From: Jose Ignacio Tornos Martinez <jtornosm@xxxxxxxxxx> commit ca68ce0d9f4bcd032fd1334441175ae399642a06 upstream. If there is an error during some initialization related to firmware, the buffers dp->tx_ring[i].tx_status are released. However this is released again when the device is unbinded (ath12k_pci), and we get: WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80 Call Trace: free_large_kmalloc ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ... The issue is always reproducible from a VM because the MSI addressing initialization is failing. In order to fix the issue, just set the buffers to NULL after releasing in order to avoid the double free. cc: stable@xxxxxxxxxxxxxxx Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@xxxxxxxxxx> Link: https://patch.msgid.link/20241017181004.199589-3-jtornosm@xxxxxxxxxx Signed-off-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/wireless/ath/ath12k/dp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/wireless/ath/ath12k/dp.c +++ b/drivers/net/wireless/ath/ath12k/dp.c @@ -1282,8 +1282,10 @@ void ath12k_dp_free(struct ath12k_base * ath12k_dp_rx_reo_cmd_list_cleanup(ab); - for (i = 0; i < ab->hw_params->max_tx_ring; i++) + for (i = 0; i < ab->hw_params->max_tx_ring; i++) { kfree(dp->tx_ring[i].tx_status); + dp->tx_ring[i].tx_status = NULL; + } ath12k_dp_rx_free(ab); /* Deinit any SOC level resource */ Patches currently in stable-queue which might be from jtornosm@xxxxxxxxxx are queue-6.12/wifi-ath12k-fix-crash-when-unbinding.patch queue-6.12/wifi-ath12k-fix-warning-when-unbinding.patch
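Review bot: In the tx_ring loop of ath12k_dp_free(), clearing `dp->tx_ring[i].tx_status` after `kfree()` makes a repeated call harmless for these buffers only, since kfree(NULL) is a no-op. The calls around the loop, `ath12k_dp_rx_reo_cmd_list_cleanup(ab)`, `ath12k_dp_rx_free(ab)` and the SOC-level deinit that follows, still run a second time when ath12k_pci_remove reaches ath12k_dp_free through ath12k_core_deinit after the firmware-related initialization error described in the commit message. Please confirm each of those is safe to run twice, or guard the whole function against re-entry so that the teardown happens once. A short comment on the NULL assignment noting that ath12k_dp_free can be reached again from the unbind path would also keep a later cleanup from dropping it as redundant.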