From e365d5eaf044216594ad64232a29b296a7e2eb96 Mon Sep 17 00:00:00 2001
From: Johan Malm
Date: Sun, 29 Jun 2025 22:09:16 +0100
Subject: [PATCH] layers.c: fix UAF bug on TTY change

Call seat_set_focus_layer(seat, NULL) in node-destroy-handler to avoid seat->focused_layer becoming invalid and causing UAF issues in certain situations like when outputs (and therefore layer-trees) are destroyed.

Fixes: #2863
Helped-by: @Consolatis
---
 src/layers.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/layers.c b/src/layers.c
index d7d9624d..2ae560df 100644
--- a/src/layers.c
+++ b/src/layers.c
@@ -310,6 +310,17 @@ handle_node_destroy(struct wl_listener *listener, void *data)
 struct lab_layer_surface *layer =
 wl_container_of(listener, layer, node_destroy);
 
+ struct seat *seat = &layer->server->seat;
+
+ /*
+ * If the surface of this node has the current keyboard focus, then we
+ * have to deal with `seat->focused_layer` to avoid UAF bugs, for
+ * example on TTY change. See issue #2863
+ */
+ if (layer->layer_surface == seat->focused_layer) {
+ seat_set_focus_layer(seat, NULL);
+ }
+
 /*
 * Important:
 *
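Review bot: The reset of `seat->focused_layer` added in handle_node_destroy guards only this one teardown path, so the invariant that the cached pointer never outlives its layer surface still depends on every destroy path repeating the same check. Whether other paths free the surface without passing through this handler is not visible here, and the function body continues past the end of the hunk. A sturdier arrangement would be for the seat to register its own destroy listener on whatever it stores in `focused_layer`, so the pointer is cleared wherever the object is freed. It is also worth confirming that `seat_set_focus_layer(seat, NULL)` only updates seat state and does not touch the outgoing surface or re-arrange layers while the tree is being torn down. If so, record that in the new comment, for example `Safe during teardown: only clears seat focus state.`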