From c88ad532ad942c957fe69e7047d6fc5e84dc1a4a Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Thu, 2 Feb 2023 11:43:00 +0100
Subject: [PATCH] backend/wayland: don't cache next item when destroying buffers

Because wl_buffer.release is per-buffer and not per-commit, the Wayland backend might create multiple struct wlr_wl_buffer per struct wlr_buffer. As a result, the wlr_buffer_unlock() call inside destroy_wl_buffer() can cause another struct wlr_wl_buffer to be destroyed. In backend_destroy() we were iterating the list of buffers with wl_list_for_each_safe(), which is actually not safe in this case: the next buffer is cached, but might be destroyed as a side-effect of calling destroy_wl_buffer().

Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3572
---
 backend/wayland/backend.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/backend/wayland/backend.c b/backend/wayland/backend.c
index 9cf4ed5e..720cecc5 100644
--- a/backend/wayland/backend.c
+++ b/backend/wayland/backend.c
@@ -451,8 +451,10 @@ static void backend_destroy(struct wlr_backend *backend) {
 wlr_output_destroy(&output->wlr_output);
 }
- struct wlr_wl_buffer *buffer, *tmp_buffer;
- wl_list_for_each_safe(buffer, tmp_buffer, &wl->buffers, link) {
+ // Avoid using wl_list_for_each_safe() here: destroying a buffer may
+ // have the side-effect of destroying the next one in the list
+ while (!wl_list_empty(&wl->buffers)) {
+ struct wlr_wl_buffer *buffer = wl_container_of(wl->buffers.next, buffer, link);
 destroy_wl_buffer(buffer);
 }
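Review bot: The `while (!wl_list_empty(&wl->buffers))` loop terminates only if each `destroy_wl_buffer()` call unlinks at least the head entry from `wl->buffers`; that unlink happens outside this hunk, so the invariant the loop depends on is implicit here. I would extend the new comment with a line such as `// destroy_wl_buffer() removes the buffer from wl->buffers, so the list shrinks on every iteration`, after confirming it holds on every path through destroy_wl_buffer(). Because the defect being fixed is a stale cached `next` pointer during teardown (a use-after-free hazard), any other wl_list_for_each_safe() walk that can reach destroy_wl_buffer() or wlr_buffer_unlock() deserves the same check; none is visible in this hunk. backend_destroy()'s body starts and ends outside the hunk.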