[char-misc-next v4 0/3] mei: fix mei_device lifetime

Alexander Usyskin posted 3 patches 2 months, 3 weeks ago
[char-misc-next v4 0/3] mei: fix mei_device lifetime
Posted by Alexander Usyskin 2 months, 3 weeks ago
The mei_device data structure is allocated using devm_* functions
and hooked to the parent device.
This works for client systems where the parent device is a PCI one.
When the parent device is an auxiliary bus device produced by the
graphics driver, the parent can be destroyed before the child,
and on the way it cleans up all allocated memory.
This leads to a use-after-free if the mei character device is
open when the parent device is destroyed.

Connect the mei_device structure lifetime to the mei class device lifetime
by adding the mei_device free to the class device remove callback.
Decouple the character device lifetime from the parent structure lifetime.

As the dev pointer in the mei_device structure is converted to a non-pointer
device, all dev_* calls should be touched in this patch series.

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14201

V2: Make the cdev patches first to avoid double refcounting
    in the middle of the series.
    Replace the manual refcount with a special device.

V3: Use the existing class device, by Greg's insight, thanks!

V4: Merge the cdev patches into the main patch, as the cdev patches do not fix
    the lifetime by themselves and can't be merged standalone.
    This creates confusion in review and the possibility of a broken
    driver if only the cdev patches are merged anywhere.

Alexander Usyskin (3):
  mei: bus: use cldev in prints
  mei: more prints with client prefix
  mei: hook mei_device on class device

 drivers/misc/mei/bus-fixup.c    |  16 ++--
 drivers/misc/mei/bus.c          |  42 +++++-----
 drivers/misc/mei/client.c       |  82 +++++++++----------
 drivers/misc/mei/client.h       |   6 +-
 drivers/misc/mei/dma-ring.c     |   8 +-
 drivers/misc/mei/gsc-me.c       |  16 ++--
 drivers/misc/mei/hbm.c          | 135 +++++++++++++++-----------------
 drivers/misc/mei/hw-me.c        | 100 +++++++++++------------
 drivers/misc/mei/hw-txe.c       |  60 +++++++-------
 drivers/misc/mei/init.c         |  47 ++++++-----
 drivers/misc/mei/interrupt.c    |  47 ++++++-----
 drivers/misc/mei/main.c         | 135 +++++++++++++++++++-------------
 drivers/misc/mei/mei_dev.h      |  12 +--
 drivers/misc/mei/pci-me.c       |  20 ++---
 drivers/misc/mei/pci-txe.c      |   4 +-
 drivers/misc/mei/platform-vsc.c |  26 +++---
 16 files changed, 390 insertions(+), 366 deletions(-)

-- 
2.43.0
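The lifetime rule the cover letter describes, as an added user-space model (not the mei driver's own code): the class device embedded in mei_device owns the structure through its release callback, and each open file holds a device reference, so removing the parent only drops the parent's reference instead of freeing storage that an open file still uses. The model_* types and functions are assumptions of this model, not kernel APIs.

```c
/* Added example, not the mei driver's code: user-space model of the
 * lifetime fix. Everything named model_* is an assumption of the model. */
#include <stdbool.h>
#include <stdlib.h>

struct model_device {                 /* stand-in for struct device */
	int refcount;
	void (*release)(struct model_device *d);
};

struct model_mei_device {             /* stand-in for mei_device */
	struct model_device dev;      /* fix: class device embedded, owns lifetime */
	bool *freed_flag;             /* where release records the free (model only) */
};

static void model_mei_release(struct model_device *d)
{
	/* dev is the first member, so the cast plays the role of container_of */
	struct model_mei_device *m = (struct model_mei_device *)d;
	*m->freed_flag = true;        /* the real callback would kfree() the mei_device */
	free(m);
}

static void model_put_device(struct model_device *d)
{
	if (--d->refcount == 0)
		d->release(d);        /* last reference gone: now it is safe to free */
}

/* Returns the step at which the mei_device storage was freed:
 *   2 = at parent removal while a file was still open (devm: use-after-free),
 *   3 = only when the last open file closed (fixed: class-device refcount). */
int model_free_step(bool devm_tied_to_parent)
{
	bool freed = false;
	struct model_mei_device *m = calloc(1, sizeof(*m));
	m->dev.refcount = 1;          /* the registered class device's own reference */
	m->dev.release = model_mei_release;
	m->freed_flag = &freed;

	m->dev.refcount++;                         /* step 1: open(): get_device() */

	if (devm_tied_to_parent) {                 /* step 2: parent device removed */
		free(m);                           /* devm frees regardless of users */
		return 2;                          /* step 3 would touch freed memory */
	}
	model_put_device(&m->dev);                 /* only the parent's reference drops */
	if (freed)
		return 2;

	model_put_device(&m->dev);                 /* step 3: close(): put_device() */
	return freed ? 3 : 0;
}
```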
Re: [char-misc-next v4 0/3] mei: fix mei_device lifetime
Posted by Greg Kroah-Hartman 2 months, 2 weeks ago
On Thu, Jul 17, 2025 at 05:11:09PM +0300, Alexander Usyskin wrote:
> The mei_device data structure is allocated using devm_* functions
> and hooked to the parent device.
> This works for client systems where the parent device is a PCI one.
> When the parent device is an auxiliary bus device produced by the
> graphics driver, the parent can be destroyed before the child,
> and on the way it cleans up all allocated memory.
> This leads to a use-after-free if the mei character device is
> open when the parent device is destroyed.
> 
> Connect the mei_device structure lifetime to the mei class device lifetime
> by adding the mei_device free to the class device remove callback.
> Decouple the character device lifetime from the parent structure lifetime.
> 
> As the dev pointer in the mei_device structure is converted to a non-pointer
> device, all dev_* calls should be touched in this patch series.
> 
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14201

I took the first 2 patches now, as they are "simple".  Give me some more
time to get a chance to review the last one, thanks.

greg k-h