This commit amends my old commit fe35637b ("[media] dvb_frontend:
eliminate blocking wait in dvb_unregister_frontend()"), which added
kref to struct dvb_frontend_private.  It turned out that there are
several use-after-free bugs left, which affect the struct
dvb_frontend.  Protecting it with kref also protects struct
dvb_frontend_private, so we can simply move it.

This is how the use-after-free looks like in KASAN:

    BUG: KASAN: use-after-free in string+0x60/0xb1 at addr ffff880033bd9fc0
    Read of size 1 by task kworker/0:2/617
    CPU: 0 PID: 617 Comm: kworker/0:2 Not tainted 4.8.0-rc1-hosting+ #60
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Workqueue: usb_hub_wq hub_event
     0000000000000000 ffff880033757218 ffffffff81394e50 ffff880033bd9fd0
     ffff880035c03b00 ffff880033757240 ffffffff811f271d ffff880033bd9fc0
     1ffff1000677b3f8 ffffed000677b3f8 ffff8800337572b8 ffffffff811f2afe
    Call Trace:
     [...]
     [<ffffffff813a2d2f>] vsnprintf+0x39d/0x7e9
     [<ffffffff813993f9>] add_uevent_var+0x10f/0x1dc
     [<ffffffff814fe5ca>] rc_dev_uevent+0x55/0x6f
     [<ffffffff814438f8>] dev_uevent+0x2e1/0x316
     [<ffffffff81399744>] kobject_uevent_env+0x27e/0x701
     [<ffffffff81399bd2>] kobject_uevent+0xb/0xd
     [<ffffffff81443445>] device_del+0x322/0x383
     [<ffffffff81500c0c>] rc_unregister_device+0x98/0xc3
     [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90
     [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80
     [...]
    Object at ffff880033bd9fc0, in cache kmalloc-16 size: 16
    Allocated:
     [...]
    Freed:
    PID = 617
     [...]
     [<ffffffff811f034c>] kfree+0xd9/0x166
     [<ffffffff814fe513>] ir_free_table+0x2f/0x51
     [<ffffffff81500bc1>] rc_unregister_device+0x4d/0xc3
     [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90
     [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80

Another one:

    BUG: KASAN: use-after-free in do_sys_poll+0x336/0x6b8 at addr ffff88003563fcc0
    Read of size 8 by task tuner on fronte/1042
    CPU: 1 PID: 1042 Comm: tuner on fronte Tainted: G    B           4.8.0-rc1-hosting+ #60
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
     0000000000000000 ffff88003353f910 ffffffff81394e50 ffff88003563fd80
     ffff880035c03200 ffff88003353f938 ffffffff811f271d ffff88003563fc80
     1ffff10006ac7f98 ffffed0006ac7f98 ffff88003353f9b0 ffffffff811f2afe
    Call Trace:
     [...]
     [<ffffffff812289b3>] do_sys_poll+0x336/0x6b8
     [...]
     [<ffffffff81228ed9>] SyS_poll+0xa9/0x194
     [...]
    Object at ffff88003563fc80, in cache kmalloc-256 size: 256
    Allocated:
     [...]
    Freed:
    PID = 617
     [...]
     [<ffffffff811f034c>] kfree+0xd9/0x166
     [<ffffffff814eb60d>] dvb_unregister_device+0xd6/0xe5
     [<ffffffff814fa4ed>] dvb_unregister_frontend+0x4b/0x66
     [<ffffffff8150810b>] dvb_usb_adapter_frontend_exit+0x69/0xac
     [<ffffffff8150617d>] dvb_usb_exit+0x43/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>