On 1/29/26 6:32 PM, Lizhi Hou wrote:
Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes.Fix this by stopping job scheduling before calling aie2_release_resource() and restarting it after the release completes. Additionally, aie2_sched_job_run() now checks whether the hardware context is still active. Fixes: 4fd6ca90fc7f ("accel/amdxdna: Refactor hardware context destroy routine") Signed-off-by: Lizhi Hou <[email protected]>
Reviewed-by: Mario Limonciello (AMD) <[email protected]>
--- drivers/accel/amdxdna/aie2_ctx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c index 5511ab2ef242..c4a58c00e442 100644 --- a/drivers/accel/amdxdna/aie2_ctx.c +++ b/drivers/accel/amdxdna/aie2_ctx.c @@ -315,6 +315,9 @@ aie2_sched_job_run(struct drm_sched_job *sched_job) struct dma_fence *fence; int ret;+ if (hwctx->status != HWCTX_STAT_READY)+ return NULL; + if (!mmget_not_zero(job->mm)) return ERR_PTR(-ESRCH);@@ -705,7 +708,10 @@ void aie2_hwctx_fini(struct amdxdna_hwctx *hwctx)aie2_hwctx_wait_for_idle(hwctx);/* Request fw to destroy hwctx and cancel the rest pending requests */+ drm_sched_stop(&hwctx->priv->sched, NULL); aie2_release_resource(hwctx); + hwctx->status = HWCTX_STAT_STOP; + drm_sched_start(&hwctx->priv->sched, 0);mutex_unlock(&xdna->dev_lock);drm_sched_entity_destroy(&hwctx->priv->entity);
