msm: adsprpc: destroy mutex before file free

Destroy mutex before file free, to avoid use after free of mutex.

Change-Id: I4ff73dc17b15043eacbb299219a379bfd1a8efa6
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index c078760..165c570 100644 (file)
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -2318,8 +2318,7 @@ static int fastrpc_file_free(struct fastrpc_file *fl)
        spin_unlock(&fl->apps->hlock);
 
        if (!fl->sctx) {
-               kfree(fl);
-               return 0;
+               goto bail;
        }
 
        spin_lock(&fl->hlock);
@@ -2337,6 +2336,8 @@ static int fastrpc_file_free(struct fastrpc_file *fl)
                fastrpc_session_free(&fl->apps->channel[cid], fl->sctx);
        if (fl->secsctx)
                fastrpc_session_free(&fl->apps->channel[cid], fl->secsctx);
+bail:
+       mutex_destroy(&fl->map_mutex);
        kfree(fl);
        return 0;
 }
@@ -2348,7 +2349,7 @@ static int fastrpc_device_release(struct inode *inode, struct file *file)
        if (fl) {
                if (fl->debugfs_file != NULL)
                        debugfs_remove(fl->debugfs_file);
-               mutex_destroy(&fl->map_mutex);
+
                fastrpc_file_free(fl);
                file->private_data = NULL;
        }