accel/qaic: Ensure entry belongs to DBC in qaic_perf_stats_bo_ioctl()

struct qaic_perf_stats is defined to have a DBC specified in the header,
followed by struct qaic_perf_stats_entry instances, each pointing to a BO
that is associated with the DBC. Currently, qaic_perf_stats_bo_ioctl() does
not check if the entries belong to the DBC specified in the header.
Therefore, add checks to ensure that each entry in the request is sliced
and belongs to hdr.dbc_id.

Co-developed-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
Signed-off-by: Youssef Samir <youssef.abdulrahman@oss.qualcomm.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251007221212.559474-1-youssef.abdulrahman@oss.qualcomm.com

diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 45f065488fdb4185333616f1f15fa800175976fd..8ac2761e763fe7770826c771256ed5296d8174ff 100644 (file)
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -1789,6 +1789,16 @@ int qaic_perf_stats_bo_ioctl(struct drm_device *dev, void *data, struct drm_file
                        goto free_ent;
                }
                bo = to_qaic_bo(obj);
+               if (!bo->sliced) {
+                       drm_gem_object_put(obj);
+                       ret = -EINVAL;
+                       goto free_ent;
+               }
+               if (bo->dbc->id != args->hdr.dbc_id) {
+                       drm_gem_object_put(obj);
+                       ret = -EINVAL;
+                       goto free_ent;
+               }
                /*
                 * perf stats ioctl is called before wait ioctl is complete then
                 * the latency information is invalid.