From e42d7548436e98665a3f48cb3a11ef1937f52273 Mon Sep 17 00:00:00 2001
From: Derek Foreman <derekf@osg.samsung.com>
Date: Fri, 29 May 2015 10:46:44 -0500
Subject: [PATCH] desktop-shell: drop shell_client from the head of the surface
 list on destroy

This prevents a use after free when the surfaces are automatically cleaned
up later, as shell_client's freed node was still in the surface list.

Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
---
 desktop-shell/shell.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
index 487c3e73..05aa340d 100644
--- a/desktop-shell/shell.c
+++ b/desktop-shell/shell.c
@@ -5841,6 +5841,13 @@ handle_shell_client_destroy(struct wl_listener *listener, void *data)
 
 	if (sc->ping_timer)
 		wl_event_source_remove(sc->ping_timer);
+
+	/* Since we're about to free shell_client, we remove it from the
+	 * head of the surface list so we don't use that freed list node
+	 * during surface clean up later on.
+	 */
+	wl_list_remove(&sc->surface_list);
+
 	free(sc);
 }