From 6c93112a7eaeb94ad40afe53e6e6e4dc286cd307 Mon Sep 17 00:00:00 2001
From: Robin Gareus
Date: Tue, 27 Jan 2026 00:12:42 +0100
Subject: [PATCH] Fix crash when removing sends/listen
When removing the monitor section, or any route that has sends to it, Session::remove_routes will remove those sends. Despite Route::remove_processor taking the process lock and removing the send safely. The send itself will only be destroyed later. Furthermore the send first calls ~BufferSet() on its BufferSet mixbufs, before it itself is destroyed. It was possible to still respond to CycleStart signal which accessed the mixbufs from the RT thread, causing a heap-use-after-free.
---
 libs/ardour/ardour/internal_send.h | 1 +
 libs/ardour/internal_send.cc | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/libs/ardour/ardour/internal_send.h b/libs/ardour/ardour/internal_send.h
index a355ac22a0..3d1e423c33 100644
--- a/libs/ardour/ardour/internal_send.h
+++ b/libs/ardour/ardour/internal_send.h
@@ -73,6 +73,7 @@ private:
 bool _allow_feedback;
 PBD::ID _send_to_id;
 PBD::ScopedConnection connect_c;
+ PBD::ScopedConnection cycle_connection;
 PBD::ScopedConnection source_connection;
 PBD::ScopedConnectionList target_connections;
diff --git a/libs/ardour/internal_send.cc b/libs/ardour/internal_send.cc
index 9a0e78dd20..225e10ce27 100644
--- a/libs/ardour/internal_send.cc
+++ b/libs/ardour/internal_send.cc
@@ -69,11 +69,12 @@ InternalSend::InternalSend (Session& s,
 init_gain ();
 _send_from->DropReferences.connect_same_thread (source_connection, std::bind (&InternalSend::send_from_going_away, this));
- CycleStart.connect_same_thread (*this, std::bind (&InternalSend::cycle_start, this, _1));
+ CycleStart.connect_same_thread (cycle_connection, std::bind (&InternalSend::cycle_start, this, _1));
 }
 InternalSend::~InternalSend () {
+ cycle_connection.disconnect ();
 propagate_solo ();
 if (_send_to) {
 _send_to->remove_send_from_internal_return (this);
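Review bot: The new `cycle_connection` member in internal_send.h is declared without a comment, although the fix depends on it being disconnected before `mixbufs` is destroyed. Members are destroyed in reverse declaration order, and where `mixbufs` is declared relative to this member is outside the hunk, so the explicit disconnect in the destructor is what carries the guarantee. I would record that on the declaration, for example `// CycleStart handler; disconnected explicitly at the top of ~InternalSend`.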
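Review bot: The `cycle_connection.disconnect ()` added at the top of `~InternalSend` stops later CycleStart deliveries, but nothing visible in this hunk shows that it waits for a `cycle_start` call already running on the RT thread. If it does not, the destructor could presumably still go on to tear down `mixbufs` while that call is in flight. If PBD's disconnect does serialise against an emission in progress, a comment should state the guarantee the fix relies on, e.g. `// must come first: cycle_start() runs in the RT thread and touches mixbufs`. The `source_connection` callback connected in the same constructor also binds `this` and is still released only at member destruction, so it is worth confirming it cannot fire during teardown. The destructor body continues beyond the hunk.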