From babdd6ccf757f18ef15b50d9f16c55031a7c1944 Mon Sep 17 00:00:00 2001
From: emersion <contact@emersion.fr>
Date: Tue, 30 Jan 2018 19:45:57 +0100
Subject: [PATCH] backend: fix use-after-free when destroying backends

The backend destroy signal is emitted before the output_remove
signal is. When the destroy signal is emitted listeners remove
their output_remove listener, so the output_remove signal is never
received and listeners have an invalid output pointer.

The correct way to solve this would be to remove the output_remove
signal completely and use the wlr_output.events.destroy signal
instead. This isn't yet possible because wl_signal_emit is unsafe
and listeners cannot be removed in listeners.
---
 backend/backend.c          | 1 -
 backend/drm/backend.c      | 2 ++
 backend/headless/backend.c | 2 ++
 backend/headless/output.c  | 2 --
 backend/libinput/backend.c | 8 +++++---
 backend/multi/backend.c    | 5 +++++
 backend/wayland/backend.c  | 8 +++++---
 backend/wayland/output.c   | 9 +++++----
 backend/x11/backend.c      | 2 ++
 types/wlr_output.c         | 1 +
 10 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/backend/backend.c b/backend/backend.c
index a71cf6b8..98b94c5c 100644
--- a/backend/backend.c
+++ b/backend/backend.c
@@ -37,7 +37,6 @@ void wlr_backend_destroy(struct wlr_backend *backend) {
 		return;
 	}
 
-	wl_signal_emit(&backend->events.destroy, backend);
 	if (backend->impl && backend->impl->destroy) {
 		backend->impl->destroy(backend);
 	} else {
diff --git a/backend/drm/backend.c b/backend/drm/backend.c
index de69dad5..dc6757a5 100644
--- a/backend/drm/backend.c
+++ b/backend/drm/backend.c
@@ -34,6 +34,8 @@ static void wlr_drm_backend_destroy(struct wlr_backend *backend) {
 		wlr_output_destroy(&conn->output);
 	}
 
+	wl_signal_emit(&backend->events.destroy, backend);
+
 	wl_list_remove(&drm->display_destroy.link);
 	wl_list_remove(&drm->session_signal.link);
 	wl_list_remove(&drm->drm_invalidated.link);
diff --git a/backend/headless/backend.c b/backend/headless/backend.c
index 61409d41..0bf5ec28 100644
--- a/backend/headless/backend.c
+++ b/backend/headless/backend.c
@@ -51,6 +51,8 @@ static void backend_destroy(struct wlr_backend *wlr_backend) {
 		wlr_input_device_destroy(&input_device->wlr_input_device);
 	}
 
+	wl_signal_emit(&wlr_backend->events.destroy, backend);
+
 	wlr_egl_finish(&backend->egl);
 	free(backend);
 }
diff --git a/backend/headless/output.c b/backend/headless/output.c
index 46f9d212..aac7cc20 100644
--- a/backend/headless/output.c
+++ b/backend/headless/output.c
@@ -62,8 +62,6 @@ static bool output_swap_buffers(struct wlr_output *wlr_output) {
 static void output_destroy(struct wlr_output *wlr_output) {
 	struct wlr_headless_output *output =
 		(struct wlr_headless_output *)wlr_output;
-	wl_signal_emit(&output->backend->backend.events.output_remove,
-		&output->wlr_output);
 
 	wl_list_remove(&output->link);
 
diff --git a/backend/libinput/backend.c b/backend/libinput/backend.c
index c9352051..86477947 100644
--- a/backend/libinput/backend.c
+++ b/backend/libinput/backend.c
@@ -95,12 +95,12 @@ static bool wlr_libinput_backend_start(struct wlr_backend *_backend) {
 	return true;
 }
 
-static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) {
-	if (!_backend) {
+static void wlr_libinput_backend_destroy(struct wlr_backend *wlr_backend) {
+	if (!wlr_backend) {
 		return;
 	}
 	struct wlr_libinput_backend *backend =
-		(struct wlr_libinput_backend *)_backend;
+		(struct wlr_libinput_backend *)wlr_backend;
 
 	for (size_t i = 0; i < backend->wlr_device_lists.length; i++) {
 		struct wl_list *wlr_devices = backend->wlr_device_lists.items[i];
@@ -112,6 +112,8 @@ static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) {
 		free(wlr_devices);
 	}
 
