Commit 37a23d6f authored by Rosen Penev's avatar Rosen Penev Committed by Manivannan Sadhasivam

bus: mhi: host: Use kzalloc_flex



Change kzalloc + kzalloc to just kzalloc with a flexible array member.

Add __counted_by for extra runtime analysis when requested.

Move counting assignment immediately after allocation as required by
__counted_by.

Move mhi_buf definition as a complete definition as needed for flex
arrays. It's not a pointer anymore.

Signed-off-by: default avatarRosen Penev <rosenp@gmail.com>
[mani: squashed https://lore.kernel.org/mhi/20260317-mhi-invalid-free-mhi-buffers-v1-1-8418a3ad604f@oss.qualcomm.com

]
Signed-off-by: default avatarManivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260312045921.7663-1-rosenp@gmail.com
parent f227b246
+3 −19
@@ -308,7 +308,6 @@ static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl,
	struct mhi_buf *mhi_buf = image_info->mhi_buf;

	dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len, mhi_buf->buf, mhi_buf->dma_addr);
	kfree(image_info->mhi_buf);
	kfree(image_info);
}

@@ -322,7 +321,6 @@ void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl,
		dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
				  mhi_buf->buf, mhi_buf->dma_addr);

	kfree(image_info->mhi_buf);
	kfree(image_info);
}

@@ -333,15 +331,10 @@ static int mhi_alloc_bhi_buffer(struct mhi_controller *mhi_cntrl,
	struct image_info *img_info;
	struct mhi_buf *mhi_buf;

	img_info = kzalloc_obj(*img_info);
	img_info = kzalloc_flex(*img_info, mhi_buf, 1);
	if (!img_info)
		return -ENOMEM;

	/* Allocate memory for entry */
	img_info->mhi_buf = kzalloc_obj(*img_info->mhi_buf);
	if (!img_info->mhi_buf)
		goto error_alloc_mhi_buf;

	/* Allocate and populate vector table */
	mhi_buf = img_info->mhi_buf;

@@ -358,8 +351,6 @@ static int mhi_alloc_bhi_buffer(struct mhi_controller *mhi_cntrl,
	return 0;

error_alloc_segment:
	kfree(mhi_buf);
error_alloc_mhi_buf:
	kfree(img_info);

	return -ENOMEM;
@@ -375,14 +366,11 @@ int mhi_alloc_bhie_table(struct mhi_controller *mhi_cntrl,
	struct image_info *img_info;
	struct mhi_buf *mhi_buf;

	img_info = kzalloc_obj(*img_info);
	img_info = kzalloc_flex(*img_info, mhi_buf, segments);
	if (!img_info)
		return -ENOMEM;

	/* Allocate memory for entries */
	img_info->mhi_buf = kzalloc_objs(*img_info->mhi_buf, segments);
	if (!img_info->mhi_buf)
		goto error_alloc_mhi_buf;
	img_info->entries = segments;

	/* Allocate and populate vector table */
	mhi_buf = img_info->mhi_buf;
@@ -402,7 +390,6 @@ int mhi_alloc_bhie_table(struct mhi_controller *mhi_cntrl,
	}

	img_info->bhi_vec = img_info->mhi_buf[segments - 1].buf;
	img_info->entries = segments;
	*image_info = img_info;

	return 0;
@@ -411,9 +398,6 @@ int mhi_alloc_bhie_table(struct mhi_controller *mhi_cntrl,
	for (--i, --mhi_buf; i >= 0; i--, mhi_buf--)
		dma_free_coherent(mhi_cntrl->cntrl_dev, mhi_buf->len,
				  mhi_buf->buf, mhi_buf->dma_addr);
	kfree(img_info->mhi_buf);

error_alloc_mhi_buf:
	kfree(img_info);

	return -ENOMEM;
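Review bot: In the mhi_alloc_bhi_buffer hunk, `img_info->mhi_buf` is taken straight after `kzalloc_flex(*img_info, mhi_buf, 1)`, but no `img_info->entries = 1;` is visible before that use. The mhi_alloc_bhie_table hunk, by contrast, moves `img_info->entries = segments;` directly under the allocation. The lines between this hunk and the `return 0;` hunk are not shown, so the assignment presumably still sits after dma_alloc_coherent(). If so, the flexible array is reached while its `__counted_by` counter is still 0, which the commit message says must not happen. Unless kzalloc_flex is relied on to set the counter itself (worth a one-line comment if so), add `img_info->entries = 1;` immediately after the `if (!img_info) return -ENOMEM;` check so bounds-checking builds see the right count on every path; both functions begin and end outside their hunks.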
+17 −17
@@ -85,17 +85,33 @@ enum mhi_ch_type {
	MHI_CH_TYPE_INBOUND_COALESCED = 3,
};

/**
 * struct mhi_buf - MHI Buffer description
 * @buf: Virtual address of the buffer
 * @name: Buffer label. For offload channel, configurations name must be:
 *        ECA - Event context array data
 *        CCA - Channel context array data
 * @dma_addr: IOMMU address of the buffer
 * @len: # of bytes
 */
struct mhi_buf {
	void *buf;
	const char *name;
	dma_addr_t dma_addr;
	size_t len;
};

/**
 * struct image_info - Firmware and RDDM table
 * @mhi_buf: Buffer for firmware and RDDM table
 * @entries: # of entries in table
 */
struct image_info {
	struct mhi_buf *mhi_buf;
	/* private: from internal.h */
	struct bhi_vec_entry *bhi_vec;
	/* public: */
	u32 entries;
	struct mhi_buf mhi_buf[] __counted_by(entries);
};

/**
@@ -488,22 +504,6 @@ struct mhi_result {
	int transaction_status;
};

/**
 * struct mhi_buf - MHI Buffer description
 * @buf: Virtual address of the buffer
 * @name: Buffer label. For offload channel, configurations name must be:
 *        ECA - Event context array data
 *        CCA - Channel context array data
 * @dma_addr: IOMMU address of the buffer
 * @len: # of bytes
 */
struct mhi_buf {
	void *buf;
	const char *name;
	dma_addr_t dma_addr;
	size_t len;
};

/**
 * struct mhi_driver - Structure representing a MHI client driver
 * @probe: CB function for client driver probe function
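Review bot: The kernel-doc for struct image_info still describes `@mhi_buf` as "Buffer for firmware and RDDM table", although the member is now a flexible array bounded by `entries` rather than a separately allocated pointer. I would reword the two lines to `@mhi_buf: Flexible array of @entries buffers for firmware and RDDM table, allocated together with the struct` and `@entries: # of valid elements in @mhi_buf; set before @mhi_buf is indexed`. This tells users of the header that `mhi_buf` must no longer be freed or reassigned on its own and that the struct cannot be copied by value. The squashed fix named in the commit message appears to address that kind of invalid free in the free paths shown.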