Re: [PATCH] bus: mhi: host: fix invalid free of BHI/BHIe buffers
From: Manivannan Sadhasivam
Date: Tue Mar 17 2026 - 06:07:15 EST
On Tue, Mar 17, 2026 at 02:12:46PM +0800, Baochen Qiang wrote:
> Commit [1] converted mhi_buffer into a flexible array embedded in
> image_info by switching to kzalloc_flex(). As a result, mhi_buffer is no
> longer a standalone allocation and must not be freed independently. While
> the error path was updated accordingly, the normal teardown path still
> explicitly frees mhi_buffer, leading to an invalid kfree() and the
> following warning:
>
> BUG kmalloc-64 (Tainted: G W ): Invalid object pointer 0xffff8b05dfb91c50
> Slab 0xffffd490857ee400 objects=32 used=22 fp=0xffff8b05dfb90b40 flags=0x200000000000240(workingset|head|node=0|zone=2)
> WARNING: mm/slub.c:1227 at __slab_err+0x37/0x40, CPU#2: kworker/u113:0/205
> Call Trace:
> slab_err
> free_to_partial_list
> __slab_free
> kfree
> mhi_fw_load_handler
> mhi_pm_st_worker
>
> Remove the explicit free of mhi_buffer so that the memory is released
> together with its parent image_info allocation.
>
> Fixes: 2f5ae4827e94 ("bus: mhi: host: Use kzalloc_flex") # [1]
> Signed-off-by: Baochen Qiang <baochen.qiang@xxxxxxxxxxxxxxxx>
Squashed with the offending commit, thanks!
- Mani
> ---
> drivers/bus/mhi/host/boot.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c
> index e1d77cecd75e..19c84913cfb9 100644
> --- a/drivers/bus/mhi/host/boot.c
> +++ b/drivers/bus/mhi/host/boot.c
> @@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl,
> struct mhi_buf *mhi_buf = image_info->mhi_buf;
>
> dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
> - kfree(image_info->mhi_buf);
> kfree(image_info);
> }
>
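Review bot: in mhi_free_bhi_buffer(), once the `kfree(image_info->mhi_buf);` line is gone, nothing in the function records why the array is not freed separately. A one-line comment above `kfree(image_info);` saying that mhi_buf is a flexible array inside image_info and is released with it would help keep the invalid free from being reintroduced. The remaining order is right: mhi_buf->len, mhi_buf->buf and mhi_buf->dma_addr are read by dma_free_coherent() before the parent is freed.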
> @@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl,
> dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
> mhi_buf->buf, mhi_buf->dma_addr);
>
> - kfree(image_info->mhi_buf);
> kfree(image_info);
> }
>
>
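Review bot: in mhi_free_bhie_table(), mhi_buf now points into the image_info allocation, so `kfree(image_info);` has to remain the last statement that touches either pointer. The visible lines keep dma_free_coherent() ahead of it, which is correct. Since the same stale free sat in both teardown functions, it is worth checking the rest of boot.c for any other kfree() of image_info->mhi_buf before this is squashed.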
> ---
> base-commit: 702847e8cfd51856836a282db2073defd7cfd80c
> change-id: 20260317-mhi-invalid-free-mhi-buffers-ba490b94969e
>
> Best regards,
> --
> Baochen Qiang <baochen.qiang@xxxxxxxxxxxxxxxx>
>
--
மணிவண்ணன் சதாசிவம்
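
The layout problem described in the commit message, as an added user-space example that is not part of the thread or of the MHI driver: the demo_* names are hypothetical and calloc()/free() stand in for the kernel allocator. It shows that a flexible array member is an interior pointer of its parent allocation, so teardown frees the parent only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver structures (assumption). */
struct demo_buf {
    void *buf;      /* per-entry payload, allocated separately */
    size_t len;
};

struct demo_image_info {
    unsigned int entries;
    struct demo_buf mhi_buf[];  /* flexible array: lives inside the parent */
};

/* One allocation covers the header and the array, as a flex-array helper does. */
struct demo_image_info *demo_alloc(unsigned int entries)
{
    struct demo_image_info *info;

    info = calloc(1, sizeof(*info) + (size_t)entries * sizeof(info->mhi_buf[0]));
    if (!info)
        return NULL;
    info->entries = entries;
    return info;
}

/* Returns 1 if p points strictly inside info's allocation, not at its start. */
int demo_is_interior(const struct demo_image_info *info, const void *p)
{
    uintptr_t base = (uintptr_t)info;
    uintptr_t end = base + sizeof(*info) +
                    (size_t)info->entries * sizeof(info->mhi_buf[0]);
    uintptr_t addr = (uintptr_t)p;

    return addr > base && addr < end;
}

/* Teardown: release each payload, then the single parent allocation.
 * Returns the number of free() calls made. */
int demo_free(struct demo_image_info *info)
{
    int frees = 0;

    for (unsigned int i = 0; i < info->entries; i++, frees++)
        free(info->mhi_buf[i].buf);   /* must run before the parent goes away */
    /* No free(info->mhi_buf): it is not the start of any allocation. */
    free(info);
    return frees + 1;
}
```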