ALSA: bcd2000: Fix a UAF bug on the error path of probing

jira VULN-70295
cve CVE-2022-50229
commit-author Zheyu Ma <[email protected]>
commit ffb2759

When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.

The following log can reveal it:

[   50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[   50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[   50.729530] Call Trace:
[   50.732899]  bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]

Fix this by adding usb_kill_urb() before usb_free_urb().

Fixes: b47a222 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
	Signed-off-by: Zheyu Ma <[email protected]>
	Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit ffb2759)
	Signed-off-by: Roxana Nicolescu <[email protected]>
Signed-off-by: Roxana Nicolescu <[email protected]>

Author: roxanan1996

sound/usb/bcd2000/bcd2000.c

@@ -348,7 +348,8 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k)
 static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k,
 						struct usb_interface *interface)
 {
-	/* usb_kill_urb not necessary, urb is aborted automatically */
+	usb_kill_urb(bcd2k->midi_out_urb);
+	usb_kill_urb(bcd2k->midi_in_urb);
 
 	usb_free_urb(bcd2k->midi_out_urb);
 	usb_free_urb(bcd2k->midi_in_urb);