From 816f41c00d22ca157eed273183f0711d9f1b41c7 Mon Sep 17 00:00:00 2001
From: David Redondo
Date: Wed, 2 Aug 2023 16:43:29 +0200
Subject: [PATCH] client: Set queued buffer busy

From the outside it doesn't matter if the buffer was really committed or queued, it still in use. If it is not marked busy QWaylandShmBackingStore will delete when it is resized which can happen when the surface changes screens or receives a new fractional scale resulting in a use after free producing a crash or protocol error.

Pick-to: 6.6
Change-Id: I8abc4edbd8990af5114aa0b36c8ecedb37a4f0f6
Reviewed-by: David Edmundson
Reviewed-by: Kai Uwe Broulik
---
 src/plugins/platforms/wayland/qwaylandbuffer_p.h | 2 +-
 src/plugins/platforms/wayland/qwaylandwindow.cpp | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/plugins/platforms/wayland/qwaylandbuffer_p.h b/src/plugins/platforms/wayland/qwaylandbuffer_p.h
index 381debc8140..3798ef3ebbf 100644
--- a/src/plugins/platforms/wayland/qwaylandbuffer_p.h
+++ b/src/plugins/platforms/wayland/qwaylandbuffer_p.h
@@ -37,7 +37,7 @@ public:
     virtual QSize size() const = 0;
     virtual int scale() const { return 1; }
-    void setBusy() { mBusy = true; }
+    void setBusy(bool busy) { mBusy = busy; }
     bool busy() const { return mBusy; }
     void setCommitted() { mCommitted = true; }
diff --git a/src/plugins/platforms/wayland/qwaylandwindow.cpp b/src/plugins/platforms/wayland/qwaylandwindow.cpp
index d7bb6c6529a..c5316542e02 100644
--- a/src/plugins/platforms/wayland/qwaylandwindow.cpp
+++ b/src/plugins/platforms/wayland/qwaylandwindow.cpp
@@ -681,7 +681,7 @@ void QWaylandWindow::attach(QWaylandBuffer *buffer, int x, int y)
     if (buffer) {
         Q_ASSERT(!buffer->committed());
         handleUpdate();
-        buffer->setBusy();
+        buffer->setBusy(true);
         mSurface->attach(buffer->buffer(), x, y);
     } else {
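Review bot: The widened `setBusy(bool busy)` setter now carries a lifetime contract that the header leaves undocumented: per the commit message a buffer that is not marked busy may be deleted by QWaylandShmBackingStore on resize, so any code that keeps a pointer to a buffer across a resize must set the flag. Suggest a comment above the declaration: `// A busy buffer is referenced by the compositor or queued for a later commit; the backing store must not free it while busy() is true.` The enclosing class starts and ends outside the hunk. The second hunk in attach() only adapts the call site and raises nothing.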
@@ -713,7 +713,11 @@ void QWaylandWindow::safeCommit(QWaylandBuffer *buffer, const QRegion &damage)
     if (isExposed()) {
         commit(buffer, damage);
     } else {
+        if (mQueuedBuffer) {
+            mQueuedBuffer->setBusy(false);
+        }
         mQueuedBuffer = buffer;
+        mQueuedBuffer->setBusy(true);
         mQueuedBufferDamage = damage;
     }
 }
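Review bot: `mQueuedBuffer->setBusy(true);` dereferences `buffer` unconditionally, while attach() in the previous hunk guards the same pointer with `if (buffer)`; if safeCommit can be reached with a null buffer, the not-exposed path now crashes where it previously only stored the null. Either guard it, `if (mQueuedBuffer) mQueuedBuffer->setBusy(true);`, or make the precondition explicit with `Q_ASSERT(buffer);` at the top of the function; whether a null buffer is possible here cannot be determined from this hunk. The new block that clears the old queued buffer also deserves a why-comment, since the flag is what keeps the backing store from freeing it: `// The replaced buffer is no longer referenced by us, so the backing store may free it.` Whatever later commits mQueuedBuffer lies outside the hunk and presumably hands the busy state over to the committed path — worth confirming.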