[PATCH 10/10] mei: bus: Check for still connected devices in mei_cl_bus_dev_release()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Hans de Goede <hansg@kernel.org>
To: Sakari Ailus <sakari.ailus@linux.intel.com>,
	Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>,
	Alexander Usyskin <alexander.usyskin@intel.com>
Cc: Hans de Goede <hansg@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 10/10] mei: bus: Check for still connected devices in mei_cl_bus_dev_release()
Date: Mon, 23 Jun 2025 10:50:52 +0200	[thread overview]
Message-ID: <20250623085052.12347-11-hansg@kernel.org> (raw)
In-Reply-To: <20250623085052.12347-1-hansg@kernel.org>

mei_cl_bus_dev_release() also frees the mei-client (struct mei_cl)
belonging to the device being released.

If there are bugs like the just fixed bug in the ACE/CSI2 mei drivers,
the mei-client being freed might still be part of the mei_device's
file_list and iterating over this list after the freeing will then trigger
a use-afer-free bug.

Add a check to mei_cl_bus_dev_release() to make sure that the to-be-freed
mei-client is not on the mei_device's file_list.

Signed-off-by: Hans de Goede <hansg@kernel.org>
---
 drivers/misc/mei/bus.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 67176caf5416..1958c043ac14 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -1301,10 +1301,16 @@ static void mei_dev_bus_put(struct mei_device *bus)
 static void mei_cl_bus_dev_release(struct device *dev)
 {
 	struct mei_cl_device *cldev = to_mei_cl_device(dev);
+	struct mei_device *mdev = cldev->cl->dev;
+	struct mei_cl *cl;
 
 	mei_cl_flush_queues(cldev->cl, NULL);
 	mei_me_cl_put(cldev->me_cl);
 	mei_dev_bus_put(cldev->bus);
+
+	list_for_each_entry(cl, &mdev->file_list, link)
+		WARN_ON(cl == cldev->cl);
+
 	kfree(cldev->cl);
 	kfree(cldev);
 }
-- 
2.49.0

next prev parent reply	other threads:[~2025-06-23  8:51 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-23  8:50 [PATCH 00/10] mei: vsc: Various bug-fixes Hans de Goede
2025-06-23  8:50 ` [PATCH 01/10] mei: vsc: Drop unused vsc_tp_request_irq() and vsc_tp_free_irq() Hans de Goede
2025-06-24  6:06   ` Usyskin, Alexander
2025-06-24  8:43     ` Hans de Goede
2025-06-23  8:50 ` [PATCH 02/10] mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop Hans de Goede
2025-06-24  7:00   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 03/10] mei: vsc: Don't call vsc_tp_reset() a second time on shutdown Hans de Goede
2025-06-25  7:59   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 04/10] mei: vsc: Use vsc_tp_remove() as shutdown handler Hans de Goede
2025-06-25  8:02   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 05/10] mei: vsc: Destroy mutex after freeing the IRQ Hans de Goede
2025-06-25  8:03   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 06/10] mei: vsc: Event notifier fixes Hans de Goede
2025-06-25  9:12   ` Usyskin, Alexander
2025-06-25  9:23     ` Hans de Goede
2025-06-25  9:26       ` Hans de Goede
2025-06-25  9:36         ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 07/10] mei: vsc: Unset the event callback on remove and probe errors Hans de Goede
2025-06-25 10:01   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 08/10] mei: vsc: Run event callback from a workqueue Hans de Goede
2025-06-25 10:07   ` Usyskin, Alexander
2025-06-23  8:50 ` [PATCH 09/10] mei: vsc: Fix "BUG: Invalid wait context" lockdep error Hans de Goede
2025-06-25 10:12   ` Usyskin, Alexander
2025-06-23  8:50 ` Hans de Goede [this message]
2025-06-25 10:25   ` [PATCH 10/10] mei: bus: Check for still connected devices in mei_cl_bus_dev_release() Usyskin, Alexander
2025-06-25  9:52 ` [PATCH 00/10] mei: vsc: Various bug-fixes Sakari Ailus

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:67176caf541 dfblob:1958c043ac1 )
 OR (
bs:"[PATCH 10/10] mei: bus: Check for still connected devices in mei_cl_bus_dev_release()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250623085052.12347-11-hansg@kernel.org \
    --to=hansg@kernel.org \
    --cc=alexander.usyskin@intel.com \
    --cc=arnd@arndb.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sakari.ailus@linux.intel.com \
    --cc=stanislaw.gruszka@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.