msm: eva: Fix DMA-BUF double free

msm_cvp_smem_put_dma_buf() releases the EVA driver's reference it uses
for DMA mappings, by decrementing the refcount of the underlying
struct file that all DMA-BUFs use for life cycle tracking. By
accident, the EVA driver held a direct reference to the underlying
file using the struct msm_cvp_smem->file variable. The EVA driver,
after releasing it's reference to the DMA-BUF, inadvertently called
fput() on the struct_cvp_smem->file variable, which leads to a double
free.

Resolve this by removing the struct msm_cvp_smmem->file variable, and
by removing the corresponding fput().

Change-Id: I108cd87509673008ff55fc94fda76aa21f21bd5d
Signed-off-by: Chris Goldsworthy <[email protected]>

msm/eva/msm_cvp_buf.c

@@ -214,7 +214,6 @@ int msm_cvp_map_buf_dsp(struct msm_cvp_inst *inst, struct eva_kmd_buffer *buf)
 	}
 
 	smem->dma_buf = dma_buf;
-	smem->file = file;
 	smem->bitmap_index = MAX_DMABUF_NUMS;
 	dprintk(CVP_MEM, "%s: dma_buf = %llx\n", __func__, dma_buf);
 	rc = msm_cvp_map_smem(inst, smem, "map dsp");
@@ -287,7 +286,6 @@ int msm_cvp_unmap_buf_dsp(struct msm_cvp_inst *inst, struct eva_kmd_buffer *buf)
 	if (cbuf->smem->device_addr) {
 		msm_cvp_unmap_smem(inst, cbuf->smem, "unmap dsp");
 		msm_cvp_smem_put_dma_buf(cbuf->smem->dma_buf);
-		fput(cbuf->smem->file);
 	}
 
 	mutex_lock(&inst->cvpdspbufs.lock);

msm/eva/msm_cvp_buf.h

@@ -68,7 +68,6 @@ struct msm_cvp_smem {
 	struct list_head list;
 	atomic_t refcount;
 	struct dma_buf *dma_buf;
-	struct file *file;
 	void *kvaddr;
 	u32 device_addr;
 	dma_addr_t dma_handle;