[PATCH] bus: mhi: host: fix invalid free of BHI/BHIe buffers

Baochen Qiang posted 1 patch 2 weeks, 6 days ago
Posted by Baochen Qiang 2 weeks, 6 days ago
Commit [1] converted mhi_buffer into a flexible array embedded in
image_info by switching to kzalloc_flex(). As a result, mhi_buffer is no
longer a standalone allocation and must not be freed independently. While
the error path was updated accordingly, the normal teardown path still
explicitly frees mhi_buffer, leading to an invalid kfree() and the
following warning:

BUG kmalloc-64 (Tainted: G        W          ): Invalid object pointer 0xffff8b05dfb91c50
Slab 0xffffd490857ee400 objects=32 used=22 fp=0xffff8b05dfb90b40 flags=0x200000000000240(workingset|head|node=0|zone=2)
WARNING: mm/slub.c:1227 at __slab_err+0x37/0x40, CPU#2: kworker/u113:0/205
Call Trace:
 slab_err
 free_to_partial_list
 __slab_free
 kfree
 mhi_fw_load_handler
 mhi_pm_st_worker

Remove the explicit free of mhi_buffer so that the memory is released
together with its parent image_info allocation.

Fixes: 2f5ae4827e94 ("bus: mhi: host: Use kzalloc_flex") # [1]
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
 drivers/bus/mhi/host/boot.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c
index e1d77cecd75e..19c84913cfb9 100644
--- a/drivers/bus/mhi/host/boot.c
+++ b/drivers/bus/mhi/host/boot.c
@@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl,
 	struct mhi_buf *mhi_buf = image_info->mhi_buf;
 
 	dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
-	kfree(image_info->mhi_buf);
 	kfree(image_info);
 }
 
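Review bot: the remaining order in this hunk, `dma_free_coherent()` first and `kfree(image_info)` last, still holds after dropping `kfree(image_info->mhi_buf)`, because `mhi_buf->len`, `mhi_buf->buf` and `mhi_buf->dma_addr` are read from memory that is now part of the `image_info` allocation and stays valid until that final kfree. A small documentation point: the commit message refers to the field as `mhi_buffer`, while the line removed here frees `image_info->mhi_buf`; using the actual field name in the message would make the fix easier to find when grepping the history.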
@@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl,
 		dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
 				  mhi_buf->buf, mhi_buf->dma_addr);
 
-	kfree(image_info->mhi_buf);
 	kfree(image_info);
 }
 
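Review bot: with the per-entry `dma_free_coherent()` loop left intact and only `kfree(image_info->mhi_buf)` removed, the single `kfree(image_info)` now releases the descriptor table together with the struct, which matches the embedded flexible array. Since the loop header and the matching allocator are outside this hunk, it is worth confirming that the error path in the allocator (which the commit message says was already converted) unwinds partially allocated entries with the same single kfree, so the teardown and error paths stay symmetric.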

---
base-commit: 702847e8cfd51856836a282db2073defd7cfd80c
change-id: 20260317-mhi-invalid-free-mhi-buffers-ba490b94969e

Best regards,
-- 
Baochen Qiang <baochen.qiang@oss.qualcomm.com>
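The allocation pattern behind this fix, as an added user-space model that is not code from the MHI driver or from this patch: a parent struct carries its descriptor array as a C flexible array member, so header and array come from one allocation (the role kzalloc_flex() plays in the kernel; calloc() stands in for it here) and the teardown must free the parent only. The names image_info and mhi_buf mirror the patch, but the struct layouts, the segment size and the four-entry table are simplifying assumptions. The check in mhi_buf_is_embedded() makes the point of the patch explicit: the array address is an interior pointer that the allocator never handed out on its own, which is why passing it to free (kfree in the driver) produced the "Invalid object pointer" warning quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified shape of one segment descriptor (assumption, not the driver's struct). */
struct mhi_buf {
	void *buf;          /* segment payload: dma_alloc_coherent() in the kernel, calloc() here */
	size_t len;
	uint64_t dma_addr;  /* kept only to mirror the driver's fields */
};

/* Parent object. The descriptor array is a flexible array member, so it is
 * carved out of the same allocation as the header and has no free() of its own. */
struct image_info {
	size_t entries;
	struct mhi_buf mhi_buf[];
};

/* One allocation for header plus entries, the role kzalloc_flex() plays in the
 * kernel. Returns NULL on size overflow or allocation failure. */
static struct image_info *alloc_image_info(size_t entries, size_t seg_len)
{
	struct image_info *info;
	size_t i;

	if (entries > (SIZE_MAX - sizeof(*info)) / sizeof(struct mhi_buf))
		return NULL;

	info = calloc(1, sizeof(*info) + entries * sizeof(struct mhi_buf));
	if (!info)
		return NULL;
	info->entries = entries;

	for (i = 0; i < entries; i++) {
		info->mhi_buf[i].buf = calloc(1, seg_len);
		if (!info->mhi_buf[i].buf) {
			/* Error path: unwind the segments allocated so far, then the
			 * parent. No separate free of info->mhi_buf: it is part of info. */
			while (i-- > 0)
				free(info->mhi_buf[i].buf);
			free(info);
			return NULL;
		}
		info->mhi_buf[i].len = seg_len;
	}
	return info;
}

/* Returns 1 if info->mhi_buf lies inside the info allocation, i.e. it is an
 * interior pointer and must never be passed to free() by itself. */
static int mhi_buf_is_embedded(const struct image_info *info)
{
	uintptr_t start = (uintptr_t)info;
	uintptr_t end = start + sizeof(*info) + info->entries * sizeof(struct mhi_buf);
	uintptr_t arr = (uintptr_t)info->mhi_buf;

	return arr >= start && arr < end;
}

/* Normal teardown, matching the fixed driver path: release each segment's
 * payload, then the parent exactly once. The pre-fix driver additionally
 * called kfree(image_info->mhi_buf), handing the interior pointer above to
 * the allocator. Returns the number of segment payloads freed. */
static size_t free_image_info(struct image_info *info)
{
	size_t i, freed = 0;

	for (i = 0; i < info->entries; i++) {
		free(info->mhi_buf[i].buf);
		freed++;
	}
	free(info);
	return freed;
}

/* Allocate a constructed four-segment table, check the embedding, tear it down.
 * Returns the segment count on success, 0 if allocation or the check fails. */
static size_t demo_roundtrip(void)
{
	struct image_info *info = alloc_image_info(4, 64);

	if (!info || !mhi_buf_is_embedded(info))
		return 0;
	return free_image_info(info);
}

int main(void)
{
	return demo_roundtrip() == 4 ? 0 : 1;
}
```

Running the model under a sanitizer-enabled build and adding `free(info->mhi_buf)` before `free(info)` in free_image_info() reproduces the class of report the patch quotes, which is a quick way to check a teardown path after converting a structure to a flexible array member.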
Re: [PATCH] bus: mhi: host: fix invalid free of BHI/BHIe buffers
Posted by Manivannan Sadhasivam 2 weeks, 6 days ago
On Tue, Mar 17, 2026 at 02:12:46PM +0800, Baochen Qiang wrote:
> Commit [1] converted mhi_buffer into a flexible array embedded in
> image_info by switching to kzalloc_flex(). As a result, mhi_buffer is no
> longer a standalone allocation and must not be freed independently. While
> the error path was updated accordingly, the normal teardown path still
> explicitly frees mhi_buffer, leading to an invalid kfree() and the
> following warning:
> 
> BUG kmalloc-64 (Tainted: G        W          ): Invalid object pointer 0xffff8b05dfb91c50
> Slab 0xffffd490857ee400 objects=32 used=22 fp=0xffff8b05dfb90b40 flags=0x200000000000240(workingset|head|node=0|zone=2)
> WARNING: mm/slub.c:1227 at __slab_err+0x37/0x40, CPU#2: kworker/u113:0/205
> Call Trace:
>  slab_err
>  free_to_partial_list
>  __slab_free
>  kfree
>  mhi_fw_load_handler
>  mhi_pm_st_worker
> 
> Remove the explicit free of mhi_buffer so that the memory is released
> together with its parent image_info allocation.
> 
> Fixes: 2f5ae4827e94 ("bus: mhi: host: Use kzalloc_flex") # [1]
> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>

Squashed with the offending commit, thanks!

- Mani

> ---
>  drivers/bus/mhi/host/boot.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c
> index e1d77cecd75e..19c84913cfb9 100644
> --- a/drivers/bus/mhi/host/boot.c
> +++ b/drivers/bus/mhi/host/boot.c
> @@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl,
>  	struct mhi_buf *mhi_buf = image_info->mhi_buf;
>  
>  	dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
> -	kfree(image_info->mhi_buf);
>  	kfree(image_info);
>  }
>  
> @@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl,
>  		dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
>  				  mhi_buf->buf, mhi_buf->dma_addr);
>  
> -	kfree(image_info->mhi_buf);
>  	kfree(image_info);
>  }
>  
> 
> ---
> base-commit: 702847e8cfd51856836a282db2073defd7cfd80c
> change-id: 20260317-mhi-invalid-free-mhi-buffers-ba490b94969e
> 
> Best regards,
> -- 
> Baochen Qiang <baochen.qiang@oss.qualcomm.com>
> 

-- 
மணிவண்ணன் சதாசிவம்