From 44d1e3963908671fb5b7f804e0ff80c2d83e925d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 26 Sep 2022 09:24:32 +0200
Subject: [PATCH] 4.14-stable patches added patches: media-em28xx-initialize-refcount-before-kref_get.patch
---
 ...-initialize-refcount-before-kref_get.patch | 50 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 51 insertions(+)
 create mode 100644 queue-4.14/media-em28xx-initialize-refcount-before-kref_get.patch
diff --git a/queue-4.14/media-em28xx-initialize-refcount-before-kref_get.patch b/queue-4.14/media-em28xx-initialize-refcount-before-kref_get.patch
new file mode 100644
index 00000000000..649a63f3bec
--- /dev/null
+++ b/queue-4.14/media-em28xx-initialize-refcount-before-kref_get.patch
@@ -0,0 +1,50 @@
+From c08eadca1bdfa099e20a32f8fa4b52b2f672236d Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Sat, 22 Jan 2022 15:44:59 +0800
+Subject: media: em28xx: initialize refcount before kref_get
+
+From: Dongliang Mu
+
+commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d upstream.
+
+The commit 47677e51e2a4("[media] em28xx: Only deallocate struct
+em28xx after finishing all extensions") adds kref_get to many init
+functions (e.g., em28xx_audio_init). However, kref_init is called too
+late in em28xx_usb_probe, since em28xx_init_dev before will invoke
+those init functions and call kref_get function. Then refcount bug
+occurs in my local syzkaller instance.
+
+Fix it by moving kref_init before em28xx_init_dev. This issue occurs
+not only in dev but also dev->dev_next.
+
+Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
+Reported-by: syzkaller
+Signed-off-by: Dongliang Mu
+Signed-off-by: Hans Verkuil
+[DP: drop changes related to dev->dev_next as second tuner functionality was added in 4.16]
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -3644,6 +3644,8 @@ static int em28xx_usb_probe(struct usb_i
+ goto err_free;
+ }
+
++ kref_init(&dev->ref);
++
+ dev->devno = nr;
+ dev->model = id->driver_info;
+ dev->alt = -1;
+@@ -3730,8 +3732,6 @@ static int em28xx_usb_probe(struct usb_i
+ dev->dvb_xfer_bulk ? "bulk" : "isoc");
+ }
+
+- kref_init(&dev->ref);
+-
+ request_modules(dev);
+
+ /*
diff --git a/queue-4.14/series b/queue-4.14/series
index 74f597cde62..0bf818946d6 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
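Review bot: The relocated `kref_init(&dev->ref);` in the first inner hunk (just after the `goto err_free` check) has no comment explaining why it must sit this early, so a later reshuffle of em28xx_usb_probe could silently reintroduce the kref_get-before-kref_init ordering the commit message describes. I would add `/* must precede em28xx_init_dev(): init paths reached from it call kref_get() on dev->ref */` directly above it. Only fragments of em28xx_usb_probe are visible here, so the error paths between the new and old positions cannot be checked from this page; it is worth confirming that any path there which frees dev directly is still correct now that the refcount is live and may already have been taken. The backport also omits the dev->dev_next half of the upstream fix per the `[DP: ...]` note, which should be verified against the 4.14 tree rather than taken from the message alone.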
@@ -37,3 +37,4 @@ serial-tegra-use-uart_xmit_advance-fixes-icount.tx-accounting.patch
 s390-dasd-fix-oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup.patch
 drivers-hv-never-allocate-anything-besides-framebuff.patch
 ext4-make-directory-inode-spreading-reflect-flexbg-size.patch
+media-em28xx-initialize-refcount-before-kref_get.patch
--
2.47.3