amdgpu_discovery_get_nps_info() internally allocates memory for ranges
using kvcalloc(), which may use vmalloc() for large allocation. Using
kfree() to release vmalloc memory will lead to a memory corruption.
Use kvfree() to safely handle both kmalloc and vmalloc allocations.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: b194d21b9bcc ("drm/amdgpu: Use NPS ranges from discovery table")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 7e623f91f2d7..cb0d1ac148e9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -1382,7 +1382,7 @@ int amdgpu_gmc_get_nps_memranges(struct amdgpu_device *adev,
if (!*exp_ranges)
*exp_ranges = range_cnt;
err:
- kfree(ranges);
+ kvfree(ranges);
return ret;
}
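Review bot: at the `err:` label, `kvfree(ranges)` is only correct while amdgpu_discovery_get_nps_info() keeps allocating with kvcalloc(), and nothing in this hunk records that ownership contract. A short comment above the free, or in the callee's documentation, saying that the caller releases `ranges` with kvfree() would keep the allocator and the free from drifting apart again if the allocation is ever changed. Because `*exp_ranges = range_cnt;` falls through into `err:`, this one call serves both the success and the failure path, so it is also worth confirming that `ranges` is NULL-initialised for any early jump to the label.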
--
2.34.1
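The mismatch the commit message describes, as an added userspace model that is not code from this thread or from amdgpu: a kvcalloc-style allocator can return memory from two different backends, so the release routine has to choose its path from the address, which is what kvfree() does via is_vmalloc_addr(). All `model_*` names, the arena and the size threshold are assumptions made for illustration; the kernel's kvmalloc family tries kmalloc first and falls back to vmalloc rather than using a fixed cut-off.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumption: a static arena stands in for the vmalloc range and malloc()
 * for the slab; SLAB_LIMIT is a constructed threshold, not the kernel's. */
#define VM_ARENA_SIZE (1u << 20)
#define SLAB_LIMIT 4096u

static _Alignas(16) unsigned char vm_arena[VM_ARENA_SIZE];
static size_t vm_used;
static int slab_frees, vm_frees;

static int model_is_vmalloc_addr(const void *p)
{
	uintptr_t a = (uintptr_t)p, lo = (uintptr_t)vm_arena;
	return a >= lo && a < lo + VM_ARENA_SIZE;
}

/* kvcalloc-like: small requests come from the slab, large from the arena. */
static void *model_kvcalloc(size_t n, size_t size)
{
	if (size && n > SIZE_MAX / size)
		return NULL;			/* n * size would overflow */
	size_t bytes = n * size;
	if (bytes <= SLAB_LIMIT)
		return calloc(1, bytes ? bytes : 1);
	if (bytes > VM_ARENA_SIZE - vm_used)
		return NULL;
	void *p = vm_arena + vm_used;		/* zeroed: static, never reused */
	vm_used += (bytes + 15) & ~(size_t)15;
	return p;
}

/* kfree-like: slab pointers only; reports the mismatch that would corrupt
 * memory in the kernel instead of acting on it. */
static int model_kfree(void *p)
{
	if (p && model_is_vmalloc_addr(p))
		return -1;
	if (p) { free(p); slab_frees++; }
	return 0;
}

/* kvfree-like: picks the release path from the address itself. */
static int model_kvfree(void *p)
{
	if (p && model_is_vmalloc_addr(p)) { vm_frees++; return 0; }
	return model_kfree(p);
}

int main(void)
{
	void *big = model_kvcalloc(1024, 64);	/* 64 KiB: lands in the arena */
	return (big && model_kfree(big) == -1 && model_kvfree(big) == 0) ? 0 : 1;
}
```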
On 1/29/26 10:05, Zilin Guan wrote:
> amdgpu_discovery_get_nps_info() internally allocates memory for ranges
> using kvcalloc(), which may use vmalloc() for large allocation. Using
> kfree() to release vmalloc memory will lead to a memory corruption.
>
> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
>
> Compile tested only. Issue found using a prototype static analysis tool
> and code review.
>
> Fixes: b194d21b9bcc ("drm/amdgpu: Use NPS ranges from discovery table")
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Good catch!
But I think we rather need to question why amdgpu_discovery_get_nps_info() is using kvcalloc()? I have strong doubts that we need vmalloc() here.
Regards,
Christian.
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> index 7e623f91f2d7..cb0d1ac148e9 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> @@ -1382,7 +1382,7 @@ int amdgpu_gmc_get_nps_memranges(struct amdgpu_device *adev,
> if (!*exp_ranges)
> *exp_ranges = range_cnt;
> err:
> - kfree(ranges);
> + kvfree(ranges);
>
> return ret;
> }
On 29-Jan-26 3:00 PM, Christian König wrote:
> On 1/29/26 10:05, Zilin Guan wrote:
>> amdgpu_discovery_get_nps_info() internally allocates memory for ranges
>> using kvcalloc(), which may use vmalloc() for large allocation. Using
>> kfree() to release vmalloc memory will lead to a memory corruption.
>>
>> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
>>
>> Compile tested only. Issue found using a prototype static analysis tool
>> and code review.
>>
>> Fixes: b194d21b9bcc ("drm/amdgpu: Use NPS ranges from discovery table")
>> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
>
> Good catch!
>
> But I think we rather need to question why amdgpu_discovery_get_nps_info() is using kvcalloc()? I have strong doubts that we need vmalloc() here.
>
Yes, vmalloc is enough. That change can be made separately or modified
along with this.
As for this as a standalone change -
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Thanks,
Lijo
> Regards,
> Christian.
>
>> ---
>> drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
>> index 7e623f91f2d7..cb0d1ac148e9 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
>> @@ -1382,7 +1382,7 @@ int amdgpu_gmc_get_nps_memranges(struct amdgpu_device *adev,
>> if (!*exp_ranges)
>> *exp_ranges = range_cnt;
>> err:
>> - kfree(ranges);
>> + kvfree(ranges);
>>
>> return ret;
>> }
>
On Thu, Jan 29, 2026 at 5:12 AM Lazar, Lijo <lijo.lazar@amd.com> wrote:
>
>
>
> On 29-Jan-26 3:00 PM, Christian König wrote:
> > On 1/29/26 10:05, Zilin Guan wrote:
> >> amdgpu_discovery_get_nps_info() internally allocates memory for ranges
> >> using kvcalloc(), which may use vmalloc() for large allocation. Using
> >> kfree() to release vmalloc memory will lead to a memory corruption.
> >>
> >> Use kvfree() to safely handle both kmalloc and vmalloc allocations.
> >>
> >> Compile tested only. Issue found using a prototype static analysis tool
> >> and code review.
> >>
> >> Fixes: b194d21b9bcc ("drm/amdgpu: Use NPS ranges from discovery table")
> >> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> >
> > Good catch!
> >
> > But I think we rather need to question why amdgpu_discovery_get_nps_info() is using kvcalloc()? I have strong doubts that we need vmalloc() here.
> >
>
> Yes, vmalloc is enough. That change can be made separately or modified
> along with this.
>
> As for this as a standalone change -
> Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Applied. Thanks!
Alex
>
> Thanks,
> Lijo
>
>
> > Regards,
> > Christian.
> >
> >> ---
> >> drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> >> index 7e623f91f2d7..cb0d1ac148e9 100644
> >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
> >> @@ -1382,7 +1382,7 @@ int amdgpu_gmc_get_nps_memranges(struct amdgpu_device *adev,
> >> if (!*exp_ranges)
> >> *exp_ranges = range_cnt;
> >> err:
> >> - kfree(ranges);
> >> + kvfree(ranges);
> >>
> >> return ret;
> >> }
> >
>