From 16a2f93629f75d182871f288f0396afe6cdc8504 Mon Sep 17 00:00:00 2001
From: Peter Todd
Date: Tue, 10 Nov 2015 17:58:06 -0500
Subject: [PATCH] Fix incorrect locking of mempool during RBF replacement

Previously RemoveStaged() was called without pool.cs held.
---
 src/main.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/main.cpp b/src/main.cpp
index 79d4c91b7..e3527a83d 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -1006,10 +1006,13 @@ bool AcceptToMemoryPool(CTxMemPool& pool, CValidationState &state, const CTransa
 size_t nConflictingSize = 0;
 uint64_t nConflictingCount = 0;
 CTxMemPool::setEntries allConflicting;
+
+ // If we don't hold the lock allConflicting might be incomplete; the
+ // subsequent RemoveStaged() and addUnchecked() calls don't guarantee
+ // mempool consistency for us.
+ LOCK(pool.cs);
 if (setConflicts.size())
 {
- LOCK(pool.cs);
-
 CFeeRate newFeeRate(nFees, nSize);
 set setConflictsParents;
 const int maxDescendantsToVisit = 100;
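Review bot: `setConflicts` is read immediately after the new `LOCK(pool.cs)` but is populated before it, so if it was built under an earlier lock scope that has since been released, the conflict set may already be stale when `allConflicting` is derived from it. That would leave a check-then-act gap of the same kind this commit closes for RemoveStaged(). Unless an outer lock not visible in this hunk serialises callers, consider taking `LOCK(pool.cs)` before `setConflicts` is computed, or record the reliance in the new comment, e.g. `// setConflicts was computed earlier; callers must hold cs_main so the pool cannot change in between.` The lock now lives until the end of the enclosing scope, which closes outside this hunk, so neither its coverage of RemoveStaged()/addUnchecked() nor the amount of validation work done while it is held can be confirmed from here.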