[PATCH] bus: mhi: host: fix invalid free of BHI/BHIe buffers
From: Baochen Qiang
Date: Tue Mar 17 2026 - 02:13:03 EST
Commit [1] converted mhi_buffer into a flexible array embedded in
image_info by switching to kzalloc_flex(). As a result, mhi_buffer is no
longer a standalone allocation and must not be freed independently. While
the error path was updated accordingly, the normal teardown path still
explicitly frees mhi_buffer, leading to an invalid kfree() and the
following warning:
BUG kmalloc-64 (Tainted: G W ): Invalid object pointer 0xffff8b05dfb91c50
Slab 0xffffd490857ee400 objects=32 used=22 fp=0xffff8b05dfb90b40 flags=0x200000000000240(workingset|head|node=0|zone=2)
WARNING: mm/slub.c:1227 at __slab_err+0x37/0x40, CPU#2: kworker/u113:0/205
Call Trace:
slab_err
free_to_partial_list
__slab_free
kfree
mhi_fw_load_handler
mhi_pm_st_worker
Remove the explicit free of mhi_buffer so that the memory is released
together with its parent image_info allocation.
Fixes: 2f5ae4827e94 ("bus: mhi: host: Use kzalloc_flex") # [1]
Signed-off-by: Baochen Qiang <baochen.qiang@xxxxxxxxxxxxxxxx>
---
drivers/bus/mhi/host/boot.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c
index e1d77cecd75e..19c84913cfb9 100644
--- a/drivers/bus/mhi/host/boot.c
+++ b/drivers/bus/mhi/host/boot.c
@@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl,
struct mhi_buf *mhi_buf = image_info->mhi_buf;
dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
- kfree(image_info->mhi_buf);
kfree(image_info);
}
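Review bot: The ordering left in mhi_free_bhi_buffer() is now load-bearing: the `struct mhi_buf *mhi_buf = image_info->mhi_buf;` at the top of the hunk points into the image_info allocation itself, so the dma_free_coherent() must keep running before kfree(image_info), as it does here. A one-line comment on that assignment saying the buffer is embedded in image_info and released with it would keep the removed kfree() from being reintroduced; it is also worth grepping boot.c for any other kfree(image_info->mhi_buf) or kfree(mhi_buf), since the commit message says only the error path had been updated so far.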
@@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl,
dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
mhi_buf->buf, mhi_buf->dma_addr);
- kfree(image_info->mhi_buf);
kfree(image_info);
}
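Review bot: Same point for mhi_free_bhie_table(): after this change the only release of the entries' storage is the kfree(image_info) on the last line, which is correct only as long as every dma_free_coherent() of mhi_buf->buf has completed before it. Since this function is non-static (see the hunk header) and reachable from outside boot.c, a short comment stating that the mhi_buf entries live inside image_info and must never be freed separately would help callers and future edits; nothing else is needed in the hunk itself.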
---
base-commit: 702847e8cfd51856836a282db2073defd7cfd80c
change-id: 20260317-mhi-invalid-free-mhi-buffers-ba490b94969e
Best regards,
--
Baochen Qiang <baochen.qiang@xxxxxxxxxxxxxxxx>
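The following is an added example, not code from the patch, the MHI driver or the kernel: a user-space model of the layout the commit message describes, where mhi_buf is a flexible array member at the end of the image_info allocation, so a pointer to it is an interior pointer of the parent block and must never be passed to a free routine on its own. Struct fields, the struct_size()-style overflow check and the fake dma_addr values are assumptions for illustration; calloc()/free() stand in for dma_alloc_coherent()/dma_free_coherent() and kzalloc_flex()/kfree().

```c
/* Added example (not kernel or MHI code): models an image_info whose mhi_buf
 * entries are a flexible array embedded in the same allocation. The teardown
 * releases each entry's buffer and then frees the parent exactly once; there
 * is no separate free of info->mhi_buf, which is the stray kfree() the patch
 * removes and the slub "Invalid object pointer" warning reports.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mock of the kernel's struct mhi_buf; field names taken from the hunk context. */
struct mhi_buf {
	void *buf;         /* stands in for the coherent DMA buffer */
	size_t len;
	uint64_t dma_addr; /* fake bus address, never dereferenced (assumption) */
};

/* Mock image_info with mhi_buf as a flexible array member (the kzalloc_flex layout). */
struct image_info {
	size_t entries;
	struct mhi_buf mhi_buf[];
};

void image_info_free(struct image_info *info);

/* Overflow-checked size of header plus n elements, like the kernel's struct_size(). */
static int flex_size(size_t base, size_t elem, size_t n, size_t *out)
{
	if (n != 0 && elem > SIZE_MAX / n)
		return -1;
	if (base > SIZE_MAX - elem * n)
		return -1;
	*out = base + elem * n;
	return 0;
}

/* One allocation for the header and all entries; each entry then gets its own buffer. */
struct image_info *image_info_alloc(size_t entries, size_t buf_len)
{
	size_t size, i;
	struct image_info *info;

	if (flex_size(sizeof(*info), sizeof(info->mhi_buf[0]), entries, &size))
		return NULL;
	info = calloc(1, size);        /* zeroed, so partial teardown sees NULL bufs */
	if (!info)
		return NULL;
	info->entries = entries;
	for (i = 0; i < entries; i++) {
		info->mhi_buf[i].buf = calloc(1, buf_len);   /* stand-in for dma_alloc_coherent() */
		if (!info->mhi_buf[i].buf) {
			image_info_free(info); /* single teardown path, no separate mhi_buf free */
			return NULL;
		}
		info->mhi_buf[i].len = buf_len;
		info->mhi_buf[i].dma_addr = 0x1000 + (uint64_t)i * buf_len; /* constructed */
	}
	return info;
}

/* Returns 1 when p lies inside the block [base, base + size), else 0. */
int ptr_inside(const void *base, size_t size, const void *p)
{
	uintptr_t b = (uintptr_t)base, q = (uintptr_t)p;
	return q >= b && q < b + size;
}

/* 1 when info->mhi_buf is part of info's own allocation, i.e. an interior pointer. */
int mhi_buf_is_embedded(const struct image_info *info)
{
	size_t size;

	if (flex_size(sizeof(*info), sizeof(info->mhi_buf[0]), info->entries, &size))
		return 0;
	return ptr_inside(info, size, info->mhi_buf) &&
	       (const char *)info->mhi_buf == (const char *)info + offsetof(struct image_info, mhi_buf);
}

/* Correct teardown: free each buffer reached through info first, then info once. */
void image_info_free(struct image_info *info)
{
	size_t i;

	if (!info)
		return;
	for (i = 0; i < info->entries; i++)
		free(info->mhi_buf[i].buf);  /* stand-in for dma_free_coherent() */
	free(info);                          /* releases the embedded mhi_buf[] with it */
}

int main(void)
{
	struct image_info *info = image_info_alloc(4, 64);

	if (!info)
		return 1;
	printf("mhi_buf offset %zu, embedded=%d\n",
	       offsetof(struct image_info, mhi_buf), mhi_buf_is_embedded(info));
	image_info_free(info);
	return 0;
}
```

In the kernel the equivalent check is what KASAN or slub_debug reports at runtime: kfree() on an interior pointer of a live slab object is exactly the "Invalid object pointer" warning quoted in the commit message, so booting with slub_debug=FZP or CONFIG_KASAN enabled is the practical way to confirm the teardown path is clean after a change like this.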