From c1105e34aced53b26f02176b973079eb30fc54b1 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Sat, 15 Jan 2022 21:30:17 +0100
Subject: [PATCH] htl: Clear kernel_thread field before releasing the thread structure

Otherwise this is a use-after-free.
---
 sysdeps/mach/htl/pt-thread-terminate.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysdeps/mach/htl/pt-thread-terminate.c b/sysdeps/mach/htl/pt-thread-terminate.c
index 0cf72b330f3..9bd6c3434d0 100644
--- a/sysdeps/mach/htl/pt-thread-terminate.c
+++ b/sysdeps/mach/htl/pt-thread-terminate.c
@@ -62,15 +62,15 @@ __pthread_thread_terminate (struct __pthread *thread)
 ? __mig_get_reply_port () : MACH_PORT_NULL;
 __mach_port_deallocate (__mach_task_self (), self_ktid);
 
+ /* The kernel thread won't be there any more. */
+ thread->kernel_thread = MACH_PORT_DEAD;
+
 /* Finally done with the thread structure. */
 __pthread_dealloc (thread);
 
 /* The wake up port is now no longer needed. */
 __mach_port_destroy (__mach_task_self (), wakeup_port);
 
- /* The kernel thread won't be there any more. */
- thread->kernel_thread = MACH_PORT_DEAD;
-
 /* Terminate and release all that's left. */
 err = __thread_terminate_release (kernel_thread, mach_task_self (),
 kernel_thread, reply_port,
-- 
2.47.2
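Review bot: After `__pthread_dealloc (thread);` the `thread` pointer stays live for the rest of `__pthread_thread_terminate`, which continues past the end of this hunk, so nothing stops a later edit from reintroducing exactly the use-after-free this commit fixes. The two remaining uses below the dealloc, `wakeup_port` and `kernel_thread`, are locals that appear to have been captured from the structure earlier in the function (outside the hunk), which is why they are safe here, but a reader has to infer that. I would make the boundary explicit right after the dealloc call: `thread = NULL;  /* Structure may be reused by another thread; do not touch it past this point.  */`. Whether storing `MACH_PORT_DEAD` into a structure that is released on the very next line still has an observable effect depends on what `__pthread_dealloc` and later readers of a recycled structure do with `kernel_thread`, which is not visible in this hunk; a one-line comment naming that reader would tell the next maintainer why the store must stay.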