Open
Description
In `gamemode-context.c`, the `game_mode_context_auto_expire` function iterates over the registered clients and checks whether each client's process has exited. When an expired process is found, it unlocks the rwlock before calling `game_mode_context_unregister`; however, it passes `client->pid` as an argument to that unregister call after the lock has already been released.
```c
// daemon/gamemode-context.c:667-675
if (kill(client->pid, 0) != 0) {
    LOG_MSG("Removing expired game [%i]...\n", client->pid);
    pthread_rwlock_unlock(&self->rwlock);
    // BUG: `client` pointer is accessed here after the lock is released
    game_mode_context_unregister(self, client->pid, client->pid);
    removing = true;
    break;
}
```

Since function arguments in C are evaluated immediately before the call, `client->pid` is read after `pthread_rwlock_unlock`. In a concurrent environment, another thread (e.g., one handling a D-Bus `UnregisterGame` request) may already have acquired the write lock, unlinked the client, and called `free(client)` before `client->pid` is evaluated, resulting in a Use-After-Free (UAF).