On 2/6/2026 7:03 AM, Lizhi Hou wrote:
> If userspace issues an ioctl to destroy a hardware context that has
> already been automatically suspended, the driver may crash because the
> mailbox channel pointer is NULL for the suspended context.
>
> Fix this by checking the mailbox channel pointer in aie2_destroy_context()
> before accessing it.
>
> Fixes: 97f27573837e ("accel/amdxdna: Fix potential NULL pointer dereference
> in context cleanup")
> Signed-off-by: Lizhi Hou <[email protected]>
> ---
> drivers/accel/amdxdna/aie2_message.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/accel/amdxdna/aie2_message.c
> b/drivers/accel/amdxdna/aie2_message.c
> index 7d7dcfeaf794..ab1178850c47 100644
> --- a/drivers/accel/amdxdna/aie2_message.c
> +++ b/drivers/accel/amdxdna/aie2_message.c
> @@ -318,6 +318,9 @@ int aie2_destroy_context(struct amdxdna_dev_hdl *ndev,
> struct amdxdna_hwctx *hwc
> struct amdxdna_dev *xdna = ndev->xdna;
> int ret;
>
> + if (!hwctx->priv->mbox_chann)
> + return 0;
> +
> xdna_mailbox_stop_channel(hwctx->priv->mbox_chann);
> ret = aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
> xdna_mailbox_destroy_channel(hwctx->priv->mbox_chann);
Reviewed-by: Karol Wachowski <[email protected]>
