drivers/accel/amdxdna/amdxdna_pci_drv.c | 3 +++ drivers/accel/amdxdna/amdxdna_pci_drv.h | 1 + 2 files changed, 4 insertions(+)
Some tests trigger a crash in iommu_sva_unbind_device() due to
accessing iommu_mm after the associated mm structure has been
freed.
Fix this by taking an explicit reference to the mm structure
after successfully binding the device, and releasing it only
after the device is unbound. This ensures the mm remains valid
for the entire SVA bind/unbind lifetime.
Fixes: be462c97b7df ("accel/amdxdna: Add hardware context")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
drivers/accel/amdxdna/amdxdna_pci_drv.c | 3 +++
drivers/accel/amdxdna/amdxdna_pci_drv.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c b/drivers/accel/amdxdna/amdxdna_pci_drv.c
index 45f5c12fc67f..fdefd9ec2066 100644
--- a/drivers/accel/amdxdna/amdxdna_pci_drv.c
+++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c
@@ -82,6 +82,8 @@ static int amdxdna_drm_open(struct drm_device *ddev, struct drm_file *filp)
ret = -ENODEV;
goto unbind_sva;
}
+ client->mm = current->mm;
+ mmgrab(client->mm);
init_srcu_struct(&client->hwctx_srcu);
xa_init_flags(&client->hwctx_xa, XA_FLAGS_ALLOC);
mutex_init(&client->mm_lock);
@@ -116,6 +118,7 @@ static void amdxdna_client_cleanup(struct amdxdna_client *client)
drm_gem_object_put(to_gobj(client->dev_heap));
iommu_sva_unbind_device(client->sva);
+ mmdrop(client->mm);
kfree(client);
}
diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.h b/drivers/accel/amdxdna/amdxdna_pci_drv.h
index 6580cb5ec7e2..f08406b8fdf9 100644
--- a/drivers/accel/amdxdna/amdxdna_pci_drv.h
+++ b/drivers/accel/amdxdna/amdxdna_pci_drv.h
@@ -130,6 +130,7 @@ struct amdxdna_client {
struct iommu_sva *sva;
int pasid;
+ struct mm_struct *mm;
};
#define amdxdna_for_each_hwctx(client, hwctx_id, entry) \
--
2.34.1On 1/27/26 6:23 PM, Lizhi Hou wrote:
> Some tests trigger a crash in iommu_sva_unbind_device() due to
> accessing iommu_mm after the associated mm structure has been
> freed.
>
> Fix this by taking an explicit reference to the mm structure
> after successfully binding the device, and releasing it only
> after the device is unbound. This ensures the mm remains valid
> for the entire SVA bind/unbind lifetime.
>
> Fixes: be462c97b7df ("accel/amdxdna: Add hardware context")
> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
> drivers/accel/amdxdna/amdxdna_pci_drv.c | 3 +++
> drivers/accel/amdxdna/amdxdna_pci_drv.h | 1 +
> 2 files changed, 4 insertions(+)
>
> diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c b/drivers/accel/amdxdna/amdxdna_pci_drv.c
> index 45f5c12fc67f..fdefd9ec2066 100644
> --- a/drivers/accel/amdxdna/amdxdna_pci_drv.c
> +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c
> @@ -82,6 +82,8 @@ static int amdxdna_drm_open(struct drm_device *ddev, struct drm_file *filp)
> ret = -ENODEV;
> goto unbind_sva;
> }
> + client->mm = current->mm;
> + mmgrab(client->mm);
> init_srcu_struct(&client->hwctx_srcu);
> xa_init_flags(&client->hwctx_xa, XA_FLAGS_ALLOC);
> mutex_init(&client->mm_lock);
> @@ -116,6 +118,7 @@ static void amdxdna_client_cleanup(struct amdxdna_client *client)
> drm_gem_object_put(to_gobj(client->dev_heap));
>
> iommu_sva_unbind_device(client->sva);
> + mmdrop(client->mm);
>
> kfree(client);
> }
> diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.h b/drivers/accel/amdxdna/amdxdna_pci_drv.h
> index 6580cb5ec7e2..f08406b8fdf9 100644
> --- a/drivers/accel/amdxdna/amdxdna_pci_drv.h
> +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.h
> @@ -130,6 +130,7 @@ struct amdxdna_client {
>
> struct iommu_sva *sva;
> int pasid;
> + struct mm_struct *mm;
> };
>
> #define amdxdna_for_each_hwctx(client, hwctx_id, entry) \
Applied to drm-misc-next-fixes
On 1/30/26 11:39, Mario Limonciello wrote:
> On 1/27/26 6:23 PM, Lizhi Hou wrote:
>> Some tests trigger a crash in iommu_sva_unbind_device() due to
>> accessing iommu_mm after the associated mm structure has been
>> freed.
>>
>> Fix this by taking an explicit reference to the mm structure
>> after successfully binding the device, and releasing it only
>> after the device is unbound. This ensures the mm remains valid
>> for the entire SVA bind/unbind lifetime.
>>
>> Fixes: be462c97b7df ("accel/amdxdna: Add hardware context")
>> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
> Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
>> ---
>> drivers/accel/amdxdna/amdxdna_pci_drv.c | 3 +++
>> drivers/accel/amdxdna/amdxdna_pci_drv.h | 1 +
>> 2 files changed, 4 insertions(+)
>>
>> diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c
>> b/drivers/accel/amdxdna/amdxdna_pci_drv.c
>> index 45f5c12fc67f..fdefd9ec2066 100644
>> --- a/drivers/accel/amdxdna/amdxdna_pci_drv.c
>> +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c
>> @@ -82,6 +82,8 @@ static int amdxdna_drm_open(struct drm_device
>> *ddev, struct drm_file *filp)
>> ret = -ENODEV;
>> goto unbind_sva;
>> }
>> + client->mm = current->mm;
>> + mmgrab(client->mm);
>> init_srcu_struct(&client->hwctx_srcu);
>> xa_init_flags(&client->hwctx_xa, XA_FLAGS_ALLOC);
>> mutex_init(&client->mm_lock);
>> @@ -116,6 +118,7 @@ static void amdxdna_client_cleanup(struct
>> amdxdna_client *client)
>> drm_gem_object_put(to_gobj(client->dev_heap));
>> iommu_sva_unbind_device(client->sva);
>> + mmdrop(client->mm);
>> kfree(client);
>> }
>> diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.h
>> b/drivers/accel/amdxdna/amdxdna_pci_drv.h
>> index 6580cb5ec7e2..f08406b8fdf9 100644
>> --- a/drivers/accel/amdxdna/amdxdna_pci_drv.h
>> +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.h
>> @@ -130,6 +130,7 @@ struct amdxdna_client {
>> struct iommu_sva *sva;
>> int pasid;
>> + struct mm_struct *mm;
>> };
>> #define amdxdna_for_each_hwctx(client, hwctx_id, entry) \
>
© 2016 - 2026 Red Hat, Inc.