From 11063aa28b77fa83c40f85dfa6aff0ab88c56cfb Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 27 Nov 2025 09:15:34 +1000
Subject: [PATCH] tablet: when destroying a tablet, unlink the tablet tools

If a caller holds a ref to a tablet tool when the device is
destroyed, the tool didn't get removed from the tablet->tool_list.

Later on tool unref the list_remove() would try to reset the pointers
but the list head was long since freed, causing an invalid write.

(cherry picked from commit 7e8298e9ecf29ce922cba26b139be163dafbab86)

Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1375>
---
 src/evdev-tablet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/evdev-tablet.c b/src/evdev-tablet.c
index dfbed4cd..3a5a8393 100644
--- a/src/evdev-tablet.c
+++ b/src/evdev-tablet.c
@@ -2451,6 +2451,8 @@ tablet_destroy(struct evdev_dispatch *dispatch)
 	struct libinput *li = tablet_libinput_context(tablet);
 
 	list_for_each_safe(tool, &tablet->tool_list, link) {
+		list_remove(&tool->link);
+		list_init(&tool->link); /* unref may list_remove() too */
 		libinput_tablet_tool_unref(tool);
 	}