accel/amdxdna: Remove drv_cmd tracing from job free callback

aie2_sched_job_free() accesses job->drv_cmd for tracing purposes. However,
job->drv_cmd is owned by the caller and may already have been freed when
the job free callback runs, leading to a potential use-after-free.

Remove the job->drv_cmd access from aie2_sched_job_free().

Fixes: 8711eb2dde2e ("accel/amdxdna: Improve tracing for job lifecycle and mailbox RX worker")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260529152837.1973405-1-lizhi.hou@amd.com

diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c
index 658a5fb1fda69821a1ca4d526a2609842f75a805..2ad343728782b1693a0aff738b70adccf92224fe 100644 (file)
--- a/drivers/accel/amdxdna/aie2_ctx.c
+++ b/drivers/accel/amdxdna/aie2_ctx.c
@@ -437,8 +437,9 @@ static void aie2_sched_job_free(struct drm_sched_job *sched_job)
        struct amdxdna_sched_job *job = drm_job_to_xdna_job(sched_job);
        struct amdxdna_hwctx *hwctx = job->hwctx;
 
+       /* job->drv_cmd could be freed, so use DEFAULT_IO */
        trace_xdna_job(sched_job, hwctx->name, "job free",
-                      job->seq, job->drv_cmd ? job->drv_cmd->opcode : DEFAULT_IO);
+                      job->seq, DEFAULT_IO);
        if (!job->job_done)
                up(&hwctx->priv->job_sem);