public inbox for drm-ai-reviews@public-inbox.freedesktop.org
From: Dawei Feng <dawei.feng@seu.edu.cn>
To: alexander.deucher@amd.com
Cc: christian.koenig@amd.com, airlied@gmail.com, simona@ffwll.ch,
	amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, jianhao.xu@seu.edu.cn,
	Dawei Feng <dawei.feng@seu.edu.cn>,
	stable@vger.kernel.org, Zilin Guan <zilin@seu.edu.cn>
Subject: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
Date: Fri, 22 May 2026 11:32:54 +0800
Message-ID: <20260522033254.3602281-1-dawei.feng@seu.edu.cn>

radeon_ring_backup() internally allocates ring_data buffers using
kvmalloc_array(), which may use vmalloc() for large allocations. Using
kfree() to release vmalloc-backed ring_data buffers in
radeon_gpu_reset() will lead to memory corruption.

Use kvfree() to safely handle both kmalloc and vmalloc allocations.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.

Runtime validation was not attempted because a targeted reproducer for
this GPU reset error path was not available. Compile-tested only.

Fixes: 2098105ec65c ("drm: drop drm_[cm]alloc* helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index 705c012fcf9e..1f0f0d0eb673 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1800,7 +1800,7 @@ int radeon_gpu_reset(struct radeon_device *rdev)
 					    ring_sizes[i], ring_data[i]);
 		} else {
 			radeon_fence_driver_force_completion(rdev, i);
-			kfree(ring_data[i]);
+			kvfree(ring_data[i]);
 		}
 	}
 
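Review bot: the other arm of this if/else, the call ending in "ring_sizes[i], ring_data[i]);", receives the same ring_data[i] buffer, and neither the hunk nor the commit message says how that path releases it. Since the commit message states the buffer comes from kvmalloc_array() in radeon_ring_backup(), please confirm in the message that the callee on that path frees it with kvfree(), or convert it in this patch, so that every consumer of ring_data[i] matches the allocator. With the change compile-tested only, it would also help to note that the kfree() mismatch is only reachable when the allocation falls back to vmalloc(), which tells stable maintainers which ring sizes are affected.
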
-- 
2.34.1


Thread overview: 4+ messages
2026-05-22  3:32 Dawei Feng [this message]
2026-05-22  7:37 ` [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset Christian König
2026-05-25  9:20   ` Claude review: " Claude Code Review Bot
2026-05-25  9:20   ` Claude Code Review Bot
