Kernel: Lock weak pointer revocation during listed-ref-counted unref

When doing the last unref() on a listed-ref-counted object, we keep
the list locked while mutating the ref count. The destructor itself
is invoked after unlocking the list.

This was racy with weakable classes, since their weak pointer factory
still pointed to the object after we'd decided to destroy it. That
opened a small time window where someone could try to strong-ref a weak
pointer to an object after it was removed from the list, but just before
the destructor got invoked.

This patch closes the race window by explicitly revoking all weak
pointers while the list is locked.

Kernel/Net/TCPSocket.cpp

@@ -35,6 +35,7 @@ bool TCPSocket::unref() const
         if (deref_base())
             return false;
         table.remove(tuple());
+        const_cast<TCPSocket&>(*this).revoke_weak_ptrs();
         return true;
     });
     if (did_hit_zero) {