From 89004a3a40cc88f7abb19650bc59a15ca35dcd46 Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Mon, 8 Jun 2020 14:29:37 +0300
Subject: [PATCH] LibCore: Make sure to disable notifiers when closing a socket RefPtr doesn't work quite like it appears to, since the notifier is also a "child" of the socket, in Core::Object sense. Thus we have to both remove it from the parent (socket) and drop the additional RefPtr for it to actually go away. A proper fix for this would be to untangle parent-child relashionship from refcounting and inspectability. This fixes use-after-close of client file descriptors in IPC servers.
---
 Libraries/LibCore/Socket.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Libraries/LibCore/Socket.cpp b/Libraries/LibCore/Socket.cpp
index 5ce1e42ae8..e5d5411829 100644
--- a/Libraries/LibCore/Socket.cpp
+++ b/Libraries/LibCore/Socket.cpp
@@ -181,7 +181,14 @@ bool Socket::send(const ByteBuffer& data)
 void Socket::did_update_fd(int fd)
 {
 if (fd < 0) {
- m_read_notifier = nullptr;
+ if (m_read_notifier) {
+ m_read_notifier->remove_from_parent();
+ m_read_notifier = nullptr;
+ }
+ if (m_notifier) {
+ m_notifier->remove_from_parent();
+ m_notifier = nullptr;
+ }
 return;
 }
 if (m_connected) {
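Review bot: Both new branches under `if (fd < 0)` in `did_update_fd()` stop the notifier only by destroying it, so any reference the hunk does not account for (none is visible here, but the commit message itself notes that the ownership is tangled) would leave it registered against a descriptor number that can be handed to the next client. Disabling it explicitly before detaching makes the teardown independent of the refcount: `m_read_notifier->set_enabled(false);` ahead of `remove_from_parent()`, and the same for `m_notifier`. The reason for the two-step release is recorded only in the commit message; a comment such as `// The notifier is also a Core::Object child of this socket; dropping the RefPtr alone keeps it alive.` above the first branch would keep a later cleanup from collapsing it back to a bare assignment. The function body continues past the end of the hunk, so the re-creation path for these notifiers is not visible here.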