backend: fix use-after-free when destroying backends

The backend destroy signal is emitted before the output_remove
signal is. When the destroy signal is emitted listeners remove
their output_remove listener, so the output_remove signal is never
received and listeners have an invalid output pointer.

The correct way to solve this would be to remove the output_remove
signal completely and use the wlr_output.events.destroy signal
instead. This isn't yet possible because wl_signal_emit is unsafe
and listeners cannot be removed in listeners.

backend/wayland/backend.c

@@ -64,9 +64,9 @@ static bool wlr_wl_backend_start(struct wlr_backend *_backend) {
 	return true;
 }
 
-static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
-	struct wlr_wl_backend *backend = (struct wlr_wl_backend *)_backend;
-	if (!_backend) {
+static void wlr_wl_backend_destroy(struct wlr_backend *wlr_backend) {
+	struct wlr_wl_backend *backend = (struct wlr_wl_backend *)wlr_backend;
+	if (backend == NULL) {
 		return;
 	}
 
@@ -80,6 +80,8 @@ static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
 		wlr_input_device_destroy(input_device);
 	}
 
+	wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
+
 	wl_list_remove(&backend->local_display_destroy.link);
 
 	free(backend->seat_name);

backend/wayland/output.c

@@ -161,11 +161,12 @@ static bool wlr_wl_output_set_cursor(struct wlr_output *_output,
 	return true;
 }
 
-static void wlr_wl_output_destroy(struct wlr_output *_output) {
+static void wlr_wl_output_destroy(struct wlr_output *wlr_output) {
 	struct wlr_wl_backend_output *output =
-		(struct wlr_wl_backend_output *)_output;
-	wl_signal_emit(&output->backend->backend.events.output_remove,
-		&output->wlr_output);
+		(struct wlr_wl_backend_output *)wlr_output;
+	if (output == NULL) {
+		return;
+	}
 
 	wl_list_remove(&output->link);