From 81de2c2913a73fe2487c880112cf3815b802a5ed Mon Sep 17 00:00:00 2001
From: Sebastian Keller <skeller@gnome.org>
Date: Sat, 1 Feb 2020 02:28:12 +0100
Subject: [PATCH] backends/x11: Fix use after free on device removal

The devices_by_id hash table is responsible for managing the reference
to the devices. In remove_device however, for non-core devices there are
additional calls to dispose/unref, after the last reference has
already been dropped by the hash table.

https://gitlab.gnome.org/GNOME/mutter/merge_requests/1032
---
 src/backends/x11/meta-seat-x11.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/backends/x11/meta-seat-x11.c b/src/backends/x11/meta-seat-x11.c
index 9a43a2762..4c2395351 100644
--- a/src/backends/x11/meta-seat-x11.c
+++ b/src/backends/x11/meta-seat-x11.c
@@ -698,12 +698,11 @@ remove_device (MetaSeatX11 *seat_x11,
         {
           seat_x11->devices = g_list_remove (seat_x11->devices, device);
           g_signal_emit_by_name (seat_x11, "device-removed", device);
-          g_hash_table_remove (seat_x11->devices_by_id,
-                               GINT_TO_POINTER (device_id));
         }
 
       g_object_run_dispose (G_OBJECT (device));
-      g_object_unref (device);
+      g_hash_table_remove (seat_x11->devices_by_id,
+                           GINT_TO_POINTER (device_id));
     }
 }