The bus rescan function creates bus devices for all clients.
The fixup routine is executed on all devices, unneeded
devices are removed and fully initialized once set
is_added flag to 1.

If link to firmware is reset right after all devices are
initialized, but before fixup is executed, the rescan tries
to remove devices.
The is_added flag is not set and the mei_cl_bus_dev_destroy
returns prematurely.
Allow to clean up device when is_added flag is unset to
account for above scenario.

Fixes: 6009595a66e4 ("mei: bus: link client devices instead of host clients")
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
---
 drivers/misc/mei/bus.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 67176caf5416..f2e5d550c6b4 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -1430,17 +1430,14 @@ static void mei_cl_bus_dev_stop(struct mei_cl_device *cldev)
  */
 static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev)
 {
-
 	WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock));
 
-	if (!cldev->is_added)
-		return;
-
-	device_del(&cldev->dev);
+	if (cldev->is_added) {
+		device_del(&cldev->dev);
+		cldev->is_added = 0;
+	}
 
 	list_del_init(&cldev->bus_list);
-
-	cldev->is_added = 0;
 	put_device(&cldev->dev);
 }
 
-- 
2.43.0

On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> The bus rescan function creates bus devices for all clients.
> The fixup routine is executed on all devices, unneeded
> devices are removed and fully initialized once set
> is_added flag to 1.

I don't understand why the mei bus is so special that it has to have
this type of flag, when no other bus has that for its devices.  The bus
code should know if the device has been properly added or not, if not,
then no release function can be called and the structure isn't even
viable to be used or touched at all.

So why is this needed?

> 
> If link to firmware is reset right after all devices are
> initialized, but before fixup is executed, the rescan tries
> to remove devices.
> The is_added flag is not set and the mei_cl_bus_dev_destroy
> returns prematurely.
> Allow to clean up device when is_added flag is unset to
> account for above scenario.
> 
> Fixes: 6009595a66e4 ("mei: bus: link client devices instead of host clients")
> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> ---
>  drivers/misc/mei/bus.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
> index 67176caf5416..f2e5d550c6b4 100644
> --- a/drivers/misc/mei/bus.c
> +++ b/drivers/misc/mei/bus.c
> @@ -1430,17 +1430,14 @@ static void mei_cl_bus_dev_stop(struct mei_cl_device *cldev)
>   */
>  static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev)
>  {
> -
>  	WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock));
>  
> -	if (!cldev->is_added)
> -		return;
> -
> -	device_del(&cldev->dev);
> +	if (cldev->is_added) {
> +		device_del(&cldev->dev);
> +		cldev->is_added = 0;
> +	}

How can destroy be called here if the device has not been added before?
How can it be hanging around in memory at all if the device_add() call
was not successful when it was originally called?

confused,

greg k-h

> Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> 
> On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > The bus rescan function creates bus devices for all clients.
> > The fixup routine is executed on all devices, unneeded
> > devices are removed and fully initialized once set
> > is_added flag to 1.
> 
> I don't understand why the mei bus is so special that it has to have
> this type of flag, when no other bus has that for its devices.  The bus
> code should know if the device has been properly added or not, if not,
> then no release function can be called and the structure isn't even
> viable to be used or touched at all.
> 
> So why is this needed?

It seems that is_added can be replaced by device_is_registered().
Am I right?
I'll send separate patch for this.

> 
> >
> > If link to firmware is reset right after all devices are
> > initialized, but before fixup is executed, the rescan tries
> > to remove devices.
> > The is_added flag is not set and the mei_cl_bus_dev_destroy
> > returns prematurely.
> > Allow to clean up device when is_added flag is unset to
> > account for above scenario.
> >
> > Fixes: 6009595a66e4 ("mei: bus: link client devices instead of host clients")
> > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > ---
> >  drivers/misc/mei/bus.c | 11 ++++-------
> >  1 file changed, 4 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
> > index 67176caf5416..f2e5d550c6b4 100644
> > --- a/drivers/misc/mei/bus.c
> > +++ b/drivers/misc/mei/bus.c
> > @@ -1430,17 +1430,14 @@ static void mei_cl_bus_dev_stop(struct
> mei_cl_device *cldev)
> >   */
> >  static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev)
> >  {
> > -
> >  	WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock));
> >
> > -	if (!cldev->is_added)
> > -		return;
> > -
> > -	device_del(&cldev->dev);
> > +	if (cldev->is_added) {
> > +		device_del(&cldev->dev);
> > +		cldev->is_added = 0;
> > +	}
> 
> How can destroy be called here if the device has not been added before?
> How can it be hanging around in memory at all if the device_add() call
> was not successful when it was originally called?
> 

Mei bus uses device_initialize() and device_add() pair, and in this corner case
only device_initialize() was called, so we should call put_device() without device_del().

