usbdmx: Fix use after free hazard in AsyncUsb* destructor

DanielG · DanielG · commit 6147c2e459e5 · 2021-11-28T20:21:39.000+01:00
diff --git a/plugins/usbdmx/AVLdiyD512.cpp b/plugins/usbdmx/AVLdiyD512.cpp
@@ -124,7 +124,6 @@ class AVLdiyAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~AVLdiyAsyncUsbSender() {
-    CancelTransfer();
     delete[] m_control_setup_buffer;
   }
 
diff --git a/plugins/usbdmx/AnymauDMX.cpp b/plugins/usbdmx/AnymauDMX.cpp
@@ -124,7 +124,6 @@ class AnymaAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~AnymaAsyncUsbSender() {
-    CancelTransfer();
     delete[] m_control_setup_buffer;
   }
 
diff --git a/plugins/usbdmx/AsyncUsbReceiver.cpp b/plugins/usbdmx/AsyncUsbReceiver.cpp
@@ -36,6 +36,8 @@ AsyncUsbReceiver::AsyncUsbReceiver(ola::usb::LibUsbAdaptor *adaptor,
 }
 
 AsyncUsbReceiver::~AsyncUsbReceiver() {
+  ola::thread::MutexLocker locker(&m_mutex);
+  CancelTransfer();
   if (!m_inited_with_handle) {
     m_adaptor->Close(m_usb_handle);
   }
diff --git a/plugins/usbdmx/AsyncUsbSender.cpp b/plugins/usbdmx/AsyncUsbSender.cpp
@@ -37,6 +37,8 @@ AsyncUsbSender::AsyncUsbSender(LibUsbAdaptor *adaptor,
 }
 
 AsyncUsbSender::~AsyncUsbSender() {
+  ola::thread::MutexLocker locker(&m_mutex);
+  CancelTransfer();
   m_adaptor->Close(m_usb_handle);
 }
 
diff --git a/plugins/usbdmx/AsyncUsbTransceiverBase.cpp b/plugins/usbdmx/AsyncUsbTransceiverBase.cpp
@@ -63,6 +63,13 @@ void AsyncUsbTransceiverBase::TransferCompleteInternal(
   }
 
   TransferComplete(transfer);
+
+  {
+    ola::thread::MutexLocker locker(&m_mutex);
+    if (m_inflight.empty()) {
+      m_cond.Signal();
+    }
+  }
 }
 
 AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,
@@ -82,8 +89,6 @@ AsyncUsbTransceiverBase::AsyncUsbTransceiverBase(LibUsbAdaptor *adaptor,
 AsyncUsbTransceiverBase::~AsyncUsbTransceiverBase() {
   ola::thread::MutexLocker locker(&m_mutex);
 
-  CancelTransfer();
-
   m_adaptor->UnrefDevice(m_usb_device);
 
   while (!m_idle.empty()) {
@@ -121,6 +126,13 @@ void AsyncUsbTransceiverBase::CancelTransfer() {
           << m_adaptor->ErrorCodeToString(ret);
     }
   }
+
+  while (!m_inflight.empty()) {
+    /* Wait for cancelled transfers to complete. Not waiting for the
+     * callbacks to happen is undefined behaviour according to libusb
+     * docs. */
+    m_cond.Wait(&m_mutex);
+  }
 }
 
 struct libusb_transfer *AsyncUsbTransceiverBase::CurrentTransfer() {
diff --git a/plugins/usbdmx/AsyncUsbTransceiverBase.h b/plugins/usbdmx/AsyncUsbTransceiverBase.h
@@ -101,7 +101,7 @@ class AsyncUsbTransceiverBase {
   virtual void PostTransferHook() {}
 
   /**
-   * @brief Cancel any pending transfers.
+   * @brief Cancel any pending transfers and wait for them to complete.
    */
   void CancelTransfer();
 
@@ -139,6 +139,7 @@ class AsyncUsbTransceiverBase {
   std::queue<struct libusb_transfer*> m_idle;  // GUARDED_BY(m_mutex);
 
   ola::thread::Mutex m_mutex;
+  ola::thread::ConditionVariable m_cond;
 
  private:
   /**
diff --git a/plugins/usbdmx/DMXCProjectsNodleU1.cpp b/plugins/usbdmx/DMXCProjectsNodleU1.cpp
@@ -338,7 +338,6 @@ class DMXCProjectsNodleU1AsyncUsbReceiver : public AsyncUsbReceiver {
   }
 
   ~DMXCProjectsNodleU1AsyncUsbReceiver() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
@@ -393,7 +392,6 @@ class DMXCProjectsNodleU1AsyncUsbSender : public AsyncUsbSender {
   }
 
