<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - wl_resource_destroy use-heap-after-free which destroyed by weston_seat_release"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=94519">94519</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>wl_resource_destroy use-heap-after-free which destroyed by weston_seat_release
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Wayland
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>weston
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>wayland-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>comicfans44@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I'm trying weston with the rdp backend; after the rdp session disconnects, weston crashes.

It seems weston_seat_release already calls

weston_keyboard_destroy(seat->keyboardstate)

but later
wl_resource_destroy->destroy_resource->wl_list_remove
accesses this memory.

AddressSanitizer report:

==10695==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000020d50
at pc 0x7f05e9f6c567 bp 0x7ffee886bf10 sp 0x7ffee886bf00
WRITE of size 8 at 0x611000020d50 thread T0
    #0 0x7f05e9f6c566 in wl_list_remove
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-util.c:57
    #1 0x7f05e9f5df7a in destroy_resource
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:571
    #2 0x7f05e9f5f89e in wl_resource_destroy
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:584
    #3 0x7f05e84cae2f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0xce2f)
    #4 0x7f05e84c9a2d in ffi_call (/usr/lib64/libffi.so.6+0xba2d)
    #5 0x7f05e9f6af75 in wl_closure_invoke
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/connection.c:949
    #6 0x7f05e9f603b5 in wl_client_connection_data
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:337
    #7 0x7f05e9f650d1 in wl_event_loop_dispatch
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/event-loop.c:421
    #8 0x7f05e9f611af in wl_display_run
/usr/src/debug/dev-libs/wayland-9999/wayland-9999/src/wayland-server.c:1051
    #9 0x40a333 in main src/main.c:859
    #10 0x7f05e8ea459f in __libc_start_main (/lib64/libc.so.6+0x2059f)
    #11 0x40a8c8 in _start (/usr/bin/weston+0x40a8c8)

0x611000020d50 is located 16 bytes inside of 232-byte region
[0x611000020d40,0x611000020e28)
freed by thread T0 here:
    #0 0x7f05ea1d455f in __interceptor_free
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5755f)
    #1 0x42c92c in weston_seat_release src/input.c:2675

previously allocated by thread T0 here:
    #0 0x7f05ea1d4935 in calloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57935)
    #1 0x423e6f in zalloc shared/zalloc.h:38
    #2 0x423e6f in weston_keyboard_create src/input.c:756</pre>
        </div>
      </p>
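      <p>Added example, not part of the original report and not Weston or libwayland code: a minimal C model of the lifetime problem in the trace, where a resource's embedded list link still points at a list head inside an owner that has been freed, shown beside one way to detach resources before the free. The struct layouts, function names and the detach approach are assumptions made for illustration.</p>

```c
#include <stdlib.h>

/* Stand-in for wl_list: circular doubly linked list with embedded links. */
struct list { struct list *prev, *next; };
void list_init(struct list *l) { l->prev = l->next = l; }
void list_insert(struct list *head, struct list *e) {
    e->prev = head; e->next = head->next;
    head->next->prev = e; head->next = e;
}
/* Removal stores into the neighbours of e. If a neighbour is the list head
 * inside an already freed owner, that store is the use-after-free WRITE. */
void list_remove(struct list *e) {
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->prev = e->next = NULL;
}

/* Hypothetical models of the keyboard state and a client resource. */
struct keyboard { void *seat; struct list resources; };
struct resource { struct list link; };
void resource_destroy(struct resource *res) { list_remove(&res->link); }
/* True when removing res can only touch res's own memory. */
int is_detached(const struct resource *res) {
    return res->link.prev == &res->link && res->link.next == &res->link;
}

/* "Before": owner freed while resources are still linked to its head. */
void keyboard_destroy_unsafe(struct keyboard *kb) { free(kb); }
/* "After": unlink every resource and make its link self-referential, so a
 * later resource_destroy() never reaches into the freed keyboard. */
void keyboard_destroy_detached(struct keyboard *kb) {
    while (kb->resources.next != &kb->resources) {
        struct list *e = kb->resources.next;
        list_remove(e);
        list_init(e);
    }
    free(kb);
}

int main(void) {   /* constructed scenario: a resource outlives its keyboard */
    struct keyboard *kb = calloc(1, sizeof *kb);
    struct resource r;
    if (!kb) return 1;
    list_init(&kb->resources);
    list_insert(&kb->resources, &r.link);
    keyboard_destroy_detached(kb);
    int safe = is_detached(&r);
    resource_destroy(&r);   /* writes only to r itself */
    return safe ? 0 : 1;
}
```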
    </body>
</html>