> confused,
> 
> greg k-h

- - 
Thanks,
Sasha

On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander wrote:
> > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > 
> > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > > The bus rescan function creates bus devices for all clients.
> > > The fixup routine is executed on all devices, unneeded
> > > devices are removed and fully initialized once set
> > > is_added flag to 1.
> > 
> > I don't understand why the mei bus is so special that it has to have
> > this type of flag, when no other bus has that for its devices.  The bus
> > code should know if the device has been properly added or not, if not,
> > then no release function can be called and the structure isn't even
> > viable to be used or touched at all.
> > 
> > So why is this needed?
> 
> It seems that is_added can be replaced by device_is_registered().

Again, why do you need to track that?

But yes, that should work, although using it is usually a sign that
something is a bit broken in the design.

thanks

greg k-h

> Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> 
> On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander wrote:
> > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > >
> > > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > > > The bus rescan function creates bus devices for all clients.
> > > > The fixup routine is executed on all devices, unneeded
> > > > devices are removed and fully initialized once set
> > > > is_added flag to 1.
> > >
> > > I don't understand why the mei bus is so special that it has to have
> > > this type of flag, when no other bus has that for its devices.  The bus
> > > code should know if the device has been properly added or not, if not,
> > > then no release function can be called and the structure isn't even
> > > viable to be used or touched at all.
> > >
> > > So why is this needed?
> >
> > It seems that is_added can be replaced by device_is_registered().
> 
> Again, why do you need to track that?
> 
> But yes, that should work, although using it is usually a sign that
> something is a bit broken in the design.
> 

Mei bus uses device_initialize() and device_add() pair.
After device_initialize() there are different hooks and filters called,
that may lead to dropping the device or adding with device_add().
Thus, we should track if device_add() is called when destroying the device.
Not sure if this can be re-architected to use device_register().

> thanks
> 
> greg k-h


- - 
Thanks,
Sasha

On Mon, Jun 30, 2025 at 11:27:14AM +0000, Usyskin, Alexander wrote:
> > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > 
> > On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander wrote:
> > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > >
> > > > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > > > > The bus rescan function creates bus devices for all clients.
> > > > > The fixup routine is executed on all devices, unneeded
> > > > > devices are removed and fully initialized once set
> > > > > is_added flag to 1.
> > > >
> > > > I don't understand why the mei bus is so special that it has to have
> > > > this type of flag, when no other bus has that for its devices.  The bus
> > > > code should know if the device has been properly added or not, if not,
> > > > then no release function can be called and the structure isn't even
> > > > viable to be used or touched at all.
> > > >
> > > > So why is this needed?
> > >
> > > It seems that is_added can be replaced by device_is_registered().
> > 
> > Again, why do you need to track that?
> > 
> > But yes, that should work, although using it is usually a sign that
> > something is a bit broken in the design.
> > 
> 
> Mei bus uses device_initialize() and device_add() pair.
> After device_initialize() there are different hooks and filters called,
> that may lead to dropping the device or adding with device_add().
> Thus, we should track if device_add() is called when destroying the device.
> Not sure if this can be re-architected to use device_register().

You don't need to use device_register() but perhaps stop it with the
"rescan the bus and attempt to add all devices again" logic that is in
mei_cl_bus_rescan()?  There's no need to call device_add() on a device
and then way later attempt to initialize it, right?

Just find any new devices that you don't already have on your list of
registered devices, and then only add/initialize them, should be a lot
simpler logic overall than what the code is currently doing.

greg k-h

> Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> 
> On Mon, Jun 30, 2025 at 11:27:14AM +0000, Usyskin, Alexander wrote:
> > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > >
> > > On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander wrote:
> > > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > > >
> > > > > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > > > > > The bus rescan function creates bus devices for all clients.
> > > > > > The fixup routine is executed on all devices, unneeded
> > > > > > devices are removed and fully initialized once set
> > > > > > is_added flag to 1.
> > > > >
> > > > > I don't understand why the mei bus is so special that it has to have
> > > > > this type of flag, when no other bus has that for its devices.  The bus
> > > > > code should know if the device has been properly added or not, if not,
> > > > > then no release function can be called and the structure isn't even
> > > > > viable to be used or touched at all.
> > > > >
> > > > > So why is this needed?
> > > >
> > > > It seems that is_added can be replaced by device_is_registered().
> > >
> > > Again, why do you need to track that?
> > >
> > > But yes, that should work, although using it is usually a sign that
> > > something is a bit broken in the design.
> > >
> >
> > Mei bus uses device_initialize() and device_add() pair.
> > After device_initialize() there are different hooks and filters called,
> > that may lead to dropping the device or adding with device_add().
> > Thus, we should track if device_add() is called when destroying the device.
> > Not sure if this can be re-architected to use device_register().
> 
> You don't need to use device_register() but perhaps stop it with the
> "rescan the bus and attempt to add all devices again" logic that is in
> mei_cl_bus_rescan()?  There's no need to call device_add() on a device
> and then way later attempt to initialize it, right?
> 
> Just find any new devices that you don't already have on your list of
> registered devices, and then only add/initialize them, should be a lot
> simpler logic overall than what the code is currently doing.
> 
> greg k-h

