From: Christian König <christian.koenig@amd.com>
To: Dawei Feng <dawei.feng@seu.edu.cn>, alexander.deucher@amd.com
Cc: airlied@gmail.com, simona@ffwll.ch,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, jianhao.xu@seu.edu.cn,
stable@vger.kernel.org, Zilin Guan <zilin@seu.edu.cn>
Subject: Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
Date: Fri, 22 May 2026 09:37:00 +0200 [thread overview]
Message-ID: <b2d8b281-a8e3-43a7-a4a8-b112526070e2@amd.com> (raw)
In-Reply-To: <20260522033254.3602281-1-dawei.feng@seu.edu.cn>
On 5/22/26 05:32, Dawei Feng wrote:
> radeon_ring_backup() internally allocates ring_data buffers using
> kvmalloc_array(), which may use vmalloc() for large allocations. Using
> kfree() to release vmalloc-backed ring_data buffers in
> radeon_gpu_reset() will lead to memory corruption.
>
> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still
> present in v7.1-rc3.
>
> Runtime validation was not attempted because a targeted reproducer for
> this GPU reset error path was not available. Compile-tested only.
>
> Fixes: 2098105ec65c ("drm: drop drm_[cm]alloc* helpers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Good catch, Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
> drivers/gpu/drm/radeon/radeon_device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
> index 705c012fcf9e..1f0f0d0eb673 100644
> --- a/drivers/gpu/drm/radeon/radeon_device.c
> +++ b/drivers/gpu/drm/radeon/radeon_device.c
> @@ -1800,7 +1800,7 @@ int radeon_gpu_reset(struct radeon_device *rdev)
> ring_sizes[i], ring_data[i]);
> } else {
> radeon_fence_driver_force_completion(rdev, i);
> - kfree(ring_data[i]);
> + kvfree(ring_data[i]);
> }
> }
>
> --
> 2.34.1
>
next prev parent reply other threads:[~2026-05-22 7:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 3:32 [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset Dawei Feng
2026-05-22 7:37 ` Christian König [this message]
2026-05-25 9:20 ` Claude review: " Claude Code Review Bot
2026-05-25 9:20 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b2d8b281-a8e3-43a7-a4a8-b112526070e2@amd.com \
--to=christian.koenig@amd.com \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=dawei.feng@seu.edu.cn \
--cc=dri-devel@lists.freedesktop.org \
--cc=jianhao.xu@seu.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=simona@ffwll.ch \
--cc=stable@vger.kernel.org \
--cc=zilin@seu.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox