From 086a887058b24d97ef3091424a6bbedec359aeb5 Mon Sep 17 00:00:00 2001
From: John Lindgren
Date: Thu, 15 Sep 2022 19:50:07 -0400
Subject: [PATCH] keyboard: Fix use-after-free in keyboard_finish()

---
 src/keyboard.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/keyboard.c b/src/keyboard.c
index 2d44a9db..364e8048 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -241,8 +241,15 @@ void keyboard_finish(struct seat *seat)
 {
 	if (seat->keyboard_group) {
+		/*
+		 * Caution - these event listeners are connected to
+		 * seat->keyboard_group->keyboard and must be
+		 * unregistered before wlr_keyboard_group_destroy(),
+		 * otherwise a use-after-free occurs.
+		 */
+		wl_list_remove(&seat->keyboard_key.link);
+		wl_list_remove(&seat->keyboard_modifiers.link);
 		wlr_keyboard_group_destroy(seat->keyboard_group);
+		seat->keyboard_group = NULL;
 	}
-	wl_list_remove(&seat->keyboard_key.link);
-	wl_list_remove(&seat->keyboard_modifiers.link);
 }
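Review bot: After the two `wl_list_remove()` calls in the `if (seat->keyboard_group)` branch, `seat->keyboard_key.link` and `seat->keyboard_modifiers.link` still hold prev/next pointers into the signal lists of the keyboard that `wlr_keyboard_group_destroy()` frees on the next line, so any later `wl_list_remove()` or `wl_list_empty()` on those links would touch freed memory; nulling `keyboard_group` guards this function on re-entry, but not other code that inspects the listeners. I would reinitialise each link right after unlinking it, `wl_list_init(&seat->keyboard_key.link);` and `wl_list_init(&seat->keyboard_modifiers.link);`, so a torn-down seat looks the same as one whose listeners were never registered. The move of the removes inside the branch also assumes both listeners are only ever added together with `keyboard_group`; keyboard_init() is not in this hunk, so that should be confirmed, and a one-line comment stating that invariant next to the branch would help the next reader. The fix ordering itself (unlink before destroy) is correct.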