[PATCH V1] accel/amdxdna: Fix amdxdna_client lifetime race during device removal

Fri, 05 Jun 2026 10:54:11 -0700 

In amdxdna_remove(), all amdxdna_client structures are freed after
calling drm_dev_unplug(). However, drm_dev_unplug() does not force
existing file descriptors to be closed, so amdxdna_drm_close() may be
called after amdxdna_remove() has completed.

As a result, accessing client->pid for debug output in
amdxdna_drm_close() can lead to a use-after-free, since the access is
not protected by drm_dev_enter().

Fix this by decoupling hardware teardown from client cleanup.
amdxdna_remove() only performs hardware-related cleanup, while
per-client resources are released from amdxdna_drm_close() when the
corresponding file is closed.

Fixes: be462c97b7df ("accel/amdxdna: Add hardware context")
Signed-off-by: Lizhi Hou <[email protected]>
---
 drivers/accel/amdxdna/amdxdna_pci_drv.c | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c 
b/drivers/accel/amdxdna/amdxdna_pci_drv.c
index 65489bb3f2b0..953f4807c739 100644
--- a/drivers/accel/amdxdna/amdxdna_pci_drv.c
+++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c
@@ -174,18 +174,12 @@ static void amdxdna_drm_close(struct drm_device *ddev, 
struct drm_file *filp)
 {
        struct amdxdna_client *client = filp->driver_priv;
        struct amdxdna_dev *xdna = to_xdna_dev(ddev);
-       int idx;
 
        XDNA_DBG(xdna, "closing pid %d", client->pid);
 
-       if (!drm_dev_enter(&xdna->ddev, &idx))
-               return;
-
        mutex_lock(&xdna->dev_lock);
        amdxdna_client_cleanup(client);
        mutex_unlock(&xdna->dev_lock);
-
-       drm_dev_exit(idx);
 }
 
 static int amdxdna_drm_get_info_ioctl(struct drm_device *dev, void *data, 
struct drm_file *filp)
@@ -443,14 +437,8 @@ static void amdxdna_remove(struct pci_dev *pdev)
        amdxdna_sysfs_fini(xdna);
 
        mutex_lock(&xdna->dev_lock);
-       client = list_first_entry_or_null(&xdna->client_list,
-                                         struct amdxdna_client, node);
-       while (client) {
-               amdxdna_client_cleanup(client);
-
-               client = list_first_entry_or_null(&xdna->client_list,
-                                                 struct amdxdna_client, node);
-       }
+       list_for_each_entry(client, &xdna->client_list, node)
+               amdxdna_hwctx_remove_all(client);
 
        xdna->dev_info->ops->fini(xdna);
        mutex_unlock(&xdna->dev_lock);
-- 
2.34.1

Reply via email to