* [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
@ 2026-05-22 3:32 Dawei Feng
2026-05-22 7:37 ` Christian König
0 siblings, 1 reply; 4+ messages in thread
From: Dawei Feng @ 2026-05-22 3:32 UTC (permalink / raw)
To: alexander.deucher
Cc: christian.koenig, airlied, simona, amd-gfx, dri-devel,
linux-kernel, jianhao.xu, Dawei Feng, stable, Zilin Guan
radeon_ring_backup() internally allocates ring_data buffers using
kvmalloc_array(), which may use vmalloc() for large allocations. Using
kfree() to release vmalloc-backed ring_data buffers in
radeon_gpu_reset() will lead to memory corruption.
Use kvfree() to safely handle both kmalloc and vmalloc allocations.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.
Runtime validation was not attempted because a targeted reproducer for
this GPU reset error path was not available. Compile-tested only.
Fixes: 2098105ec65c ("drm: drop drm_[cm]alloc* helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
drivers/gpu/drm/radeon/radeon_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index 705c012fcf9e..1f0f0d0eb673 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1800,7 +1800,7 @@ int radeon_gpu_reset(struct radeon_device *rdev)
ring_sizes[i], ring_data[i]);
} else {
radeon_fence_driver_force_completion(rdev, i);
- kfree(ring_data[i]);
+ kvfree(ring_data[i]);
}
}
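Review bot: the changelog does not say how the if branch releases the same buffer. The context line `ring_sizes[i], ring_data[i]);` hands `ring_data[i]` to a callee, and only the else branch frees it locally, now with `kvfree(ring_data[i]);`. Consider adding one sentence to the commit message naming the free that the callee uses, so readers of the stable backport can see that this was the only mismatched free for buffers coming from radeon_ring_backup().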
--
2.34.1
* Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
2026-05-22 3:32 [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset Dawei Feng
@ 2026-05-22 7:37 ` Christian König
2026-05-25 9:20 ` Claude review: " Claude Code Review Bot
2026-05-25 9:20 ` Claude Code Review Bot
0 siblings, 2 replies; 4+ messages in thread
From: Christian König @ 2026-05-22 7:37 UTC (permalink / raw)
To: Dawei Feng, alexander.deucher
Cc: airlied, simona, amd-gfx, dri-devel, linux-kernel, jianhao.xu,
stable, Zilin Guan
On 5/22/26 05:32, Dawei Feng wrote:
> radeon_ring_backup() internally allocates ring_data buffers using
> kvmalloc_array(), which may use vmalloc() for large allocations. Using
> kfree() to release vmalloc-backed ring_data buffers in
> radeon_gpu_reset() will lead to memory corruption.
>
> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still
> present in v7.1-rc3.
>
> Runtime validation was not attempted because a targeted reproducer for
> this GPU reset error path was not available. Compile-tested only.
>
> Fixes: 2098105ec65c ("drm: drop drm_[cm]alloc* helpers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Good catch, Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
> drivers/gpu/drm/radeon/radeon_device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
> index 705c012fcf9e..1f0f0d0eb673 100644
> --- a/drivers/gpu/drm/radeon/radeon_device.c
> +++ b/drivers/gpu/drm/radeon/radeon_device.c
> @@ -1800,7 +1800,7 @@ int radeon_gpu_reset(struct radeon_device *rdev)
> ring_sizes[i], ring_data[i]);
> } else {
> radeon_fence_driver_force_completion(rdev, i);
> - kfree(ring_data[i]);
> + kvfree(ring_data[i]);
> }
> }
>
> --
> 2.34.1
>
* Claude review: Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
2026-05-22 7:37 ` Christian König
@ 2026-05-25 9:20 ` Claude Code Review Bot
2026-05-25 9:20 ` Claude Code Review Bot
1 sibling, 0 replies; 4+ messages in thread
From: Claude Code Review Bot @ 2026-05-25 9:20 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
Author: Christian König <christian.koenig@amd.com>
Patches: 2
Reviewed: 2026-05-25T19:20:34.793947
---
This is a single-patch fix for a real bug: **`kfree()` used on memory allocated with `kvmalloc_array()`**. The analysis is correct and the fix is appropriate.
In `radeon_ring_backup()` (`radeon_ring.c:325`), ring data is allocated via `kvmalloc_array()`, which may fall back to `vmalloc()` for large allocations. On the success path, `radeon_ring_restore()` already correctly uses `kvfree()` (lines 360, 369). However, on the error/fallback path in `radeon_gpu_reset()` (`radeon_device.c:1803`), `kfree()` is used instead, which would cause memory corruption if `vmalloc()` was the underlying allocator.
The fix is minimal, correct, and appropriate for stable backport. **Recommend: Accept.**
---
Generated by Claude Code Patch Reviewer
* Claude review: Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
2026-05-22 7:37 ` Christian König
2026-05-25 9:20 ` Claude review: " Claude Code Review Bot
@ 2026-05-25 9:20 ` Claude Code Review Bot
1 sibling, 0 replies; 4+ messages in thread
From: Claude Code Review Bot @ 2026-05-25 9:20 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Verdict: Correct fix, should be applied.**
The allocation in `radeon_ring_backup()`:
```c
*data = kvmalloc_array(size, sizeof(uint32_t), GFP_KERNEL);
```
The two free paths in `radeon_ring_restore()` already use `kvfree()`:
```c
kvfree(data); /* line 360, on ring lock failure */
kvfree(data); /* line 369, after successful restore */
```
But the error path in `radeon_gpu_reset()` uses the wrong free:
```c
} else {
	radeon_fence_driver_force_completion(rdev, i);
	kfree(ring_data[i]); /* BUG: should be kvfree() */
}
```
The fix correctly changes this to `kvfree(ring_data[i])`, which safely handles both `kmalloc` and `vmalloc` backed allocations.
**Minor nits on the commit message (non-blocking):**
- The Fixes tag references `2098105ec65c ("drm: drop drm_[cm]alloc* helpers")`. This is the commit that introduced `kvmalloc_array` in `radeon_ring_backup` but left the `kfree` in `radeon_gpu_reset`, so the Fixes tag is appropriate.
- The commit message is well-written and clearly explains the provenance of the bug and testing limitations.
- The dual Signed-off-by chain (Zilin Guan found, Dawei Feng sent) is fine.
**No other issues.** The patch is a one-line, obviously correct fix with a clear allocation/free mismatch. Good candidate for stable.
---
Generated by Claude Code Patch Reviewer
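The allocation/free mismatch discussed in this thread, as an added userspace model (not radeon or kernel code, and not part of any message above). Two disjoint arenas stand in for the kmalloc and vmalloc address ranges, and the wrong free is made visible as an error return rather than as the memory corruption the commit message describes. All `model_*` names, the arena sizes and the size threshold are assumptions; the real kvmalloc_array() tries kmalloc first and only then falls back to vmalloc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: two disjoint arenas stand in for the kmalloc and vmalloc ranges. */
#define SLAB_ARENA 4096u   /* assumed sizes, chosen for the demo */
#define VM_ARENA   65536u
#define SLAB_MAX   1024u   /* assumed threshold: larger requests use the "vmalloc" arena */
static unsigned char slab_arena[SLAB_ARENA], vm_arena[VM_ARENA];
static size_t slab_used, vm_used;
static int slab_live, vm_live;             /* outstanding allocations per arena */
static bool in_arena(const void *p, const unsigned char *base, size_t len) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && a < b + len;
}
static void *bump(unsigned char *base, size_t cap, size_t *used, int *live, size_t bytes) {
    bytes = (bytes + 15) & ~(size_t)15;    /* round up to 16 bytes; wraps to 0 on overflow */
    if (bytes == 0 || bytes > cap - *used) return NULL;
    void *p = base + *used;
    *used += bytes;
    (*live)++;
    return p;
}
void *model_kvmalloc_array(size_t n, size_t size) {
    if (size && n > SIZE_MAX / size) return NULL;      /* n * size would overflow */
    size_t bytes = n * size;
    void *p = bytes <= SLAB_MAX ? bump(slab_arena, SLAB_ARENA, &slab_used, &slab_live, bytes) : NULL;
    return p ? p : bump(vm_arena, VM_ARENA, &vm_used, &vm_live, bytes);
}
/* Shared free logic: 0 on success, -1 for a pointer the given arena does not own. */
static int free_from(const void *p, const unsigned char *base, size_t len, int *live) {
    if (!p) return 0;
    if (!in_arena(p, base, len)) return -1;            /* the mismatch in this thread */
    (*live)--;
    return 0;
}
int model_kfree(const void *p) { return free_from(p, slab_arena, SLAB_ARENA, &slab_live); }
int model_vfree(const void *p) { return free_from(p, vm_arena, VM_ARENA, &vm_live); }
/* kvfree(): dispatch on the owning range, as the kernel does with is_vmalloc_addr(). */
int model_kvfree(const void *p) {
    return in_arena(p, vm_arena, VM_ARENA) ? model_vfree(p) : model_kfree(p);
}
int model_live(void) { return slab_live + vm_live; }
int main(void) {
    void *big = model_kvmalloc_array(4096, sizeof(uint32_t)); /* 16 KiB, above SLAB_MAX */
    int wrong = model_kfree(big), right = model_kvfree(big);
    printf("kfree=%d kvfree=%d live=%d\n", wrong, right, model_live());
    return 0;
}
```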