From a6e96ce78a41bc91ad7307f376f1b6785d0b1458 Mon Sep 17 00:00:00 2001
From: Christian Meissl
Date: Thu, 16 May 2024 21:04:28 +0200
Subject: [PATCH] shm: guard against pool destruction race condition

It might happen that a buffer is cached somewhere while the pool has been set to null after a resize failed
---
 src/wayland/shm/pool.rs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/wayland/shm/pool.rs b/src/wayland/shm/pool.rs
index 117b6866e4ea..5223aff7fddb 100644
--- a/src/wayland/shm/pool.rs
+++ b/src/wayland/shm/pool.rs
@@ -116,6 +116,13 @@ impl InnerPool {
 let pool_guard = self.map.read().unwrap();
+ // This should not happen, but in case a pool resize failed (which result in a protocol error
+ // and will kill the client) and the buffer got cached somewhere it is possible that we try to access
+ // a dead pool.
+ if pool_guard.ptr.is_null() {
+ return Err(());
+ }
+
 trace!(fd = ?self.fd, "Buffer access on shm pool");
 // Prepare the access
@@ -152,6 +159,13 @@ impl InnerPool {
 let pool_guard = self.map.write().unwrap();
+ // This should not happen, but in case a pool resize failed (which result in a protocol error
+ // and will kill the client) and the buffer got cached somewhere it is possible that we try to access
+ // a dead pool.
+ if pool_guard.ptr.is_null() {
+ return Err(());
+ }
+
 trace!(fd = ?self.fd, "Mutable buffer access on shm pool");
 // Prepare the access
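Review bot: The new early return in the read path, `if pool_guard.ptr.is_null() { return Err(()); }`, sits before the existing `trace!` call, so an access to a dead pool is rejected without any log entry and the unit error carries no reason. The comment says this state should not occur, so a line such as `trace!(fd = ?self.fd, "Buffer access on dead shm pool");` just ahead of the `return` would show when a stale cached buffer is still in use. A higher log level would also fit if the file has one in scope. The same applies to the identical guard in the second hunk (mutable access). The enclosing function starts and ends outside the hunk, so how callers treat `Err(())` cannot be checked from here.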
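Review bot: The guard and its three-line comment in the mutable path repeat the first hunk verbatim, so a later change to one copy can easily miss the other. A small private helper that takes the locked map and returns `Err(())` when `ptr` is null would keep the two paths in sync and give the explanation a single home. The type behind `pool_guard` is not visible in this hunk, so the helper's signature has to follow that declaration. In the comment, "which result in a protocol error" should read "which results in a protocol error".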