From 2dce7352c1edfb13c90a8a3b858d113e3a9300b2 Mon Sep 17 00:00:00 2001
From: Wendi Gan
Date: Sat, 4 Apr 2026 13:37:48 +0800
Subject: Fix occasional UAF crashes in KConfig::sync() during exit Previously, c035e95 introduced `QtConcurrent::run` to execute `KConfig::sync()` in a separate thread. However, this introduced thread-safety issue: BUG 518433 (UAF caused by RC): During application exit, the main thread frees the old `s_sessionConfig` in `KMWSessionManager::saveState()` to create a new one. Meanwhile, the worker thread is still iterating over the old instance's entryMap during `KConfig::sync()`, leading to a Use-After-Free (UAF) crash. Changes: Copy the `config` in the main thread so `KConfig::sync()` can safely run in the worker. BUG: 518433 BUG: 516481 CCBUG: 425627
---
 src/dolphinmainwindow.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/dolphinmainwindow.cpp b/src/dolphinmainwindow.cpp
index e6da0f5e0..615e52480 100644
--- a/src/dolphinmainwindow.cpp
+++ b/src/dolphinmainwindow.cpp
@@ -87,6 +87,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -788,8 +789,10 @@ void DolphinMainWindow::slotSaveSession()
 KConfigGroup group = config->group(QStringLiteral("Number"));
 group.writeEntry("NumberOfWindows", 1); // Makes session restore aware that there is a window to restore.
- auto future = QtConcurrent::run([config]() {
- config->sync();
+ // Copy the config in the main thread so sync() can safely run in the worker.
+ QSharedPointer configCopy(config->copyTo(config->name()));
+ auto future = QtConcurrent::run([configCopy]() {
+ configCopy->sync();
 });
 m_sessionSaveWatcher->setFuture(future);
 }
--
cgit v1.3
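Review bot: After `config->copyTo(config->name())` in slotSaveSession, the original session `config` still holds the `NumberOfWindows` entry written two lines earlier and is never synced or cleaned here, so it presumably stays dirty while the worker writes `configCopy` to the same file name. The commit message says the main thread frees that object during exit; if a dirty KConfig syncs when it is destroyed, the file is written a second time on the main thread, possibly overlapping the worker's write. Please confirm that two KConfig instances targeting one file are serialised by the backend, and if the copy is meant to be the only writer consider adding `config->markAsClean();` directly after the copy. The new comment could also state the lifetime rule it relies on, for example `// config is owned elsewhere and may be deleted during exit; the worker must only touch its own copy.` The body of slotSaveSession starts outside this hunk, so the ownership of `config` is not visible here.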