usbdmx: Fix use after free hazard in destructor

Author: DanielG

plugins/usbdmx/AsyncUsbTransceiverBase.cpp

@@ -62,6 +62,12 @@ void AsyncUsbTransceiverBase::TransferCompleteInternal(
     m_device_disconnected = true;
 
   TransferComplete(transfer);
+
+  {
+    ola::thread::MutexLocker locker(&m_mutex);
+    if (m_inflight.empty())
+      m_cond.Signal();
+  }
 }
 
 AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,
@@ -83,6 +89,14 @@ AsyncUsbTransceiverBase::~AsyncUsbTransceiverBase() {
 
   CancelTransfer();
 
+  while (!m_inflight.empty()) {
+    /* Wait for cancelled transfers to complete, freeing the transfers
+     * below before the callbacks happen is undefined behaviour according
+     * to libusb docs. Here's to hoping this destructor runs in a different
+     * thread than the one processing libusb callbacks. */
+    m_cond.Wait(&m_mutex);
+  }
+
   m_adaptor->UnrefDevice(m_usb_device);
 
   while (!m_idle.empty()) {

plugins/usbdmx/AsyncUsbTransceiverBase.h

@@ -134,6 +134,7 @@ class AsyncUsbTransceiverBase {
   std::queue<struct libusb_transfer*> m_idle;  // GUARDED_BY(m_mutex);
 
   ola::thread::Mutex m_mutex;
+  ola::thread::ConditionVariable m_cond;
 
  private:
   /**