From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: conor+dt@kernel.org, robh@kernel.org,
dri-devel@lists.freedesktop.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v9 03/14] firmware: qcom: Add a PAS TEE service
Date: Fri, 03 Jul 2026 12:02:46 +0000 [thread overview]
Message-ID: <20260703120246.EEE1A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702115835.167602-4-sumit.garg@kernel.org>
Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
- [High] qcom_pas_tee_remove() unconditionally unregisters the global PAS ops, which can corrupt system state by deregistering another active backend.
- [High] qcom_pas_tee_get_rsc_table() fails with -EINVAL and aborts initialization when handling a zero-sized resource table.
- [High] Broken TEE size-query logic in qcom_pas_tee_get_rsc_table() aborts on TEEC_ERROR_SHORT_BUFFER and passes a NULL buffer with a non-zero size.
- [High] qcom_pas_tee_get_rsc_table() silently discards the resource table if the TA requests a size smaller than input_rt_size.
- [High] Lack of synchronization and module refcounting on the global ops_ptr leads to TOCTOU and Use-After-Free bugs.
- [High] Unvalidated TA-provided size leads to an out-of-bounds read of kernel memory in qcom_pas_tee_get_rsc_table().
--
Note: The format of this report is altered due to system recitation
restrictions. Instead of inline diff quotes, a free-form summary of the
findings is provided below.
commit c175d6ee38b74c2a77d95052360287597c771c21
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
Subject: firmware: qcom: Add a PAS TEE service
This commit adds support for the Peripheral Authentication Service (PAS)
driver based on the TEE bus with OP-TEE. It provides the backend PAS service
implementation.
[Severity: High]
In drivers/firmware/qcom/qcom_pas_tee.c during driver removal, does
qcom_pas_tee_remove() forcefully unregister the global PAS ops even if
this driver wasn't the one that successfully registered them?
Looking at qcom_pas_tee_probe(), it calls qcom_pas_ops_register() which
returns void and only logs an error if another provider (like qcom_scm)
is already registered. This allows the probe to succeed without aborting.
However, upon module removal, qcom_pas_tee_remove() unconditionally calls
qcom_pas_ops_unregister() which wipes the global pointer, potentially
breaking subsequent operations for the actual active backend.
[Severity: High]
Does qcom_pas_tee_get_rsc_table() fail the initialization sequence for
peripherals without dynamic resource requirements?
If input_rt_size is 0 and the TA also returns a required size of 0, the
driver allocates a 0-sized shared memory object and calls
tee_shm_get_va(rt_shm, 0). This triggers a size check failure internally
in the TEE subsystem because the offset (0) is not less than the size (0),
returning -EINVAL and aborting the setup sequence.
[Severity: High]
Could the TEE size-query logic in qcom_pas_tee_get_rsc_table() pass a NULL
buffer with a non-zero size to the TA?
During the initial invocation, the driver sets the parameter size to
input_rt_size but does not allocate a shared memory buffer, passing NULL.
Additionally, if the TA correctly responds with TEEC_ERROR_SHORT_BUFFER
to request a larger buffer, the driver treats any non-zero return code as
a fatal error and aborts instead of proceeding to allocate the buffer.
[Severity: High]
Will qcom_pas_tee_get_rsc_table() silently discard the resource table if
the TA requires a smaller size than the original input_rt_size?
If the TA optimizes or removes entries and returns a required size strictly
less than input_rt_size, the driver falls into the else block, sets the
output size to 0, and returns NULL. This causes the original static resource
table to be lost.
[Severity: High]
Are there missing concurrency protections for the global ops_ptr in the new
core driver design?
In wrappers like qcom_pas_shutdown(), the global ops_ptr is read twice
(first to check for NULL, then to dereference) without any locking or RCU.
If qcom_pas_tee_remove() is called concurrently, it sets ops_ptr to NULL,
which could cause a NULL pointer dereference. Furthermore, since the
operations structure lacks an owner field to pin the module in memory,
the backend module could be unloaded while its functions are actively
executing on another CPU.
[Severity: High]
Can qcom_pas_tee_get_rsc_table() read out of bounds from kernel memory if
the TA provides an unexpectedly large size?
During the second TA invocation, the driver unconditionally trusts the
size returned by the TA and uses it in kmemdup(). If the returned size
exceeds the originally allocated size of the rt_shm buffer, kmemdup()
will read past the bounds of the buffer on the kernel heap, leaking
sensitive memory.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702115835.167602-1-sumit.garg@kernel.org?part=3
next prev parent reply other threads:[~2026-07-03 12:02 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 11:58 [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-07-02 11:58 ` [PATCH v9 01/14] firmware: qcom: Add a generic PAS service Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-03 15:06 ` Konrad Dybcio
2026-07-02 11:58 ` [PATCH v9 02/14] firmware: qcom_scm: Migrate to " Sumit Garg
2026-07-02 11:58 ` [PATCH v9 03/14] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-07-03 12:02 ` sashiko-bot [this message]
2026-07-02 11:58 ` [PATCH v9 04/14] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 05/14] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 06/14] remoteproc: qcom_wcnss: " Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 07/14] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 08/14] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 09/14] media: qcom: " Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 10/14] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-07-02 12:23 ` Konrad Dybcio
2026-07-02 11:58 ` [PATCH v9 11/14] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 12/14] wifi: ath12k: " Sumit Garg
2026-07-02 12:34 ` Konrad Dybcio
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 13/14] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-07-03 12:02 ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 14/14] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-07-02 19:14 ` [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Mathieu Poirier
2026-07-03 4:13 ` Sumit Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703120246.EEE1A1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sumit.garg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox