[mutter/gnome-3-36] backend: Keep a refcount on backend's current_device

[Georges Basile Stavracas Neto <gbsneto src gnome org>]

commit 7306bbf01f53ac1f3d6c62df2094e6eac6cac5e2
Author: Olivier Fourdan <ofourdan redhat com>
Date:   Mon Oct 26 18:34:05 2020 +0100

    backend: Keep a refcount on backend's current_device
    
    Otherwise we might run into a use-after-free and crash on (virtual)
    device removal:
    
     Invalid read of size 8
       at clutter_input_device_get_device_type (clutter-input-device.c:811)
       by update_last_device (meta-backend.c:1282)
       by g_main_dispatch (gmain.c:3325)
       by g_main_context_dispatch (gmain.c:4016)
       by g_main_context_iterate.constprop.0 (gmain.c:4092)
       by g_main_loop_run (gmain.c:4290)
       by meta_run_main_loop (main.c:708)
       by meta_run (main.c:723)
       by main (main.c:550)
     Address is 32 bytes inside a block of size 504 free'd
       at free (vg_replace_malloc.c:538)
       by g_type_free_instance (gtype.c:1939)
       by clutter_event_free (clutter-event.c:1420)
       by _clutter_stage_process_queued_events (clutter-stage.c:830)
       by handle_frame_clock_before_frame (clutter-stage-view.c:1064)
       by clutter_frame_clock_dispatch (clutter-frame-clock.c:405)
       by frame_clock_source_dispatch (clutter-frame-clock.c:456)
       by g_main_dispatch (gmain.c:3325)
       by g_main_context_dispatch (gmain.c:4016)
       by g_main_context_iterate.constprop.0 (gmain.c:4092)
       by g_main_loop_run (gmain.c:4290)
       by meta_run_main_loop (main.c:708)
       by meta_run (main.c:723)
     Block was alloc'd at
       at malloc (vg_replace_malloc.c:307)
       by g_malloc (gmem.c:106)
       by g_slice_alloc (gslice.c:1025)
       by g_slice_alloc0 (gslice.c:1051)
       by g_type_create_instance (gtype.c:1839)
       by g_object_new_internal (gobject.c:1939)
       by g_object_new_valist (gobject.c:2264)
       by g_object_new (gobject.c:1782)
       by meta_input_device_native_new_virtual (meta-input-device-native.c:1365)
       by meta_virtual_input_device_native_constructed (meta-virtual-input-device-native.c:705)
       by g_object_new_internal (gobject.c:1979)
       by g_object_new_valist (gobject.c:2264)
    
    Suggested-by: Carlos Garnacho <carlosg gnome org>
    https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1529
    (cherry picked from commit 8711d8d5914df8e19a907105d9fa7139221f21b4)

 src/backends/meta-backend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/src/backends/meta-backend.c b/src/backends/meta-backend.c
index b1c6aa86cc..52b5b50e0d 100644
--- a/src/backends/meta-backend.c
+++ b/src/backends/meta-backend.c
@@ -201,6 +201,7 @@ meta_backend_finalize (GObject *object)
 
   g_list_free_full (priv->gpus, g_object_unref);
 
+  g_clear_object (&priv->current_device);
   g_clear_object (&priv->monitor_manager);
   g_clear_object (&priv->orientation_manager);
   g_clear_object (&priv->input_settings);
@@ -452,7 +453,7 @@ on_device_removed (ClutterSeat        *seat,
       gboolean has_touchscreen, has_pointing_device;
       ClutterInputDeviceType device_type;
 
-      priv->current_device = NULL;
+      g_clear_object (&priv->current_device);
       g_clear_handle_id (&priv->device_update_idle_id, g_source_remove);
 
       device_type = clutter_input_device_get_device_type (device);
@@ -1342,7 +1343,7 @@ meta_backend_update_last_device (MetaBackend        *backend,
       clutter_input_device_get_device_mode (device) == CLUTTER_INPUT_MODE_MASTER)
     return;
 
-  priv->current_device = device;
+  g_set_object (&priv->current_device, device);
 
   if (priv->device_update_idle_id == 0)
     {