From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
[ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ]
The commit 47677e51e2a4("[media] em28xx: Only deallocate struct
em28xx after finishing all extensions") adds kref_get to many init
functions (e.g., em28xx_audio_init). However, kref_init is called too
late in em28xx_usb_probe, since em28xx_init_dev before will invoke
those init functions and call kref_get function. Then refcount bug
occurs in my local syzkaller instance.
Fix it by moving kref_init before em28xx_init_dev. This issue occurs
not only in dev but also dev->dev_next.
Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
[DP: drop changes related to dev->dev_next as second tuner functionality was added in 4.16]
Signed-off-by: Dragos-Marian Panait <dragos.panait@xxxxxxxxxxxxx>
---
drivers/media/usb/em28xx/em28xx-cards.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
index b736c027a0bd..23a9fe8d9d1e 100644
--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3644,6 +3644,8 @@ static int em28xx_usb_probe(struct usb_interface *interface,
goto err_free;
}
+ kref_init(&dev->ref);
+
dev->devno = nr;
dev->model = id->driver_info;
dev->alt = -1;
@@ -3730,8 +3732,6 @@ static int em28xx_usb_probe(struct usb_interface *interface,
dev->dvb_xfer_bulk ? "bulk" : "isoc");
}
- kref_init(&dev->ref);
-
request_modules(dev);
/*
--
2.37.3
