[Backport] Security bug 1152645

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2563077:
viz: Destroy |gpu_memory_buffer_factory_| on IOThread

|gpu_memory_buffer_factory_| weak pointers are checked on the
IOThread.

Weak pointers should be invalidated on the same thread that
checks them.

This CL moves the destruction of |gpu_memory_buffer_factory_|
on the IOThread to avoid possible use after free issues.

Bug: 1152645

Change-Id: I0d42814f0e435a3746728515da1f32d08a1252cf
Commit-Queue: Daniele Castagna <[email protected]>
Reviewed-by: Andres Calderon Jaramillo <[email protected]>
Cr-Commit-Position: refs/heads/master@{#836827}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: DCastagna

chromium/components/viz/service/gl/gpu_service_impl.cc

@@ -207,6 +207,26 @@ GpuServiceImpl::~GpuServiceImpl() {
 
   media_gpu_channel_manager_.reset();
   gpu_channel_manager_.reset();
+
+  // Destroy |gpu_memory_buffer_factory_| on the IO thread since its weakptrs
+  // are checked there.
+  {
+    base::WaitableEvent wait;
+    auto destroy_gmb_factory = base::BindOnce(
+        [](std::unique_ptr<gpu::GpuMemoryBufferFactory> gmb_factory,
+           base::WaitableEvent* wait) {
+          gmb_factory.reset();
+          wait->Signal();
+        },
+        std::move(gpu_memory_buffer_factory_), base::Unretained(&wait));
+    if (io_runner_->PostTask(FROM_HERE, std::move(destroy_gmb_factory))) {
+      // |gpu_memory_buffer_factory_| holds a raw pointer to
+      // |vulkan_context_provider_|. Waiting here enforces the correct order
+      // of destruction.
+      wait.Wait();
+    }
+  }
+
   owned_sync_point_manager_.reset();
 
   // Signal this event before destroying the child process. That way all