mirror/transmission
1
0
Fork 0
mirror of https://github.com/transmission/transmission synced 2025-01-03 05:25:52 +00:00
Code Issues Releases Wiki Activity

fix: crash in tr_torrent::VerifyMediator::on_verify_done() (#6918)

Browse source 
The crash will happen if the following series of events happened:
1. Torrent verification starts for a `tr_torrent` object.
2. The session thread starts executing `tr_torrentFreeInSessionThread()`, about to free this `tr_torrent` object.
3. `tr_torrent::VerifyMediator::on_verify_done()` queues a lambda that captures a pointer to the `tr_torrent` object.
4. The `tr_torrent` object is freed.
5. The session thread executes the lambda from Step 3, and crashes when dereferencing the dangling `tr_torrent` pointer.
This commit is contained in:
Yat Ho 2024-07-11 06:48:54 +08:00 committed by GitHub
parent 24f1e15767
commit 5e08164742
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
libtransmission/torrent.cc
View file

@ -1690,9 +1690,12 @@ void tr_torrent::VerifyMediator::on_verify_done(bool const aborted)
if (!aborted && !tor_->is_deleting_) if (!aborted && !tor_->is_deleting_)
{ {
tor_->session->run_in_session_thread( tor_->session->run_in_session_thread(
[tor = tor_]() // Do not capture the torrent pointer directly, or else we will crash if program
// execution reaches this point while the session thread is about to free this torrent.
[tor_id = tor_->id(), session = tor_->session]()
{ {
if (tor->is_deleting_) auto* const tor = session->torrents().get(tor_id);
if (tor == nullptr || tor->is_deleting_)
{ {
return; return;
} }