zram: fix race condition while returning zram_entry refcount

With deduplication enabled, the duplicated zram objects are tracked
using the zram_entry backed by a refcount. The race condition while
decrementing the refcount through zram_dedup_put() is as follows:
Say Task A and task B share the same object and thus the
zram_entry->refcount = 2.
Task A				Task B

zram_dedup_put  		zram_dedup_put
				spin_lock(&hash->lock);
				entry->refcount--; (Now it is 1)
				spin_unlock(&hash->lock);
spin_lock(&hash->lock);
entry->refcount--; (Now it is 0)
spin_unlock(&hash->lock);

return entry->refcount		return entry->refcount

We return 0 in above steps thus leading to double free of the handle,
which is a slab object.

Change-Id: I8dd9bad27140a6e3a295905bf4411050d8eac931
Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
Signed-off-by: Marco Zanin <mrczn.bb@gmail.com>
Signed-off-by: snnbyyds <snnbyyds@gmail.com>

Author: Charan Teja Reddy

drivers/block/zram/zram_dedup.c

@@ -92,21 +92,22 @@ static unsigned long zram_dedup_put(struct zram *zram,
 {
 	struct zram_hash *hash;
 	u32 checksum;
+	unsigned long val;
 
 	checksum = entry->checksum;
 	hash = &zram->hash[checksum % zram->hash_size];
 
 	spin_lock(&hash->lock);
 
-	entry->refcount--;
+	val = --entry->refcount;
 	if (!entry->refcount)
 		rb_erase(&entry->rb_node, &hash->rb_root);
 	else
 		atomic64_sub(entry->len, &zram->stats.dup_data_size);
 
 	spin_unlock(&hash->lock);
 
-	return entry->refcount;
+	return val;
 }
 
 static struct zram_entry *__zram_dedup_get(struct zram *zram,