usbdmx: Fix use after free hazard in AsyncUsb* destructor

DanielG · DanielG · commit 5b3c5c7d253c · 2021-02-22T09:24:48.000+01:00
diff --git a/plugins/usbdmx/AVLdiyD512.cpp b/plugins/usbdmx/AVLdiyD512.cpp
@@ -124,7 +124,6 @@ class AVLdiyAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~AVLdiyAsyncUsbSender() {
-    CancelTransfer();
     delete[] m_control_setup_buffer;
   }
 
diff --git a/plugins/usbdmx/AnymauDMX.cpp b/plugins/usbdmx/AnymauDMX.cpp
@@ -124,7 +124,6 @@ class AnymaAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~AnymaAsyncUsbSender() {
-    CancelTransfer();
     delete[] m_control_setup_buffer;
   }
 
diff --git a/plugins/usbdmx/AsyncUsbReceiver.cpp b/plugins/usbdmx/AsyncUsbReceiver.cpp
@@ -36,6 +36,8 @@ AsyncUsbReceiver::AsyncUsbReceiver(ola::usb::LibUsbAdaptor *adaptor,
 }
 
 AsyncUsbReceiver::~AsyncUsbReceiver() {
+  ola::thread::MutexLocker locker(&m_mutex);
+  CancelTransfer();
   if (!m_inited_with_handle) {
     m_adaptor->Close(m_usb_handle);
   }
diff --git a/plugins/usbdmx/AsyncUsbSender.cpp b/plugins/usbdmx/AsyncUsbSender.cpp
@@ -37,6 +37,8 @@ AsyncUsbSender::AsyncUsbSender(LibUsbAdaptor *adaptor,
 }
 
 AsyncUsbSender::~AsyncUsbSender() {
+  ola::thread::MutexLocker locker(&m_mutex);
+  CancelTransfer();
   m_adaptor->Close(m_usb_handle);
 }
 
diff --git a/plugins/usbdmx/AsyncUsbTransceiverBase.cpp b/plugins/usbdmx/AsyncUsbTransceiverBase.cpp
@@ -63,6 +63,12 @@ void AsyncUsbTransceiverBase::TransferCompleteInternal(
   }
 
   TransferComplete(transfer);
+
+  {
+    ola::thread::MutexLocker locker(&m_mutex);
+    if (m_inflight.empty())
+      m_cond.Signal();
+  }
 }
 
 AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,
@@ -82,8 +88,6 @@ AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,
 AsyncUsbTransceiverBase::~AsyncUsbTransceiverBase() {
   ola::thread::MutexLocker locker(&m_mutex);
 
-  CancelTransfer();
-
   m_adaptor->UnrefDevice(m_usb_device);
 
   while (!m_idle.empty()) {
@@ -118,6 +122,13 @@ void AsyncUsbTransceiverBase::CancelTransfer() {
                << m_adaptor->ErrorCodeToString(ret);
     }
   }
+
+  while (!m_inflight.empty()) {
+    /* Wait for cancelled transfers to complete. Not waiting for the
+     * callbacks to happen is undefined behaviour according to libusb
+     * docs. */
+    m_cond.Wait(&m_mutex);
+  }
 }
 
 struct libusb_transfer *AsyncUsbTransceiverBase::CurrentTransfer() {
diff --git a/plugins/usbdmx/AsyncUsbTransceiverBase.h b/plugins/usbdmx/AsyncUsbTransceiverBase.h
@@ -101,7 +101,7 @@ class AsyncUsbTransceiverBase {
   virtual void PostTransferHook() {}
 
   /**
-   * @brief Cancel any pending transfers.
+   * @brief Cancel any pending transfers and wait for them to complete.
    */
   void CancelTransfer();
 
@@ -139,6 +139,7 @@ class AsyncUsbTransceiverBase {
   std::queue<struct libusb_transfer*> m_idle;  // GUARDED_BY(m_mutex);
 
   ola::thread::Mutex m_mutex;
+  ola::thread::ConditionVariable m_cond;
 
  private:
   /**
diff --git a/plugins/usbdmx/DMXCProjectsNodleU1.cpp b/plugins/usbdmx/DMXCProjectsNodleU1.cpp
@@ -335,7 +335,6 @@ class DMXCProjectsNodleU1AsyncUsbReceiver : public AsyncUsbReceiver {
   }
 
   ~DMXCProjectsNodleU1AsyncUsbReceiver() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
@@ -390,7 +389,6 @@ class DMXCProjectsNodleU1AsyncUsbSender : public AsyncUsbSender {
   }
 
   ~DMXCProjectsNodleU1AsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/DMXCreator512Basic.cpp b/plugins/usbdmx/DMXCreator512Basic.cpp
@@ -193,7 +193,6 @@ class DMXCreator512BasicAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~DMXCreator512BasicAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/EurolitePro.cpp b/plugins/usbdmx/EurolitePro.cpp
@@ -224,7 +224,6 @@ class EuroliteProAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~EuroliteProAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/ShowJockeyDMXU1.cpp b/plugins/usbdmx/ShowJockeyDMXU1.cpp
@@ -277,7 +277,6 @@ class ShowJockeyDMXU1AsyncUsbSender : public AsyncUsbSender {
   }
 
