tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

driver core: get_dev_from_fwnode(): document potential race

Commit 9a4681a485ee ("driver core: Export get_dev_from_fwnode()") made
get_dev_from_fwnode() publicly available, but didn't document the
guarantees a caller must uphold:

get_dev_from_fwnode() obtains a reference count from the device pointer
stored in a struct fwnode_handle. While having its own reference count,
struct fwnode_handle does not keep a reference count of the device it
has a pointer to.

Consequently, a caller must guarantee that it is impossible that the
last device reference is dropped and the device is released concurrently
while calling get_dev_from_fwnode(), otherwise this is a potential UAF
and hence a bug.

Thus, document this potential race condition for get_dev_from_fwnode().

Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Saravana Kannan <saravanak@google.com>
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Link: https://lore.kernel.org/r/20250829205911.33142-1-dakr@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Danilo Krummrich and committed by
Greg Kroah-Hartman a86537ad 2b2d4c74

+19
+19
drivers/base/core.c
··· 5278 5278 } 5279 5279 EXPORT_SYMBOL_GPL(device_set_node); 5280 5280 5281 + /** 5282 + * get_dev_from_fwnode - Obtain a reference count of the struct device the 5283 + * struct fwnode_handle is associated with. 5284 + * @fwnode: The pointer to the struct fwnode_handle to obtain the struct device 5285 + * reference count of. 5286 + * 5287 + * This function obtains a reference count of the device the device pointer 5288 + * embedded in the struct fwnode_handle points to. 5289 + * 5290 + * Note that the struct device pointer embedded in struct fwnode_handle does 5291 + * *not* have a reference count of the struct device itself. 5292 + * 5293 + * Hence, it is a UAF (and thus a bug) to call this function if the caller can't 5294 + * guarantee that the last reference count of the corresponding struct device is 5295 + * not dropped concurrently. 5296 + * 5297 + * This is possible since struct fwnode_handle has its own reference count and 5298 + * hence can out-live the struct device it is associated with. 5299 + */ 5281 5300 struct device *get_dev_from_fwnode(struct fwnode_handle *fwnode) 5282 5301 { 5283 5302 return get_device((fwnode)->dev);