Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Gaurav Kohli" <gaurav.kohli@oss.qualcomm.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 07/10] arm64: dts: qcom: lemans: Enable CDSP cooling
Date: Fri, 03 Jul 2026 05:18:03 +0000	[thread overview]
Message-ID: <20260703051804.6B4191F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-qmi-tmd-v4-7-3882189c1f83@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing NULL reset of tmd->cdev on registration failure causes invalid pointer dereference during unregistration and breaks subsequent registrations.
- [High] Destroying the QMI handle before unregistering the thermal cooling devices introduces a race condition with userspace resulting in a Use-After-Free.
--

commit 68055a14c90dc23e8743fc49a13b0805f601355b
Author: Gaurav Kohli <gaurav.kohli@oss.qualcomm.com>
Subject: arm64: dts: qcom: lemans: Enable CDSP cooling

This commit sets up CDSP cooling for both instances in the lemans device tree.
It configures the cooling maps and cooling devices to throttle the CDSP when it
reaches 105°C.

> diff --git a/arch/arm64/boot/dts/qcom/lemans.dtsi b/arch/arm64/boot/dts/qcom/lemans.dtsi
> index 353a6e6fd3acb..89fa25e9d3c6d 100644
> --- a/arch/arm64/boot/dts/qcom/lemans.dtsi
> +++ b/arch/arm64/boot/dts/qcom/lemans.dtsi
[ ... ]
> @@ -8764,7 +8769,7 @@ nsp-0-0-0-thermal {
>  			thermal-sensors = <&tsens2 5>;
>  
>  			trips {
> -				trip-point0 {
> +				nsp_0_0_0_alert0: trip-point0 {
>  					temperature = <105000>;
>  					hysteresis = <5000>;
>  					type = "passive";
> @@ -8776,6 +8781,14 @@ trip-point1 {
>  					type = "passive";
>  				};
>  			};
> +
> +			cooling-maps {
> +				map0 {
> +					trip = <&nsp_0_0_0_alert0>;
> +					cooling-device = <&remoteproc_cdsp0 QCOM_CDSP_TMD_CDSP_SW
> +							 THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
> +				};
> +			};
>  		};

[Severity: High]
Does enabling this cooling device expose a regression involving an invalid
pointer dereference in qmi_tmd_register()?

If thermal_of_cooling_device_register() fails, tmd->cdev holds an ERR_PTR:

drivers/soc/qcom/qmi_tmd.c:qmi_tmd_register() {
    ...
	tmd->cdev = thermal_of_cooling_device_register(dev->of_node, index,
						       label, tmd, &qmi_tmd_cooling_ops);
	if (IS_ERR(tmd->cdev))
		return PTR_ERR(tmd->cdev);
    ...
}

Because tmd->cdev is not reset to NULL, qmi_tmd_unregister() will pass this
ERR_PTR to thermal_cooling_device_unregister(), which expects a valid
pointer or NULL:

drivers/soc/qcom/qmi_tmd.c:qmi_tmd_unregister() {
    ...
		if (!tmd->cdev)
			continue;

		thermal_cooling_device_unregister(tmd->cdev);
    ...
}

Will this cause a kernel panic when the thermal core dereferences the
invalid pointer?

Additionally, if the QMI service restarts, would a stale error pointer
silently skip registration entirely?

[ ... ]
> @@ -8784,7 +8797,7 @@ nsp-0-1-0-thermal {
>  			thermal-sensors = <&tsens2 6>;
>  
>  			trips {
> -				trip-point0 {
> +				nsp_0_1_0_alert0: trip-point0 {
>  					temperature = <105000>;
>  					hysteresis = <5000>;
>  					type = "passive";
> @@ -8796,6 +8809,14 @@ trip-point1 {
>  					type = "passive";
>  				};
>  			};
> +
> +			cooling-maps {
> +				map0 {
> +					trip = <&nsp_0_1_0_alert0>;
> +					cooling-device = <&remoteproc_cdsp0 QCOM_CDSP_TMD_CDSP_SW
> +							 THERMAL_NO_LIMIT THERMAL_NO_LIMIT>;
> +				};
> +			};
>  		};

[Severity: High]
Could exposing these cooling devices to userspace trigger a use-after-free
regression during teardown?

