[media.git/next] media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls

[media-ci]

On Sat Jun 21 16:00:52 2025 +0200, Hans de Goede wrote:
> Both the ACE and CSI driver are missing a mei_cldev_disable() call in
> their remove() function.
> 
> This causes the mei_cl client to stay part of the mei_device->file_list
> list even though its memory is freed by mei_cl_bus_dev_release() calling
> kfree(cldev->cl).
> 
> This leads to a use-after-free when mei_vsc_remove() runs mei_stop()
> which first removes all mei bus devices calling mei_ace_remove() and
> mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls
> mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing
> the just freed cldev->cl.
> 
> And mei_vsc_remove() it self is run at shutdown because of the
> platform_device_unregister(tp->pdev) in vsc_tp_shutdown()
> 
> When building a kernel with KASAN this leads to the following KASAN report:
> 
> [ 106.634504] 
> ==================================================================
> [ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected 
> (drivers/misc/mei/client.c:783) mei
> [ 106.634683] Read of size 4 at addr ffff88819cb62018 by task 
> systemd-shutdow/1
> [ 106.634729]
> [ 106.634767] Tainted: [E]=UNSIGNED_MODULE
> [ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 
> 02/10/2025
> [ 106.634773] Call Trace:
> [ 106.634777]  <TASK>
> ...
> [ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
> [ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei
> [ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 
> (discriminator 4)) mei
> [ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei
> ...
> [ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei
> [ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 
> drivers/misc/mei/platform-vsc.c:393) mei_vsc
> [ 106.635066] platform_remove (drivers/base/platform.c:1424)
> 
> Add the missing mei_cldev_disable() calls so that the mei_cl gets removed
> from mei_device->file_list before it is freed to fix this.
> 
> Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule")
> Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Hans de Goede <ha...@kernel.org>
> Signed-off-by: Sakari Ailus <sakari.ai...@linux.intel.com>
> Signed-off-by: Hans Verkuil <hverk...@xs4all.nl>

Patch committed.

Thanks,
Hans Verkuil

 drivers/media/pci/intel/ivsc/mei_ace.c | 2 ++
 drivers/media/pci/intel/ivsc/mei_csi.c | 2 ++
 2 files changed, 4 insertions(+)

---

diff --git a/drivers/media/pci/intel/ivsc/mei_ace.c 
b/drivers/media/pci/intel/ivsc/mei_ace.c
index 3622271c71c8..50d18b627e15 100644
--- a/drivers/media/pci/intel/ivsc/mei_ace.c
+++ b/drivers/media/pci/intel/ivsc/mei_ace.c
@@ -529,6 +529,8 @@ static void mei_ace_remove(struct mei_cl_device *cldev)
 
        ace_set_camera_owner(ace, ACE_CAMERA_IVSC);
 
+       mei_cldev_disable(cldev);
+
        mutex_destroy(&ace->lock);
 }
 
diff --git a/drivers/media/pci/intel/ivsc/mei_csi.c 
b/drivers/media/pci/intel/ivsc/mei_csi.c
index 92d871a378ba..955f687e5d59 100644
--- a/drivers/media/pci/intel/ivsc/mei_csi.c
+++ b/drivers/media/pci/intel/ivsc/mei_csi.c
@@ -760,6 +760,8 @@ static void mei_csi_remove(struct mei_cl_device *cldev)
 
        pm_runtime_disable(&cldev->dev);
 
+       mei_cldev_disable(cldev);
+
        mutex_destroy(&csi->lock);
 }