From: Samuel Thibault
Date: Sat, 15 Jan 2022 20:30:17 +0000 (+0100)
Subject: htl: Clear kernel_thread field before releasing the thread structure
X-Git-Tag: glibc-2.35~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c1105e34aced53b26f02176b973079eb30fc54b1;p=thirdparty%2Fglibc.git

htl: Clear kernel_thread field before releasing the thread structure

Otherwise this is a use-after-free.
---

diff --git a/sysdeps/mach/htl/pt-thread-terminate.c b/sysdeps/mach/htl/pt-thread-terminate.c
index 0cf72b330f3..9bd6c3434d0 100644
--- a/sysdeps/mach/htl/pt-thread-terminate.c
+++ b/sysdeps/mach/htl/pt-thread-terminate.c
@@ -62,15 +62,15 @@ __pthread_thread_terminate (struct __pthread *thread)
 ? __mig_get_reply_port () : MACH_PORT_NULL;
 __mach_port_deallocate (__mach_task_self (), self_ktid);
 
+ /* The kernel thread won't be there any more. */
+ thread->kernel_thread = MACH_PORT_DEAD;
+
 /* Finally done with the thread structure. */
 __pthread_dealloc (thread);
 
 /* The wake up port is now no longer needed. */
 __mach_port_destroy (__mach_task_self (), wakeup_port);
 
- /* The kernel thread won't be there any more. */
- thread->kernel_thread = MACH_PORT_DEAD;
-
 /* Terminate and release all that's left. */
 err = __thread_terminate_release (kernel_thread, mach_task_self (),
 kernel_thread, reply_port,
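Review bot: The moved comment `/* The kernel thread won't be there any more. */` no longer says why the store has to sit before `__pthread_dealloc (thread)`, which is the whole point of the commit and the invariant a later edit is most likely to break by reordering. I would write it as `/* Mark the kernel thread as gone now: THREAD may be reused or released as soon as __pthread_dealloc returns, so it must not be touched after that call. */`. The statements that follow the dealloc in this hunk use only the locals `wakeup_port`, `kernel_thread` and `reply_port`, which appear to be copies taken earlier in `__pthread_thread_terminate` (its body starts before this hunk), so the hunk itself looks correct as long as that stays true. A one-line `/* Only local copies may be used from here on. */` after the `__pthread_dealloc` call would make that constraint visible at the place where a use-after-free would be introduced.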