   ~DMXCProjectsNodleU1AsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/DMXCreator512Basic.cpp b/plugins/usbdmx/DMXCreator512Basic.cpp
@@ -193,7 +193,6 @@ class DMXCreator512BasicAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~DMXCreator512BasicAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/EurolitePro.cpp b/plugins/usbdmx/EurolitePro.cpp
@@ -224,7 +224,6 @@ class EuroliteProAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~EuroliteProAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/ShowJockeyDMXU1.cpp b/plugins/usbdmx/ShowJockeyDMXU1.cpp
@@ -277,7 +277,6 @@ class ShowJockeyDMXU1AsyncUsbSender : public AsyncUsbSender {
   }
 
   ~ShowJockeyDMXU1AsyncUsbSender() {
-    CancelTransfer();
     delete[] m_tx_frame;
   }
 
diff --git a/plugins/usbdmx/Sunlite.cpp b/plugins/usbdmx/Sunlite.cpp
@@ -173,7 +173,6 @@ class SunliteAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~SunliteAsyncUsbSender() {
-    CancelTransfer();
   }
 
   libusb_device_handle* SetupHandle() {
diff --git a/plugins/usbdmx/VellemanK8062.cpp b/plugins/usbdmx/VellemanK8062.cpp
@@ -338,7 +338,6 @@ class VellemanAsyncUsbSender : public AsyncUsbSender {
   }
 
   ~VellemanAsyncUsbSender() {
-    CancelTransfer();
     if (m_packet) {
       delete[] m_packet;
     }

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,6 @@ class AVLdiyAsyncUsbSender : public AsyncUsbSender {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`~AVLdiyAsyncUsbSender() {`
`127`		`- CancelTransfer();`
`128`	`127`	`delete[] m_control_setup_buffer;`
`129`	`128`	`}`
`130`	`129`
Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,6 @@ class AnymaAsyncUsbSender : public AsyncUsbSender {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`~AnymaAsyncUsbSender() {`
`127`		`- CancelTransfer();`
`128`	`127`	`delete[] m_control_setup_buffer;`
`129`	`128`	`}`
`130`	`129`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ AsyncUsbReceiver::AsyncUsbReceiver(ola::usb::LibUsbAdaptor *adaptor,`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`AsyncUsbReceiver::~AsyncUsbReceiver() {`
	`39`	`+ ola::thread::MutexLocker locker(&m_mutex);`
	`40`	`+ CancelTransfer();`
`39`	`41`	`if (!m_inited_with_handle) {`
`40`	`42`	`m_adaptor->Close(m_usb_handle);`
`41`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ AsyncUsbSender::AsyncUsbSender(LibUsbAdaptor *adaptor,`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`AsyncUsbSender::~AsyncUsbSender() {`
	`40`	`+ ola::thread::MutexLocker locker(&m_mutex);`
	`41`	`+ CancelTransfer();`
`40`	`42`	`m_adaptor->Close(m_usb_handle);`
`41`	`43`	`}`
`42`	`44`
Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,6 @@ class DMXCProjectsNodleU1AsyncUsbReceiver : public AsyncUsbReceiver {`
`338`	`338`	`}`
`339`	`339`
`340`	`340`	`~DMXCProjectsNodleU1AsyncUsbReceiver() {`
`341`		`- CancelTransfer();`
`342`	`341`	`}`
`343`	`342`
`344`	`343`	`libusb_device_handle* SetupHandle() {`
`@@ -393,7 +392,6 @@ class DMXCProjectsNodleU1AsyncUsbSender : public AsyncUsbSender {`
`393`	`392`	`}`
`394`	`393`
`395`	`394`	`~DMXCProjectsNodleU1AsyncUsbSender() {`
`396`		`- CancelTransfer();`
`397`	`395`	`}`
`398`	`396`
`399`	`397`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,6 @@ class DMXCreator512BasicAsyncUsbSender : public AsyncUsbSender {`
`193`	`193`	`}`
`194`	`194`
`195`	`195`	`~DMXCreator512BasicAsyncUsbSender() {`
`196`		`- CancelTransfer();`
`197`	`196`	`}`
`198`	`197`
`199`	`198`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,6 @@ class EuroliteProAsyncUsbSender : public AsyncUsbSender {`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`~EuroliteProAsyncUsbSender() {`
`227`		`- CancelTransfer();`
`228`	`227`	`}`
`229`	`228`
`230`	`229`	`libusb_device_handle* SetupHandle() {`
Original file line number	Diff line number	Diff line change
`@@ -277,7 +277,6 @@ class ShowJockeyDMXU1AsyncUsbSender : public AsyncUsbSender {`
`277`	`277`	`}`
`278`	`278`
`279`	`279`	`~ShowJockeyDMXU1AsyncUsbSender() {`
`280`		`- CancelTransfer();`
`281`	`280`	`delete[] m_tx_frame;`
`282`	`281`	`}`
`283`	`282`