In qmi_tmd_exit(), the QMI handle is released before the cooling devices
are unregistered:

drivers/soc/qcom/qmi_tmd.c:qmi_tmd_exit() {
    ...
	qmi_handle_release(&qmi_tmd_cli->handle);
	qmi_tmd_unregister(qmi_tmd_cli);

	scoped_guard(mutex, &qmi_tmd_cli->mutex)
		qmi_tmd_cli->connection_active = false;
    ...
}

If a concurrent write to the thermal sysfs node invokes
qmi_tmd_set_cur_state() -> qmi_tmd_send_state_request() before the cooling
device is unregistered, the connection_active flag is still true.

Would this cause qmi_txn_init() and qmi_send_request() to operate on the
already destroyed qmi_tmd_cli->handle?

Should qmi_tmd_unregister() be called before releasing the QMI handle to
ensure pending sysfs operations are safely quiesced?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-qmi-tmd-v4-0-3882189c1f83@oss.qualcomm.com?part=7

  reply	other threads:[~2026-07-03  5:18 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03  5:03 [PATCH v4 00/10] Add support for Qualcomm remoteproc subsystem cooling Gaurav Kohli
2026-07-03  5:03 ` [PATCH v4 01/10] dt-bindings: firmware: qcom: tmd: add TMD device type constants Gaurav Kohli
2026-07-03  7:47   ` Krzysztof Kozlowski
2026-07-03 10:14     ` Gaurav Kohli
2026-07-03  7:52   ` Krzysztof Kozlowski
2026-07-03 10:31     ` Gaurav Kohli
2026-07-03  7:53   ` Konrad Dybcio
2026-07-03 14:13     ` Gaurav Kohli
2026-07-03 15:42       ` Dmitry Baryshkov
2026-07-03  5:03 ` [PATCH v4 02/10] dt-bindings: remoteproc: qcom,pas: add #cooling-cells property Gaurav Kohli
2026-07-03  5:15   ` sashiko-bot
2026-07-03  7:49   ` Krzysztof Kozlowski
2026-07-03  5:03 ` [PATCH v4 03/10] soc: qcom: Add QMI TMD support for remote thermal mitigation Gaurav Kohli
2026-07-03  5:17   ` sashiko-bot
2026-07-03  8:03   ` Krzysztof Kozlowski
2026-07-03 18:09   ` Julian Braha
2026-07-03  5:03 ` [PATCH v4 04/10] remoteproc: qcom: pas: add support for TMD thermal cooling devices Gaurav Kohli
2026-07-03  5:22   ` sashiko-bot
2026-07-03  7:56   ` Krzysztof Kozlowski
2026-07-03  5:03 ` [PATCH v4 05/10] remoteproc: qcom_q6v5_pas: enable QMI TMD cooling support Gaurav Kohli
2026-07-03  5:23   ` sashiko-bot
2026-07-03  5:03 ` [PATCH v4 06/10] arm64: dts: qcom: kodiak: Enable CDSP & Modem cooling Gaurav Kohli
2026-07-03  7:51   ` Krzysztof Kozlowski
2026-07-03 15:48   ` Dmitry Baryshkov
2026-07-03  5:03 ` [PATCH v4 07/10] arm64: dts: qcom: lemans: Enable CDSP cooling Gaurav Kohli
2026-07-03  5:18   ` sashiko-bot [this message]
2026-07-03  5:03 ` [PATCH v4 08/10] arm64: dts: qcom: talos: " Gaurav Kohli
2026-07-03  5:03 ` [PATCH v4 09/10] arm64: dts: qcom: monaco: " Gaurav Kohli
2026-07-03  5:03 ` [PATCH v4 10/10] arm64: dts: qcom: hamoa: " Gaurav Kohli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703051804.6B4191F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=gaurav.kohli@oss.qualcomm.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox