Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Sumit Garg" <sumit.garg@kernel.org>
Cc: devicetree@vger.kernel.org, robh@kernel.org,
	dri-devel@lists.freedesktop.org, conor+dt@kernel.org
Subject: Re: [PATCH v9 11/14] net: ipa: Switch to generic PAS TZ APIs
Date: Fri, 03 Jul 2026 12:02:47 +0000	[thread overview]
Message-ID: <20260703120248.632BB1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260702115835.167602-12-sumit.garg@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Switching to the generic PAS API breaks the hard module dependency on the PAS backend driver, exposing a TOCTOU and Use-After-Free race condition against backend module unloading.
--

commit 6d60b150886ed8cbb76a8f5f11bec8a93730899c
Author: Sumit Garg <sumit.garg@oss.qualcomm.com>
Subject: net: ipa: Switch to generic PAS TZ APIs

This commit switches the IPA client driver to use the generic PAS TZ APIs.
The change allows the driver to support multiple TrustZone implementation
backends rather than being tied specifically to the QTEE based SCM PAS
service.

> diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c
> --- a/drivers/net/ipa/ipa_main.c
> +++ b/drivers/net/ipa/ipa_main.c
> @@ -624,10 +624,13 @@ static int ipa_firmware_load(struct device *dev)
>  	}
>  
>  	ret = qcom_mdt_load(dev, fw, path, IPA_PAS_ID, virt, phys, size, NULL);
> -	if (ret)
> +	if (ret) {
>  		dev_err(dev, "error %d loading \"%s\"\n", ret, path);
> -	else if ((ret = qcom_scm_pas_auth_and_reset(IPA_PAS_ID)))
> -		dev_err(dev, "error %d authenticating \"%s\"\n", ret, path);
> +	} else {
> +		ret = qcom_pas_auth_and_reset(IPA_PAS_ID);

[Severity: High]
Does switching to the generic PAS API here break the hard module dependency
on the PAS backend driver?

By removing the direct symbol dependency on qcom_scm, it appears the backend
PAS module can now be concurrently unloaded. If the backend is unloaded during
this call, could it cause a use-after-free or NULL pointer dereference?

For example:
1. ipa_firmware_load() calls qcom_pas_auth_and_reset().
2. qcom_pas_auth_and_reset() checks if (!ops_ptr).
3. The backend PAS module is concurrently unloaded, and
   qcom_pas_ops_unregister() clears ops_ptr and frees the module memory.
4. qcom_pas_auth_and_reset() dereferences the now-freed ops_ptr memory.

Before this patch, the direct symbol call to qcom_scm_pas_auth_and_reset()
forced a strict module dependency that prevented backend removal.

> +		if (ret)
> +			dev_err(dev, "error %d authenticating \"%s\"\n", ret, path);
> +	}
>  
>  	memunmap(virt);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702115835.167602-1-sumit.garg@kernel.org?part=11

  reply	other threads:[~2026-07-03 12:02 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 11:58 [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Sumit Garg
2026-07-02 11:58 ` [PATCH v9 01/14] firmware: qcom: Add a generic PAS service Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 02/14] firmware: qcom_scm: Migrate to " Sumit Garg
2026-07-02 11:58 ` [PATCH v9 03/14] firmware: qcom: Add a PAS TEE service Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 04/14] remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 05/14] remoteproc: qcom_q6v5_mss: Switch " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 06/14] remoteproc: qcom_wcnss: " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 07/14] remoteproc: qcom: Select QCOM_PAS generic service Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 08/14] drm/msm: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 09/14] media: qcom: " Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 10/14] media: qcom: Pass proper PAS ID to set_remote_state API Sumit Garg
2026-07-02 12:23   ` Konrad Dybcio
2026-07-02 11:58 ` [PATCH v9 11/14] net: ipa: Switch to generic PAS TZ APIs Sumit Garg
2026-07-03 12:02   ` sashiko-bot [this message]
2026-07-02 11:58 ` [PATCH v9 12/14] wifi: ath12k: " Sumit Garg
2026-07-02 12:34   ` Konrad Dybcio
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 13/14] firmware: qcom_scm: Remove SCM PAS wrappers Sumit Garg
2026-07-03 12:02   ` sashiko-bot
2026-07-02 11:58 ` [PATCH v9 14/14] MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service Sumit Garg
2026-07-02 19:14 ` [PATCH v9 00/14] firmware: qcom: Add OP-TEE PAS service support Mathieu Poirier
2026-07-03  4:13   ` Sumit Garg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703120248.632BB1F00A3D@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=sumit.garg@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox