From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v8 11/14] net: ipa: Switch to generic PAS TZ APIs
Date: Sat, 27 Jun 2026 13:42:26 +0000
Message-ID: <20260627134226.735EF1F000E9@smtp.kernel.org>
In-Reply-To: <20260626133440.692849-12-sumit.garg@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Switching to the generic PAS API exposes the IPA driver to a Time-of-Check to Time-of-Use (TOCTOU) race condition and Use-After-Free due to lockless access to the global `ops_ptr`.
--
commit dccc0e82eb171fead953bff95c97cce60f8a1717
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
net: ipa: Switch to generic PAS TZ APIs
This commit switches the ipa client driver to use the generic PAS TZ APIs
instead of the scm-specific implementation. This allows supporting multiple
TZ implementation backends.
> diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c
> index 788dd99af2a4d..3cd9e44680e9f 100644
> --- a/drivers/net/ipa/ipa_main.c
> +++ b/drivers/net/ipa/ipa_main.c
[ ... ]
> @@ -624,10 +624,13 @@ static int ipa_firmware_load(struct device *dev)
> }
>
> ret = qcom_mdt_load(dev, fw, path, IPA_PAS_ID, virt, phys, size, NULL);
> - if (ret)
> + if (ret) {
> dev_err(dev, "error %d loading \"%s\"\n", ret, path);
> - else if ((ret = qcom_scm_pas_auth_and_reset(IPA_PAS_ID)))
> - dev_err(dev, "error %d authenticating \"%s\"\n", ret, path);
> + } else {
> + ret = qcom_pas_auth_and_reset(IPA_PAS_ID);

[Severity: High]
Does switching to qcom_pas_auth_and_reset() expose the driver to a race
condition if the PAS backend is unbound concurrently?

Looking at the underlying qcom_pas_auth_and_reset() implementation in
drivers/firmware/qcom/qcom_pas.c, it performs a lockless check:

    if (!ops_ptr)
        return -ENODEV;
    return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id);

If a privileged user unbinds the PAS backend or unloads its module after
ops_ptr is checked but before it is dereferenced, ops_ptr could be set to
NULL or the backend module memory could be freed.

Since qcom_pas.c doesn't appear to use synchronization or module reference
counting (like try_module_get()) to protect ops_ptr, could this result in
a NULL pointer dereference or a use-after-free by executing freed module text
when the dereference occurs?

> + if (ret)
> + dev_err(dev, "error %d authenticating \"%s\"\n", ret, path);
> + }
>
> memunmap(virt);
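
Review bot: In the new else branch, every non-zero return from qcom_pas_auth_and_reset(IPA_PAS_ID) is logged as "error %d authenticating", yet per the qcom_pas.c excerpt quoted above the call returns -ENODEV when no backend is registered, which is a missing-service condition rather than an authentication failure. Consider giving that case its own message, or checking that a PAS backend is available before qcom_mdt_load() runs, and say in the commit message what ipa_firmware_load() is expected to do when no backend is present. The lifetime question raised above has to be settled in qcom_pas.c, since nothing in this hunk can pin ops_ptr across the call.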
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626133440.692849-1-sumit.garg@kernel.org?part=11
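
The check-then-use window described in the review, as an added user-space model that is not part of the review, the patch, or qcom_pas.c. All names except ops_ptr and auth_and_reset are hypothetical, and a hook stands in for the concurrent unbind so the interleaving is deterministic; the racy path reports -EFAULT where kernel code would fault.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

/* User-space model; every name here is hypothetical, not from qcom_pas.c. */
struct pas_ops { int (*auth_and_reset)(int pas_id); int users; };
static struct pas_ops *ops_ptr;          /* global backend pointer */
static atomic_flag lock = ATOMIC_FLAG_INIT;
static void (*unbind_hook)(void);        /* stands in for a concurrent unbind */
static int unbind_result;                /* what the injected unbind returned */
static void lock_acquire(void) { while (atomic_flag_test_and_set(&lock)) { } }
static void lock_release(void) { atomic_flag_clear(&lock); }

/* Two unbind paths: forced ignores callers in flight, checked refuses
 * while the backend is pinned (the try_module_get()-like behaviour). */
static void unbind_forced(void) { ops_ptr = NULL; unbind_result = 0; }
static void unbind_checked(void) {
    lock_acquire();
    unbind_result = (ops_ptr && ops_ptr->users) ? -EBUSY : 0;
    if (!unbind_result) ops_ptr = NULL;
    lock_release();
}

/* Check-then-use: two separate reads of ops_ptr with a window between. */
static int auth_racy(int pas_id) {
    if (!ops_ptr) return -ENODEV;
    if (unbind_hook) unbind_hook();      /* unbind lands in the window */
    if (!ops_ptr) return -EFAULT;        /* model only: real code oopses here */
    return ops_ptr->auth_and_reset(pas_id);
}

/* Pin the backend under the lock, call through the pinned pointer, unpin. */
static int auth_pinned(int pas_id) {
    lock_acquire();
    struct pas_ops *ops = ops_ptr;
    if (ops) ops->users++;
    lock_release();
    if (!ops) return -ENODEV;
    if (unbind_hook) unbind_hook();      /* same window, unbind is refused */
    int ret = ops->auth_and_reset(pas_id);
    lock_acquire(); ops->users--; lock_release();
    return ret;
}
static int fake_auth(int pas_id) { (void)pas_id; return 0; } /* constructed */
static struct pas_ops backend = { fake_auth, 0 };
/* Register the backend, then run one call (sample id 1) with an unbind mid-call. */
static int run(int (*auth)(int), void (*unbind)(void)) {
    ops_ptr = &backend; unbind_hook = unbind; return auth(1);
}
int main(void) { return run(auth_pinned, unbind_checked) ? 1 : 0; }
```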
Thread overview: 42+ messages
2026-06-26 13:34 [PATCH v8 00/14] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-26 13:34 ` [PATCH v8 01/14] firmware: qcom: Add a generic PAS service Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 02/14] firmware: qcom_scm: Migrate to " Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-26 17:05 ` Julian Braha
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 03/14] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 04/14] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 05/14] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 06/14] remoteproc: qcom_wcnss: " Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 07/14] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 08/14] drm/msm: Switch to generic PAS TZ APIs Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 09/14] media: qcom: " Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 10/14] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg via OP-TEE
2026-06-26 13:34 ` Sumit Garg
2026-06-26 13:34 ` [PATCH v8 11/14] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-27 13:42 ` sashiko-bot [this message]
2026-06-26 13:34 ` [PATCH v8 12/14] wifi: ath12k: " Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-27 13:42 ` sashiko-bot
2026-06-26 13:34 ` [PATCH v8 13/14] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE
2026-06-26 13:34 ` [PATCH v8 14/14] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-06-26 13:34 ` Sumit Garg via OP-TEE