runloop_event_deinit_core calls retro_unload_game and retro_deinit

LibretroAdmin · LibretroAdmin · commit 3eedad0aa558 · 2026-05-03T05:23:48.000+02:00
before uninit_libretro_symbols. The autosave_t-&gt;retro_buffer field
borrows a pointer from core_get_memory(), and the autosave worker
thread reads from it continuously via memcpy and intfstream_write.
If a worker is mid-read when retro_unload_game / retro_deinit frees
the underlying memory, the worker reads freed memory.

The standard MAIN_DEINIT path joins the autosave worker at
retroarch.c:8508 (autosave_deinit, gated on RUNLOOP_FLAG_USE_SRAM)
before reaching CMD_EVENT_CORE_DEINIT at line 8524. That path is
safe.

The error paths in retroarch_main_init are not safe. The dummy-core
fallback at retroarch.c:8314 and the error: label at retroarch.c:8414
both call CMD_EVENT_CORE_DEINIT directly without first joining the
autosave worker. event_init_content (the function whose failure
typically lands us in those error paths) calls
runloop_path_init_savefile -&gt; CMD_EVENT_AUTOSAVE_INIT, which can
start a worker thread before later steps in event_init_content fail.
That worker is still running when CMD_EVENT_CORE_DEINIT executes.

Make runloop_event_deinit_core join the autosave worker itself,
gated on RUNLOOP_FLAG_USE_SRAM to match the existing MAIN_DEINIT
gate. autosave_deinit is idempotent (loop is empty when
autosave_state.num is 0, free(NULL) is a no-op), so this is safe
to call from the standard path where the worker was already joined.

This makes the retro_buffer borrow lifetime contract local to
runloop_event_deinit_core rather than depending on call-site
discipline at every CMD_EVENT_CORE_DEINIT site.
diff --git a/runloop.c b/runloop.c
@@ -4063,6 +4063,25 @@ void runloop_event_deinit_core(void)
    runloop_state_t *runloop_st = &runloop_state;
    settings_t        *settings = config_get_ptr();
 
+#ifdef HAVE_THREADS
+   /* Defensive: ensure the autosave worker thread is joined
+    * before we touch core-owned memory. autosave_t->retro_buffer
+    * borrows a pointer from core_get_memory(); if a worker is
+    * mid-read when retro_unload_game / retro_deinit frees that
+    * region, the worker reads freed memory.
+    *
+    * The standard MAIN_DEINIT path already calls autosave_deinit
+    * before reaching here, so this is normally a no-op. The error
+    * paths in retroarch_main_init (the dummy-core fallback at
+    * retroarch.c:8314 and the error: label at retroarch.c:8414)
+    * reach CMD_EVENT_CORE_DEINIT without the explicit teardown,
+    * which can leave a worker alive if event_init_content failed
+    * after starting one. autosave_deinit is idempotent so the
+    * extra call is safe regardless of which path got us here. */
+   if (runloop_st->flags & RUNLOOP_FLAG_USE_SRAM)
+      autosave_deinit();
+#endif
+
    core_unload_game();
 
    /* Reset core sensor tracking — the core is going away */
