accel/qaic: Ensure entry belongs to DBC in qaic_perf_stats_bo_ioctl()

struct qaic_perf_stats is defined to have a DBC specified in the header,
followed by struct qaic_perf_stats_entry instances, each pointing to a BO
that is associated with the DBC. Currently, qaic_perf_stats_bo_ioctl() does
not check if the entries belong to the DBC specified in the header.
Therefore, add checks to ensure that each entry in the request is sliced
and belongs to hdr.dbc_id.

Co-developed-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
Signed-off-by: Youssef Samir <youssef.abdulrahman@oss.qualcomm.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Carl Vanderlip <carl.vanderlip@oss.qualcomm.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251007221212.559474-1-youssef.abdulrahman@oss.qualcomm.com

1 files changed, 10 insertions, 0 deletions

diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index 45f065488fdb..8ac2761e763f 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -1789,6 +1789,16 @@ int qaic_perf_stats_bo_ioctl(struct drm_device *dev, void *data, struct drm_file
 			goto free_ent;
 		}
 		bo = to_qaic_bo(obj);
+		if (!bo->sliced) {
+			drm_gem_object_put(obj);
+			ret = -EINVAL;
+			goto free_ent;
+		}
+		if (bo->dbc->id != args->hdr.dbc_id) {
+			drm_gem_object_put(obj);
+			ret = -EINVAL;
+			goto free_ent;
+		}
 		/*
 		 * perf stats ioctl is called before wait ioctl is complete then
 		 * the latency information is invalid.