|
| 1 | +From c58f311df60f26df2efe1e0f9fc523bfa4b93936 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Alexander Usyskin <alexander.usyskin@intel.com> |
| 3 | +Date: Sun, 2 Nov 2025 10:57:22 +0200 |
| 4 | +Subject: [PATCH] mei: fix error flow in probe |
| 5 | +MIME-Version: 1.0 |
| 6 | +Content-Type: text/plain; charset=UTF-8 |
| 7 | +Content-Transfer-Encoding: 8bit |
| 8 | + |
| 9 | +Dismantle class device last in probe error flow to avoid accessing freed memory like: |
| 10 | + |
| 11 | +[ 87.926774] WARNING: CPU: 9 PID: 518 at kernel/workqueue.c:4234 |
| 12 | +__flush_work+0x340/0x390 |
| 13 | +... |
| 14 | +[ 87.926912] Workqueue: async async_run_entry_fn |
| 15 | +[ 87.926918] RIP: e030:__flush_work+0x340/0x390 |
| 16 | +[ 87.926923] Code: 26 9d 05 00 65 48 8b 15 26 3c ca 02 48 85 db 48 8b |
| 17 | +04 24 48 89 54 24 58 0f 85 de fe ff ff e9 f6 fd ff ff 0f 0b e9 77 ff ff |
| 18 | +ff <0f> 0b e9 70 ff ff ff 0f 0b e9 19 ff ff ff e8 7d 8b 0e 01 48 89 de |
| 19 | +[ 87.926931] RSP: e02b:ffffc900412ebc00 EFLAGS: 00010246 |
| 20 | +[ 87.926936] RAX: 0000000000000000 RBX: ffff888103e55090 RCX: 0000000000000000 |
| 21 | +[ 87.926941] RDX: 000fffffffe00000 RSI: 0000000000000001 RDI: ffffc900412ebc60 |
| 22 | +[ 87.926945] RBP: ffff888103e55090 R08: ffffffffc1266ec8 R09: ffff8881109076e8 |
| 23 | +[ 87.926949] R10: 0000000080040003 R11: 0000000000000000 R12: ffff888103e54000 |
| 24 | +[ 87.926953] R13: ffffc900412ebc18 R14: 0000000000000001 R15: 0000000000000000 |
| 25 | +[ 87.926962] FS: 0000000000000000(0000) GS:ffff888233238000(0000) knlGS:0000000000000000 |
| 26 | +[ 87.926967] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| 27 | +[ 87.926971] CR2: 00007e7923b32708 CR3: 00000001088df000 CR4: 0000000000050660 |
| 28 | +[ 87.926977] Call Trace: |
| 29 | +[ 87.926981] <TASK> |
| 30 | +[ 87.926987] ? __call_rcu_common.constprop.0+0x11e/0x310 |
| 31 | +[ 87.926993] cancel_work_sync+0x5e/0x80 |
| 32 | +[ 87.926999] mei_cancel_work+0x19/0x40 [mei] |
| 33 | +[ 87.927051] mei_me_probe+0x273/0x2b0 [mei_me] |
| 34 | +[ 87.927060] local_pci_probe+0x45/0x90 |
| 35 | +[ 87.927066] pci_call_probe+0x5b/0x180 |
| 36 | +[ 87.927070] pci_device_probe+0x95/0x140 |
| 37 | +[ 87.927074] ? driver_sysfs_add+0x57/0xc0 |
| 38 | +[ 87.927079] really_probe+0xde/0x340 |
| 39 | +[ 87.927083] ? pm_runtime_barrier+0x54/0x90 |
| 40 | +[ 87.927087] __driver_probe_device+0x78/0x110 |
| 41 | +[ 87.927092] driver_probe_device+0x1f/0xa0 |
| 42 | +[ 87.927095] __driver_attach_async_helper+0x5e/0xe0 |
| 43 | +[ 87.927100] async_run_entry_fn+0x34/0x130 |
| 44 | +[ 87.927104] process_one_work+0x18d/0x340 |
| 45 | +[ 87.927108] worker_thread+0x256/0x3a0 |
| 46 | +[ 87.927111] ? __pfx_worker_thread+0x10/0x10 |
| 47 | +[ 87.927115] kthread+0xfc/0x240 |
| 48 | +[ 87.927120] ? __pfx_kthread+0x10/0x10 |
| 49 | +[ 87.927124] ? __pfx_kthread+0x10/0x10 |
| 50 | +[ 87.927127] ret_from_fork+0xf5/0x110 |
| 51 | +[ 87.927132] ? __pfx_kthread+0x10/0x10 |
| 52 | +[ 87.927136] ret_from_fork_asm+0x1a/0x30 |
| 53 | +[ 87.927141] </TASK> |
| 54 | + |
| 55 | +Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> |
| 56 | +Reported-by: Guenter Roeck <linux@roeck-us.net> |
| 57 | +Fixes: 7704e6be4ed2 ("mei: hook mei_device on class device") |
| 58 | +Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> |
| 59 | +--- |
| 60 | + drivers/misc/mei/pci-me.c | 13 ++++++------- |
| 61 | + drivers/misc/mei/pci-txe.c | 13 ++++++------- |
| 62 | + drivers/misc/mei/platform-vsc.c | 11 +++++------ |
| 63 | + 3 files changed, 17 insertions(+), 20 deletions(-) |
| 64 | + |
| 65 | +diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c |
| 66 | +index b017ff29dbd1..73cad914be9f 100644 |
| 67 | +--- a/drivers/misc/mei/pci-me.c |
| 68 | ++++ b/drivers/misc/mei/pci-me.c |
| 69 | +@@ -223,6 +223,10 @@ static int mei_me_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 70 | + hw->mem_addr = pcim_iomap_table(pdev)[0]; |
| 71 | + hw->read_fws = mei_me_read_fws; |
