media: cx231xx: fix use-after-free when unregistering the i2c_client for the dvb demod

Calling i2c_unregister_device for a demod driver destroys the frontend object.
Later it is accessed by calling dvb_unregister_frontend and
dvb_frontend_detach.

In some cases this leads to a general protection fault with this
callstack:

  dvb_unregister_frontend+0x25/0x50 [dvb_core]
  dvb_fini+0xdb/0x160 [cx231xx_dvb]
  cx231xx_unregister_extension+0x3d/0xb0 [cx231xx]
  cx231xx_dvb_unregister+0x10/0x809 [cx231xx_dvb]
  SyS_delete_module+0x18a/0x240
  ? exit_to_usermode_loop+0x7b/0x80
  entry_SYSCALL_64_fastpath+0x17/0x98
Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

drivers/media/usb/cx231xx/cx231xx-dvb.c

@@ -585,6 +585,9 @@ static void unregister_dvb(struct cx231xx_dvb *dvb)
 	dvb->demux.dmx.remove_frontend(&dvb->demux.dmx, &dvb->fe_hw);
 	dvb_dmxdev_release(&dvb->dmxdev);
 	dvb_dmx_release(&dvb->demux);
+	dvb_unregister_frontend(dvb->frontend);
+	dvb_frontend_detach(dvb->frontend);
+	dvb_unregister_adapter(&dvb->adapter);
 	/* remove I2C tuner */
 	client = dvb->i2c_client_tuner;
 	if (client) {
@@ -597,9 +600,6 @@ static void unregister_dvb(struct cx231xx_dvb *dvb)
 		module_put(client->dev.driver->owner);
 		i2c_unregister_device(client);
 	}
-	dvb_unregister_frontend(dvb->frontend);
-	dvb_frontend_detach(dvb->frontend);
-	dvb_unregister_adapter(&dvb->adapter);
 }
 
 static int dvb_init(struct cx231xx *dev)