disp: msm: sde: add event to event_list after register is successful

Add event to event_list after msm_register_event is successful to avoid
use-after-free vulnerability.

Change-Id: I34fb39c99051978cbab64a852851964691a5ea9e
Signed-off-by: Ping Li <pingli@codeaurora.org>

msm/msm_drv.c

@@ -1351,24 +1351,27 @@ static int msm_ioctl_register_event(struct drm_device *dev, void *data,
 	 * calls add to client list and return.
 	 */
 	count = msm_event_client_count(dev, req_event, false);
-	/* Add current client to list */
+	if (count) {
-	spin_lock_irqsave(&dev->event_lock, flag);
+		/* Add current client to list */
-	list_add_tail(&client->base.link, &priv->client_event_list);
+		spin_lock_irqsave(&dev->event_lock, flag);
-	spin_unlock_irqrestore(&dev->event_lock, flag);
+		list_add_tail(&client->base.link, &priv->client_event_list);
-
+		spin_unlock_irqrestore(&dev->event_lock, flag);
-	if (count)
 		return 0;
+	}
 
 	ret = msm_register_event(dev, req_event, file, true);
 	if (ret) {
 		DRM_ERROR("failed to enable event %x object %x object id %d\n",
 			req_event->event, req_event->object_type,
 			req_event->object_id);
-		spin_lock_irqsave(&dev->event_lock, flag);
-		list_del(&client->base.link);
-		spin_unlock_irqrestore(&dev->event_lock, flag);
 		kfree(client);
+	} else {
+		/* Add current client to list */
+		spin_lock_irqsave(&dev->event_lock, flag);
+		list_add_tail(&client->base.link, &priv->client_event_list);
+		spin_unlock_irqrestore(&dev->event_lock, flag);
 	}
+
 	return ret;
 }