+	wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
+
 	wl_list_remove(&backend->display_destroy.link);
 	wl_list_remove(&backend->session_signal.link);
 
diff --git a/backend/multi/backend.c b/backend/multi/backend.c
index 1e574475..78f5c63b 100644
--- a/backend/multi/backend.c
+++ b/backend/multi/backend.c
@@ -42,11 +42,16 @@ static void subbackend_state_destroy(struct subbackend_state *sub) {
 
 static void multi_backend_destroy(struct wlr_backend *wlr_backend) {
 	struct wlr_multi_backend *backend = (struct wlr_multi_backend *)wlr_backend;
+
 	wl_list_remove(&backend->display_destroy.link);
+
 	struct subbackend_state *sub, *next;
 	wl_list_for_each_safe(sub, next, &backend->backends, link) {
 		wlr_backend_destroy(sub->backend);
 	}
+
+	// Destroy this backend only after removing all sub-backends
+	wl_signal_emit(&wlr_backend->events.destroy, backend);
 	free(backend);
 }
 
diff --git a/backend/wayland/backend.c b/backend/wayland/backend.c
index eca79350..458c9dd0 100644
--- a/backend/wayland/backend.c
+++ b/backend/wayland/backend.c
@@ -64,9 +64,9 @@ static bool wlr_wl_backend_start(struct wlr_backend *_backend) {
 	return true;
 }
 
-static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
-	struct wlr_wl_backend *backend = (struct wlr_wl_backend *)_backend;
-	if (!_backend) {
+static void wlr_wl_backend_destroy(struct wlr_backend *wlr_backend) {
+	struct wlr_wl_backend *backend = (struct wlr_wl_backend *)wlr_backend;
+	if (backend == NULL) {
 		return;
 	}
 
@@ -80,6 +80,8 @@ static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
 		wlr_input_device_destroy(input_device);
 	}
 
+	wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
+
 	wl_list_remove(&backend->local_display_destroy.link);
 
 	free(backend->seat_name);
diff --git a/backend/wayland/output.c b/backend/wayland/output.c
index 4a8fb0bf..a9140ff7 100644
--- a/backend/wayland/output.c
+++ b/backend/wayland/output.c
@@ -161,11 +161,12 @@ static bool wlr_wl_output_set_cursor(struct wlr_output *_output,
 	return true;
 }
 
-static void wlr_wl_output_destroy(struct wlr_output *_output) {
+static void wlr_wl_output_destroy(struct wlr_output *wlr_output) {
 	struct wlr_wl_backend_output *output =
-		(struct wlr_wl_backend_output *)_output;
-	wl_signal_emit(&output->backend->backend.events.output_remove,
-		&output->wlr_output);
+		(struct wlr_wl_backend_output *)wlr_output;
+	if (output == NULL) {
+		return;
+	}
 
 	wl_list_remove(&output->link);
 
diff --git a/backend/x11/backend.c b/backend/x11/backend.c
index 3bad8d61..44e29be1 100644
--- a/backend/x11/backend.c
+++ b/backend/x11/backend.c
@@ -259,6 +259,8 @@ static void wlr_x11_backend_destroy(struct wlr_backend *backend) {
 		xkb_state_unref(x11->keyboard_dev.keyboard->xkb_state);
 	}
 
+	wl_signal_emit(&backend->events.destroy, backend);
+
 	wl_list_remove(&x11->display_destroy.link);
 
 	wl_event_source_remove(x11->frame_timer);
diff --git a/types/wlr_output.c b/types/wlr_output.c
index 54f4baf8..1878dbb3 100644
--- a/types/wlr_output.c
+++ b/types/wlr_output.c
@@ -286,6 +286,7 @@ void wlr_output_destroy(struct wlr_output *output) {
 	wlr_output_destroy_global(output);
 	wlr_output_set_fullscreen_surface(output, NULL);
 
+	wl_signal_emit(&output->backend->events.output_remove, output);
 	wl_signal_emit(&output->events.destroy, output);
 
 	struct wlr_output_mode *mode, *tmp_mode;