2006/11/10, Mike McCormack <mike@codeweavers.com>:

Eric Pouech wrote:
> IIRC, the issue in this code is that you access, in the _SAFE macro, the next
> field in the current cursor *after* the current cursor has been freed.
> The issue is not that the next item has been freed while iterating on the
> current cursor
> (this was at least the issue I had).

It looks like kill_thread can recurse if another thread is waiting on
the current thread we're killing.

wake_up -> wake_thread -> send_thread_wakeup -> kill_thread

If the waiting thread is in the current process, and it's later in the
list, I'm not sure anything stops it from being freed.
 
Well, the kill_thread in that case is only done when the waiting thread also died while waiting (i.e. has been killed by some other way). (In normal cases, the wait operation on the waiting side would just return an error code.)
I'm still not convinced this path is actually executed in that case.
What led you to write the patch?
A+

--
Eric Pouech
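
The hazard discussed in this thread, as an added C example that is not part of the original e-mails and is not Wine's server code: a loop that caches the successor, as a _SAFE-style macro does, visits a node that a recursive kill has already removed, while a loop that re-reads the list head does not. All names are hypothetical, and the `dead` flag stands in for `free()` so the stale visit is counted instead of dereferencing freed memory.

```c
#include <stdio.h>
/* Constructed model, not Wine's server code: 'dead' stands in for free(). */
struct node { struct node *next, *prev, *waiter; int dead; };
static void list_add_tail(struct node *h, struct node *n)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_remove(struct node *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->dead = 1; }

/* "Safe" iteration caches the successor before the loop body runs. */
#define FOR_EACH_SAFE(cur, nxt, head) \
    for ((cur) = (head)->next, (nxt) = (cur)->next; (cur) != (head); \
         (cur) = (nxt), (nxt) = (cur)->next)

/* Killing a node also kills the node waiting on it (the recursion). */
static void kill_node(struct node *n)
{
    if (n->dead) return;
    list_remove(n);
    if (n->waiter) kill_node(n->waiter);
}

/* Three nodes; the second one waits on the first (constructed input). */
static void build(struct node *h, struct node n[3])
{
    h->next = h->prev = h;
    for (int i = 0; i < 3; i++) { n[i].waiter = NULL; n[i].dead = 0; list_add_tail(h, &n[i]); }
    n[0].waiter = &n[1];
}

/* Returns how many already-dead nodes the cached-successor loop visits. */
int stale_visits_cached_next(void)
{
    struct node h, n[3], *cur, *nxt; int stale = 0;
    build(&h, n);
    FOR_EACH_SAFE(cur, nxt, &h) { if (cur->dead) stale++; kill_node(cur); }
    return stale;
}

/* Re-reading the head on every pass never trusts a cached successor. */
int stale_visits_from_head(void)
{
    struct node h, n[3]; int stale = 0;
    build(&h, n);
    while (h.next != &h) { if (h.next->dead) stale++; kill_node(h.next); }
    return stale;
}

int main(void)
{ printf("%d %d\n", stale_visits_cached_next(), stale_visits_from_head()); return 0; }
```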