Kernel: Close a Thread tid lookup race

There is a window between dropping a thread's last reference and it being removed from the list. Found in #5541
Author: https://github.com/tomuta Commit: https://github.com/SerenityOS/serenity/commit/9dcc7a67e5d Pull-request: https://github.com/SerenityOS/serenity/pull/7324
2021-05-20 13:58:36 -06:00 · 2021-05-20 13:58:36 -06:00 · 9dcc7a67e5 · 2024-07-18 17:41:00 +09:00
commit 9dcc7a67e5
parent adfdfd6aba
1 changed files with 10 additions and 3 deletions
--- a/Kernel/Thread.cpp
+++ b/Kernel/Thread.cpp
@ -1034,9 +1034,16 @@ RefPtr<Thread> Thread::from_tid(ThreadID tid)
    RefPtr<Thread> found_thread;
    {
        ScopedSpinLock lock(g_tid_map_lock);
-        auto it = g_tid_map->find(tid);
-        if (it != g_tid_map->end())
-            found_thread = it->value;
+        if (auto it = g_tid_map->find(tid); it != g_tid_map->end()) {
+            // We need to call try_ref() here as there is a window between
+            // dropping the last reference and calling the Thread's destructor!
+            // We shouldn't remove the threads from that list until it is truly
+            // destructed as it may stick around past finalization in order to
+            // be able to wait() on it!
+            if (it->value->try_ref()) {
+                found_thread = adopt_ref(*it->value);
+            }
+        }
    }
    return found_thread;
 }