Re: [PATCH] phy: core: fix potential UAF in of_phy_simple_xlate()
From: Dmitry Torokhov
Date: Thu Feb 19 2026 - 19:11:59 EST
On Thu, Feb 19, 2026 at 03:57:11PM -0800, Dmitry Torokhov wrote:
> The implementation put_device()s the located device and then uses
> container_of() on the pointer. The device may disappear by that time,
> resulting in UAF.
>
> Fix the problem by keeping the reference to the framer device,
> avoiding getting an extra reference to it in framer_get(), and making
> sure to drop the reference in the error path when we fail to get the module.
Hmm, I was too rash. There are a bunch of other xlate functions that need
to be updated to take the reference.
>
> Fixes: e6625db66212 ("phy: core: Simplify API of_phy_simple_xlate() implementation")
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
> ---
> drivers/phy/phy-core.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
> index 4ad396214d0c..cf62eb9ddca9 100644
> --- a/drivers/phy/phy-core.c
> +++ b/drivers/phy/phy-core.c
> @@ -682,10 +682,10 @@ struct phy *of_phy_get(struct device_node *np, const char *con_id)
> if (IS_ERR(phy))
> return phy;
>
> - if (!try_module_get(phy->ops->owner))
> + if (!try_module_get(phy->ops->owner)) {
> + put_device(&phy->dev);
> return ERR_PTR(-EPROBE_DEFER);
> -
> - get_device(&phy->dev);
> + }
>
> return phy;
> }
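Review bot: Removing get_device(&phy->dev) at the end of of_phy_get() changes what the function expects from whatever produced phy: the pointer must now arrive with a device reference already held, and the new put_device(&phy->dev) in the try_module_get() failure branch drops that reference. This patch only changes of_phy_simple_xlate() to return with the reference kept, so any other source of the phy pointer that does not take one would leave the count unbalanced: nothing held on the success path, and a put for a reference that was never taken on the failure path. Convert the remaining providers in the same series, or keep the get_device() here until they are converted. The commit message also speaks of the "framer device" and framer_get(), while the hunk modifies of_phy_get() in drivers/phy/phy-core.c; the wording should match the code being changed.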
> @@ -765,7 +765,6 @@ struct phy *of_phy_simple_xlate(struct device *dev,
> if (!target_dev)
> return ERR_PTR(-ENODEV);
>
> - put_device(target_dev);
> return to_phy(target_dev);
> }
> EXPORT_SYMBOL_GPL(of_phy_simple_xlate);
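Review bot: With put_device(target_dev) removed, of_phy_simple_xlate() now hands back a phy whose device reference belongs to the caller, but the diffstat (3 insertions, 4 deletions, all in code) shows no comment was updated to say so. Since the function is exported with EXPORT_SYMBOL_GPL, add a sentence to its documentation stating that the returned phy carries a reference the caller must release with put_device(&phy->dev), so that callers other than of_phy_get() do not leak it.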
> --
> 2.53.0.345.g96ddfc5eaa-goog
>
>
--
Dmitry