disp: msm: sde: add null check for drm file in msm_release

Drm file is not set to NULL after freeing it from drm
release. This can result in use-after-free issues in
some scenarios. Add a mutex lock and other proper null
checks to prevent such issues.

Change-Id: Ic35b0a76166b0f47a354b1737e6f4c3ac1437ed4
Signed-off-by: Krishna Manikandan <mkrishn@codeaurora.org>

msm/msm_drv.c

@@ -87,6 +87,8 @@
 			(ktime_compare_safe(exp_ktime, cur_ktime) > 0));\
 	} while (0)
 
+static DEFINE_MUTEX(msm_release_lock);
+
 static void msm_fb_output_poll_changed(struct drm_device *dev)
 {
 	struct msm_drm_private *priv = NULL;
@@ -1445,13 +1447,25 @@ void msm_mode_object_event_notify(struct drm_mode_object *obj,
 static int msm_release(struct inode *inode, struct file *filp)
 {
 	struct drm_file *file_priv = filp->private_data;
-	struct drm_minor *minor = file_priv->minor;
-	struct drm_device *dev = minor->dev;
-	struct msm_drm_private *priv = dev->dev_private;
+	struct drm_minor *minor;
+	struct drm_device *dev;
+	struct msm_drm_private *priv;
 	struct msm_drm_event *node, *temp, *tmp_node;
 	u32 count;
 	unsigned long flags;
 	LIST_HEAD(tmp_head);
+	int ret = 0;
+
+	mutex_lock(&msm_release_lock);
+
+	if (!file_priv) {
+		ret = -EINVAL;
+		goto end;
+	}
+
+	minor = file_priv->minor;
+	dev = minor->dev;
+	priv = dev->dev_private;
 
 	spin_lock_irqsave(&dev->event_lock, flags);
 	list_for_each_entry_safe(node, temp, &priv->client_event_list,
@@ -1489,7 +1503,11 @@ static int msm_release(struct inode *inode, struct file *filp)
 	if (drm_is_current_master(file_priv))
 		msm_preclose(dev, file_priv);
 
-	return drm_release(inode, filp);
+	ret = drm_release(inode, filp);
+	filp->private_data = NULL;
+end:
+	mutex_unlock(&msm_release_lock);
+	return ret;
 }
 
 /**