at76c50x-usb: fix use after free on failure path in at76_probe()

After commit 174beab ("at76c50x-usb: Don't perform DMA from stack memory")
at76_delete_device() and usb_put_dev() are called both
if at76_init_new_device() fails in at76_probe().
But at76_delete_device() does usb_put_dev(priv->dev) itself
that means double usb_put_dev().

The patch avoids the problem by moving usb_put_dev() from
at76_delete_device() to at76_disconnect().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
Signed-off-by: John W. Linville <[email protected]>

Author: khoroshilov

drivers/net/wireless/at76c50x-usb.c

@@ -2423,8 +2423,6 @@ static void at76_delete_device(struct at76_priv *priv)
 
 	kfree_skb(priv->rx_skb);
 
-	usb_put_dev(priv->udev);
-
 	at76_dbg(DBG_PROC_ENTRY, "%s: before freeing priv/ieee80211_hw",
 		 __func__);
 	ieee80211_free_hw(priv->hw);
@@ -2558,6 +2556,7 @@ static void at76_disconnect(struct usb_interface *interface)
 
 	wiphy_info(priv->hw->wiphy, "disconnecting\n");
 	at76_delete_device(priv);
+	usb_put_dev(priv->udev);
 	dev_info(&interface->dev, "disconnected\n");
 }