From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: firmware: qcom: Add a generic PAS service
Date: Mon, 09 Mar 2026 08:59:07 +1000
Message-ID: <review-patch2-20260306105027.290375-3-sumit.garg@kernel.org>
In-Reply-To: <20260306105027.290375-3-sumit.garg@kernel.org>
References: <20260306105027.290375-1-sumit.garg@kernel.org> <20260306105027.290375-3-sumit.garg@kernel.org>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

This is the core abstraction patch and has the most significant issues.

**Race condition in ops_ptr access.** Every API function does a bare pointe=
r check then dereference:

```c
int qcom_pas_init_image(u32 pas_id, const void *metadata, size_t size,
			struct qcom_pas_context *ctx)
{
	if (ops_ptr)
		return ops_ptr->init_image(ops_ptr->dev, pas_id,
					   metadata, size, ctx);
	return -ENODEV;
}
```

But `qcom_pas_ops_unregister()` can set `ops_ptr =3D NULL` concurrently. Th=
ere's no RCU, no mutex, no refcounting =E2=80=94 just `smp_store_release`/`=
smp_load_acquire` in the register/unregister/is_available paths. However, t=
he actual API functions use bare `ops_ptr` reads without acquire semantics.=
 This means a client could pass the `if (ops_ptr)` check, then the backend =
gets unregistered, and the `ops_ptr->init_image(...)` call dereferences fre=
ed/NULL memory. At minimum, all reads of `ops_ptr` in the API functions sho=
uld use `smp_load_acquire`, and ideally an `srcu_read_lock` / refcount shou=
ld protect the critical section.

**`qcom_pas_ops_register()` calls `qcom_pas_is_available()` which does `smp=
_load_acquire` but then the subsequent `smp_store_release` in the else bran=
ch is fine. However, two concurrent registrations are not protected =E2=80=
=94 there's no lock, just a TOCTOU check:**

```c
void qcom_pas_ops_register(struct qcom_pas_ops *ops)
{
	if (!qcom_pas_is_available())
		smp_store_release(&ops_ptr, ops);
	else
		pr_err("qcom_pas: ops already registered\n");
}
```

**`qcom_scm_pas_auth_and_reset` doc comment typo** =E2=80=94 the kernel-doc=
 says `qcom_scm_pas_auth_and_reset` but the function is `qcom_pas_auth_and_=
reset` (line 663 in the new file).

**Return type mismatch on `get_rsc_table` callback.** The ops struct declar=
es `void *(*get_rsc_table)(...)` but the public API `qcom_pas_get_rsc_table=
()` returns `struct resource_table *`. The implicit cast works but is incon=
sistent and should be explicit.

---
Generated by Claude Code Patch Reviewer