From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v6 10/16] drm/msm: Switch to generic PAS TZ APIs
Date: Tue, 19 May 2026 07:34:03 +0000 [thread overview]
Message-ID: <20260519073403.AC07AC2BCF5@smtp.kernel.org> (raw)
In-Reply-To: <20260518072856.22790-11-sumit.garg@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Infinite probe deferral on devices that do not support PAS.
- [High] Time-of-Check to Time-of-Use (TOCTOU) race leading to NULL pointer dereference or Use-After-Free.
--
commit 168f850440ba0271d11e8bfd4d88f6adbd042e93
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
drm/msm: Switch to generic PAS TZ APIs
This commit switches the drm/msm client drivers to use the generic PAS TZ
APIs instead of the SCM-specific ones. This allows the driver to support
multiple TrustZone implementation backends.
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index 66f80f2d12f95..6d68edf0578c2 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> @@ -146,10 +147,10 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname,
> goto out;
>
> /* Send the image to the secure world */
> - ret = qcom_scm_pas_auth_and_reset(pasid);
> + ret = qcom_pas_auth_and_reset(pasid);
Could this introduce a race condition if the PAS backend is unbound
concurrently?
Looking at the new generic PAS APIs, they do not appear to protect the backend
operations pointer:
drivers/firmware/qcom/qcom_pas.c:qcom_pas_auth_and_reset() {
if (!ops_ptr)
return -ENODEV;
return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id);
}
If a dynamic backend like qcom_pas_tee is unbound via sysfs between the check
and the dereference, ops_ptr could become NULL, leading to a NULL pointer
dereference.
Is there a mechanism preventing this race when switching from the SCM backend
to the generic PAS API?
[ ... ]
> @@ -175,9 +176,9 @@ int adreno_zap_shader_load(struct msm_gpu *gpu, u32 pasid)
> if (!zap_available)
> return -ENODEV;
>
> - /* We need SCM to be able to load the firmware */
> - if (!qcom_scm_is_available()) {
> - DRM_DEV_ERROR(&pdev->dev, "SCM is not available\n");
> + /* We need PAS to be able to load the firmware */
> + if (!qcom_pas_is_available()) {
> + DRM_DEV_ERROR(&pdev->dev, "Qcom PAS is not available\n");
> return -EPROBE_DEFER;
> }
Will this cause an infinite probe deferral on platforms that do not support
PAS hardware?
The SCM backend skips registering PAS ops if the hardware lacks PAS support.
If qcom_pas_is_available() is called on such a platform, it returns false
because no backend has registered.
Since this check happens before zap_shader_load_mdt() parses the device tree
to determine if a zap shader is actually needed (which is what updates the
zap_available flag), won't the GPU probe indefinitely defer instead of
failing gracefully?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518072856.22790-1-sumit.garg@kernel.org?part=10
next prev parent reply other threads:[~2026-05-19 7:34 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 7:28 [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 01/16] arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:00 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 02/16] firmware: qcom: Add a generic PAS service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:13 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 03/16] firmware: qcom_scm: Migrate to " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:02 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 04/16] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:39 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 05/16] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:44 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 06/16] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 07/16] soc: qcom: mdtloader: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 08/16] remoteproc: qcom_wcnss: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 09/16] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 10/16] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot [this message]
2026-05-18 7:28 ` [PATCH v6 11/16] media: qcom: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:14 ` Sumit Garg
2026-05-21 6:40 ` Vikash Garodia
2026-05-22 7:25 ` Sumit Garg
2026-05-22 7:25 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 12/16] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:28 ` Sumit Garg
2026-05-21 6:30 ` Vikash Garodia
2026-05-18 7:28 ` [PATCH v6 13/16] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 14/16] wifi: ath12k: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 10:51 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 15/16] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 16/16] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 19:29 ` [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Vignesh Viswanathan
2026-05-19 19:29 ` Vignesh Viswanathan via OP-TEE
2026-05-20 16:27 ` Jeff Johnson
2026-05-20 16:27 ` Jeff Johnson via OP-TEE
2026-05-22 7:43 ` Sumit Garg
2026-05-22 7:43 ` Sumit Garg via OP-TEE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519073403.AC07AC2BCF5@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sumit.garg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.