This will require a big refactoring. I'll look how that can be done.
Meanwhile can this fix be merged on current codebase and
refactoring will be done separately?

- - 
Thanks,
Sasha

On Mon, Jul 07, 2025 at 07:08:33AM +0000, Usyskin, Alexander wrote:
> > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > 
> > On Mon, Jun 30, 2025 at 11:27:14AM +0000, Usyskin, Alexander wrote:
> > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > >
> > > > On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander wrote:
> > > > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > > > >
> > > > > > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> > > > > > > The bus rescan function creates bus devices for all clients.
> > > > > > > The fixup routine is executed on all devices, unneeded
> > > > > > > devices are removed and fully initialized once set
> > > > > > > is_added flag to 1.
> > > > > >
> > > > > > I don't understand why the mei bus is so special that it has to have
> > > > > > this type of flag, when no other bus has that for its devices.  The bus
> > > > > > code should know if the device has been properly added or not, if not,
> > > > > > then no release function can be called and the structure isn't even
> > > > > > viable to be used or touched at all.
> > > > > >
> > > > > > So why is this needed?
> > > > >
> > > > > It seems that is_added can be replaced by device_is_registered().
> > > >
> > > > Again, why do you need to track that?
> > > >
> > > > But yes, that should work, although using it is usually a sign that
> > > > something is a bit broken in the design.
> > > >
> > >
> > > Mei bus uses device_initialize() and device_add() pair.
> > > After device_initialize() there are different hooks and filters called,
> > > that may lead to dropping the device or adding with device_add().
> > > Thus, we should track if device_add() is called when destroying the device.
> > > Not sure if this can be re-architected to use device_register().
> > 
> > You don't need to use device_register() but perhaps stop it with the
> > "rescan the bus and attempt to add all devices again" logic that is in
> > mei_cl_bus_rescan()?  There's no need to call device_add() on a device
> > and then way later attempt to initialize it, right?
> > 
> > Just find any new devices that you don't already have on your list of
> > registered devices, and then only add/initialize them, should be a lot
> > simpler logic overall than what the code is currently doing.
> > 
> > greg k-h
> 
> This will require a big refactoring. I'll look how that can be done.
> Meanwhile can this fix be merged on current codebase and
> refactoring will be done separately?

Why not do it properly just once?  What is urgent about this rare leak
now?

thanks,

greg k -h

> Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> 
> On Mon, Jul 07, 2025 at 07:08:33AM +0000, Usyskin, Alexander wrote:
> > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > >
> > > On Mon, Jun 30, 2025 at 11:27:14AM +0000, Usyskin, Alexander wrote:
> > > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > > >
> > > > > On Mon, Jun 30, 2025 at 10:52:08AM +0000, Usyskin, Alexander
> wrote:
> > > > > > > Subject: Re: [char-misc-next v2] mei: bus: fix device leak
> > > > > > >
> > > > > > > On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin
> wrote:
> > > > > > > > The bus rescan function creates bus devices for all clients.
> > > > > > > > The fixup routine is executed on all devices, unneeded
> > > > > > > > devices are removed and fully initialized once set
> > > > > > > > is_added flag to 1.
> > > > > > >
> > > > > > > I don't understand why the mei bus is so special that it has to have
> > > > > > > this type of flag, when no other bus has that for its devices.  The bus
> > > > > > > code should know if the device has been properly added or not, if
> not,
> > > > > > > then no release function can be called and the structure isn't even
> > > > > > > viable to be used or touched at all.
> > > > > > >
> > > > > > > So why is this needed?
> > > > > >
> > > > > > It seems that is_added can be replaced by device_is_registered().
> > > > >
> > > > > Again, why do you need to track that?
> > > > >
> > > > > But yes, that should work, although using it is usually a sign that
> > > > > something is a bit broken in the design.
> > > > >
> > > >
> > > > Mei bus uses device_initialize() and device_add() pair.
> > > > After device_initialize() there are different hooks and filters called,
> > > > that may lead to dropping the device or adding with device_add().
> > > > Thus, we should track if device_add() is called when destroying the
> device.
> > > > Not sure if this can be re-architected to use device_register().
> > >
> > > You don't need to use device_register() but perhaps stop it with the
> > > "rescan the bus and attempt to add all devices again" logic that is in
> > > mei_cl_bus_rescan()?  There's no need to call device_add() on a device
> > > and then way later attempt to initialize it, right?
> > >
> > > Just find any new devices that you don't already have on your list of
> > > registered devices, and then only add/initialize them, should be a lot
> > > simpler logic overall than what the code is currently doing.
> > >
> > > greg k-h
> >
> > This will require a big refactoring. I'll look how that can be done.
> > Meanwhile can this fix be merged on current codebase and
> > refactoring will be done separately?
> 
> Why not do it properly just once?  What is urgent about this rare leak
> now?
> 
> thanks,
> 
> greg k -h

