keyboard: Fix use-after-free in keyboard_finish()

diff --git a/src/keyboard.c b/src/keyboard.c
index 2d44a9dbb39bb0a3075c9e7be6d1faa83d0d12dd..364e80486284ba4bae7bb17bf012532a5c466d64 100644 (file)
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -241,8 +241,15 @@ void
 keyboard_finish(struct seat *seat)
 {
        if (seat->keyboard_group) {
+               /*
+                * Caution - these event listeners are connected to
+                * seat->keyboard_group->keyboard and must be
+                * unregistered before wlr_keyboard_group_destroy(),
+                * otherwise a use-after-free occurs.
+                */
+               wl_list_remove(&seat->keyboard_key.link);
+               wl_list_remove(&seat->keyboard_modifiers.link);
                wlr_keyboard_group_destroy(seat->keyboard_group);
+               seat->keyboard_group = NULL;
        }
-       wl_list_remove(&seat->keyboard_key.link);
-       wl_list_remove(&seat->keyboard_modifiers.link);
 }