Re: [PATCH net] net: wan: framer: fix potential UAF in framer_provider_simple_of_xlate()
From: Jakub Kicinski
Date: Fri Feb 20 2026 - 20:13:59 EST
On Fri, 20 Feb 2026 16:56:12 -0800 Dmitry Torokhov wrote:
> On Fri, Feb 20, 2026 at 04:25:53PM -0800, Jakub Kicinski wrote:
> > I have failed to understand what you are talking about after looking
> > at this for 15min :S Please write better commit messages?
>
> Yeah, I should probably rephrase it, container_of() is not that
> important.
>
> The core of the issue is that once you do put_device() it may disappear,
> so when you do
>
> return dev_to_framer(target_dev);
>
> the returned pointer may no longer point to a valid framer device. The
> memory may get used for something else entirely.
>
> You have to hold on to the reference until you are completely done with
> the device.
I meant you should explain the code paths that are involved.
> > AFAICT this get_device() does not pair with the put_device()
> > you are removing
>
> It does not "pair", but it tries to bump up a reference to the device we
> just did "put" on in framer_provider_simple_of_xlate(). If we remove put
> there as I propose then we do not need to do it here, or we'll end up
> with an extra reference.
Yes but there seem to be other callers to framer_get() which
pair with framer_put() and no involvement of
framer_provider_simple_of_xlate(). framer_codec_probe() for example?
> > > if (!try_module_get(framer->ops->owner)) {
> > > ret = -EPROBE_DEFER;
> > > goto err_put_device;
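Review bot: the goto err_put_device on the try_module_get() failure path shows that framer_get() already owns a device reference it releases on error; if the get_device() in framer_get() is removed because ->of_xlate() now hands back a referenced device, confirm this label still drops exactly one reference on every error path, and state that in the commit message.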
> > > @@ -749,7 +747,6 @@ struct framer *framer_provider_simple_of_xlate(struct device *dev,
> > > if (!target_dev)
> > > return ERR_PTR(-ENODEV);
> > >
> > > - put_device(target_dev);
> > > return dev_to_framer(target_dev);
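Review bot: removing put_device() here changes the function's contract from returning a borrowed pointer to returning a device the caller must put; add a comment above the return saying so, and have the commit message name the matching get_device() in framer_get() that is being dropped and the path (provider ->of_xlate() into framer_get()) by which the pointer is dereferenced, so reviewers can verify the reference count stays balanced for every caller, including those that reach framer_get() without going through framer_provider_simple_of_xlate().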
> >
> > The only caller of this function does not dereference the pointer
> > (no idea why it even calls it, for some setup validation?)
>
> The returned pointer ends up in framer_get() through a few layers.
Ack, I think I see it now, thru the ->of_xlate() saved in the provider.
This is the kind of basic detail that should be in the commit msg..
> > > EXPORT_SYMBOL_GPL(framer_provider_simple_of_xlate);
> >
> > I'm kinda curious about the backstory for this patch..
> > What made you look at this code?
>
> I want to remove class_find_device_by_of_node() in favor of
> class_find_device_by_fwnode() so I happened to look at the code.
Good luck :)
BTW when you repost please make sure you CC Herve, looks like the
MAINTAINERS entry for framer only covers one driver :/