From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org,
linux-media@vger.kernel.org
Subject: Re: [PATCH v7 11/15] media: qcom: Pass proper PAS ID to set_remote_state API
Date: Sat, 30 May 2026 00:46:41 +0000
Message-ID: <20260530004641.D438D1F00893@smtp.kernel.org>
In-Reply-To: <20260522115936.201208-12-sumit.garg@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Lockless access and TOCTOU (Time-Of-Check to Time-Of-Use) race on the global `ops_ptr` variable leading to a NULL pointer dereference.
--

commit cea57543db0155e85cd736ed70440a251d359393
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>

media: qcom: Pass proper PAS ID to set_remote_state API

This commit updates the SCM backend calls in the iris and venus drivers
to pass the correct PAS ID to qcom_pas_set_remote_state() instead of 0,
which is used by OP-TEE for bookkeeping purposes.

> diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
> index b3c5281aea919..856fa6a79064c 100644
> --- a/drivers/media/platform/qcom/iris/iris_firmware.c
> +++ b/drivers/media/platform/qcom/iris/iris_firmware.c
> @@ -109,5 +109,5 @@ int iris_fw_unload(struct iris_core *core)
>
> int iris_set_hw_state(struct iris_core *core, bool resume)
> {
> - return qcom_pas_set_remote_state(resume, 0);
> + return qcom_pas_set_remote_state(resume, core->iris_platform_data->pas_id);

[Severity: High]
This isn't a bug introduced by this patch, but since this code relies on the
underlying qcom_pas_set_remote_state() function, is there a race condition
in how ops_ptr is accessed?

Looking at qcom_pas_set_remote_state() in drivers/firmware/qcom/qcom_pas.c:

int qcom_pas_set_remote_state(u32 state, u32 pas_id)
{
	if (!ops_ptr)
		return -ENODEV;
	return ops_ptr->set_remote_state(ops_ptr->dev, state, pas_id);
}

If the provider driver is concurrently unbound (e.g., via qcom_pas_tee_remove)
or shut down, and qcom_pas_ops_unregister() sets ops_ptr = NULL, could ops_ptr
become NULL between the check and the dereference?

Since there appears to be no locking, RCU, or module reference counting
protecting ops_ptr, could this lead to a NULL pointer dereference, or an
invalid memory access if the provider module is unloaded and the memory
containing the callbacks is freed?

> }
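
Review bot: in iris_set_hw_state(), the new second argument core->iris_platform_data->pas_id is only as correct as each platform data entry, and an entry that leaves pas_id unset would keep passing 0, the value this change replaces, without any diagnostic. Please confirm that every iris platform data definition sets pas_id, and say so in the commit message. Separately, resume is a bool here while the quoted qcom_pas_set_remote_state() prototype takes u32 state, so a short comment on which state values the callee expects would make the implicit 0/1 conversion explicit.
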
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260522115936.201208-1-sumit.garg@kernel.org?part=11
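
The check-then-use window raised in the review above, as an added userspace C model (not code from the patch, the kernel, or the review). Every name is hypothetical, `window_hook` stands in for an unbind on another CPU, `-EFAULT` marks where the real code would dereference NULL, and the in-flight counter is one illustrative guard, not the kernel's fix.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

/* Userspace model: every name below is hypothetical, not the kernel's API. */
struct ops_model { int (*set_remote_state)(unsigned state, unsigned pas_id); };
static _Atomic(struct ops_model *) ops_cur;   /* shared provider pointer */
static atomic_int in_flight;                  /* callers holding a snapshot */
static void (*window_hook)(void);             /* test aid: runs between check and use */
static int unbind_status;                     /* what the hooked unbind returned */

/* Clear the pointer; the provider may free its ops only once this returns 0. */
int ops_unregister_try(void)
{
    atomic_store(&ops_cur, NULL);
    return atomic_load(&in_flight) ? -EBUSY : 0;
}

/* Shape from the review: the check and the use are two separate loads. */
int set_state_racy(unsigned state, unsigned pas_id)
{
    if (!atomic_load(&ops_cur))
        return -ENODEV;
    if (window_hook)
        window_hook();                        /* concurrent unbind lands here */
    struct ops_model *again = atomic_load(&ops_cur);
    if (!again)
        return -EFAULT;                       /* real code would dereference NULL */
    return again->set_remote_state(state, pas_id);
}

/* Hardened: announce the caller, load once, use only that snapshot. */
int set_state_guarded(unsigned state, unsigned pas_id)
{
    int ret = -ENODEV;
    atomic_fetch_add(&in_flight, 1);
    struct ops_model *ops = atomic_load(&ops_cur);
    if (window_hook)
        window_hook();
    if (ops)
        ret = ops->set_remote_state(state, pas_id);
    atomic_fetch_sub(&in_flight, 1);
    return ret;
}

static int demo_cb(unsigned state, unsigned pas_id) { return (int)(state + pas_id); }
static struct ops_model demo_ops = { demo_cb };   /* constructed provider */
static void unbind_in_window(void) { unbind_status = ops_unregister_try(); }
void arm_demo(void) { atomic_store(&ops_cur, &demo_ops); window_hook = unbind_in_window; }
```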