| 72 | + |
| 73 | ++ err = mei_register(dev, &pdev->dev); |
| 74 | ++ if (err) |
| 75 | ++ goto end; |
| 76 | ++ |
| 77 | + pci_enable_msi(pdev); |
| 78 | + |
| 79 | + hw->irq = pdev->irq; |
| 80 | +@@ -237,13 +241,9 @@ static int mei_me_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 81 | + if (err) { |
| 82 | + dev_err(&pdev->dev, "request_threaded_irq failure. irq = %d\n", |
| 83 | + pdev->irq); |
| 84 | +- goto end; |
| 85 | ++ goto deregister; |
| 86 | + } |
| 87 | + |
| 88 | +- err = mei_register(dev, &pdev->dev); |
| 89 | +- if (err) |
| 90 | +- goto release_irq; |
| 91 | +- |
| 92 | + if (mei_start(dev)) { |
| 93 | + dev_err(&pdev->dev, "init hw failure.\n"); |
| 94 | + err = -ENODEV; |
| 95 | +@@ -283,11 +283,10 @@ static int mei_me_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 96 | + return 0; |
| 97 | + |
| 98 | + deregister: |
| 99 | +- mei_deregister(dev); |
| 100 | +-release_irq: |
| 101 | + mei_cancel_work(dev); |
| 102 | + mei_disable_interrupts(dev); |
| 103 | + free_irq(pdev->irq, dev); |
| 104 | ++ mei_deregister(dev); |
| 105 | + end: |
| 106 | + dev_err(&pdev->dev, "initialization failed.\n"); |
| 107 | + return err; |
| 108 | +diff --git a/drivers/misc/mei/pci-txe.c b/drivers/misc/mei/pci-txe.c |
| 109 | +index 06b55a891c6b..98d1bc2c7f4b 100644 |
| 110 | +--- a/drivers/misc/mei/pci-txe.c |
| 111 | ++++ b/drivers/misc/mei/pci-txe.c |
| 112 | +@@ -87,6 +87,10 @@ static int mei_txe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 113 | + hw = to_txe_hw(dev); |
| 114 | + hw->mem_addr = pcim_iomap_table(pdev); |
| 115 | + |
| 116 | ++ err = mei_register(dev, &pdev->dev); |
| 117 | ++ if (err) |
| 118 | ++ goto end; |
| 119 | ++ |
| 120 | + pci_enable_msi(pdev); |
| 121 | + |
| 122 | + /* clear spurious interrupts */ |
| 123 | +@@ -106,13 +110,9 @@ static int mei_txe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 124 | + if (err) { |
| 125 | + dev_err(&pdev->dev, "mei: request_threaded_irq failure. irq = %d\n", |
| 126 | + pdev->irq); |
| 127 | +- goto end; |
| 128 | ++ goto deregister; |
| 129 | + } |
| 130 | + |
| 131 | +- err = mei_register(dev, &pdev->dev); |
| 132 | +- if (err) |
| 133 | +- goto release_irq; |
| 134 | +- |
| 135 | + if (mei_start(dev)) { |
| 136 | + dev_err(&pdev->dev, "init hw failure.\n"); |
| 137 | + err = -ENODEV; |
| 138 | +@@ -145,11 +145,10 @@ static int mei_txe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) |
| 139 | + return 0; |
| 140 | + |
| 141 | + deregister: |
| 142 | +- mei_deregister(dev); |
| 143 | +-release_irq: |
| 144 | + mei_cancel_work(dev); |
| 145 | + mei_disable_interrupts(dev); |
| 146 | + free_irq(pdev->irq, dev); |
| 147 | ++ mei_deregister(dev); |
| 148 | + end: |
| 149 | + dev_err(&pdev->dev, "initialization failed.\n"); |
| 150 | + return err; |
| 151 | +diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c |
| 152 | +index 288e7b72e942..9787b9cee71c 100644 |
| 153 | +--- a/drivers/misc/mei/platform-vsc.c |
| 154 | ++++ b/drivers/misc/mei/platform-vsc.c |
| 155 | +@@ -362,28 +362,27 @@ static int mei_vsc_probe(struct platform_device *pdev) |
| 156 | + |
| 157 | + ret = mei_register(mei_dev, dev); |
| 158 | + if (ret) |
| 159 | +- goto err_dereg; |
| 160 | ++ goto err; |
| 161 | + |
| 162 | + ret = mei_start(mei_dev); |
| 163 | + if (ret) { |
| 164 | + dev_err_probe(dev, ret, "init hw failed\n"); |
| 165 | +- goto err_cancel; |
| 166 | ++ goto err; |
| 167 | + } |
| 168 | + |
| 169 | + pm_runtime_enable(mei_dev->parent); |
| 170 | + |
| 171 | + return 0; |
| 172 | + |
| 173 | +-err_dereg: |
| 174 | +- mei_deregister(mei_dev); |
| 175 | +- |
| 176 | +-err_cancel: |
| 177 | ++err: |
| 178 | + mei_cancel_work(mei_dev); |
| 179 | + |
| 180 | + vsc_tp_register_event_cb(tp, NULL, NULL); |
| 181 | + |
| 182 | + mei_disable_interrupts(mei_dev); |
| 183 | + |
| 184 | ++ mei_deregister(mei_dev); |
| 185 | ++ |
| 186 | + return ret; |
| 187 | + } |
| 188 | + |
| 189 | +-- |
| 190 | +2.43.0 |
0 commit comments