Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
bus: mhi: host: Use kzalloc_flex

Change kzalloc + kzalloc to just kzalloc with a flexible array member.

Add __counted_by for extra runtime analysis when requested.

Move counting assignment immediately after allocation as required by
__counted_by.

Move mhi_buf definition as a complete definition as needed for flex
arrays. It's not a pointer anymore.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[mani: squashed https://lore.kernel.org/mhi/20260317-mhi-invalid-free-mhi-buffers-v1-1-8418a3ad604f@oss.qualcomm.com]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260312045921.7663-1-rosenp@gmail.com

authored by

Rosen Penev and committed by
Manivannan Sadhasivam
37a23d6f f227b246

+20 -36
+3 -19
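--- a/drivers/bus/mhi/host/boot.c
+++ b/drivers/bus/mhi/host/boot.c
@@ -308,7 +308,6 @@
 struct mhi_buf *mhi_buf = image_info->mhi_buf;
 
 dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
-kfree(image_info->mhi_buf);
 kfree(image_info);
 }
 
@@ -321,7 +320,6 @@
 dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
 mhi_buf->buf, mhi_buf->dma_addr);
 
-kfree(image_info->mhi_buf);
 kfree(image_info);
 }
 
@@ -331,14 +329,9 @@
 struct image_info *img_info;
 struct mhi_buf *mhi_buf;
 
-img_info = kzalloc_obj(*img_info);
+img_info = kzalloc_flex(*img_info, mhi_buf, 1);
 if (!img_info)
 return -ENOMEM;
-
-/* Allocate memory for entry */
-img_info->mhi_buf = kzalloc_obj(*img_info->mhi_buf);
-if (!img_info->mhi_buf)
-goto error_alloc_mhi_buf;
 
 /* Allocate and populate vector table */
 mhi_buf = img_info->mhi_buf;
@@ -351,8 +344,6 @@
 return 0;
 
 error_alloc_segment:
-kfree(mhi_buf);
-error_alloc_mhi_buf:
 kfree(img_info);
 
 return -ENOMEM;
@@ -366,14 +357,11 @@
 struct image_info *img_info;
 struct mhi_buf *mhi_buf;
 
-img_info = kzalloc_obj(*img_info);
+img_info = kzalloc_flex(*img_info, mhi_buf, segments);
 if (!img_info)
 return -ENOMEM;
 
-/* Allocate memory for entries */
-img_info->mhi_buf = kzalloc_objs(*img_info->mhi_buf, segments);
-if (!img_info->mhi_buf)
-goto error_alloc_mhi_buf;
+img_info->entries = segments;
 
 /* Allocate and populate vector table */
 mhi_buf = img_info->mhi_buf;
@@ -390,7 +378,6 @@
 }
 
 img_info->bhi_vec = img_info->mhi_buf[segments - 1].buf;
-img_info->entries = segments;
 *image_info = img_info;
 
 return 0;
@@ -398,9 +385,6 @@
 for (--i, --mhi_buf; i >= 0; i--, mhi_buf--)
 dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
 mhi_buf->buf, mhi_buf->dma_addr);
-kfree(img_info->mhi_buf);
-
-error_alloc_mhi_buf:
 kfree(img_info);
 
 return -ENOMEM;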
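Review bot: The single-buffer allocator (the hunk that switches to `kzalloc_flex(*img_info, mhi_buf, 1)`) shows no `entries` assignment moved up next to the allocation, unlike the segmented allocator below it, which now sets `img_info->entries = segments;` right after the NULL check. The function body continues outside the hunk, so the existing assignment is not visible here; if it still sits after the buffer fields are filled in, I would add `img_info->entries = 1;` directly after the `!img_info` check so both allocators follow the rule stated in the commit message. Whether `kzalloc_flex` initialises the counter itself on every supported compiler cannot be told from this page. Until the counter is set, bounds-checked builds see a zero-length `mhi_buf[]`, which makes the `__counted_by` annotation unreliable on this path.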
+17 -17
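--- a/include/linux/mhi.h
+++ b/include/linux/mhi.h
@@ -86,16 +86,32 @@
 };
 
 /**
+ * struct mhi_buf - MHI Buffer description
+ * @buf: Virtual address of the buffer
+ * @name: Buffer label. For offload channel, configurations name must be:
+ * ECA - Event context array data
+ * CCA - Channel context array data
+ * @dma_addr: IOMMU address of the buffer
+ * @len: # of bytes
+ */
+struct mhi_buf {
+void *buf;
+const char *name;
+dma_addr_t dma_addr;
+size_t len;
+};
+
+/**
  * struct image_info - Firmware and RDDM table
  * @mhi_buf: Buffer for firmware and RDDM table
  * @entries: # of entries in table
  */
 struct image_info {
-struct mhi_buf *mhi_buf;
 /* private: from internal.h */
 struct bhi_vec_entry *bhi_vec;
 /* public: */
 u32 entries;
+struct mhi_buf mhi_buf[] __counted_by(entries);
 };
 
 /**
@@ -502,22 +518,6 @@
 size_t bytes_xferd;
 enum dma_data_direction dir;
 int transaction_status;
-};
-
-/**
- * struct mhi_buf - MHI Buffer description
- * @buf: Virtual address of the buffer
- * @name: Buffer label. For offload channel, configurations name must be:
- * ECA - Event context array data
- * CCA - Channel context array data
- * @dma_addr: IOMMU address of the buffer
- * @len: # of bytes
- */
-struct mhi_buf {
-void *buf;
-const char *name;
-dma_addr_t dma_addr;
-size_t len;
 };
 
 /**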
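Review bot: The kernel-doc for `struct image_info` still describes `@mhi_buf` as a plain buffer, although the member is now a flexible array bounded by `entries`. I would reword it along the lines of `@mhi_buf: Flexible array of @entries buffers for firmware and RDDM table` and note on `@entries` that it must be set before `mhi_buf[]` is indexed. Because the struct sits in a public header, any code outside boot.c that allocates `struct image_info` by its plain size, assigns to `mhi_buf`, or calls `kfree()` on it would now be an out-of-bounds access or an invalid free. No such user is visible in this commit, so a tree-wide search for `image_info` users is worth doing before this lands.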