From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 02/16] firmware: qcom: Add a generic PAS service
Date: Tue, 19 May 2026 07:33:48 +0000 [thread overview]
Message-ID: <20260519073348.B9F5BC2BCC6@smtp.kernel.org> (raw)
In-Reply-To: <20260518072856.22790-3-sumit.garg@kernel.org>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] TOCTOU race condition and missing memory barriers on global `ops_ptr` accesses
- [High] Race condition in `qcom_pas_ops_register()` allows silent overwrites and NULL pointer dereference
- [High] Use-After-Free vulnerability due to missing module lifetime synchronization
--
commit 2f5e5371b4bb3e1c42fab23cd3a647eabe758865
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
firmware: qcom: Add a generic PAS service
This commit introduces a generic Peripheral Authentication Service layer for
Qualcomm platforms. It acts as a common interface for different TrustZone
backends to support both SCM and TEE bus-based PAS services.
Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Tested-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> # Lemans
Reviewed-by: Harshal Dev <harshal.dev@oss.qualcomm.com>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
> diff --git a/drivers/firmware/qcom/qcom_pas.c b/drivers/firmware/qcom/qcom_pas.c
> new file mode 100644
> index 0000000000000..bc6c42f2b3c61
> --- /dev/null
> +++ b/drivers/firmware/qcom/qcom_pas.c
[ ... ]
> +int qcom_pas_init_image(u32 pas_id, const void *metadata, size_t size,
> + struct qcom_pas_context *ctx)
> +{
> + if (!ops_ptr)
> + return -ENODEV;
> +
> + return ops_ptr->init_image(ops_ptr->dev, pas_id, metadata, size, ctx);
> +}
Could a race condition occur here if qcom_pas_ops_unregister() is called
concurrently? The global ops_ptr is read twice via plain C reads. If it
becomes NULL after the check, the second read might cause a NULL pointer
dereference.
Also, since there is no smp_load_acquire() or READ_ONCE() used to cache the
pointer locally, could weakly ordered architectures observe a non-NULL
ops_ptr but read uninitialized callback pointers?
[ ... ]
> +void qcom_pas_ops_register(struct qcom_pas_ops *ops)
> +{
> + if (!qcom_pas_is_available())
> + /* Paired with smp_load_acquire() in qcom_pas_is_available() */
> + smp_store_release(&ops_ptr, ops);
> + else
> + pr_err("qcom_pas: ops already registered by %s\n",
> + ops_ptr->drv_name);
> +}
What happens if two backend drivers attempt to register concurrently?
The check in qcom_pas_is_available() and the subsequent store do not seem
to be protected by a lock or atomic operation, which might allow the second
driver to silently overwrite the first.
Furthermore, if the else branch executes, and a concurrent thread
unregisters the ops immediately after the check, could ops_ptr->drv_name
trigger a NULL pointer dereference?
> diff --git a/drivers/firmware/qcom/qcom_pas.h b/drivers/firmware/qcom/qcom_pas.h
> new file mode 100644
> index 0000000000000..8643e2760602e
> --- /dev/null
> +++ b/drivers/firmware/qcom/qcom_pas.h
[ ... ]
> +struct qcom_pas_ops {
> + const char *drv_name;
> + struct device *dev;
> + bool (*supported)(struct device *dev, u32 pas_id);
Is there a risk of a use-after-free here if the backend module is unloaded
while its callbacks are actively executing?
It doesn't appear that the framework pins the backend module using an owner
field and try_module_get(), or waits for ongoing callbacks to finish before
unregistration completes.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518072856.22790-1-sumit.garg@kernel.org?part=2
next prev parent reply other threads:[~2026-05-19 7:33 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 7:28 [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 01/16] arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:00 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 02/16] firmware: qcom: Add a generic PAS service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot [this message]
2026-05-22 8:13 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 03/16] firmware: qcom_scm: Migrate to " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:02 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 04/16] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:39 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 05/16] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:44 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 06/16] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 07/16] soc: qcom: mdtloader: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 08/16] remoteproc: qcom_wcnss: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 09/16] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 10/16] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 11/16] media: qcom: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:14 ` Sumit Garg
2026-05-21 6:40 ` Vikash Garodia
2026-05-22 7:25 ` Sumit Garg
2026-05-22 7:25 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 12/16] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:28 ` Sumit Garg
2026-05-21 6:30 ` Vikash Garodia
2026-05-18 7:28 ` [PATCH v6 13/16] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 14/16] wifi: ath12k: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 10:51 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 15/16] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 16/16] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 19:29 ` [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Vignesh Viswanathan
2026-05-19 19:29 ` Vignesh Viswanathan via OP-TEE
2026-05-20 16:27 ` Jeff Johnson
2026-05-20 16:27 ` Jeff Johnson via OP-TEE
2026-05-22 7:43 ` Sumit Garg
2026-05-22 7:43 ` Sumit Garg via OP-TEE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519073348.B9F5BC2BCC6@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sumit.garg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.