[PATCH] phy: core: fix potential UAF in of_phy_simple_xlate()

Zijun Hu zijun_hu at icloud.com
Fri Feb 27 19:44:34 PST 2026


On 2/20/26 07:57, Dmitry Torokhov wrote:
> The implementation put_device()s located device and then uses
> container_of() on the pointer. The device may disappear by that time,
> resulting in UAF.
> 
> Fix the problem by keeping the reference to the framer device,
> avoiding getting an extra reference to it in framer_get(), and making
> sure to drop the reference in error path when we fail to get the module.
> 
> Fixes: e6625db66212 ("phy: core: Simplify API of_phy_simple_xlate() implementation")

This fix tag is wrong, as explained by the comments below.

> Signed-off-by: Dmitry Torokhov <dmitry.torokhov at gmail.com>
> ---
>  drivers/phy/phy-core.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
> index 4ad396214d0c..cf62eb9ddca9 100644
> --- a/drivers/phy/phy-core.c
> +++ b/drivers/phy/phy-core.c
> @@ -682,10 +682,10 @@ struct phy *of_phy_get(struct device_node *np, const char *con_id)
>  	if (IS_ERR(phy))
>  		return phy;
>  
> -	if (!try_module_get(phy->ops->owner))
> +	if (!try_module_get(phy->ops->owner)) {
> +		put_device(&phy->dev);
>  		return ERR_PTR(-EPROBE_DEFER);
> -
> -	get_device(&phy->dev);
> +	}
>  
>  	return phy;
>  }
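Review bot: with get_device(&phy->dev) dropped on the success path and put_device(&phy->dev) added on the try_module_get() failure path, of_phy_get() now assumes the phy it received already carries a device reference, and nothing in the hunk documents that contract. The second hunk makes of_phy_simple_xlate() return with its reference held, but any other provider callback that hands back a phy without taking a reference would leave the success path holding no reference and the error path dropping one it does not own. Please state the requirement in a comment above this check and confirm that the other callbacks were audited. The commit message also speaks of the "framer device" and framer_get(), while the code changed here is of_phy_get() in drivers/phy/phy-core.c; it should be reworded to match.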
> @@ -765,7 +765,6 @@ struct phy *of_phy_simple_xlate(struct device *dev,
>  	if (!target_dev)
>  		return ERR_PTR(-ENODEV);
>  
> -	put_device(target_dev);

This puts the reference count of @target_dev obtained by class_find_device_by_of_node(),
so the following commit mentioned by the fix tag does not change the reference
count.
https://lore.kernel.org/all/20241213-phy_core_fix-v6-6-40ae28f5015a@quicinc.com/


>  	return to_phy(target_dev);
>  }
>  EXPORT_SYMBOL_GPL(of_phy_simple_xlate);
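Review bot: once put_device(target_dev) is removed, of_phy_simple_xlate() returns to_phy(target_dev) with a device reference still held, and because the function is exported with EXPORT_SYMBOL_GPL every caller, not only of_phy_get(), becomes responsible for dropping it. The function's documentation comment should say that the returned phy holds a reference the caller must release with put_device(&phy->dev); otherwise a direct caller leaks the device. The Fixes: tag is disputed in the reply above and should be re-checked against the commit that first placed put_device() ahead of the to_phy() conversion.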



