VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2025-71308

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix potential NULL pointer dereference in context cleanup

aie_destroy_context() is invoked during error handling in aie2_create_context(). However, aie_destroy_context() assumes that the context's mailbox channel pointer is non-NULL. If mailbox channel creation fails, the pointer remains NULL and calling aie_destroy_context() can lead to a NULL pointer dereference.

In aie2_create_context(), replace aie_destroy_context() with a function which requests firmware to remove the context created previously.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a NULL pointer dereference may occur in the accel/amdxdna driver when aie2_destroy_context() is called during error handling after a mailbox channel creation failure.

Vulnerability

A NULL pointer dereference vulnerability exists in the accel/amdxdna driver in the Linux kernel. In aie2_create_context(), if mailbox channel creation fails, the context's mailbox channel pointer remains NULL. The error path then invokes aie2_destroy_context(), which dereferences that NULL pointer and can crash the kernel. Affected versions include Linux kernel versions prior to the fix commit [1].

Exploitation

An attacker would need to trigger an error condition during aie2_create_context() such that mailbox channel creation fails, so that the subsequent error path calls aie2_destroy_context(). This requires either local access to the system or the ability to influence the driver's operations. The exact sequence of steps to cause this error is not detailed in the available references.

Impact

Successful exploitation results in a NULL pointer dereference, causing a kernel oops or crash (denial of service). There is no indication of privilege escalation or data disclosure.

Mitigation

The fix is implemented in commit 97f27573837e in the Linux kernel stable tree [1]. Users should update to a kernel version containing this commit. No workaround is provided in the available references. The vulnerability is not listed on CISA KEV.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 4
2611c9616cb5

accel/amdxdna: Fix potential NULL pointer dereference in context cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lizhi Hou · Dec 12, 2025 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +26 −25
  • drivers/accel/amdxdna/aie2_message.c · +26 −25 · modified
    diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
    index e64dc3152c8841..9e55e66830eadd 100644
    --- a/drivers/accel/amdxdna/aie2_message.c
    +++ b/drivers/accel/amdxdna/aie2_message.c
    @@ -185,6 +185,19 @@ int aie2_query_firmware_version(struct amdxdna_dev_hdl *ndev,
     	return 0;
     }
     
    +static int aie2_destroy_context_req(struct amdxdna_dev_hdl *ndev, u32 id)
    +{
    +	DECLARE_AIE2_MSG(destroy_ctx, MSG_OP_DESTROY_CONTEXT);
    +	struct amdxdna_dev *xdna = ndev->xdna;
    +	int ret;
    +
    +	req.context_id = id;
    +	ret = aie2_send_mgmt_msg_wait(ndev, &msg);
    +	if (ret)
    +		XDNA_WARN(xdna, "Destroy context failed, ret %d", ret);
    +
    +	return ret;
    +}
     int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwctx)
     {
     	DECLARE_AIE2_MSG(create_ctx, MSG_OP_CREATE_CONTEXT);
    @@ -207,13 +220,14 @@ int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwct
     		return ret;
     
     	hwctx->fw_ctx_id = resp.context_id;
    -	WARN_ONCE(hwctx->fw_ctx_id == -1, "Unexpected context id");
    +	if (WARN_ON_ONCE(hwctx->fw_ctx_id == -1))
    +		return -EINVAL;
     
     	if (ndev->force_preempt_enabled) {
     		ret = aie2_runtime_cfg(ndev, AIE2_RT_CFG_FORCE_PREEMPT, &hwctx->fw_ctx_id);
     		if (ret) {
     			XDNA_ERR(xdna, "failed to enable force preempt %d", ret);
    -			return ret;
    +			goto del_ctx_req;
     		}
     	}
     
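Review bot: Beyond the WARN_ONCE change, this hunk changes behaviour on the force-preempt failure path: the old `return ret;` left the just-created firmware context alive, while the new `goto del_ctx_req;` sends a destroy request for it. That is the right fix, but the commit message only describes the NULL dereference, so the leak fix deserves a sentence there. The new `return -EINVAL` on `fw_ctx_id == -1` returns without any destroy request, which is consistent because -1 is not an id that firmware handed out.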
    @@ -230,51 +244,39 @@ int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwct
     
     	ret = pci_irq_vector(to_pci_dev(xdna->ddev.dev), resp.msix_id);
     	if (ret == -EINVAL) {
    -		XDNA_ERR(xdna, "not able to create channel");
    -		goto out_destroy_context;
    +		XDNA_ERR(xdna, "Alloc IRQ failed %d", ret);
    +		goto del_ctx_req;
     	}
     
     	intr_reg = i2x.mb_head_ptr_reg + 4;
     	hwctx->priv->mbox_chann = xdna_mailbox_create_channel(ndev->mbox, &x2i, &i2x,
     							      intr_reg, ret);
     	if (!hwctx->priv->mbox_chann) {
    -		XDNA_ERR(xdna, "not able to create channel");
    +		XDNA_ERR(xdna, "Not able to create channel");
     		ret = -EINVAL;
    -		goto out_destroy_context;
    +		goto del_ctx_req;
     	}
     	ndev->hwctx_num++;
     
    -	XDNA_DBG(xdna, "%s mailbox channel irq: %d, msix_id: %d",
    -		 hwctx->name, ret, resp.msix_id);
    -	XDNA_DBG(xdna, "%s created fw ctx %d pasid %d", hwctx->name,
    -		 hwctx->fw_ctx_id, hwctx->client->pasid);
    +	XDNA_DBG(xdna, "Mailbox channel irq: %d, msix_id: %d", ret, resp.msix_id);
    +	XDNA_DBG(xdna, "Created fw ctx %d pasid %d", hwctx->fw_ctx_id, hwctx->client->pasid);
     
     	return 0;
     
    -out_destroy_context:
    -	aie2_destroy_context(ndev, hwctx);
    +del_ctx_req:
    +	aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
     	return ret;
     }
     
     int aie2_destroy_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwctx)
     {
    -	DECLARE_AIE2_MSG(destroy_ctx, MSG_OP_DESTROY_CONTEXT);
     	struct amdxdna_dev *xdna = ndev->xdna;
     	int ret;
     
    -	if (hwctx->fw_ctx_id == -1)
    -		return 0;
    -
     	xdna_mailbox_stop_channel(hwctx->priv->mbox_chann);
    -
    -	req.context_id = hwctx->fw_ctx_id;
    -	ret = aie2_send_mgmt_msg_wait(ndev, &msg);
    -	if (ret)
    -		XDNA_WARN(xdna, "%s destroy context failed, ret %d", hwctx->name, ret);
    -
    +	ret = aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
     	xdna_mailbox_destroy_channel(hwctx->priv->mbox_chann);
    -	XDNA_DBG(xdna, "%s destroyed fw ctx %d", hwctx->name,
    -		 hwctx->fw_ctx_id);
    +	XDNA_DBG(xdna, "Destroyed fw ctx %d", hwctx->fw_ctx_id);
     	hwctx->priv->mbox_chann = NULL;
     	hwctx->fw_ctx_id = -1;
     	ndev->hwctx_num--;
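Review bot: Two points in the del_ctx_req path: it calls aie2_destroy_context_req(ndev, hwctx->fw_ctx_id) but does not reset hwctx->fw_ctx_id to -1 afterwards, unlike aie2_destroy_context(), so a later teardown of the same hwctx could re-send a destroy request with a stale id; and the helper's return value is dropped, which is acceptable since `ret` already carries the original error. Separately, removing the `if (hwctx->fw_ctx_id == -1) return 0;` guard from aie2_destroy_context() means that function now unconditionally stops the channel and sends a destroy request, which is safe only if every remaining caller invokes it for fully created contexts; that should be confirmed across the driver, since this hunk only shows this file.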
    -- 
    cgit 1.3-korg
    
    
    
97f27573837e

accel/amdxdna: Fix potential NULL pointer dereference in context cleanup

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lizhi Hou · Dec 12, 2025 · Fixed in 7.0 · via kernel-cna
1 file changed · +26 −25
  • drivers/accel/amdxdna/aie2_message.c · +26 −25 · modified
    diff --git a/drivers/accel/amdxdna/aie2_message.c b/drivers/accel/amdxdna/aie2_message.c
    index 03b75757a6e6e0..9ec97302822121 100644
    --- a/drivers/accel/amdxdna/aie2_message.c
    +++ b/drivers/accel/amdxdna/aie2_message.c
    @@ -192,6 +192,19 @@ int aie2_query_firmware_version(struct amdxdna_dev_hdl *ndev,
     	return 0;
     }
     
    +static int aie2_destroy_context_req(struct amdxdna_dev_hdl *ndev, u32 id)
    +{
    +	DECLARE_AIE2_MSG(destroy_ctx, MSG_OP_DESTROY_CONTEXT);
    +	struct amdxdna_dev *xdna = ndev->xdna;
    +	int ret;
    +
    +	req.context_id = id;
    +	ret = aie2_send_mgmt_msg_wait(ndev, &msg);
    +	if (ret)
    +		XDNA_WARN(xdna, "Destroy context failed, ret %d", ret);
    +
    +	return ret;
    +}
     int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwctx)
     {
     	DECLARE_AIE2_MSG(create_ctx, MSG_OP_CREATE_CONTEXT);
    @@ -214,13 +227,14 @@ int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwct
     		return ret;
     
     	hwctx->fw_ctx_id = resp.context_id;
    -	WARN_ONCE(hwctx->fw_ctx_id == -1, "Unexpected context id");
    +	if (WARN_ON_ONCE(hwctx->fw_ctx_id == -1))
    +		return -EINVAL;
     
     	if (ndev->force_preempt_enabled) {
     		ret = aie2_runtime_cfg(ndev, AIE2_RT_CFG_FORCE_PREEMPT, &hwctx->fw_ctx_id);
     		if (ret) {
     			XDNA_ERR(xdna, "failed to enable force preempt %d", ret);
    -			return ret;
    +			goto del_ctx_req;
     		}
     	}
     
    @@ -237,51 +251,39 @@ int aie2_create_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwct
     
     	ret = pci_irq_vector(to_pci_dev(xdna->ddev.dev), resp.msix_id);
     	if (ret == -EINVAL) {
    -		XDNA_ERR(xdna, "not able to create channel");
    -		goto out_destroy_context;
    +		XDNA_ERR(xdna, "Alloc IRQ failed %d", ret);
    +		goto del_ctx_req;
     	}
     
     	intr_reg = i2x.mb_head_ptr_reg + 4;
     	hwctx->priv->mbox_chann = xdna_mailbox_create_channel(ndev->mbox, &x2i, &i2x,
     							      intr_reg, ret);
     	if (!hwctx->priv->mbox_chann) {
    -		XDNA_ERR(xdna, "not able to create channel");
    +		XDNA_ERR(xdna, "Not able to create channel");
     		ret = -EINVAL;
    -		goto out_destroy_context;
    +		goto del_ctx_req;
     	}
     	ndev->hwctx_num++;
     
    -	XDNA_DBG(xdna, "%s mailbox channel irq: %d, msix_id: %d",
    -		 hwctx->name, ret, resp.msix_id);
    -	XDNA_DBG(xdna, "%s created fw ctx %d pasid %d", hwctx->name,
    -		 hwctx->fw_ctx_id, hwctx->client->pasid);
    +	XDNA_DBG(xdna, "Mailbox channel irq: %d, msix_id: %d", ret, resp.msix_id);
    +	XDNA_DBG(xdna, "Created fw ctx %d pasid %d", hwctx->fw_ctx_id, hwctx->client->pasid);
     
     	return 0;
     
    -out_destroy_context:
    -	aie2_destroy_context(ndev, hwctx);
    +del_ctx_req:
    +	aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
     	return ret;
     }
     
     int aie2_destroy_context(struct amdxdna_dev_hdl *ndev, struct amdxdna_hwctx *hwctx)
     {
    -	DECLARE_AIE2_MSG(destroy_ctx, MSG_OP_DESTROY_CONTEXT);
     	struct amdxdna_dev *xdna = ndev->xdna;
     	int ret;
     
    -	if (hwctx->fw_ctx_id == -1)
    -		return 0;
    -
     	xdna_mailbox_stop_channel(hwctx->priv->mbox_chann);
    -
    -	req.context_id = hwctx->fw_ctx_id;
    -	ret = aie2_send_mgmt_msg_wait(ndev, &msg);
    -	if (ret)
    -		XDNA_WARN(xdna, "%s destroy context failed, ret %d", hwctx->name, ret);
    -
    +	ret = aie2_destroy_context_req(ndev, hwctx->fw_ctx_id);
     	xdna_mailbox_destroy_channel(hwctx->priv->mbox_chann);
    -	XDNA_DBG(xdna, "%s destroyed fw ctx %d", hwctx->name,
    -		 hwctx->fw_ctx_id);
    +	XDNA_DBG(xdna, "Destroyed fw ctx %d", hwctx->fw_ctx_id);
     	hwctx->priv->mbox_chann = NULL;
     	hwctx->fw_ctx_id = -1;
     	ndev->hwctx_num--;
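Review bot: Apart from the blob ids in the index line and the line offsets in the @@ headers, these three hunks are identical to those of 2611c9616cb5 above, so the same review comments apply: the missing blank line after the new helper, the undocumented leak fix on the force-preempt path, the stale fw_ctx_id left behind by del_ctx_req, and the guard removed from aie2_destroy_context(). Nothing differs in substance between the 7.0 and 6.19.4 versions.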
    -- 

Vulnerability mechanics

Root cause

"Missing NULL-pointer check before dereferencing the mailbox channel pointer in aie2_destroy_context() during error handling in aie2_create_context()."

Attack vector

An attacker who can trigger a failure in mailbox channel creation (e.g., by causing xdna_mailbox_create_channel() to return NULL) will cause aie2_create_context() to jump to the error label out_destroy_context, which calls aie2_destroy_context(). That function unconditionally calls xdna_mailbox_stop_channel(hwctx->priv->mbox_chann) without checking whether the pointer is NULL, leading to a NULL pointer dereference. The precondition is that the attacker can influence the device state such that mailbox channel allocation fails while a firmware context ID has already been assigned.

Affected code

The vulnerable code is in drivers/accel/amdxdna/aie2_message.c, in the functions aie2_create_context() and aie2_destroy_context(). The error label out_destroy_context in aie2_create_context() called aie2_destroy_context(), which unconditionally dereferenced hwctx->priv->mbox_chann via xdna_mailbox_stop_channel().

What the fix does

The patch introduces a new helper, aie2_destroy_context_req(), which only sends the firmware message that destroys the context and never touches the mailbox channel pointer. In aie2_create_context(), the error paths that previously jumped to out_destroy_context (which called aie2_destroy_context()) now jump to del_ctx_req, which calls only aie2_destroy_context_req(); the force-preempt failure path, which previously returned without any cleanup, now takes the same label. This avoids the NULL dereference because the new helper does not call xdna_mailbox_stop_channel() or xdna_mailbox_destroy_channel(). The patch also replaces the WARN_ONCE on fw_ctx_id == -1 in aie2_create_context() with a WARN_ON_ONCE followed by an explicit -EINVAL return, so an invalid context ID never reaches the later steps, and drops the corresponding early return from aie2_destroy_context(), which now calls the shared helper itself.
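To make the shape of the fix concrete, here is an added example, not driver code and not from the patch author: a constructed C model of the context lifecycle in which "firmware" is a slot table and the mailbox channel is a heap object. All model_* names, the MODEL_FW_MAX_CTX constant, the irq field and the sample values are hypothetical. model_create_context() can run its error path in the pre-fix shape (full teardown that stops the channel first) or the post-fix shape (firmware destroy request only); instead of oopsing, the model counts the NULL dereference the old path performs, and model_fw_contexts_in_use() checks that neither path leaks the firmware context.

```c
#include <errno.h>
#include <stdlib.h>

/* Added example, not amdxdna driver code: a constructed model of the context
 * creation error path. "Firmware" is a table of context slots; the host side
 * mirrors hwctx->fw_ctx_id and hwctx->priv->mbox_chann. model_* is hypothetical. */
#define MODEL_FW_MAX_CTX 4

static int model_fw_ctx_in_use[MODEL_FW_MAX_CTX]; /* 1 = slot held by a context */
static int model_fail_channel;                     /* 1 = channel creation returns NULL */
static int model_null_deref_faults;                /* NULL derefs the model intercepted */

struct model_mbox_chann { int irq; };
struct model_hwctx {
	int fw_ctx_id;                       /* -1 = no firmware context */
	struct model_mbox_chann *mbox_chann; /* NULL = no mailbox channel */
};

/* Firmware side: hand out the first free slot, or -1 when the table is full. */
static int model_fw_create_context(void)
{
	for (int i = 0; i < MODEL_FW_MAX_CTX; i++) {
		if (!model_fw_ctx_in_use[i]) {
			model_fw_ctx_in_use[i] = 1;
			return i;
		}
	}
	return -1;
}

/* Counterpart of the patch's aie2_destroy_context_req(): talks to firmware only. */
static int model_destroy_context_req(unsigned int id)
{
	if (id >= MODEL_FW_MAX_CTX || !model_fw_ctx_in_use[id])
		return -EINVAL;
	model_fw_ctx_in_use[id] = 0;
	return 0;
}

static struct model_mbox_chann *model_mailbox_create_channel(int irq)
{
	struct model_mbox_chann *c = model_fail_channel ? NULL : malloc(sizeof(*c));
	if (c)
		c->irq = irq;
	return c;
}

/* Like xdna_mailbox_stop_channel(), this dereferences its argument; in the
 * kernel a NULL here is an oops, the model only counts it. */
static void model_mailbox_stop_channel(struct model_mbox_chann *c)
{
	if (!c) {
		model_null_deref_faults++;
		return;
	}
	c->irq = -1;
}

/* Channel creation fails after firmware has handed out a context id. fixed=0
 * mirrors the old out_destroy_context path (full teardown, which stops the
 * channel before asking firmware); fixed=1 mirrors the new del_ctx_req path. */
static int model_create_context(struct model_hwctx *h, int irq, int fixed)
{
	h->fw_ctx_id = model_fw_create_context();
	if (h->fw_ctx_id == -1)
		return -EINVAL;
	h->mbox_chann = model_mailbox_create_channel(irq);
	if (h->mbox_chann)
		return 0;
	if (!fixed)
		model_mailbox_stop_channel(h->mbox_chann); /* NULL: would oops */
	model_destroy_context_req((unsigned int)h->fw_ctx_id);
	h->fw_ctx_id = -1; /* back to the "never created" state */
	return -EINVAL;
}

/* Firmware slots still held: the leak check for the error path. */
static int model_fw_contexts_in_use(void)
{
	int n = 0;
	for (int i = 0; i < MODEL_FW_MAX_CTX; i++)
		n += model_fw_ctx_in_use[i];
	return n;
}

/* Run one create whose channel step fails; returns the number of NULL
 * dereferences the model intercepted (0 is the only acceptable answer). */
static int model_run_failed_create(int fixed)
{
	struct model_hwctx h = { -1, NULL };
	for (int i = 0; i < MODEL_FW_MAX_CTX; i++)
		model_fw_ctx_in_use[i] = 0;
	model_fail_channel = 1;
	model_null_deref_faults = 0;
	model_create_context(&h, 5, fixed);
	return model_null_deref_faults;
}
```

With any C99 compiler, model_run_failed_create(0) reports one intercepted NULL dereference and model_run_failed_create(1) reports none, with zero firmware slots left allocated in both cases. The point worth carrying to other drivers is structural: a teardown routine written for fully constructed objects (here, one that assumes a live channel) should not be reused as the constructor's error path; the error path should undo only the steps that have actually completed.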

Preconditions

  • Input: mailbox channel creation (xdna_mailbox_create_channel()) must fail, leaving hwctx->priv->mbox_chann NULL.
  • Input: a firmware context ID must already have been assigned (hwctx->fw_ctx_id != -1), so that the error path is reached after the firmware create-context step succeeded.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.