From 5fcce5d5800a60957141f1d963edfd199480bfcb Mon Sep 17 00:00:00 2001
From: Pascal Brand
Date: Tue, 5 Jan 2016 09:00:23 +0100
Subject: [PATCH] Fix freed memory use in tee_session_close_and_destroy()

The following code is wrong as shm->tee is unpredictable because of the former free():
devm_kfree(_DEV(tee), sess);
[...]
mutex_unlock(&sess->ctx->tee->lock);
It is fixed in
devm_kfree(_DEV(tee), sess);
[...]
mutex_unlock(&tee->lock);

Reviewed-by: Jens Wiklander
Signed-off-by: Pascal Brand
---
 core/tee_session.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/tee_session.c b/core/tee_session.c
index d68bd69..98a70ea 100644
--- a/core/tee_session.c
+++ b/core/tee_session.c
@@ -385,14 +385,14 @@ int tee_session_close_and_destroy(struct tee_session *sess)
 	ret = tee_session_close_be(sess);
-	mutex_lock(&sess->ctx->tee->lock);
+	mutex_lock(&tee->lock);
 	tee_dec_stats(&tee->stats[TEE_STATS_SESSION_IDX]);
 	list_del(&sess->entry);
 	devm_kfree(_DEV(tee), sess);
 	tee_context_put(ctx);
 	tee_put(tee);
-	mutex_unlock(&sess->ctx->tee->lock);
+	mutex_unlock(&tee->lock);
 	dev_dbg(_DEV(tee), "%s: <\n", __func__);
 	return ret;
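Review bot: `tee_put(tee);` still runs before `mutex_unlock(&tee->lock);` and `dev_dbg(_DEV(tee), ...)` on the new side, so if that put can drop the last reference to tee, those two lines repeat for tee the use-after-free pattern this commit removes for sess; whether tee_put() can free tee is not visible in the hunk, so this is a point to confirm against its implementation. Moving `tee_put(tee);` to after the dev_dbg line, or having the caller guarantee an outstanding reference across the unlock, would make the function correct regardless of tee_put's semantics. The same question applies to `tee_context_put(ctx);` if a context's last reference can tear down its tee. The beginning of tee_session_close_and_destroy(), where tee and ctx are presumably taken from sess before the free, lies outside the hunk.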