Re: [PATCH] drm/radeon: Use kvfree instead of kfree in radeon_gpu_reset
From: Christian König
Date: Fri May 22 2026 - 03:42:04 EST

On 5/22/26 05:32, Dawei Feng wrote:
> radeon_ring_backup() internally allocates ring_data buffers using
> kvmalloc_array(), which may use vmalloc() for large allocations. Using
> kfree() to release vmalloc-backed ring_data buffers in
> radeon_gpu_reset() will lead to memory corruption.
>
> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still
> present in v7.1-rc3.
>
> Runtime validation was not attempted because a targeted reproducer for
> this GPU reset error path was not available. Compile-tested only.
>
> Fixes: 2098105ec65c ("drm: drop drm_[cm]alloc* helpers")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
> Signed-off-by: Dawei Feng <dawei.feng@xxxxxxxxxx>

Good catch, Reviewed-by: Christian König <christian.koenig@xxxxxxx>

> ---
> drivers/gpu/drm/radeon/radeon_device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
> index 705c012fcf9e..1f0f0d0eb673 100644
> --- a/drivers/gpu/drm/radeon/radeon_device.c
> +++ b/drivers/gpu/drm/radeon/radeon_device.c
> @@ -1800,7 +1800,7 @@ int radeon_gpu_reset(struct radeon_device *rdev)
> ring_sizes[i], ring_data[i]);
> } else {
> radeon_fence_driver_force_completion(rdev, i);
> - kfree(ring_data[i]);
> + kvfree(ring_data[i]);
> }
> }
>
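Review bot: The if branch of this hunk passes the same ring_data[i] buffer to the call ending in `ring_sizes[i], ring_data[i]);`, and neither the diff nor the changelog says whether that callee takes ownership of the buffer or how it releases it. The changelog states the buffer comes from kvmalloc_array(), so if the callee frees it, that free has to be kvfree() too. Please confirm this and add a sentence to the changelog saying the other branch was checked, so it is clear the fix covers every release of ring_data[i] and not only the else branch changed here.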
> --
> 2.34.1
>