RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-24 20:47:43 +00:00
Code Issues Activity Actions

Kernel: Close a Thread tid lookup race

Browse source 
There is a window between dropping a thread's last reference and it
being removed from the list.

Found in #5541
This commit is contained in:
Tom 2021-05-20 13:58:36 -06:00 committed by Andreas Kling
parent adfdfd6aba
commit 9dcc7a67e5
1 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
Kernel/Thread.cpp
View file

@ -1034,9 +1034,16 @@ RefPtr<Thread> Thread::from_tid(ThreadID tid)
RefPtr<Thread> found_thread; RefPtr<Thread> found_thread;
{ {
ScopedSpinLock lock(g_tid_map_lock); ScopedSpinLock lock(g_tid_map_lock);
auto it = g_tid_map->find(tid); if (auto it = g_tid_map->find(tid); it != g_tid_map->end()) {
if (it != g_tid_map->end()) // We need to call try_ref() here as there is a window between
found_thread = it->value; // dropping the last reference and calling the Thread's destructor!
// We shouldn't remove the threads from that list until it is truly
// destructed as it may stick around past finalization in order to
// be able to wait() on it!
if (it->value->try_ref()) {
found_thread = adopt_ref(*it->value);
}
}
} }
return found_thread; return found_thread;
} }