   ~ShowJockeyDMXU1AsyncUsbSender() {
-    CancelTransfer();
     delete[] m_tx_frame;
   }
 
diff --git a/plugins/usbdmx/Sunlite.cpp b/plugins/usbdmx/Sunlite.cpp
@@ -173,7 +173,6 @@ class SunliteAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~SunliteAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/VellemanK8062.cpp b/plugins/usbdmx/VellemanK8062.cpp
@@ -338,7 +338,6 @@ class VellemanAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~VellemanAsyncUsbSender() {
-    CancelTransfer();
     if (m_packet) {
       delete[] m_packet;
     }

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,6 @@ class AVLdiyAsyncUsbSender : public AsyncUsbSender {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`~AVLdiyAsyncUsbSender() {`
`127`		`- CancelTransfer();`
`128`	`127`	`delete[] m_control_setup_buffer;`
`129`	`128`	`}`
`130`	`129`
Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,6 @@ class AnymaAsyncUsbSender : public AsyncUsbSender {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`~AnymaAsyncUsbSender() {`
`127`		`- CancelTransfer();`
`128`	`127`	`delete[] m_control_setup_buffer;`
`129`	`128`	`}`
`130`	`129`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ AsyncUsbReceiver::AsyncUsbReceiver(ola::usb::LibUsbAdaptor *adaptor,`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`AsyncUsbReceiver::~AsyncUsbReceiver() {`
	`39`	`+ ola::thread::MutexLocker locker(&m_mutex);`
	`40`	`+ CancelTransfer();`
`39`	`41`	`if (!m_inited_with_handle) {`
`40`	`42`	`m_adaptor->Close(m_usb_handle);`
`41`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ AsyncUsbSender::AsyncUsbSender(LibUsbAdaptor *adaptor,`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`AsyncUsbSender::~AsyncUsbSender() {`
	`40`	`+ ola::thread::MutexLocker locker(&m_mutex);`
	`41`	`+ CancelTransfer();`
`40`	`42`	`m_adaptor->Close(m_usb_handle);`
`41`	`43`	`}`
`42`	`44`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,12 @@ void AsyncUsbTransceiverBase::TransferCompleteInternal(`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`TransferComplete(transfer);`
	`66`	`+`
	`67`	`+ {`
	`68`	`+ ola::thread::MutexLocker locker(&m_mutex);`
	`69`	`+ if (m_inflight.empty())`
	`70`	`+ m_cond.Signal();`
	`71`	`+ }`
`66`	`72`	`}`
`67`	`73`
`68`	`74`	`AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,`
`@@ -82,8 +88,6 @@ AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,`
`82`	`88`	`AsyncUsbTransceiverBase::~AsyncUsbTransceiverBase() {`
`83`	`89`	`ola::thread::MutexLocker locker(&m_mutex);`
`84`	`90`
`85`		`- CancelTransfer();`
`86`		`-`
`87`	`91`	`m_adaptor->UnrefDevice(m_usb_device);`
`88`	`92`
`89`	`93`	`while (!m_idle.empty()) {`
`@@ -118,6 +122,13 @@ void AsyncUsbTransceiverBase::CancelTransfer() {`
`118`	`122`	`<< m_adaptor->ErrorCodeToString(ret);`
`119`	`123`	`}`
`120`	`124`	`}`
	`125`	`+`
	`126`	`+ while (!m_inflight.empty()) {`
	`127`	`+ /* Wait for cancelled transfers to complete. Not waiting for the`
	`128`	`+ * callbacks to happen is undefined behaviour according to libusb`
	`129`	`+ * docs. */`
	`130`	`+ m_cond.Wait(&m_mutex);`
	`131`	`+ }`
`121`	`132`	`}`
`122`	`133`
`123`	`134`	`struct libusb_transfer *AsyncUsbTransceiverBase::CurrentTransfer() {`
Original file line number	Diff line number	Diff line change
`@@ -335,7 +335,6 @@ class DMXCProjectsNodleU1AsyncUsbReceiver : public AsyncUsbReceiver {`
`335`	`335`	`}`
`336`	`336`
`337`	`337`	`~DMXCProjectsNodleU1AsyncUsbReceiver() {`
`338`		`- CancelTransfer();`
`339`	`338`	`}`
`340`	`339`
`341`	`340`	`libusb_device_handle* SetupHandle() {`
`@@ -390,7 +389,6 @@ class DMXCProjectsNodleU1AsyncUsbSender : public AsyncUsbSender {`
`390`	`389`	`}`
`391`	`390`
`392`	`391`	`~DMXCProjectsNodleU1AsyncUsbSender() {`
`393`		`- CancelTransfer();`
`394`	`392`	`}`
`395`	`393`
`396`	`394`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,6 @@ class DMXCreator512BasicAsyncUsbSender : public AsyncUsbSender {`
`193`	`193`	`}`
`194`	`194`
`195`	`195`	`~DMXCreator512BasicAsyncUsbSender() {`
`196`		`- CancelTransfer();`
`197`	`196`	`}`
`198`	`197`
`199`	`198`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,6 @@ class EuroliteProAsyncUsbSender : public AsyncUsbSender {`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`~EuroliteProAsyncUsbSender() {`
`227`		`- CancelTransfer();`
`228`	`227`	`}`
`229`	`228`
`230`	`229`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -277,7 +277,6 @@ class ShowJockeyDMXU1AsyncUsbSender : public AsyncUsbSender {`
`277`	`277`	`}`
`278`	`278`
`279`	`279`	`~ShowJockeyDMXU1AsyncUsbSender() {`
`280`		`- CancelTransfer();`
`281`	`280`	`delete[] m_tx_frame;`
`282`	`281`	`}`
`283`	`282`