--- /dev/null
+From c08eadca1bdfa099e20a32f8fa4b52b2f672236d Mon Sep 17 00:00:00 2001
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+Date: Sat, 22 Jan 2022 15:44:59 +0800
+Subject: media: em28xx: initialize refcount before kref_get
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d upstream.
+
+The commit 47677e51e2a4("[media] em28xx: Only deallocate struct
+em28xx after finishing all extensions") adds kref_get to many init
+functions (e.g., em28xx_audio_init). However, kref_init is called too
+late in em28xx_usb_probe, since em28xx_init_dev before will invoke
+those init functions and call kref_get function. Then refcount bug
+occurs in my local syzkaller instance.
+
+Fix it by moving kref_init before em28xx_init_dev. This issue occurs
+not only in dev but also dev->dev_next.
+
+Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[DP: drop changes related to dev->dev_next as second tuner functionality was added in 4.16]
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -3644,6 +3644,8 @@ static int em28xx_usb_probe(struct usb_i
+ goto err_free;
+ }
+
++ kref_init(&dev->ref);
++
+ dev->devno = nr;
+ dev->model = id->driver_info;
+ dev->alt = -1;
+@@ -3730,8 +3732,6 @@ static int em28xx_usb_probe(struct usb_i
+ dev->dvb_xfer_bulk ? "bulk" : "isoc");
+ }
+
+- kref_init(&dev->ref);
+-
+ request_modules(dev);
+
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
