render/allocator: add missing wlr_buffer_finish() in destroy impls

Fixes use-after-free on exit of labwc running nested: ==50906== Invalid write of size 8 ==50906== at 0x4A85403: wl_list_remove (wayland-util.c:57) ==50906== by 0x40BBAF9: destroy_wl_buffer (output.c:146) ==50906== by 0x40B9B4F: backend_destroy (backend.c:488) ==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68) ==50906== by 0x40B78A6: multi_backend_destroy (backend.c:62) ==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68) ==50906== by 0x4043DA0: server_finish (server.c:788) ==50906== by 0x403AA85: main (main.c:277) ==50906== Address 0xb4435e8 is 40 bytes inside a block of size 136 free'd ==50906== at 0x4A3E8EF: free (vg_replace_malloc.c:989) ==50906== by 0x409C954: buffer_destroy (shm.c:28) ==50906== by 0x40E96F4: buffer_consider_destroy (buffer.c:42) ==50906== by 0x40E9754: wlr_buffer_drop (buffer.c:52) ==50906== by 0x41498DA: slot_reset (swapchain.c:44) ==50906== by 0x4149933: wlr_swapchain_destroy (swapchain.c:53) ==50906== by 0x40CB1FA: wlr_output_finish (output.c:410) ==50906== by 0x40BE00B: output_destroy (output.c:957) ==50906== by 0x40CB2FC: wlr_output_destroy (output.c:436) ==50906== by 0x40B9AFC: backend_destroy (backend.c:481) ==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68) ==50906== by 0x40B78A6: multi_backend_destroy (backend.c:62) ==50906== Block was alloc'd at ==50906== at 0x4A42C13: calloc (vg_replace_malloc.c:1675) ==50906== by 0x409CA84: allocator_create_buffer (shm.c:68) ==50906== by 0x409C7BA: wlr_allocator_create_buffer (allocator.c:186) ==50906== by 0x4149B80: wlr_swapchain_acquire (swapchain.c:102) ==50906== by 0x40C90DA: render_cursor_buffer (cursor.c:246) ==50906== by 0x40C93DC: output_cursor_attempt_hardware (cursor.c:303) ==50906== by 0x40C9A61: output_cursor_set_texture (cursor.c:420) ==50906== by 0x40C9738: wlr_output_cursor_set_buffer (cursor.c:352) ==50906== by 0x40F13A0: output_cursor_set_xcursor_image (wlr_cursor.c:507) ==50906== by 0x40F1B28: cursor_output_cursor_update (wlr_cursor.c:630) ==50906== by 0x40F1C2A: cursor_update_outputs (wlr_cursor.c:657) ==50906== by 0x40F1CF9: wlr_cursor_set_xcursor (wlr_cursor.c:674) Fixes: 7963ba6a0d ("buffer: introduce wlr_buffer_finish()")
2026-02-05 04:06:11 -05:00 · 2025-12-20 14:57:24 -05:00 · 2025-12-20 14:57:24 -05:00 · 16cb509a6e
commit 16cb509a6e
parent 0ad8395ae6
2 changed files with 2 additions and 0 deletions
--- a/render/allocator/shm.c
+++ b/render/allocator/shm.c
@ -23,6 +23,7 @@ static struct wlr_shm_buffer *shm_buffer_from_buffer(

 static void buffer_destroy(struct wlr_buffer *wlr_buffer) {
 	struct wlr_shm_buffer *buffer = shm_buffer_from_buffer(wlr_buffer);
+	wlr_buffer_finish(wlr_buffer);
 	munmap(buffer->data, buffer->size);
 	close(buffer->shm.fd);
 	free(buffer);
--- a/render/allocator/udmabuf.c
+++ b/render/allocator/udmabuf.c
@ -31,6 +31,7 @@ static bool buffer_get_dmabuf(struct wlr_buffer *wlr_buffer, struct wlr_dmabuf_a

 static void buffer_destroy(struct wlr_buffer *wlr_buffer) {
 	struct wlr_udmabuf_buffer *buffer = wl_container_of(wlr_buffer, buffer, base);
+	wlr_buffer_finish(wlr_buffer);
 	wlr_dmabuf_attributes_finish(&buffer->dmabuf);
 	close(buffer->shm.fd);
 	free(buffer);