media: em28xx: initialize refcount before kref_get

jira VULN-8755
cve CVE-2022-3239
commit-author Dongliang Mu <mudongliangabcd@gmail.com>
commit c08eadc

The commit 47677e5("[media] em28xx: Only deallocate struct
em28xx after finishing all extensions") adds kref_get to many init
functions (e.g., em28xx_audio_init). However, kref_init is called too
late in em28xx_usb_probe, since em28xx_init_dev before will invoke
those init functions and call kref_get function. Then refcount bug
occurs in my local syzkaller instance.

Fix it by moving kref_init before em28xx_init_dev. This issue occurs
not only in dev but also dev->dev_next.

Fixes: 47677e5 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
	Reported-by: syzkaller <syzkaller@googlegroups.com>
	Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
	Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit c08eadc)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

Author: bmastbergen

drivers/media/usb/em28xx/em28xx-cards.c

@@ -3838,6 +3838,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 		goto err_free;
 	}
 
+	kref_init(&dev->ref);
+
 	dev->devno = nr;
 	dev->model = id->driver_info;
 	dev->alt   = -1;
@@ -3938,6 +3940,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 	}
 
 	if (dev->board.has_dual_ts && em28xx_duplicate_dev(dev) == 0) {
+		kref_init(&dev->dev_next->ref);
+
 		dev->dev_next->ts = SECONDARY_TS;
 		dev->dev_next->alt   = -1;
 		dev->dev_next->is_audio_only = has_vendor_audio &&
@@ -3992,12 +3996,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
 			em28xx_write_reg(dev, 0x0b, 0x82);
 			mdelay(100);
 		}
-
-		kref_init(&dev->dev_next->ref);
 	}
 
-	kref_init(&dev->ref);
-
 	request_modules(dev);
 
 	/*