drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock

[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]

The mmap callback reads bo->madv without holding madv_lock, racing with
concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
the same lock. Add the missing locking to prevent the data race.

Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
index 46b4474ac41d46f836f0896b3b5f57f09629e24e..44b1f2b00f9b057acc5cf1a151c434c02be4a325 100644 (file)
--- a/drivers/gpu/drm/vc4/vc4_bo.c
+++ b/drivers/gpu/drm/vc4/vc4_bo.c
@@ -739,12 +739,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
                return -EINVAL;
        }
 
+       mutex_lock(&bo->madv_lock);
        if (bo->madv != VC4_MADV_WILLNEED) {
                DRM_DEBUG("mmapping of %s BO not allowed\n",
                          bo->madv == VC4_MADV_DONTNEED ?
                          "purgeable" : "purged");
+               mutex_unlock(&bo->madv_lock);
                return -EINVAL;
        }
+       mutex_unlock(&bo->madv_lock);
 
        return drm_gem_dma_mmap(&bo->base, vma);
 }