From: Stefan Eissing <stefan@eissing.org>
Date: Mon, 12 May 2025 08:08:21 +0000 (+0200)
Subject: asny-thrdd: fix detach from running thread
X-Git-Tag: curl-8_14_0~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e1040fa5ce6c02f2ccedb2b29cda381ccd849c1;p=thirdparty%2Fcurl.git

asny-thrdd: fix detach from running thread

When cancelling a threaded resolve and the thread is
still running, detach from it under the mutex lock.

Otherwise, the detach might happen after the thread finished
and access already freed memory.

Fixes #17256
Reported-by: Mathieu Garaud
Closes #17320
---

diff --git a/lib/asyn-thrdd.c b/lib/asyn-thrdd.c
index 3e705425f8..a95c736b65 100644
--- a/lib/asyn-thrdd.c
+++ b/lib/asyn-thrdd.c
@@ -323,14 +323,14 @@ static void async_thrdd_destroy(struct Curl_easy *data)
     CURL_TRC_DNS(data, "resolve, destroy async data, shared ref=%d",
                  addr->ref_count);
     done = !addr->ref_count;
-    Curl_mutex_release(&addr->mutx);
-
     if(!done) {
-      /* thread is still running. Detach the thread, it will
+      /* thread is still running. Detach the thread while mutexed, it will
        * trigger the cleanup when it releases its reference. */
       Curl_thread_destroy(&addr->thread_hnd);
     }
-    else {
+    Curl_mutex_release(&addr->mutx);
+
+    if(done) {
       /* thread has released its reference, join it and
        * release the memory we shared with it. */
       if(addr->thread_hnd != curl_thread_t_null)