Re: [PATCH V1] accel/amdxdna: Fix crash when destroying a suspended hardware context

From: Karol Wachowski

Date: Fri Feb 06 2026 - 01:53:07 EST


On 2/6/2026 7:03 AM, Lizhi Hou wrote:
> If userspace issues an ioctl to destroy a hardware context that has
> already been automatically suspended, the driver may crash because the
> mailbox channel pointer is NULL for the suspended context.
>
> Fix this by checking the mailbox channel pointer in aie2_destroy_context()
> before accessing it.
>
> Fixes: 97f27573837e ("accel/amdxdna: Fix potential NULL pointer dereference in context cleanup")
> Signed-off-by: Lizhi Hou <lizhi.hou@xxxxxxx>
> ---
> drivers/accel/amdxdna/aie2_message.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
> index 7d7dcfeaf794..ab1178850c47 100644
> --- a/drivers/accel/amdxdna/aie2_message.c
> +++ b/drivers/accel/amdxdna/aie2_message.c
> @@ -318,6 +318,9 @@ int aie2_destroy_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwc
> struct amdxdna_dev *xdna = ndev->xdna;
> int ret;
>
> + if (!hwctx->priv->mbox_chann)
> + return 0;
> +
> xdna_mailbox_stop_channel(hwctx->priv->mbox_chann);
> ret = aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
> xdna_mailbox_destroy_channel(hwctx->priv->mbox_chann);
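
Review bot: the new early return at the top of aie2_destroy_context() skips aie2_destroy_context_req(ndev, hwctx->fw_ctx_id) as well as the two mailbox calls, and neither the hunk nor the commit message says why returning 0 without sending the destroy request is correct for a suspended context. A short comment above `if (!hwctx->priv->mbox_chann)` would help. It should state that a suspended context has no mailbox channel and, if that is the case, that its firmware context was already released during suspend. The hunk also does not show what keeps mbox_chann stable between this check and the xdna_mailbox_stop_channel() call. If the caller holds a lock that serializes this path against auto-suspend, naming it in the comment or the commit message would make the fix easier to verify.
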
Reviewed-by: Karol Wachowski <karol.wachowski@xxxxxxxxxxxxxxx>