Re: [PATCH v6 08/16] remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The switch to the generic `qcom_pas` API exposes the driver to a lockless TOCTOU race condition and Use-After-Free if a backend module is unloaded concurrently.
--

commit e4aabb52d1f1c2288fe5314795bd4781f09c76b4
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>

remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs
    
This commit switches the qcom_wcnss client driver over to generic PAS TZ
APIs to support multiple TZ implementation backends like QTEE and OP-TEE.

> diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c
> --- a/drivers/remoteproc/qcom_wcnss.c
> +++ b/drivers/remoteproc/qcom_wcnss.c
[ ... ]
> @@ -257,7 +257,7 @@ static int wcnss_start(struct rproc *rproc)
>  	wcnss_indicate_nv_download(wcnss);
>  	wcnss_configure_iris(wcnss);
>  
> -	ret = qcom_scm_pas_auth_and_reset(WCNSS_PAS_ID);
> +	ret = qcom_pas_auth_and_reset(WCNSS_PAS_ID);

By switching to the generic qcom_pas_auth_and_reset(), does this expose the
driver to a race condition if the PAS backend module is unloaded concurrently?

When using qcom_scm_pas_auth_and_reset(), the direct symbol dependency prevented
the backend module from being unloaded while the wcnss module was active.

The new qcom_pas_auth_and_reset() function appears to use a global ops pointer
without locks or module pinning:

drivers/firmware/qcom/qcom_pas.c:qcom_pas_auth_and_reset() {
	if (!ops_ptr)
		return -ENODEV;

	return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id);
}

If an administrator unloads the backend module and ops_ptr is cleared right
after the check, could this result in a null pointer dereference or
use-after-free when calling ops_ptr->auth_and_reset()?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260518072856.22790-1-sumit.garg@kernel.org?part=8