From babdd6ccf757f18ef15b50d9f16c55031a7c1944 Mon Sep 17 00:00:00 2001
From: emersion <contact@emersion.fr>
Date: Tue, 30 Jan 2018 19:45:57 +0100
Subject: backend: fix use-after-free when destroying backends

The backend destroy signal is emitted before the output_remove
signal is. When the destroy signal is emitted listeners remove
their output_remove listener, so the output_remove signal is never
received and listeners have an invalid output pointer.

The correct way to solve this would be to remove the output_remove
signal completely and use the wlr_output.events.destroy signal
instead. This isn't yet possible because wl_signal_emit is unsafe
and listeners cannot be removed in listeners.
---
 backend/multi/backend.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'backend/multi/backend.c')

diff --git a/backend/multi/backend.c b/backend/multi/backend.c
index 1e574475..78f5c63b 100644
--- a/backend/multi/backend.c
+++ b/backend/multi/backend.c
@@ -42,11 +42,16 @@ static void subbackend_state_destroy(struct subbackend_state *sub) {
 
 static void multi_backend_destroy(struct wlr_backend *wlr_backend) {
 	struct wlr_multi_backend *backend = (struct wlr_multi_backend *)wlr_backend;
+
 	wl_list_remove(&backend->display_destroy.link);
+
 	struct subbackend_state *sub, *next;
 	wl_list_for_each_safe(sub, next, &backend->backends, link) {
 		wlr_backend_destroy(sub->backend);
 	}
+
+	// Destroy this backend only after removing all sub-backends
+	wl_signal_emit(&wlr_backend->events.destroy, backend);
 	free(backend);
 }
 
-- 
cgit v1.2.3