drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock

The mmap callback reads bo->madv without holding madv_lock, racing with
concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
the same lock. Add the missing locking to prevent the data race.

Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>

diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
index 1f93bc5a3d02ebfd3800c3892444a0b22bc08dd8..cb2b62a4197207cc704c2f08b6876f7eaa89c515 100644 (file)
--- a/drivers/gpu/drm/vc4/vc4_bo.c
+++ b/drivers/gpu/drm/vc4/vc4_bo.c
@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
                return -EINVAL;
        }
 
+       mutex_lock(&bo->madv_lock);
        if (bo->madv != VC4_MADV_WILLNEED) {
                DRM_DEBUG("mmapping of %s BO not allowed\n",
                          bo->madv == VC4_MADV_DONTNEED ?
                          "purgeable" : "purged");
+               mutex_unlock(&bo->madv_lock);
                return -EINVAL;
        }
+       mutex_unlock(&bo->madv_lock);
 
        return drm_gem_dma_mmap(&bo->base, vma);
 }