Re: [PATCH v8 08/14] drm/msm: Switch to generic PAS TZ APIs

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Infinite probe deferral on platforms without PAS firmware support.
- [High] TOCTOU race leading to NULL pointer dereference or UAF due to lockless `ops_ptr` access in the generic PAS wrappers.
--

commit 58fde983bce7410af49e9cbf67e95a22f4ec47cb
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>

drm/msm: Switch to generic PAS TZ APIs

Switch drm/msm client drivers over to generic PAS TZ APIs. Generic PAS TZ
service allows to support multiple TZ implementation backends like QTEE
based SCM PAS service, OP-TEE based PAS service and any further future TZ
backend service.

> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index c62c45bb0ddbb..c36382b23310a 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
[ ... ]
> @@ -146,10 +147,10 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname,
>  		goto out;
>  
>  	/* Send the image to the secure world */
> -	ret = qcom_scm_pas_auth_and_reset(pasid);
> +	ret = qcom_pas_auth_and_reset(pasid);

[Severity: High]
Does this new PAS API wrapper introduce a race condition?

Looking at qcom_pas_auth_and_reset() in drivers/firmware/qcom/qcom_pas.c, it
evaluates ops_ptr without try_module_get() or RCU protection:

int qcom_pas_auth_and_reset(u32 pas_id)
{
	if (!ops_ptr)
		return -ENODEV;

	return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id);
}

If the backend module (like qcom-pas-tee) is unloaded concurrently, could
ops_ptr become NULL after the check but before the dereference, leading to
a NULL pointer dereference or use-after-free?

[ ... ]
> @@ -175,9 +176,9 @@ int adreno_zap_shader_load(struct msm_gpu *gpu, u32 pasid)
>  	if (!zap_available)
>  		return -ENODEV;
>  
> -	/* We need SCM to be able to load the firmware */
> -	if (!qcom_scm_is_available()) {
> -		DRM_DEV_ERROR(&pdev->dev, "SCM is not available\n");
> +	/* We need PAS to be able to load the firmware */
> +	if (!qcom_pas_is_available()) {
> +		DRM_DEV_ERROR(&pdev->dev, "Qcom PAS is not available\n");
>  		return -EPROBE_DEFER;
>  	}

[Severity: High]
Will this cause an infinite probe deferral on platforms without PAS firmware
support?

If a platform lacks both a zap shader node in the device tree and PAS
firmware support, qcom_pas_is_available() will return false. This causes
an immediate -EPROBE_DEFER before we can reach zap_shader_load_mdt(), which
is where we would normally check the device tree and gracefully return
-ENODEV.

With the previous qcom_scm implementation, the SCM subsystem would probe
and be available, allowing this check to pass so the code could proceed to
the graceful fallback.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626133440.692849-1-sumit.garg@kernel.org?part=8