Surface: hold onto dequeued buffers on disconnect.

This change prevents crashes caused by a client accessing an invalidated
buffer after an ANativeWindow surface is disconnected.

According to the ANativeWindow contract, surfaces can retain references
to dequeued buffers for an indeterminate amount of time.  This behavior
can lead to race conditions where a surface is disconnected by one part
of the system while another client is actively using it. When this
happens, the dequeued buffers are invalidated, causing the client to
crash on subsequent buffer operations.

To resolve this, this change introduces a "leaked" buffer set. When a
surface is disconnected, its dequeued buffers are moved to this set
instead of being immediately invalidated. These buffers are then safely
cleaned up during the next cancel or queue operation, including batched
transactions.

Bug: 432531444
Flag: EXEMPT bugfix
Test: new test

Change-Id: I5b601e5235923b50cb35691e8417e2e45fc4d673