From d2e278e4e2a155a74ca6f3e072bc53eb05bda5f7 Mon Sep 17 00:00:00 2001
From: Giulio Camuffo <giulio.camuffo@jollamobile.com>
Date: Sat, 6 Dec 2014 19:57:39 +0200
Subject: [PATCH] Fix possible double free when hiding a window

There was a race condition between the gui and the wayland event thread
which could lead to double freeing the QWaylandShmBackingStore's frame
callback. Protect the wl_callback_destroy calls using a mutex.

Change-Id: Ia70ebac208a6d4450328ba5254a850be26d84d6d
Reviewed-by: Laszlo Agocs <laszlo.agocs@theqtcompany.com>
---
 src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp | 3 +++
 src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp b/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp
index d407335d3f7..6ca65f053aa 100644
--- a/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp
+++ b/src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp
@@ -46,6 +46,7 @@
 
 #include <QtCore/qdebug.h>
 #include <QtGui/QPainter>
+#include <QMutexLocker>
 
 #include <wayland-client.h>
 #include <unistd.h>
@@ -180,6 +181,7 @@ void QWaylandShmBackingStore::endPaint()
 
 void QWaylandShmBackingStore::hidden()
 {
+    QMutexLocker lock(&mMutex);
     if (mFrameCallback) {
         wl_callback_destroy(mFrameCallback);
         mFrameCallback = Q_NULLPTR;
@@ -341,6 +343,7 @@ void QWaylandShmBackingStore::done(void *data, wl_callback *callback, uint32_t t
             static_cast<QWaylandShmBackingStore *>(data);
     if (callback != self->mFrameCallback) // others, like QWaylandWindow, may trigger callbacks too
         return;
+    QMutexLocker lock(&self->mMutex);
     QWaylandWindow *window = self->waylandWindow();
     wl_callback_destroy(self->mFrameCallback);
     self->mFrameCallback = 0;
diff --git a/src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h b/src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h
index 1212e52fe33..c0d730deead 100644
--- a/src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h
+++ b/src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h
@@ -47,6 +47,7 @@
 #include <qpa/qplatformbackingstore.h>
 #include <QtGui/QImage>
 #include <qpa/qplatformwindow.h>
+#include <QMutex>
 
 QT_BEGIN_NAMESPACE
 
@@ -106,6 +107,7 @@ private:
     QWaylandShmBuffer *mBackBuffer;
     bool mFrontBufferIsDirty;
     bool mPainting;
+    QMutex mMutex;
 
     QSize mRequestedSize;
     Qt::WindowFlags mCurrentWindowFlags;