Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: conor+dt@kernel.org, dri-devel@lists.freedesktop.org,
	devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v9 01/14] firmware: qcom: Add a generic PAS service
Date: Fri, 03 Jul 2026 12:02:45 +0000	[thread overview]
Message-ID: <20260703120245.EF0B31F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260702115835.167602-2-sumit.garg@kernel.org>

Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] TOCTOU data race and missing memory barriers in PAS wrapper functions.
- [High] Check-then-set race condition in qcom_pas_ops_register() allows concurrent overwrites and unsafe reads.
- [High] Missing module lifecycle management and reference counting for the PAS backend provider.
- [Medium] Resource leak when calling qcom_pas_metadata_release after provider unregistration.
- [Medium] Missing NULL pointer validation for mandatory ops callbacks before execution.
--

Note: This review is provided in a free-form summary format without direct
patch quotes due to system recitation restrictions.

[Severity: High]
In wrapper functions like qcom_pas_init_image() and qcom_pas_get_rsc_table(),
the code checks if ops_ptr is NULL using a plain load, and then subsequently
dereferences ops_ptr to call the provider.

Since these loads are not protected by a mechanism to fetch into a local
variable, could the compiler fetch the pointer multiple times from memory?
If the provider module is unloaded concurrently, might ops_ptr become NULL
between the check and the dereference, leading to a crash?

[Severity: High]
Looking at qcom_pas_ops_register(), there appears to be a check-then-set race
condition. If two threads call this simultaneously, both might check the
availability, see NULL, and both perform the store release, allowing
concurrent registrations to overwrite each other.

Additionally, in the error path for this function, it directly reads the
driver name from ops_ptr. If qcom_pas_ops_unregister() is called concurrently,
could this pointer become NULL and cause a crash when printing the error?

[Severity: High]
The qcom_pas_ops structure lacks a module owner field for lifecycle
management.

When wrapper functions like qcom_pas_auth_and_reset() invoke these callbacks,
they do not appear to pin the provider module in memory using a reference
count. If the backend provider module is unloaded while its callbacks are
actively executing, will the kernel jump to unmapped memory?

[Severity: Medium]
In qcom_pas_metadata_release(), there is an early return if the operations
pointer is NULL.

If the backend provider is unregistered before the client releases its context,
this bypasses the metadata release callback entirely. Does this early return
permanently leak resources, such as DMA mappings or shared memory, that were
allocated by the client during initialization?

[Severity: Medium]
Wrapper functions like qcom_pas_shutdown() directly execute callbacks from the
operations pointer without verifying if the specific function pointer is
populated.

If a registered backend provider fails to populate all mandatory callback
function pointers during registration, could this lead to a NULL pointer
dereference when the wrapper attempts to execute them?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702115835.167602-1-sumit.garg@kernel.org?part=1

  reply	other threads:[~2026-07-03 12:02 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 11:58 [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-07-02 11:58 ` [PATCH v9 01/14] firmware: qcom: Add a generic PAS service Sumit Garg
2026-07-03 12:02   ` sashiko-bot [this message]
2026-07-02 11:58 ` [PATCH v9 02/14] firmware: qcom_scm: Migrate to " Sumit Garg
2026-07-02 11:58 ` [PATCH v9 03/14] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 04/14] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 05/14] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 06/14] remoteproc: qcom_wcnss: " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 07/14] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 08/14] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 09/14] media: qcom: " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 10/14] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-07-02 12:23   ` Konrad Dybcio
2026-07-02 11:58 ` [PATCH v9 11/14] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 12/14] wifi: ath12k: " Sumit Garg
2026-07-02 12:34   ` Konrad Dybcio
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 13/14] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 14/14] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-07-02 19:14 ` [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Mathieu Poirier
2026-07-03  4:13   ` Sumit Garg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703120245.EF0B31F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=sumit.garg@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox