From 2e18eec6f03cc4d9d5bf62853c65d341b363f4b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
Date: Fri, 8 Mar 2019 18:49:04 +0100
Subject: [PATCH xserver] xwayland/present: Destroy sync_callback in
 xwl_present_cleanup

xwl_present_cleanup frees the struct xwl_present_window memory,
so if there's a pending callback, we have to destroy it to prevent
use-after-free in xwl_present_sync_callback.

Should fix issue #645.

Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
---
 hw/xwayland/xwayland-present.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 192f59a653..a1b3109cc2 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -123,6 +123,11 @@ xwl_present_cleanup(WindowPtr window)
         xwl_present_window->frame_callback = NULL;
     }
 
+    if (xwl_present_window->sync_callback) {
+        wl_callback_destroy(xwl_present_window->sync_callback);
+        xwl_present_window->sync_callback = NULL;
+    }
+
     /* Clear remaining events */
     xorg_list_for_each_entry_safe(event, tmp, &xwl_present_window->event_list, list) {
         xorg_list_del(&event->list);
-- 
2.20.1