types/wlr_seat: finish keyboard_state during wlr_seat_destroy

Fixes a use-after-free issue when the wlr_seat has been destroyed manually and destroying the display destroyed the associated wlr_keyboard:

=================================================================
==11244==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000007dd8 at pc 0x7f3c051f7f21 bp 0x7ffd64a704e0 sp 0x7ffd64a704d8
READ of size 8 at 0x618000007dd8 thread T0
#0 0x7f3c051f7f20 in handle_keyboard_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat_keyboard.c:116:31
#1 0x7f3c056e2ba0 in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x9ba0)
#2 0x7f3c052c8744 in wlr_input_device_finish /home/simon/src/wxrc/build/../subprojects/wlroots/types/wlr_input_device.c:23:2
#3 0x7f3c052d483c in wlr_keyboard_finish /home/simon/src/wxrc/build/../subprojects/wlroots/types/wlr_keyboard.c:154:2
#4 0x7f3c051610be in destroy_wl_seats /home/simon/src/wxrc/build/../subprojects/wlroots/backend/wayland/seat.c:263:5
#5 0x7f3c0514dc52 in backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/wayland/backend.c:470:2
#6 0x7f3c050db184 in wlr_backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/backend.c:67:3
#7 0x7f3c05148765 in multi_backend_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/multi/backend.c:57:3
#8 0x7f3c05146607 in handle_display_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/backend/multi/backend.c:125:2
#9 0x7f3c056e3dd0 (/usr/lib/libwayland-server.so.0+0xadd0)
#10 0x7f3c056e44a1 in wl_display_destroy (/usr/lib/libwayland-server.so.0+0xb4a1)
#11 0x55b4942eafbb in wxrc_server_finish /home/simon/src/wxrc/build/../wxrc/server.c:617:2
#12 0x55b4942a0144 in main /home/simon/src/wxrc/build/../wxrc/main.c:128:2
#13 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2
0x618000007dd8 is located 344 bytes inside of 880-byte region [0x618000007c80,0x618000007ff0)
freed by thread T0 here:
LLVMSymbolizer: error reading file: No such file or directory
#0 0x55b494195872 in __interceptor_free /home/buildozer/aports/main/llvm-runtimes/src/llvm-project-15.0.5.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f3c0520f2a1 in wlr_seat_destroy /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat.c:216:2
#2 0x55b4942cd6c4 in wxrc_seat_destroy /home/simon/src/wxrc/build/../wxrc/seat.c:846:2
#3 0x55b4942eae75 in wxrc_server_finish /home/simon/src/wxrc/build/../wxrc/server.c:614:2
#4 0x55b4942a0144 in main /home/simon/src/wxrc/build/../wxrc/main.c:128:2
#5 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2
#6 0x7ffd64a72c64 ([stack]+0x20c64)
previously allocated by thread T0 here:
#0 0x55b494195b88 in __interceptor_calloc /home/buildozer/aports/main/llvm-runtimes/src/llvm-project-15.0.5.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x7f3c0520f2d1 in wlr_seat_create /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat.c:226:26
#2 0x55b4942cad93 in wxrc_seat_create /home/simon/src/wxrc/build/../wxrc/seat.c:792:15
#3 0x55b4942e494d in wxrc_server_init /home/simon/src/wxrc/build/../wxrc/server.c:229:17
#4 0x55b49429fe7d in main /home/simon/src/wxrc/build/../wxrc/main.c:101:7
#5 0x7f3c057b49c9 in libc_start_main_stage2 /home/buildozer/aports/main/musl/src/v1.2.3/src/env/__libc_start_main.c:95:2
#6 0x7ffd64a72c64 ([stack]+0x20c64)
SUMMARY: AddressSanitizer: heap-use-after-free /home/simon/src/wxrc/build/../subprojects/wlroots/types/seat/wlr_seat_keyboard.c:116:31 in handle_keyboard_destroy
Shadow bytes around the buggy address:
==11244==ABORTING
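
The teardown order in the trace (seat destroyed first, keyboard destroyed later by the display) can be modelled without wlroots. The following is an added example, not code from the commit or from wlroots: the structs and function names are hypothetical stand-ins, an `alive` flag replaces the real `free()` so the stale access is counted rather than executed, and it assumes that finishing the keyboard state means unsubscribing the seat from the keyboard's destroy signal.

```c
#include <stddef.h>
/* Intrusive list and listener, modelled on the wl_list / wl_listener pattern. */
struct link { struct link *prev, *next; };
struct listener { struct link link; void (*notify)(struct listener *); };
static void list_insert(struct link *head, struct link *e) {
    e->prev = head; e->next = head->next;
    head->next->prev = e; head->next = e;
}
static void list_remove(struct link *e) { e->prev->next = e->next; e->next->prev = e->prev; }

/* Hypothetical stand-ins, not the wlroots structs. `alive` replaces a real
 * free() so the stale access is counted instead of executed. */
struct keyboard { struct link destroy; /* head of the destroy-signal listener list */ };
struct seat { int alive, stale_reads; struct keyboard *kb; struct listener kb_destroy; };
static void handle_keyboard_destroy(struct listener *l) {
    struct seat *seat = (struct seat *)((char *)l - offsetof(struct seat, kb_destroy));
    if (!seat->alive) { seat->stale_reads++; return; } /* real code touches freed memory here */
    list_remove(&seat->kb_destroy.link);
    seat->kb = NULL;
}
static void seat_set_keyboard(struct seat *seat, struct keyboard *kb) {
    seat->kb = kb;
    seat->kb_destroy.notify = handle_keyboard_destroy;
    list_insert(&kb->destroy, &seat->kb_destroy.link);
}
/* finish_keyboard_state = 0 models the pre-fix teardown, 1 the fixed one. */
static void seat_destroy(struct seat *seat, int finish_keyboard_state) {
    if (finish_keyboard_state && seat->kb != NULL) {
        list_remove(&seat->kb_destroy.link); /* unsubscribe before the memory goes away */
        seat->kb = NULL;
    }
    seat->alive = 0; /* stand-in for free(seat) */
}
static void keyboard_finish(struct keyboard *kb) {
    for (struct link *e = kb->destroy.next, *next; e != &kb->destroy; e = next) {
        next = e->next; /* saved first: a handler may unlink itself */
        ((struct listener *)e)->notify((struct listener *)e);
    }
}
/* Seat torn down first, keyboard second: the order shown in the trace. */
int stale_reads_on_shutdown(int finish_keyboard_state) {
    struct keyboard kb = { { &kb.destroy, &kb.destroy } };
    struct seat seat = { .alive = 1 };
    seat_set_keyboard(&seat, &kb);
    seat_destroy(&seat, finish_keyboard_state);
    keyboard_finish(&kb);
    return seat.stale_reads;
}
int main(void) { return !(stale_reads_on_shutdown(0) == 1 && stale_reads_on_shutdown(1) == 0); }
```

Without the unsubscribe step the keyboard still holds a link embedded in the dead seat, so its destroy signal calls back into it once; with the step the listener list is empty by the time the keyboard is finished.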