From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 11/16] media: qcom: Switch to generic PAS TZ APIs
Date: Tue, 19 May 2026 07:34:04 +0000
Message-ID: <20260519073406.4CA28C2BCB3@smtp.kernel.org>
In-Reply-To: <20260518072856.22790-12-sumit.garg@kernel.org>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unconditional use of SCM-specific API (qcom_scm_mem_protect_video_var) will cause a NULL pointer dereference when using a non-SCM TrustZone backend.
- [High] Migrating to the generic PAS API exposes a TOCTOU race and Use-After-Free due to a lack of backend provider lifetime management.
--

commit 2d2fe5038803b9390438e02f3c0f53b945cc9bdc
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>

media: qcom: Switch to generic PAS TZ APIs

This commit switches the Qualcomm media client drivers to use the generic
PAS TZ APIs instead of the SCM-specific ones. This allows the drivers to
support multiple TrustZone backend implementations such as QTEE and OP-TEE.

> diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
> index 5f408024e967f..b3c5281aea919 100644
> --- a/drivers/media/platform/qcom/iris/iris_firmware.c
> +++ b/drivers/media/platform/qcom/iris/iris_firmware.c
[ ... ]
> @@ -79,7 +80,7 @@ int iris_fw_load(struct iris_core *core)
>  		return -ENOMEM;
>  	}
>  
> -	ret = qcom_scm_pas_auth_and_reset(core->iris_platform_data->pas_id);
> +	ret = qcom_pas_auth_and_reset(core->iris_platform_data->pas_id);
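
Review bot: In iris_fw_load(), the context shown around `ret = qcom_pas_auth_and_reset(core->iris_platform_data->pas_id);` includes no availability gate, whereas the venus_boot() hunk in this same patch checks qcom_pas_is_available() and returns -EPROBE_DEFER. Consider adding the equivalent gate on the iris path, or state in the commit message what guarantees that a PAS backend is registered, and stays registered, by the time iris_fw_load() runs.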

Does moving to the generic PAS API introduce a race condition with module
unloading?

Looking at the generic PAS wrapper qcom_pas_auth_and_reset() in
drivers/firmware/qcom/qcom_pas.c:

int qcom_pas_auth_and_reset(u32 pas_id)
{
	if (!ops_ptr)
		return -ENODEV;

	return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id);
}

If the PAS backend module is unloaded concurrently, ops_ptr could be set to
null after the check but before the function pointer is invoked. Do the
client drivers need to hold a reference count to pin the backend provider
in memory before calling these APIs to avoid a use-after-free?

[ ... ]
> diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c
> index 1de7436713ed9..3a38ff985822f 100644
> --- a/drivers/media/platform/qcom/venus/firmware.c
> +++ b/drivers/media/platform/qcom/venus/firmware.c
[ ... ]
> @@ -218,7 +219,7 @@ int venus_boot(struct venus_core *core)
>  	int ret;
>  
>  	if (!IS_ENABLED(CONFIG_QCOM_MDT_LOADER) ||
> -	    (core->use_tz && !qcom_scm_is_available()))
> +	    (core->use_tz && !qcom_pas_is_available()))
>  		return -EPROBE_DEFER;
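
Review bot: The gate `(core->use_tz && !qcom_pas_is_available())` no longer says anything about SCM readiness, so any call later in venus_boot() that is still SCM-specific loses the guarantee the removed qcom_scm_is_available() check gave it. Either keep an SCM availability check in front of the SCM-only paths or move them behind the generic PAS interface, and mention the remaining SCM dependency in the commit message, since it currently claims support for non-SCM backends.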

If the platform uses a non-SCM TrustZone backend like OP-TEE,
qcom_pas_is_available() will return true, but the qcom_scm subsystem
might not be probed.

Will this lead to a null pointer dereference later in venus_boot() when
it calls the SCM-specific API?

venus_boot() {
    ...
	if (core->use_tz && res->cp_size) {
		ret = qcom_scm_mem_protect_video_var(res->cp_start,
						     res->cp_size,
						     res->cp_nonpixel_start,
						     res->cp_nonpixel_size);
	}
    ...
}

Looking at qcom_scm_mem_protect_video_var(), it executes
qcom_scm_call(__scm->dev, ...). If __scm is null because the SCM
subsystem is absent, this dereference might cause a panic.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260518072856.22790-1-sumit.garg@kernel.org?part=11
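
The check-then-call window raised in the review above, modelled in userspace C as an added example; it is not code from the patch, the kernel, or the reviewer. The spinlock, the `refs` counter, `pas_unregister()` and the demo backend are assumptions made for illustration: the reference is taken in the same locked step as the NULL check, so an unload attempted mid-call is refused instead of leaving a dangling pointer.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

/* Userspace model, constructed: the lock and refcount scheme is an assumption. */
struct pas_ops {
	int (*auth_and_reset)(void *dev, unsigned int pas_id);
	void *dev;
	int refs;		/* callers currently inside the backend */
};
static atomic_flag ops_lock = ATOMIC_FLAG_INIT;
static struct pas_ops *ops_ptr;
static void lock(void)   { while (atomic_flag_test_and_set(&ops_lock)) { } }
static void unlock(void) { atomic_flag_clear(&ops_lock); }

/* Removal is refused while any caller still holds a reference. */
int pas_unregister(struct pas_ops *ops)
{
	int ret;
	lock();
	ret = ops_ptr != ops ? -ENODEV : ops->refs ? -EBUSY : 0;
	if (!ret) ops_ptr = NULL;
	unlock();
	return ret;
}

int pas_auth_and_reset(unsigned int pas_id)
{
	struct pas_ops *ops;
	int ret;
	lock();			/* NULL check and pin happen as one step */
	ops = ops_ptr;
	if (ops) ops->refs++;
	unlock();
	if (!ops) return -ENODEV;
	ret = ops->auth_and_reset(ops->dev, pas_id);	/* pinned snapshot, not ops_ptr */
	lock(); ops->refs--; unlock();
	return ret;
}

/* Hypothetical demo backend: its callback attempts an unload mid-call. */
struct pas_ops demo_ops;
int unload_during_call;
int demo_cb(void *dev, unsigned int pas_id)
{
	(void)dev; (void)pas_id;
	unload_during_call = pas_unregister(&demo_ops);
	return 0;
}
```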
