Claude review: drm/xe: gate observation streams with perf_allow_cpu()

[Claude Code Review Bot <claude-review@example.com>]

Patch Review

**Good design:** The introduction of `xe_observation_paranoid_check()` as a single gating function is clean:

```c
int xe_observation_paranoid_check(void)
{
	if (!xe_observation_paranoid)
		return 0;

	return perf_allow_cpu();
}
```

The `xe_observation_paranoid` sysctl remains as an escape hatch (when cleared, bypass all checks), but when enabled it delegates to the proper perf infrastructure instead of open-coding a partial check.

**Good: variable made static.** Since `xe_observation_paranoid` is now only accessed inside `xe_observation.c`, making it `static` and removing the `extern` from the header is the right cleanup:

```c
-u32 xe_observation_paranoid = true;
+static u32 xe_observation_paranoid = true;
```

**All call sites converted consistently.** The five open-coded sites (1 in `xe_eu_stall.c`, 4 in `xe_oa.c`) are all converted to `xe_observation_paranoid_check()`, and the return value is properly propagated instead of always using `-EACCES`. This is correct because `perf_allow_cpu()` itself returns `-EACCES` on the capability check, so the common case is unchanged, but the LSM hook could return a different error code.

**Behavioral change to note:** The `xe_oa_mmap()` path previously checked `xe_observation_paranoid && !perfmon_capable()` at mmap time. Now it calls `perf_allow_cpu()` which also invokes the LSM hook. This is appropriate -- the mmap exposes the same sensitive observation data, so gating it with the same policy is consistent. However, it's worth noting that a process that successfully opened an OA stream might then fail the mmap if the LSM policy changed between open and mmap. This is a theoretical TOCTOU edge case that also exists in the current perf infrastructure and isn't a concern in practice.

**Error code subtlety in xe_oa_stream_open_ioctl:** The restructuring of the privileged_op check is clean:

```c
-	if (privileged_op && xe_observation_paranoid && !perfmon_capable()) {
-		...
-		ret = -EACCES;
-		goto err_exec_q;
+	if (privileged_op) {
+		ret = xe_observation_paranoid_check();
+		if (ret) {
+			...
+			goto err_exec_q;
+		}
 	}
```

This correctly separates the "is this a privileged operation" decision from the "does the caller have permission" decision.

**Doc comment:** The function-level comment on `xe_observation_paranoid_check()` is thorough and accurately describes the behavior. It's on the verbose side for kernel style but not objectionable.

No blocking issues with this patch.

---
Generated by Claude Code Patch Reviewer