From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: accel/qaic: Protect perf stats BO state with bo->lock
Date: Mon, 25 May 2026 17:54:33 +1000
Message-ID:
In-Reply-To: <6a115824.a0bed9bd.3c0137.9edf@mx.google.com>
References: <6a115824.a0bed9bd.3c0137.9edf@mx.google.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: accel/qaic: Protect perf stats BO state with bo->lock
Author: Shuvam Pandey
Patches: 1
Reviewed: 2026-05-25T17:54:33.288980

---

This is a single-patch series that fixes a real TOCTOU race condition in the QAIC accelerator driver. The `qaic_perf_stats_bo_ioctl()` function reads `bo->sliced` and `bo->dbc` without holding `bo->lock`, while the detach path (`detach_slice_bo` -> `qaic_init_bo` / `qaic_unprepare_bo`) modifies these fields under `bo->lock`. The fix correctly acquires `bo->lock` before validating and reading the BO state.

The fix is **correct and well-structured**. The locking scope is appropriate -- it protects both the validation checks (`bo->sliced`, `bo->dbc->id`) and the perf stats reads (`bo->perf_stats.*`, `bo->total_slice_nents`). The error-path refactoring is clean: it collapses duplicate `drm_gem_object_put` calls into a single site, using the `unlock_bo` / `put_obj` label chain consistently.

One minor concern below, but overall this is a good fix.

---
Generated by Claude Code Patch Reviewer
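
A user-space model of the locking pattern the review above describes, added here as an illustration; it is not the qaic driver's code or the patch under review. The `model_*` names, the pthread mutex standing in for `bo->lock`, the plain integer refcount standing in for the GEM object reference, and the `-EINVAL` return values are assumptions.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Hypothetical stand-ins for the driver's structures (assumed, simplified). */
struct model_dbc { unsigned int id; };
struct model_bo {
    pthread_mutex_t lock;            /* plays the role of bo->lock */
    int refcount;                    /* plays the role of the GEM reference */
    int sliced;
    struct model_dbc *dbc;
    unsigned int total_slice_nents;
};

/* Detach path: tears the state down while holding the lock. */
void model_detach(struct model_bo *bo)
{
    pthread_mutex_lock(&bo->lock);
    bo->sliced = 0;
    bo->dbc = NULL;
    bo->total_slice_nents = 0;
    pthread_mutex_unlock(&bo->lock);
}

/* Reader: the check and the use happen under the same lock; one put site. */
int model_read_stats(struct model_bo *bo, unsigned int dbc_id,
                     unsigned int *nents_out)
{
    int ret = 0;

    bo->refcount++;                  /* lookup took a reference (not atomic here) */
    if (!nents_out) {                /* needs no BO state, so no lock is held yet */
        ret = -EINVAL;
        goto put_obj;
    }
    pthread_mutex_lock(&bo->lock);
    if (!bo->sliced || !bo->dbc || bo->dbc->id != dbc_id) {
        ret = -EINVAL;               /* detach cannot run between check and read */
        goto unlock_bo;
    }
    *nents_out = bo->total_slice_nents;
unlock_bo:
    pthread_mutex_unlock(&bo->lock);
put_obj:
    bo->refcount--;                  /* every exit path drops the reference here */
    return ret;
}
```
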