Message-ID: <6a115824.a0bed9bd.3c0137.9edf@mx.google.com>
From: Shuvam Pandey
Date: Sat, 23 May 2026 13:17:33 +0545
Subject: [PATCH] accel/qaic: Protect perf stats BO state with bo->lock
To: Jeff Hugo, Carl Vanderlip, Oded Gabbay
Cc: linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org

qaic_perf_stats_bo_ioctl() validates each BO by checking bo->sliced and bo->dbc before returning its perf stats. These fields are changed by the detach paths while holding bo->lock, but the perf stats ioctl reads them without that lock.

A concurrent detach can clear bo->dbc and mark the BO unsliced while the perf stats ioctl is validating the BO.

Take bo->lock while checking the BO state and copying the per-BO stats into the temporary result buffer.

Fixes: 4ddf4ddfceb4 ("accel/qaic: Ensure entry belongs to DBC in qaic_perf_stats_bo_ioctl()")
Signed-off-by: Shuvam Pandey

--- drivers/accel/qaic/qaic_data.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c index 1e4c579d2..1d74c2ec3 100644 --- a/drivers/accel/qaic/qaic_data.c +++ b/drivers/accel/qaic/qaic_data.c
@@ -1834,15 +1834,16 @@ int qaic_perf_stats_bo_ioctl(struct drm_device *dev= , void *data, struct drm_file goto free_ent; } bo =3D to_qaic_bo(obj); + ret =3D mutex_lock_interruptible(&bo->lock); + if (ret) + goto put_obj; if (!bo->sliced) { - drm_gem_object_put(obj); ret =3D -EINVAL; - goto free_ent; + goto unlock_bo; } if (bo->dbc->id !=3D args->hdr.dbc_id) { - drm_gem_object_put(obj); ret =3D -EINVAL; - goto free_ent; + goto unlock_bo; } /* * perf stats ioctl is called before wait ioctl is complete then @@ -1858,7 +1859,12 @@ int qaic_perf_stats_bo_ioctl(struct drm_device *dev,= void *data, struct drm_file bo->perf_stats.req_received_ts), 1000); ent[i].queue_level_before =3D bo->perf_stats.queue_level_before; ent[i].num_queue_element =3D bo->total_slice_nents; +unlock_bo: + mutex_unlock(&bo->lock); +put_obj: drm_gem_object_put(obj); + if (ret) + goto free_ent; } =20 if (copy_to_user(u64_to_user_ptr(args->data), ent, args->hdr.count * size= of(*ent))) --=20 2.50.1 (Apple Git-155)
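
Review bot: in the first hunk (@@ -1834), bo->dbc->id is still dereferenced with no NULL check, so it is safe under bo->lock only if the detach paths clear bo->dbc and bo->sliced inside the same critical section. The commit message says both fields change under bo->lock but does not state that bo->sliced implies a valid bo->dbc; please put that invariant in a comment above the "if (!bo->sliced)" check, or add an explicit "!bo->dbc" test next to it. The commit message should also name the failure being fixed and mention that, because of mutex_lock_interruptible(), the ioctl can now return early when a signal arrives, which it could not do at this point before.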
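
Review bot: in the second hunk (@@ -1858), the unlock_bo: and put_obj: labels sit inside the loop body and the success path falls through them, so the new "if (ret) goto free_ent;" is correct only because ret is 0 after a successful mutex_lock_interruptible() and, in the visible lines, only the two -EINVAL branches set it afterwards. A later edit that assigns ret between the lock and the labels would silently turn a successful iteration into an early exit. Consider moving the per-BO validation and copy into a small helper that returns an error code, or at least add a one-line comment at the labels saying ret must be 0 on the success path.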