From 9406664a540ab8068899b438c6b9c87f20ae8ad5 Mon Sep 17 00:00:00 2001
From: Jeffy Chen
Date: Wed, 21 Feb 2024 09:30:56 +0800
Subject: [PATCH] backend-drm: Cleanup output's disable head list when destroying it
Avoid memory use-after-free when the trying to remove entries from an already freed list later. Also add missing removal in drm_output_detach_head() and drm_head_destroy().
Signed-off-by: Jeffy Chen
---
 libweston/backend-drm/drm.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libweston/backend-drm/drm.c b/libweston/backend-drm/drm.c
index 9876059b0..a5af37d91 100644
--- a/libweston/backend-drm/drm.c
+++ b/libweston/backend-drm/drm.c
@@ -1686,6 +1686,7 @@ drm_output_detach_head(struct weston_output *output_base,
 return;
 /* Drop connectors that should no longer be driven on next repaint. */
+ wl_list_remove(&head->disable_head_link);
 wl_list_insert(&output->disable_head, &head->disable_head_link);
 }
@@ -2381,6 +2382,8 @@ drm_output_destroy(struct weston_output *base)
 assert(output->hdr_output_metadata_blob_id == 0);
+ wl_list_remove(&output->disable_head);
+
 free(output);
 }
@@ -2704,6 +2707,8 @@ drm_head_destroy(struct weston_head *base)
 if (head->backlight)
 backlight_destroy(head->backlight);
+ wl_list_remove(&head->disable_head_link);
+
 free(head->display_data);
 free(head);
 }
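Review bot: The `wl_list_remove(&head->disable_head_link)` added in drm_output_detach_head(), and the same call added in drm_head_destroy(), is only safe if the link is always either on a list or self-linked, and nothing in this patch initialises it. wl_list_remove() leaves the removed element's `next`/`prev` set to NULL, so a head that was never queued for disable, or one that was unlinked earlier without being re-initialised, would dereference NULL here. If head creation does not already do so, add `wl_list_init(&head->disable_head_link);` there, and follow every other removal of this link with `wl_list_init()` so the remove-then-insert stays valid. Both functions begin outside their hunks, so existing initialisation cannot be confirmed from this diff.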
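Review bot: The `wl_list_remove(&output->disable_head)` in drm_output_destroy() unlinks the list head itself rather than its entries, which is easy to misread as a mistake and deserves a comment. Something like `/* Unlink the list head so heads still queued for disable keep no pointers into the freed output. */` above the call would record why this prevents the use-after-free named in the commit message. It may also be worth noting there that heads still queued at this point stay linked to each other until their own `disable_head_link` is removed. The function begins outside the hunk.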