From 1f0408fc9dc4e2947998337c315647ab5244877a Mon Sep 17 00:00:00 2001
From: Abhinav Parihar <quic_parihar@quicinc.com>
Date: Mon, 30 Dec 2024 14:48:16 +0530
Subject: [PATCH] msm: adsprpc: Avoid double free on map

Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.

Change-Id: I081b937bfd3e8da3e2480f062cad6966662994b5
Acked-by: Sharad Kumar <sharku@qti.qualcomm.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
---
 drivers/char/adsprpc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 0355847f68b0..8bc094fd2d80 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -900,9 +900,11 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags)
 			map->refs--;
 		if (!map->refs)
 			hlist_del_init(&map->hn);
-		spin_unlock(&me->hlock);
-		if (map->refs > 0)
+		if (map->refs > 0) {
+			spin_unlock(&me->hlock);
 			return;
+		}
+		spin_unlock(&me->hlock);
 	} else {
 		if (map->refs)
 			map->refs--;