backend/wayland: don't cache next item when destroying buffers

Because wl_buffer.release is per-buffer and not per-commit, the Wayland backend might create multiple struct wlr_wl_buffer per struct wlr_buffer. As a result, the wlr_buffer_unlock() call inside destroy_wl_buffer() can cause another struct wlr_wl_buffer to be destroyed. In backend_destroy() we were iterating the list of buffers with wl_list_for_each_safe(), which is actually not safe in this case: the next buffer is cached, but might be destroyed as a side-effect of calling destroy_wl_buffer(). Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3572
2 years ago · c88ad532ad
parent 911648f430
commit c88ad532ad
1 changed files with 4 additions and 2 deletions
--- a/backend/wayland/backend.c
+++ b/backend/wayland/backend.c
@ -451,8 +451,10 @@ static void backend_destroy(struct wlr_backend *backend) {
 		wlr_output_destroy(&output->wlr_output);
 	}
-	struct wlr_wl_buffer *buffer, *tmp_buffer;
+	// Avoid using wl_list_for_each_safe() here: destroying a buffer may
-	wl_list_for_each_safe(buffer, tmp_buffer, &wl->buffers, link) {
+	// have the side-effect of destroying the next one in the list
 	while (!wl_list_empty(&wl->buffers)) {
 		struct wlr_wl_buffer *buffer = wl_container_of(wl->buffers.next, buffer, link);
 		destroy_wl_buffer(buffer);
 	}