From a3fbb52bb046de79336d540c8152b101a1dc6e8d Mon Sep 17 00:00:00 2001
From: John Lindgren
Date: Thu, 15 Sep 2022 20:02:06 -0400
Subject: [PATCH] seat: Fix use-after-free in touch_finish()
---
 src/seat.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/seat.c b/src/seat.c
index 70a240e8..e19c663f 100644
--- a/src/seat.c
+++ b/src/seat.c
@@ -317,8 +317,13 @@ seat_finish(struct server *server)
 struct seat *seat = &server->seat;
 wl_list_remove(&seat->new_input.link);
 keyboard_finish(seat);
- cursor_finish(seat);
+ /*
+ * Caution - touch_finish() unregisters event listeners from
+ * seat->cursor and must come before cursor_finish(), otherwise
+ * a use-after-free occurs.
+ */
 touch_finish(seat);
+ cursor_finish(seat);
 }
 
 void
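Review bot: The ordering rule is recorded only at this call site in seat_finish(), so a later edit inside touch_finish() or cursor_finish() (both defined outside this hunk) has nothing to warn it; the same precondition belongs on touch_finish()'s definition, e.g. `/* Must run before cursor_finish(): removes listeners registered on seat->cursor. */`. The added comment also names only touch_finish(), while the constraint presumably applies to any teardown step that removes listeners from seat->cursor, so wording it as `cursor_finish() must stay after every *_finish() that touches seat->cursor` would cover future additions. The opening of seat_finish() lies outside the hunk, so whether anything earlier in the function also depends on seat->cursor cannot be checked from here. Exercising the compositor's exit path under AddressSanitizer would confirm the fix and catch a regression of this ordering.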