[char-misc-next 0/3] mei: fix mei_device lifetime

From: Alexander Usyskin
Date: Wed Jun 18 2025 - 06:14:39 EST

Next message: Alexander Usyskin: "[char-misc-next 1/3] mei: refcount mei_device"
Previous message: Igor Korotin: "[PATCH v7 2/9] samples: rust: platform: don't call as_ref() repeatedly"
Next in thread: Alexander Usyskin: "[char-misc-next 2/3] mei: set parent for char device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

mei_device data structure is allocated using devm_* functions
and hooked to the parent device.
It works for client systems where parent device is pci one.
When parent device is auxiliary bus device produced by
graphics driver, the parent can be destroyed before child
and on the way it cleans all allocated memory.
This leads to use-after-free if mei character is opened
when parent device is destroyed.
Introduce reference counting on mei_device and
decouple cdev from main structure to allow all memory
to be released when it is unused and not before.

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14201

Alexander Usyskin (3):
mei: refcount mei_device
mei: set parent for char device
mei: make char device control its own lifetime

drivers/misc/mei/bus.c | 10 ++++++---
drivers/misc/mei/gsc-me.c | 6 ++++--
drivers/misc/mei/hw-me.c | 2 +-
drivers/misc/mei/hw-txe.c | 2 +-
drivers/misc/mei/init.c | 35 +++++++++++++++++++++++++++++++
drivers/misc/mei/main.c | 37 ++++++++++++++++++++++-----------
drivers/misc/mei/mei_dev.h | 10 +++++++--
drivers/misc/mei/pci-me.c | 5 ++++-
drivers/misc/mei/pci-txe.c | 5 ++++-
drivers/misc/mei/platform-vsc.c | 7 ++++---
10 files changed, 93 insertions(+), 26 deletions(-)

--
2.43.0

Next message: Alexander Usyskin: "[char-misc-next 1/3] mei: refcount mei_device"
Previous message: Igor Korotin: "[PATCH v7 2/9] samples: rust: platform: don't call as_ref() repeatedly"
Next in thread: Alexander Usyskin: "[char-misc-next 2/3] mei: set parent for char device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]