From e98aae7e7e79da599d03e643b652ca4f9512eeb4 Mon Sep 17 00:00:00 2001
From: Hayodea Hekol
Date: Thu, 5 Mar 2026 20:02:55 -0400
Subject: [PATCH] Qutex:backoff: Fix use after free
---
 src/qutex.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/qutex.cpp b/src/qutex.cpp
index d73cc0f..070773c 100644
--- a/src/qutex.cpp
+++ b/src/qutex.cpp
@@ -253,7 +253,7 @@ void Qutex::backoff(
 #ifdef CONFIG_ENABLE_DEBUG_LOCKS
 currOwner = nullptr;
 #endif
- LockerAndInvokerBase &newFront = *queue.front();
+ std::shared_ptr newFront = queue.front();
 lock.release();
@@ -268,7 +268,7 @@ void Qutex::backoff(
 * Hence there ought to be no way for the failedAcquirer to be at the front
 * of the queue at this point UNLESS the queue has only one item in it.
 */
- if (newFront == failedAcquirer && nQItems > 1)
+ if (*newFront == failedAcquirer && nQItems > 1)
 {
 throw std::runtime_error(
 std::string(__func__) +
@@ -304,7 +304,7 @@ void Qutex::backoff(
 * is backing off of a qutex within which it's the only waiter.
 */
 if (nQItems > 1) {
- newFront.awaken();
+ newFront->awaken();
 }
 }
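Review bot: Nothing on the new line `std::shared_ptr newFront = queue.front();` in the first hunk records why a strong reference is taken there. `newFront` and `nQItems` are also still a snapshot once `lock.release()` has run, so `newFront->awaken()` in the third hunk may act on an entry another thread has already dequeued. A short comment above the copy would stop a later cleanup from turning it back into a reference, for example `// Hold a strong ref: the queue may drop this entry once the lock is released.` It would also help to state next to the `awaken()` call whether waking an entry that has since left the queue is harmless; that depends on `awaken()`, which is not visible in these hunks. `Qutex::backoff` starts and ends outside the hunks shown.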