[char-misc-next v2 0/5] mei: fix mei_device lifetime

Alexander Usyskin posted 5 patches 3 months, 1 week ago
There is a newer version of this series
[char-misc-next v2 0/5] mei: fix mei_device lifetime
Posted by Alexander Usyskin 3 months, 1 week ago
The mei_device data structure is allocated using devm_* functions
and hooked to the parent device.
It works for client systems where the parent device is a PCI one.
When the parent device is an auxiliary bus device produced by
the graphics driver, the parent can be destroyed before the child
and on the way it cleans all allocated memory.
This leads to a use-after-free if the mei character device is
opened when the parent device is destroyed.
Introduce a device to hook the mei_device lifetime on it and
decouple cdev from the main structure to allow all memory
to be released when it is unused and not before.

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14201

V2: Make cdev patches first to avoid double refcounting
    in the middle of the series.
    Replace manual refcount with special device.

Alexander Usyskin (5):
  mei: set parent for char device
  mei: make char device control its own lifetime
  mei: bus: use cldev in prints
  mei: more prints with client prefix
  mei: create dedicated device object

 drivers/misc/mei/bus-fixup.c    |  16 ++--
 drivers/misc/mei/bus.c          |  42 +++++-----
 drivers/misc/mei/client.c       |  82 +++++++++----------
 drivers/misc/mei/client.h       |   6 +-
 drivers/misc/mei/dma-ring.c     |   8 +-
 drivers/misc/mei/gsc-me.c       |  13 +--
 drivers/misc/mei/hbm.c          | 135 +++++++++++++++-----------------
 drivers/misc/mei/hw-me.c        | 101 ++++++++++++------------
 drivers/misc/mei/hw-txe.c       |  62 +++++++--------
 drivers/misc/mei/init.c         |  85 ++++++++++++++------
 drivers/misc/mei/interrupt.c    |  47 ++++++-----
 drivers/misc/mei/main.c         |  99 ++++++++++++-----------
 drivers/misc/mei/mei_dev.h      |  15 ++--
 drivers/misc/mei/pci-me.c       |  12 ++-
 drivers/misc/mei/pci-txe.c      |  10 ++-
 drivers/misc/mei/platform-vsc.c |  18 +++--
 16 files changed, 404 insertions(+), 347 deletions(-)

-- 
2.43.0
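
The lifetime rule described in the cover letter above, as an added user-space C model (not code from the posted series): the object is freed by whoever drops the last reference, so an open file keeps it valid after the parent is gone. All names (`model_dev`, `model_open`, `lifetime_ok`, ...) are hypothetical, and returning `-ENODEV` for I/O after teardown is an assumption of the model.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed user-space model; every name here is hypothetical. */
struct model_dev {
    int refs;        /* stands in for the dedicated device's refcount */
    int hw_present;  /* cleared when the parent device is torn down */
    int *released;   /* flag outside the object, set when it is freed */
};

static struct model_dev *model_alloc(int *released)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    if (d) { d->refs = 1; d->hw_present = 1; d->released = released; }
    return d;
}

static void model_put(struct model_dev *d)   /* close() or unregister */
{
    if (--d->refs == 0) { *d->released = 1; free(d); }  /* last user frees */
}

/* open() on the character device pins the object. */
static struct model_dev *model_open(struct model_dev *d) { d->refs++; return d; }

/* Assumption: I/O after teardown returns an error instead of touching hardware. */
static int model_io(const struct model_dev *d) { return d->hw_present ? 0 : -ENODEV; }

/* Parent teardown marks the hardware gone and drops only its own reference. */
static void model_parent_remove(struct model_dev *d) { d->hw_present = 0; model_put(d); }

/* Returns 1 if memory is freed exactly when the last reference is dropped. */
int lifetime_ok(int file_open)
{
    int released = 0, ok;
    struct model_dev *d = model_alloc(&released), *f;
    if (!d) return -1;
    f = file_open ? model_open(d) : NULL;
    model_parent_remove(d);                    /* parent destroyed first */
    if (!f) return released;                   /* no other user: freed at once */
    ok = !released && model_io(f) == -ENODEV;  /* still valid while open */
    model_put(f);                              /* close(): last reference */
    return ok && released;
}

int main(void) { return !(lifetime_ok(1) == 1 && lifetime_ok(0) == 1); }
```

With a devm-style allocation tied to the parent, the `file_open` case would free the object inside `model_parent_remove()` and the later `model_io(f)` would read freed memory.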
Re: [char-misc-next v2 0/5] mei: fix mei_device lifetime
Posted by Greg Kroah-Hartman 3 months, 1 week ago
On Mon, Jun 30, 2025 at 12:19:37PM +0300, Alexander Usyskin wrote:
> The mei_device data structure is allocated using devm_* functions
> and hooked to the parent device.
> It works for client systems where the parent device is a PCI one.
> When the parent device is an auxiliary bus device produced by
> the graphics driver, the parent can be destroyed before the child
> and on the way it cleans all allocated memory.
> This leads to a use-after-free if the mei character device is
> opened when the parent device is destroyed.
> Introduce a device to hook the mei_device lifetime on it and
> decouple cdev from the main structure to allow all memory
> to be released when it is unused and not before.

How was any of this tested?