From: Peter Hawkins Date: Thu, 6 Feb 2025 18:49:29 +0000 (-0500) Subject: gh-129732: Fix race on `shared->array` in qsbr code under free-threading (gh-129738) X-Git-Tag: v3.14.0a5~82 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4ff8b22b3066b814c3758f87eaddfa923e657ed;p=thirdparty%2FPython%2Fcpython.git gh-129732: Fix race on `shared->array` in qsbr code under free-threading (gh-129738) The read of `shared->array` should happen under the lock to avoid a race. --- diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-02-06-17-57-33.gh-issue-129732.yl97oq.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-02-06-17-57-33.gh-issue-129732.yl97oq.rst new file mode 100644 index 000000000000..a4b104af6169 --- /dev/null +++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-02-06-17-57-33.gh-issue-129732.yl97oq.rst @@ -0,0 +1 @@ +Fixed a race in ``_Py_qsbr_reserve`` in the free threading build. diff --git a/Python/qsbr.c b/Python/qsbr.c index a40219acfe2c..0df1285cc8e0 100644 --- a/Python/qsbr.c +++ b/Python/qsbr.c @@ -205,15 +205,15 @@ _Py_qsbr_reserve(PyInterpreterState *interp) } _PyEval_StartTheWorld(interp); } - PyMutex_Unlock(&shared->mutex); - - if (qsbr == NULL) { - return -1; - } // Return an index rather than the pointer because the array may be // resized and the pointer invalidated. - return (struct _qsbr_pad *)qsbr - shared->array; + Py_ssize_t index = -1; + if (qsbr != NULL) { + index = (struct _qsbr_pad *)qsbr - shared->array; + } + PyMutex_Unlock(&shared->mutex); + return index; } void
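Review bot: In the Misc/NEWS.d hunk, the entry names ``_Py_qsbr_reserve`` but does not say what raced, while the commit message is more specific: the read of `shared->array` happened outside the lock. Consider carrying that detail into the entry, for example by stating that the read of `shared->array` now happens while the mutex is held, so that someone triaging a sanitizer report can match it to this fix.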
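Review bot: In the Python/qsbr.c hunk, the retained comment above `Py_ssize_t index = -1;` explains why an index is returned, but not why the subtraction `(struct _qsbr_pad *)qsbr - shared->array` has to run before `PyMutex_Unlock(&shared->mutex)`. That ordering is the whole fix, so extend the comment to say that `shared->array` may be resized by another thread and must only be read while `shared->mutex` is held; otherwise a later cleanup could move the unlock back above the computation. The patch also carries no test. A stress test that calls the reserve path from several threads, run under a thread sanitizer build, would guard against a regression.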