Wanted to close the gap for my peace of mind.
It may lead for parent device not been released with mei lifetime rewrite.
Will put it aside if you say so.

- - 
Thanks,
Sasha

On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> The bus rescan function creates bus devices for all clients.
> The fixup routine is executed on all devices, unneeded
> devices are removed and fully initialized once set
> is_added flag to 1.
> 
> If link to firmware is reset right after all devices are
> initialized, but before fixup is executed, the rescan tries
> to remove devices.
> The is_added flag is not set and the mei_cl_bus_dev_destroy
> returns prematurely.
> Allow to clean up device when is_added flag is unset to
> account for above scenario.
> 
> Fixes: 6009595a66e4 ("mei: bus: link client devices instead of host clients")
> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> ---
>  drivers/misc/mei/bus.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
> index 67176caf5416..f2e5d550c6b4 100644
> --- a/drivers/misc/mei/bus.c
> +++ b/drivers/misc/mei/bus.c
> @@ -1430,17 +1430,14 @@ static void mei_cl_bus_dev_stop(struct mei_cl_device *cldev)
>   */
>  static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev)
>  {
> -
>  	WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock));
>  
> -	if (!cldev->is_added)
> -		return;
> -
> -	device_del(&cldev->dev);
> +	if (cldev->is_added) {
> +		device_del(&cldev->dev);
> +		cldev->is_added = 0;
> +	}
>  
>  	list_del_init(&cldev->bus_list);
> -
> -	cldev->is_added = 0;
>  	put_device(&cldev->dev);
>  }
>  
> -- 
> 2.43.0
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

On Tue, Jun 24, 2025 at 02:05:20PM +0300, Alexander Usyskin wrote:
> The bus rescan function creates bus devices for all clients.
> The fixup routine is executed on all devices, unneeded
> devices are removed and fully initialized once set
> is_added flag to 1.
> 
> If link to firmware is reset right after all devices are
> initialized, but before fixup is executed, the rescan tries
> to remove devices.
> The is_added flag is not set and the mei_cl_bus_dev_destroy
> returns prematurely.
> Allow to clean up device when is_added flag is unset to
> account for above scenario.
> 
> Fixes: 6009595a66e4 ("mei: bus: link client devices instead of host clients")
> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> ---
>  drivers/misc/mei/bus.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
> index 67176caf5416..f2e5d550c6b4 100644
> --- a/drivers/misc/mei/bus.c
> +++ b/drivers/misc/mei/bus.c
> @@ -1430,17 +1430,14 @@ static void mei_cl_bus_dev_stop(struct mei_cl_device *cldev)
>   */
>  static void mei_cl_bus_dev_destroy(struct mei_cl_device *cldev)
>  {
> -
>  	WARN_ON(!mutex_is_locked(&cldev->bus->cl_bus_lock));
>  
> -	if (!cldev->is_added)
> -		return;
> -
> -	device_del(&cldev->dev);
> +	if (cldev->is_added) {
> +		device_del(&cldev->dev);
> +		cldev->is_added = 0;
> +	}
>  
>  	list_del_init(&cldev->bus_list);
> -
> -	cldev->is_added = 0;
>  	put_device(&cldev->dev);
>  }
>  
> -- 
> 2.43.0
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

- You have marked a patch with a "Fixes:" tag for a commit that is in an
  older released kernel, yet you do not have a cc: stable line in the
  signed-off-by area at all, which means that the patch will not be
  applied to any older kernel releases.  To properly fix this, please
  follow the documented rules in the
  Documentation/process/stable-kernel-rules.rst file for how to resolve
  this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot