From: Sumit Garg <sumit.garg@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 12/16] media: qcom: Pass proper PAS ID to set_remote_state API
Date: Fri, 22 May 2026 12:58:01 +0530 [thread overview]
Message-ID: <ahAFgc7WpadmRdOW@sumit-xelite> (raw)
In-Reply-To: <20260519073408.19739C2BCB3@smtp.kernel.org>
On Tue, May 19, 2026 at 07:34:07AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [Critical] Missing cancellation of the `sys_error_handler` delayed work in `iris_remove` leads to Use-After-Free and locking a destroyed mutex.
> - [High] Missing memory barrier (`smp_load_acquire` or `READ_ONCE`) when reading `ops_ptr` in PAS API wrappers creates a TOCTOU race and potential NULL pointer dereference or uninitialized memory access.
> --
>
> commit dc3a6dd9cf1f9278b9e5d984b574b26cf894a4e9
> Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
>
> media: qcom: Pass proper PAS ID to set_remote_state API
>
> This commit modifies the set_hw_state functions for both iris and venus
> drivers to pass a specific PAS ID instead of 0 to qcom_pas_set_remote_state.
> This change allows the OP-TEE backend to utilize the PAS ID for proper
> bookkeeping.
>
> > diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
> > index b3c5281aea919..856fa6a79064c 100644
> > --- a/drivers/media/platform/qcom/iris/iris_firmware.c
> > +++ b/drivers/media/platform/qcom/iris/iris_firmware.c
> > @@ -109,5 +109,5 @@ int iris_fw_unload(struct iris_core *core)
> >
> > int iris_set_hw_state(struct iris_core *core, bool resume)
> > {
> > - return qcom_pas_set_remote_state(resume, 0);
> > + return qcom_pas_set_remote_state(resume, core->iris_platform_data->pas_id);
>
> This isn't a bug in this commit, but since we are modifying the state
> management for iris_core, there is a pre-existing issue with the
> sys_error_handler delayed work.
>
> Looking at iris_remove(), we explicitly destroy the core->lock and allow
> the core memory to be freed via devres:
>
> drivers/media/platform/qcom/iris/iris_probe.c:iris_remove() {
> ...
> mutex_destroy(&core->lock);
> }
>
> Could the delayed work execute after the module is unloaded or the device
> unbinds? If so, would iris_sys_error_handler() attempt to acquire the
> destroyed core->lock and access the freed core memory?
>
> Should we add cancel_delayed_work_sync(&core->sys_error_handler) before
> destroying the lock?
Not in scope of the current patch-set.
>
>
> This isn't a bug in this commit either, but since this function calls
> qcom_pas_set_remote_state(), I noticed a potential race condition in how
> the global ops_ptr is read in the API wrapper.
>
> Looking at qcom_pas_set_remote_state(), it performs lockless plain reads:
>
> drivers/firmware/qcom/qcom_pas.c:qcom_pas_set_remote_state() {
> if (!ops_ptr)
> return -ENODEV;
>
> return ops_ptr->set_remote_state(ops_ptr->dev, state, pas_id);
> }
>
> Because ops_ptr is read without READ_ONCE() or smp_load_acquire(), could
> the compiler reload the pointer?
>
> If qcom_pas_ops_unregister() clears ops_ptr concurrently, could the second
> read evaluate to NULL, causing a NULL pointer dereference? Furthermore,
> without a barrier, could the CPU reorder reads and observe uninitialized
> contents of the qcom_pas_ops structure?
The PAS backend isn't expected to unregister during the boot power
cycle.
-Sumit
>
> > }
>
> [ ... ]
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260518072856.22790-1-sumit.garg@kernel.org?part=12
next prev parent reply other threads:[~2026-05-22 7:28 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 7:28 [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 01/16] arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:00 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 02/16] firmware: qcom: Add a generic PAS service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:13 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 03/16] firmware: qcom_scm: Migrate to " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 8:02 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 04/16] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:39 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 05/16] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-22 10:44 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 06/16] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 07/16] soc: qcom: mdtloader: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 08/16] remoteproc: qcom_wcnss: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:33 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 09/16] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 10/16] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-18 7:28 ` [PATCH v6 11/16] media: qcom: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:14 ` Sumit Garg
2026-05-21 6:40 ` Vikash Garodia
2026-05-22 7:25 ` Sumit Garg
2026-05-22 7:25 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 12/16] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 7:28 ` Sumit Garg [this message]
2026-05-21 6:30 ` Vikash Garodia
2026-05-18 7:28 ` [PATCH v6 13/16] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 14/16] wifi: ath12k: " Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 7:34 ` sashiko-bot
2026-05-22 10:51 ` Sumit Garg
2026-05-18 7:28 ` [PATCH v6 15/16] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-18 7:28 ` [PATCH v6 16/16] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-05-18 7:28 ` Sumit Garg via OP-TEE
2026-05-19 19:29 ` [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support Vignesh Viswanathan
2026-05-19 19:29 ` Vignesh Viswanathan via OP-TEE
2026-05-20 16:27 ` Jeff Johnson
2026-05-20 16:27 ` Jeff Johnson via OP-TEE
2026-05-22 7:43 ` Sumit Garg
2026-05-22 7:43 ` Sumit Garg via OP-TEE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahAFgc7WpadmRdOW@sumit-xelite \
--to=sumit.garg@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.