From: Baochen Qiang
Date: Tue, 17 Mar 2026 14:12:46 +0800
Subject: [PATCH] bus: mhi: host: fix invalid free of BHI/BHIe buffers
Message-Id: <20260317-mhi-invalid-free-mhi-buffers-v1-1-8418a3ad604f@oss.qualcomm.com>
To: Manivannan Sadhasivam, Rosen Penev
Cc: Manivannan Sadhasivam, mhi@lists.linux.dev, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Baochen Qiang

Commit [1] converted mhi_buffer into a flexible array embedded in image_info by switching to kzalloc_flex(). As a result, mhi_buffer is no longer a standalone allocation and must not be freed independently.

While the error path was updated accordingly, the normal teardown path still explicitly frees mhi_buffer, leading to an invalid kfree() and the following warning:

BUG kmalloc-64 (Tainted: G W ): Invalid object pointer 0xffff8b05dfb91c50
Slab 0xffffd490857ee400 objects=32 used=22 fp=0xffff8b05dfb90b40 flags=0x200000000000240(workingset|head|node=0|zone=2)
WARNING: mm/slub.c:1227 at __slab_err+0x37/0x40, CPU#2: kworker/u113:0/205
Call Trace:
 slab_err
 free_to_partial_list
 __slab_free
 kfree
 mhi_fw_load_handler
 mhi_pm_st_worker

Remove the explicit free of mhi_buffer so that the memory is released together with its parent image_info allocation.

Fixes: 2f5ae4827e94 ("bus: mhi: host: Use kzalloc_flex") # [1]
Signed-off-by: Baochen Qiang
---
 drivers/bus/mhi/host/boot.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c index e1d77cecd75e..19c84913cfb9 100644 --- a/drivers/bus/mhi/host/boot.c +++ b/drivers/bus/mhi/host/boot.c @@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *= mhi_cntrl, struct mhi_buf *mhi_buf =3D image_info->mhi_buf; =20 dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_b= uf->dma_addr); - kfree(image_info->mhi_buf); kfree(image_info); } =20 
@@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cnt= rl, dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr); =20 - kfree(image_info->mhi_buf); kfree(image_info); } =20 --- base-commit: 702847e8cfd51856836a282db2073defd7cfd80c change-id: 20260317-mhi-invalid-free-mhi-buffers-ba490b94969e Best regards, --=20 Baochen Qiang
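
Review bot: in mhi_free_bhi_buffer() (first hunk), the local mhi_buf now points into the image_info allocation, so dma_free_coherent() has to stay ahead of kfree(image_info), and nothing in the function says so. A one-line comment above kfree(image_info) noting that mhi_buf is a flexible array member released together with its parent would keep a later cleanup from reordering the two calls or re-adding the removed kfree(image_info->mhi_buf).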
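
Review bot: in mhi_free_bhie_table() (second hunk), the removed kfree(image_info->mhi_buf) is the same invalid free, but the call trace in the commit message shows kfree directly under mhi_fw_load_handler with no mhi_free_bhie_table frame, so it reads as if only one of the two paths was observed failing. Please say in the commit message whether the BHIe teardown was also exercised with the fix applied, with slab debugging enabled, so both deletions are covered by a test rather than by symmetry alone.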