mei: bus: Check for still connected devices in mei_cl_bus_dev_release()

JIRA: https://issues.redhat.com/browse/RHEL-113185

commit 35e8a42
Author: Hans de Goede <hansg@kernel.org>
Date:   Mon Jun 23 10:50:52 2025 +0200

    mei: bus: Check for still connected devices in mei_cl_bus_dev_release()

    mei_cl_bus_dev_release() also frees the mei-client (struct mei_cl)
    belonging to the device being released.

    If there are bugs like the just fixed bug in the ACE/CSI2 mei drivers,
    the mei-client being freed might still be part of the mei_device's
    file_list and iterating over this list after the freeing will then trigger
    a use-afer-free bug.

    Add a check to mei_cl_bus_dev_release() to make sure that the to-be-freed
    mei-client is not on the mei_device's file_list.

    Signed-off-by: Hans de Goede <hansg@kernel.org>
    Link: https://lore.kernel.org/r/20250623085052.12347-11-hansg@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Steve Best <sbest@redhat.com>

Author: sfbest

drivers/misc/mei/bus.c

@@ -1300,10 +1300,16 @@ static void mei_dev_bus_put(struct mei_device *bus)
 static void mei_cl_bus_dev_release(struct device *dev)
 {
 	struct mei_cl_device *cldev = to_mei_cl_device(dev);
+	struct mei_device *mdev = cldev->cl->dev;
+	struct mei_cl *cl;
 
 	mei_cl_flush_queues(cldev->cl, NULL);
 	mei_me_cl_put(cldev->me_cl);
 	mei_dev_bus_put(cldev->bus);
+
+	list_for_each_entry(cl, &mdev->file_list, link)
+		WARN_ON(cl == cldev->cl);
+
 	kfree(cldev->cl);
 	kfree(cldev);
 }