From: sashiko-bot@kernel.org
To: "George Moussalem via B4 Relay"
<devnull+george.moussalem.outlook.com@kernel.org>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 3/6] firmware: qcom: scm: Add support for setting Bluetooth power modes
Date: Tue, 30 Jun 2026 13:02:08 +0000 [thread overview]
Message-ID: <20260630130209.0F81C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629-ipq5018-bluetooth-v2-3-02770f03b6bb@outlook.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Command ID collision causing false positive availability check and potential TrustZone memory corruption.
--
commit ad188a38cad8a7f123b53d24cb2303340d519071
Author: George Moussalem <george.moussalem@outlook.com>
firmware: qcom: scm: Add support for setting Bluetooth power modes
This commit adds support for configuring the Bluetooth subsystem power
optimization mode on the IPQ5018 SoC. It introduces a new SCM call to
TrustZone and checks for the call's availability before invoking it.
> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
> --- a/drivers/firmware/qcom/qcom_scm.c
> +++ b/drivers/firmware/qcom/qcom_scm.c
[ ... ]
> +static int __qcom_scm_pas_set_bluetooth_power_mode(u32 pas_id, u32 val)
> +{
> + struct qcom_scm_desc desc = {
> + .svc = QCOM_SCM_SVC_PIL,
> + .cmd = QCOM_SCM_PIL_PAS_BT_PWR_MODE,
> + .arginfo = QCOM_SCM_ARGS(2),
[ ... ]
> +int qcom_scm_pas_set_bluetooth_power_mode(u32 pas_id, u32 val)
> +{
> + if (!__qcom_scm_is_call_available(__scm->dev, QCOM_SCM_SVC_PIL,
> + QCOM_SCM_PIL_PAS_BT_PWR_MODE))
> + return -EOPNOTSUPP;
[ ... ]
> diff --git a/drivers/firmware/qcom/qcom_scm.h b/drivers/firmware/qcom/qcom_scm.h
> --- a/drivers/firmware/qcom/qcom_scm.h
> +++ b/drivers/firmware/qcom/qcom_scm.h
> @@ -105,6 +105,7 @@ int qcom_scm_shm_bridge_enable(struct device *scm_dev);
> #define QCOM_SCM_PIL_PAS_SHUTDOWN 0x06
> #define QCOM_SCM_PIL_PAS_IS_SUPPORTED 0x07
> #define QCOM_SCM_PIL_PAS_MSS_RESET 0x0a
> +#define QCOM_SCM_PIL_PAS_BT_PWR_MODE 0x21
> #define QCOM_SCM_PIL_PAS_GET_RSCTABLE 0x21
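Review bot: QCOM_SCM_PIL_PAS_BT_PWR_MODE is introduced as 0x21, the same value as the existing QCOM_SCM_PIL_PAS_GET_RSCTABLE on the line right below it. Since __qcom_scm_is_call_available() keys on the (svc, cmd) pair, the probe added in qcom_scm_pas_set_bluetooth_power_mode() cannot tell the two apart, and the 2-argument desc will be dispatched to whatever handler the firmware has behind 0x21. Please confirm the Bluetooth power-mode command ID against the IPQ5018 TrustZone interface and use a distinct value; if the firmware really does multiplex both behind 0x21, the commit message should say so and explain how the handler distinguishes them.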
[Severity: High]
Could this command ID overlap cause a false positive in the availability check
and trigger unintended behavior in TrustZone?
Because QCOM_SCM_PIL_PAS_BT_PWR_MODE and QCOM_SCM_PIL_PAS_GET_RSCTABLE are
both defined as 0x21 under the same service (QCOM_SCM_SVC_PIL), the call
to __qcom_scm_is_call_available() in qcom_scm_pas_set_bluetooth_power_mode()
will return true on any platform that supports getting the resource table,
even if it does not actually support the Bluetooth power mode command.
If the function proceeds, it will invoke command 0x21 with only 2 arguments
instead of the 5 expected by the GET_RSCTABLE handler. Since the unprovided
arguments default to 0, might this cause TrustZone to read or write at
physical address 0x0, potentially resulting in a Secure World crash or
memory corruption?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-ipq5018-bluetooth-v2-0-02770f03b6bb@outlook.com?part=3
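As an added illustration, not part of the patch or of the Sashiko review, the C model below shows why the availability probe cannot separate the two defines: it keys only on the (service, command) pair, so a firmware that implements GET_RSCTABLE alone answers "available" for BT_PWR_MODE too. The command table is constructed from the IDs visible in the qcom_scm.h hunk; the value of QCOM_SCM_SVC_PIL and the firmware's command set are assumptions.

```c
#include <inttypes.h>
#include <stdio.h>
/* An SCM command as the kernel identifies it: a (service, command) pair. */
struct scm_cmd { const char *name; uint32_t svc, cmd; };
#define QCOM_SCM_SVC_PIL 0x02 /* assumed value; only equality matters here */
/* Constructed from the IDs visible in the qcom_scm.h hunk, new define included. */
static const struct scm_cmd pil_cmds[] = {
	{ "QCOM_SCM_PIL_PAS_SHUTDOWN",     QCOM_SCM_SVC_PIL, 0x06 },
	{ "QCOM_SCM_PIL_PAS_IS_SUPPORTED", QCOM_SCM_SVC_PIL, 0x07 },
	{ "QCOM_SCM_PIL_PAS_MSS_RESET",    QCOM_SCM_SVC_PIL, 0x0a },
	{ "QCOM_SCM_PIL_PAS_BT_PWR_MODE",  QCOM_SCM_SVC_PIL, 0x21 },
	{ "QCOM_SCM_PIL_PAS_GET_RSCTABLE", QCOM_SCM_SVC_PIL, 0x21 },
};
#define PIL_CMD_COUNT (sizeof(pil_cmds) / sizeof(pil_cmds[0]))
/* Hypothetical firmware: implements GET_RSCTABLE, has no Bluetooth power-mode call. */
static const struct scm_cmd fw_without_bt[] = {
	{ "QCOM_SCM_PIL_PAS_GET_RSCTABLE", QCOM_SCM_SVC_PIL, 0x21 },
};

/* Lint: count (svc, cmd) pairs shared by two defines, naming each pair on stdout. */
size_t scm_find_collisions(const struct scm_cmd *tbl, size_t n)
{
	size_t hits = 0;
	for (size_t i = 0; i < n; i++)
		for (size_t j = i + 1; j < n; j++)
			if (tbl[i].svc == tbl[j].svc && tbl[i].cmd == tbl[j].cmd) {
				hits++;
				printf("collision: %s / %s share svc 0x%02" PRIx32 " cmd 0x%02" PRIx32 "\n",
				       tbl[i].name, tbl[j].name, tbl[i].svc, tbl[i].cmd);
			}
	return hits;
}

/* Model of the availability probe: firmware answers per (svc, cmd) and cannot tell which kernel define the caller meant. */
int scm_call_appears_available(const struct scm_cmd *fw, size_t n, uint32_t svc, uint32_t cmd)
{
	for (size_t i = 0; i < n; i++)
		if (fw[i].svc == svc && fw[i].cmd == cmd)
			return 1;
	return 0;
}

int main(void)
{
	scm_find_collisions(pil_cmds, PIL_CMD_COUNT);
	/* Prints 1: BT_PWR_MODE probes as available on firmware that never implemented it. */
	printf("BT_PWR_MODE available: %d\n",
	       scm_call_appears_available(fw_without_bt, 1, QCOM_SCM_SVC_PIL, 0x21));
	return 0;
}
```

The same lint run over a header where BT_PWR_MODE has its own ID reports zero collisions, which is the check a maintainer would want before merging a new SCM command define.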