git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Sam Gross <colesbury@gmail.com>
	Wed, 22 Apr 2026 18:56:24 +0000 (14:56 -0400)
committer	GitHub <noreply@github.com>
	Wed, 22 Apr 2026 18:56:24 +0000 (18:56 +0000)
commit	1b2301c009e4363d90aa3babcfde0b1a8489ae6b
tree	be66f6b4e25ecc241cf2049c3e593b1f85e2c8d6	tree \| snapshot
parent	95633d2aad4721e25e4dfd9f43dfb6e1edcbd741	commit \| diff

[3.13] gh-148820: Fix _PyRawMutex use-after-free on spurious semaphore wakeup (gh-148852) (#148885)

_PyRawMutex_UnlockSlow CAS-removes the waiter from the list and then
calls _PySemaphore_Wakeup, with no handshake. If _PySemaphore_Wait
returns Py_PARK_INTR, the waiter can destroy its stack-allocated
semaphore before the unlocker's Wakeup runs, causing a fatal error from
ReleaseSemaphore / sem_post.

Loop in _PyRawMutex_LockSlow until _PySemaphore_Wait returns Py_PARK_OK,
which is only signalled when a matching Wakeup has been observed.

Also include GetLastError() and the handle in the Windows fatal messages
in _PySemaphore_Init, _PySemaphore_Wait, and _PySemaphore_Wakeup to make
similar races easier to diagnose in the future.

(cherry picked from commit ad3c5b7958b890382f431a53349320cb7c84d405)

Misc/NEWS.d/next/Core_and_Builtins/2026-04-21-14-36-44.gh-issue-148820.XhOGhA.rst	[new file with mode: 0644]	blob
Python/lock.c		diff \| blob \| blame \| history
Python/parking_lot.c		diff \| blob \| blame \| history