From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org,
linux-media@vger.kernel.org
Subject: Re: [PATCH v7 05/15] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs
Date: Sat, 30 May 2026 00:46:40 +0000 [thread overview]
Message-ID: <20260530004641.426441F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260522115936.201208-6-sumit.garg@kernel.org>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Replacing `qcom_scm_is_available()` with `qcom_pas_is_available()` breaks probe ordering with the SCM driver, leading to a potential NULL pointer dereference in `qcom_scm_assign_mem()`.
- [High] Lockless access to the global `ops_ptr` combined with missing module reference counting allows the PAS backend module to be unloaded while in use, leading to a NULL pointer dereference or Use-After-Free.
Pre-existing issues:
- [High] The dtb firmware object requested via request_firmware() is never released on the success path of qcom_pas_load().
--
commit 3637c6003564ac65554a8805148bf9af6b138d86
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
Date: Fri May 22 11:59:26 2026 +0000
remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs
Switch qcom_q6v5_pas client driver over to generic PAS TZ APIs. Generic PAS
TZ service allows to support multiple TZ implementation backends like QTEE
based SCM PAS service, OP-TEE based PAS service and any further future TZ
backend service.
Since qcom_q6v5_pas depends on MDT loader for PAS firmware loading, it
has to be switched over to generic PAS APIs in this commit to avoid any
build issues.
> diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
> index da27d1d3c9da6..847249c28c1be 100644
> --- a/drivers/remoteproc/qcom_q6v5_pas.c
> +++ b/drivers/remoteproc/qcom_q6v5_pas.c
[ ... ]
> @@ -228,9 +229,9 @@ static int qcom_pas_load(struct rproc *rproc, const struct firmware *fw)
> pas->firmware = fw;
>
> if (pas->lite_pas_id)
> - qcom_scm_pas_shutdown(pas->lite_pas_id);
> + qcom_pas_shutdown(pas->lite_pas_id);
[Severity: High]
Can the new generic PAS TZ APIs lead to a use-after-free or null pointer
dereference?
The backend implementation for qcom_pas_shutdown() and other generic APIs
seems to perform a lockless check of a global ops_ptr without any module
reference counting (e.g., try_module_get()) or synchronization.
If a user unloads the PAS backend module concurrently while a remoteproc
operation is in flight, could the pointer become null right after the check,
or the backing code be unmapped from memory?
> if (pas->lite_dtb_pas_id)
> - qcom_scm_pas_shutdown(pas->lite_dtb_pas_id);
> + qcom_pas_shutdown(pas->lite_dtb_pas_id);
>
> if (pas->dtb_pas_id) {
> ret = request_firmware(&pas->dtb_firmware, pas->dtb_firmware_name, pas->dev);
> @@ -250,7 +251,7 @@ static int qcom_pas_load(struct rproc *rproc, const struct firmware *fw)
> return 0;
[Severity: High]
This is a pre-existing issue, but does this function leak pas->dtb_firmware?
When request_firmware() succeeds for the DTB firmware, this function returns
0 without calling release_firmware(). There doesn't appear to be any
corresponding cleanup for this firmware object elsewhere in the driver's
lifecycle (e.g., in qcom_pas_unprepare() or qcom_pas_stop()).
Could this lead to gradual memory exhaustion every time the remoteproc is
loaded or restarted?
>
> release_dtb_metadata:
> - qcom_scm_pas_metadata_release(pas->dtb_pas_ctx);
> + qcom_pas_metadata_release(pas->dtb_pas_ctx);
> release_firmware(pas->dtb_firmware);
>
> return ret;
[ ... ]
> @@ -746,7 +747,7 @@ static int qcom_pas_probe(struct platform_device *pdev)
> if (!desc)
> return -EINVAL;
>
> - if (!qcom_scm_is_available())
> + if (!qcom_pas_is_available())
[Severity: High]
Does this change break probe ordering with the SCM driver?
If an alternative PAS backend (such as OP-TEE) probes before the SCM driver,
qcom_pas_probe() will now proceed instead of deferring.
However, for platforms that specify memory region assignments
(region_assign_idx), qcom_pas_assign_memory_region() is still called
during probe, which unconditionally invokes qcom_scm_assign_mem().
Since qcom_scm_assign_mem() dereferences SCM state without initialization
checks, could calling it before the SCM driver has fully probed lead to a null
pointer dereference?
> return -EPROBE_DEFER;
>
> fw_name = desc->firmware_name;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260522115936.201208-1-sumit.garg@kernel.org?part=5
next prev parent reply other threads:[~2026-05-30 0:46 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 11:59 [PATCH v7 00/15] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-05-22 11:59 ` [PATCH v7 01/15] arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 02/15] firmware: qcom: Add a generic PAS service Sumit Garg
2026-05-28 0:45 ` Amirreza Zarrabi
2026-05-28 13:11 ` Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 03/15] firmware: qcom_scm: Migrate to " Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 04/15] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 05/15] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-05-30 0:46 ` sashiko-bot [this message]
2026-05-22 11:59 ` [PATCH v7 06/15] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 07/15] remoteproc: qcom_wcnss: " Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 08/15] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-05-22 11:59 ` [PATCH v7 09/15] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-05-22 11:59 ` [PATCH v7 10/15] media: qcom: " Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 11/15] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 12/15] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 13/15] wifi: ath12k: " Sumit Garg
2026-05-30 0:46 ` sashiko-bot
2026-05-22 11:59 ` [PATCH v7 14/15] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-05-22 11:59 ` [PATCH v7 15/15] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-05-26 0:06 ` [PATCH v7 00/15] firmware: qcom: Add OP-TEE PAS service support bod
2026-05-26 16:13 ` Sumit Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530004641.426441F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sumit.garg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox