From e136a4168ba08fbdd7b0d299238f2c78f72f8458 Mon Sep 17 00:00:00 2001 From: Andri Yngvason Date: Mon, 28 Dec 2020 15:10:42 +0000 Subject: [PATCH] types/seat: Clear focus in wlr_seat_destroy() This fixes use-after-free in surface destroy signal listeners. --- include/wlr/types/wlr_seat.h | 3 ++- types/seat/wlr_seat.c | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/wlr/types/wlr_seat.h b/include/wlr/types/wlr_seat.h index 5094874c..b34d4a72 100644 --- a/include/wlr/types/wlr_seat.h +++ b/include/wlr/types/wlr_seat.h @@ -318,7 +318,8 @@ struct wlr_seat_keyboard_focus_change_event { */ struct wlr_seat *wlr_seat_create(struct wl_display *display, const char *name); /** - * Destroys a wlr_seat and removes its wl_seat global. + * Destroys a wlr_seat, removes its wl_seat global and clears focus for all + * devices belonging to the seat. */ void wlr_seat_destroy(struct wlr_seat *wlr_seat); /** diff --git a/types/seat/wlr_seat.c b/types/seat/wlr_seat.c index 9395a5b1..53d1db22 100644 --- a/types/seat/wlr_seat.c +++ b/types/seat/wlr_seat.c @@ -159,6 +159,14 @@ void wlr_seat_destroy(struct wlr_seat *seat) { return; } + wlr_seat_pointer_clear_focus(seat); + wlr_seat_keyboard_clear_focus(seat); + + struct wlr_touch_point *point; + wl_list_for_each(point, &seat->touch_state.touch_points, link) { + wlr_seat_touch_point_clear_focus(seat, 0, point->touch_id); + } + wlr_signal_emit_safe(&seat->events.destroy, seat); wl_list_remove(&seat->display_destroy.link);