From bd566225eacdda2b72b967fb5168314924871052 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Sun, 3 Aug 2025 17:28:13 +0200
Subject: [PATCH] scene/surface: fix NULL deref when source buffer is destroyed

Fixes the following crash, witnessed after a GPU reset:

#0 0x00007fba9a32774c n/a (libc.so.6 + 0x9774c)
#1 0x00007fba9a2cddc0 raise (libc.so.6 + 0x3ddc0)
#2 0x00007fba9a2b557a abort (libc.so.6 + 0x2557a)
#3 0x00007fba9a2b54e3 n/a (libc.so.6 + 0x254e3)
#4 0x00007fba9a53fb78 wlr_linux_drm_syncobj_v1_state_signal_release_with_buffer (libwlroots-0.20.so + 0x26b78)
#5 0x00007fba9a590846 surface_reconfigure (libwlroots-0.20.so + 0x77846)
#6 0x00007fba9a590cbb scene_surface_set_clip (libwlroots-0.20.so + 0x77cbb)
#7 0x00007fba9a590efa subsurface_tree_set_clip (libwlroots-0.20.so + 0x77efa)
#8 0x00007fba9a590f1f subsurface_tree_set_clip (libwlroots-0.20.so + 0x77f1f)
#9 0x00007fba9a590f1f subsurface_tree_set_clip (libwlroots-0.20.so + 0x77f1f)
#10 0x00007fba9a590f8d wlr_scene_subsurface_tree_set_clip (libwlroots-0.20.so + 0x77f8d)

Reported-by: Hubert Hirtz
---
 types/scene/surface.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/types/scene/surface.c b/types/scene/surface.c
index e1c424ccd..135ded6fd 100644
--- a/types/scene/surface.c
+++ b/types/scene/surface.c
@@ -245,7 +245,8 @@ static void surface_reconfigure(struct wlr_scene_surface *scene_surface) {
 &surface->buffer->base, &options);
 if (syncobj_surface_state != NULL &&
- (surface->current.committed & WLR_SURFACE_STATE_BUFFER)) {
+ (surface->current.committed & WLR_SURFACE_STATE_BUFFER) &&
+ surface->buffer->source != NULL) {
 wlr_linux_drm_syncobj_v1_state_signal_release_with_buffer(syncobj_surface_state, surface->buffer->source);
 }
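Review bot: When the added `surface->buffer->source != NULL` condition is false, the `if` skips `wlr_linux_drm_syncobj_v1_state_signal_release_with_buffer()` and nothing visible in the hunk signals the release point for that commit. If no other path does so, a client waiting on that timeline point after its buffer was destroyed could stall indefinitely, so it is worth confirming where the release is signalled in that case. A short comment above the condition would record the reasoning, e.g. `/* source is NULL once the source buffer has been destroyed (seen after a GPU reset); release is then signalled by <path to confirm> */`. The backtrace passes through `abort()`, which suggests the callee asserts on its buffer argument rather than tolerating NULL, so any other caller would need the same guard. The body of `surface_reconfigure` starts and ends outside the hunk.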