Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues: - [High] The generic qcom_pas API lacks synchronization against concurrent registration and backend unregistration, leading to TOCTOU races and Use-After-Free. - [High] Blindly trusting param[1].u.memref.size from the second TEE invocation in qcom_pas_tee_get_rsc_table() leads to an out-of-bounds read and kernel memory leak. Pre-existing issues: - [High] The wcnss_probe() function fails to clean up sysmon and smd subdevices on error paths, leading to memory/socket leaks and dangling pointers in a global notifier chain. -- commit f9552b7475ea1af7226f210e3b4d0e315d46e17d Author: Sumit Garg <[email protected]> remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs Switch qcom_wcnss client driver over to generic PAS TZ APIs. Generic PAS TZ service allows to support multiple TZ implementation backends like QTEE based SCM PAS service, OP-TEE based PAS service and any further future TZ backend service. > Switch qcom_wcnss client driver over to generic PAS TZ APIs. Generic PAS > TZ service allows to support multiple TZ implementation backends like QTEE > based SCM PAS service, OP-TEE based PAS service and any further future TZ > backend service. [Severity: High] Is there an out-of-bounds read and kernel memory leak in the OP-TEE PAS service? In drivers/firmware/qcom/qcom_pas_tee.c:qcom_pas_tee_get_rsc_table(), a shared memory buffer is allocated based on the size from the first TEE invocation. In the second TEE invocation, the TEE can modify param[1].u.memref.size. The function then blindly trusts this size: *output_rt_size = param[1].u.memref.size; rt_buf = kmemdup(rt_shm_va, *output_rt_size, GFP_KERNEL); Can a compromised TrustZone environment return an increased size, causing an out-of-bounds read from the originally allocated buffer? > diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c > index 4add9037dbd5a..0dbdd18ab3dd9 100644 > --- a/drivers/remoteproc/qcom_wcnss.c > +++ b/drivers/remoteproc/qcom_wcnss.c [ ... ] > @@ -257,7 +257,7 @@ static int wcnss_start(struct rproc *rproc) > wcnss_indicate_nv_download(wcnss); > wcnss_configure_iris(wcnss); > > - ret = qcom_scm_pas_auth_and_reset(WCNSS_PAS_ID); > + ret = qcom_pas_auth_and_reset(WCNSS_PAS_ID); [Severity: High] Can this introduce a TOCTOU race window? If multiple PAS backends probe concurrently, qcom_pas_ops_register() in drivers/firmware/qcom/qcom_pas.c performs a lockless read-modify-write of ops_ptr: if (!qcom_pas_is_available()) smp_store_release(&ops_ptr, ops); This allows one backend to silently overwrite another. Additionally, when this driver calls qcom_pas_auth_and_reset(), it lacks RCU or try_module_get() protection: if (!ops_ptr) return -ENODEV; return ops_ptr->auth_and_reset(ops_ptr->dev, pas_id); If the backend module is unloaded concurrently, ops_ptr is unregistered and the module memory is freed, leaving this driver to dereference a dangling function pointer. Is there a way to serialize these registrations and protect the backend access? [ ... ] > @@ -557,10 +557,10 @@ static int wcnss_probe(struct platform_device *pdev) > > data = of_device_get_match_data(&pdev->dev); > > - if (!qcom_scm_is_available()) > + if (!qcom_pas_is_available()) > return -EPROBE_DEFER; [Severity: High] This is a pre-existing issue, but does wcnss_probe() fail to clean up subdevices on error paths? Earlier in wcnss_probe(), qcom_add_sysmon_subdev() and qcom_add_smd_subdev() are called. If qcom_iris_probe() subsequently fails (e.g., returning -EPROBE_DEFER because regulators are not ready), the error path jumps to detach_pds: if (IS_ERR(wcnss->iris)) { ret = PTR_ERR(wcnss->iris); goto detach_pds; } And the cleanup path skips subdevice removal entirely: remove_iris: qcom_iris_remove(wcnss->iris); detach_pds: wcnss_release_pds(wcnss); Since qcom_add_sysmon_subdev() allocates memory, creates a QMI socket, and registers a notifier on the global sysmon_notifiers chain, does this leak these resources on every probe deferral? Furthermore, sysmon->dev caches the platform device pointer, which becomes a dangling pointer if the device is ultimately removed. Could this lead to a use-after-free when sysmon_notify iterates over the leaked notifiers? -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=6
