From: Youssef Samir <quic_yabdu...@quicinc.com>

struct qaic_perf_stats is defined to have a DBC specified in the header, followed by struct qaic_perf_stats_entry instances, each pointing to a BO that is associated with the DBC. Currently, qaic_perf_stats_bo_ioctl() does not check if the entries belong to the DBC specified in the header. Therefore, add checks to ensure that each entry in the request is sliced and belongs to hdr.dbc_id.

Co-developed-by: Carl Vanderlip <carl.vander...@oss.qualcomm.com> Signed-off-by: Carl Vanderlip <carl.vander...@oss.qualcomm.com> Signed-off-by: Youssef Samir <quic_yabdu...@quicinc.com> Signed-off-by: Youssef Samir <youssef.abdulrah...@oss.qualcomm.com> --- drivers/accel/qaic/qaic_data.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c index 797289e9d780..bad587b56b1d 100644 --- a/drivers/accel/qaic/qaic_data.c +++ b/drivers/accel/qaic/qaic_data.c @@ -1781,6 +1781,16 @@ int qaic_perf_stats_bo_ioctl(struct drm_device *dev, void *data, struct drm_file goto free_ent; } bo = to_qaic_bo(obj); + if (!bo->sliced) { + drm_gem_object_put(obj); + ret = -EINVAL; + goto free_ent; + } + if (bo->dbc->id != args->hdr.dbc_id) { + drm_gem_object_put(obj); + ret = -EINVAL; + goto free_ent; + } /* * perf stats ioctl is called before wait ioctl is complete then * the latency information is invalid. -- 2.43.0
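
Review bot: the two checks added after `bo = to_qaic_bo(obj);` in qaic_perf_stats_bo_ioctl() repeat the same error path (`drm_gem_object_put(obj); ret = -EINVAL; goto free_ent;`), so they could be folded into one condition, `if (!bo->sliced || bo->dbc->id != args->hdr.dbc_id)`, which keeps the short-circuit order. That order looks load-bearing: `bo->dbc` is dereferenced without a NULL check, so if it is only set once the BO has been sliced, a one-line comment saying the `sliced` test must come first would stop a later cleanup from reordering it into a NULL dereference reachable from userspace. The visible context also does not show a lock held while `bo->sliced` and `bo->dbc` are read; if another ioctl on the same handle can detach the slice concurrently, the validation could pass on stale state, so it is worth stating in the commit message or a comment what serializes this path. Finally, both failures return -EINVAL with no way for the caller to tell an unsliced BO from a DBC mismatch; that is acceptable, but the uAPI documentation for the perf stats ioctl should mention the new rejection cases.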