gpu: ion: Fix race condition with import

Consider two threads. Thread 1 has an fd linked to an ion buffer
and Thread 2 has a handle to the same buffer. The two came from
the same client

Thread 1                    Thread 2
-----------------------------------------
ion_import_fd
ion_import
mutex_lock(&client->lock)
                            ion_free
                            ion_handle_put
                            ion_handle_destroy
                            mutex_lock(&client->lock) <--- currently locked
ion_handle_lookup
<return reference to same handle>
mutex_unlock(&client->lock)
                            acquire client lock
                            free(handle)

Thread 1 is now holding a reference to an already freed handle.
The issue arises because thread 2 is attempting to destroy the
handle but the handle still exists on the clients list of handles.
This needs to be atomic. Fix this by taking the client lock
around ion_handle_put.

CRs-Fixed: 328348
Change-Id: I3ff5e6c50b5268fd42092bc1f2b99403e5fcd3cd
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>

drivers/gpu/ion/ion.c

@@ -474,12 +474,12 @@ void ion_free(struct ion_client *client, struct ion_handle *handle)
 
 	mutex_lock(&client->lock);
 	valid_handle = ion_handle_validate(client, handle);
-	mutex_unlock(&client->lock);
-
 	if (!valid_handle) {
+		mutex_unlock(&client->lock);
 		WARN("%s: invalid handle passed to free.\n", __func__);
 		return;
 	}
+	mutex_unlock(&client->lock);
 	ion_handle_put(handle);
 }
 EXPORT_SYMBOL(ion_free);