media: em28xx: initialize refcount before kref_get

stable inclusion from stable-v4.19.238 commit 0113fa98a49a8e46a19b0ad80f29c904c6feec23 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5RX5X CVE: CVE-2022-3239 --------------------------- [ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ] The commit 47677e51("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e51 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

media: em28xx: initialize refcount before kref_get
stable inclusion from stable-v4.19.238 commit 0113fa98a49a8e46a19b0ad80f29c904c6feec23 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5RX5X CVE: CVE-2022-3239 --------------------------- [ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ] The commit 47677e51("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e51 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
0f1d3387 · Dongliang Mu · Yongqiang Liu · b2297d93 · 0f1d3387
Commit 0f1d3387 authored 2 years ago by Dongliang Mu Committed by Yongqiang Liu 2 years ago
--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3816,6 +3816,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 		goto err_free;
 	}
+	kref_init(&dev->ref);
 	dev->devno = nr;
 	dev->model = id->driver_info;
 	dev->alt   = -1;
@@ -3916,6 +3918,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 	}
 	if (dev->board.has_dual_ts && em28xx_duplicate_dev(dev) == 0) {
+		kref_init(&dev->dev_next->ref);
 		dev->dev_next->ts = SECONDARY_TS;
 		dev->dev_next->alt   = -1;
 		dev->dev_next->is_audio_only = has_vendor_audio &&
@@ -3970,12 +3974,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 			em28xx_write_reg(dev, 0x0b, 0x82);
 			mdelay(100);
 		}
-		kref_init(&dev->dev_next->ref);
 	}
-	kref_init(&dev->ref);
 	request_modules(dev);
 	/*