Re: [PATCH net] net: wan: framer: fix potential UAF in framer_provider_simple_of_xlate()

[Dmitry Torokhov]

On Fri, Feb 20, 2026 at 04:25:53PM -0800, Jakub Kicinski wrote:
> On Thu, 19 Feb 2026 15:40:57 -0800 Dmitry Torokhov wrote:
> > The implementation put_device()s located device and then uses
> > container_of() on the pointer. The device may disappear by that time,
> > resulting in UAF.
> > 
> > Fix the problem by keeping the reference to the framer device, and
> > avoid getting an extra reference to it in framer_get().
> 
> I have failed to understand what you are talking about after looking 
> at this for 15min :S Please write better commit messages?

Yeah, I should probably rephrase it, container_of() is not that
important.

The core of the issue that once you do put_device() it may disappear,
so when you do 

	return dev_to_framer(target_dev);

the returned pointer may no longer point to the valid framer device. The
memory may get used for something else entirely.

You have to hold on to the reference until you are completely done with
the device.

> 
> > Fixes: dcacb364772e ("net: wan: framer: Simplify API framer_provider_simple_of_xlate() implementation")
> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
> > ---
> >  drivers/net/wan/framer/framer-core.c | 3 ---
> >  1 file changed, 3 deletions(-)
> > 
> > diff --git a/drivers/net/wan/framer/framer-core.c b/drivers/net/wan/framer/framer-core.c
> > index bf7ac7dd2804..397fabc3da4e 100644
> > --- a/drivers/net/wan/framer/framer-core.c
> > +++ b/drivers/net/wan/framer/framer-core.c
> > @@ -482,8 +482,6 @@ struct framer *framer_get(struct device *dev, const char *con_id)
> >  	if (IS_ERR(framer))
> >  		return framer;
> >  
> > -	get_device(&framer->dev);
> 
> AFAICT this get_device() does not pair with the put_device() 
> you are removing

It does not "pair", but it tries to bump up a reference to the device we
just did "put" on in framer_provider_simple_of_xlate(). If we remove put
there as I propose then we do not need to do it here, or we'll end up
with an extra reference.

> 
> >  	if (!try_module_get(framer->ops->owner)) {
> >  		ret = -EPROBE_DEFER;
> >  		goto err_put_device;
> > @@ -749,7 +747,6 @@ struct framer *framer_provider_simple_of_xlate(struct device *dev,
> >  	if (!target_dev)
> >  		return ERR_PTR(-ENODEV);
> >  
> > -	put_device(target_dev);
> >  	return dev_to_framer(target_dev);
> 
> The only caller of this function does not dereference the pointer
> (no idea why it even calls it, for some setup validation?)

The returned pointer ends up in framer_get() through a few layers.

> Calling container_of() on a stale pointer is safe.

But using what it returns isn't. And I am sure there is an arcane C
rule that disallows container_of and gives compiler a license to kill a
kitten.

> 
> >  }
> >  EXPORT_SYMBOL_GPL(framer_provider_simple_of_xlate);
> 
> I'm kinda curious about the backstory for this patch..
> What made you look at this code?

I want to remove class_find_device_by_of_node() in favor of
class_find_device_by_fwnode() so I happened to look at the code.

Thanks.

-- 
Dmitry