msm: adsprpc: Handle UAF in fastrpc_buf_free

Thread T1 add buffer to fl->cached_bufs and release fl->hlock and holding
buffer reference. Now thread T2 will aquire fl->hlock and free buffer in
fastrpc_cached_buf_list_free(). T1 will dereference the freed buffer.
Moving reference buffer uses for T1 inside fl->hlock to avoid UAF.

Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6
Signed-off-by: Santosh Sakore <[email protected]>

dsp/adsprpc.c

@@ -714,8 +714,8 @@ static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache)
 		}
 		hlist_add_head(&buf->hn, &fl->cached_bufs);
 		fl->num_cached_buf++;
-		spin_unlock(&fl->hlock);
 		buf->type = -1;
+		spin_unlock(&fl->hlock);
 		return;
 	}
 skip_buf_cache: