+    * ctx_driver->destroy(ctx_data) -- i.e. gfx_ctx_w_vk_destroy()
+    * -- on the very pointer we already freed.  Leave cleanup
+    * to the caller's single normal-path destroy.  Cocoa /
+    * Android already do this; this matches them. */
    return false;
 }
 

gfx/drivers_context/wayland_vk_ctx.c

@@ -216,7 +216,16 @@ static bool gfx_ctx_wl_set_video_mode(void *data,
    return true;
 
 error:
-   gfx_ctx_wl_destroy(data);
+   /* Do not destroy `wl` here.  The caller in
+    * gfx/drivers/vulkan.c::vulkan_init treats a false return
+    * from set_video_mode as a failure of the in-flight `vk_t`
+    * construction and runs vulkan_free() on it, which calls
+    * ctx_driver->destroy(ctx_data) -- i.e. gfx_ctx_wl_destroy()
+    * -- on the very pointer we already freed.  That second call
+    * walks freed memory in gfx_ctx_wl_destroy_resources() and
+    * then free()s the same pointer again.  Leave cleanup to the
+    * caller's single normal-path destroy.  Cocoa / Android
+    * already do this; this matches them. */
    return false;
 }
 

gfx/drivers_context/x_vk_ctx.c

@@ -490,10 +490,16 @@ static bool gfx_ctx_x_vk_set_video_mode(void *data,
    if (vi)
       XFree(vi);
 
-   gfx_ctx_x_vk_destroy_resources(x);
-
-   if (x)
-      free(x);
+   /* Do not destroy `x` here.  The caller in
+    * gfx/drivers/vulkan.c::vulkan_init treats a false return
+    * from set_video_mode as a failure of the in-flight `vk_t`
+    * construction and runs vulkan_free() on it, which calls
+    * ctx_driver->destroy(ctx_data) -- i.e. gfx_ctx_x_vk_destroy()
+    * -- on the very pointer we already freed.  That second call
+    * walks freed memory in gfx_ctx_x_vk_destroy_resources() and
+    * then free()s the same pointer again.  Leave cleanup to the
+    * caller's single normal-path destroy.  Cocoa / Android
+    * already do this; this matches them. */
    g_x11_screen = 0;
 
    return false;

samples/gfx/vulkan_ctx_double_free/Makefile

@@ -0,0 +1,25 @@
+TARGET := vulkan_ctx_double_free_test
+
+SOURCES := vulkan_ctx_double_free_test.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean