From: sashiko-bot@kernel.org
To: "Ben Levinsky" <ben.levinsky@amd.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 2/2] remoteproc: add AMD BRAM-based remote processor driver
Date: Mon, 29 Jun 2026 18:59:11 +0000 [thread overview]
Message-ID: <20260629185911.94DDF1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260629164003.3940208-3-ben.levinsky@amd.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Missing `.find_loaded_rsc_table` callback in `rproc_ops` breaks firmware IPC initialization.
- [Low] Undefined functions used in driver cause immediate build failure.
Pre-existing issues:
- [Critical] Integer overflow in `rproc_coredump()` leads to a massive heap buffer overflow.
--
commit 114ec0b0402b4fa78538fad8bece1af5eac1df59
Author: Ben Levinsky <ben.levinsky@amd.com>
remoteproc: add AMD BRAM-based remote processor driver
Add a remoteproc driver for AMD soft-core processor subsystems using BRAM
for firmware storage. The driver parses the memory window from devicetree,
registers the carveout, and controls the processor via reset GPIO and clock.
> diff --git a/drivers/remoteproc/amd_bram_rproc.c b/drivers/remoteproc/amd_bram_rproc.c
> new file mode 100644
> index 0000000000000..a595875f9ce8c
> --- /dev/null
> +++ b/drivers/remoteproc/amd_bram_rproc.c
[ ... ]
> +static int amd_bram_rproc_prepare(struct rproc *rproc)
> +{
[ ... ]
> + mem = rproc_mem_entry_init(priv->dev, NULL, (dma_addr_t)res.start,
> + resource_size(&res), da,
> + rproc_mem_entry_ioremap_wc,
> + rproc_mem_entry_iounmap,
> + dev_name(priv->dev));
[Severity: Low]
Are rproc_mem_entry_ioremap_wc and rproc_mem_entry_iounmap defined anywhere
in the kernel tree? It appears these functions are missing, which would cause
the driver to fail to compile and link.
> + if (!mem)
> + return -ENOMEM;
> +
> + rproc_add_carveout(rproc, mem);
> + rproc_coredump_add_segment(rproc, da, resource_size(&res));
[Severity: Critical]
This is a pre-existing issue, but does adding an unbounded coredump segment
size here risk an integer overflow in the remoteproc core?
In drivers/remoteproc/remoteproc_coredump.c:rproc_coredump(), segment sizes
are accumulated into data_size without overflow checks:
if (dump_conf == RPROC_COREDUMP_ENABLED)
data_size += segment->size;
If a massive size (approaching U32_MAX on 32-bit systems) is provided from
the devicetree reg property, this could wrap around, leading to a much
smaller vmalloc allocation. Later, rproc_copy_segment() is called with the
original massive size, writing blindly into the undersized heap buffer.
> +
> + return 0;
> +}
[ ... ]
> +static int amd_bram_rproc_parse_fw(struct rproc *rproc,
> + const struct firmware *fw)
> +{
> + rproc_elf_load_rsc_table_optional(rproc, fw, dev_dbg,
> + "no resource table found\n");
[Severity: Low]
Is rproc_elf_load_rsc_table_optional defined anywhere? Similar to the
allocator callbacks above, this function appears to be missing from the tree.
> + return 0;
> +}
> +
> +static const struct rproc_ops amd_bram_rproc_ops = {
> + .prepare = amd_bram_rproc_prepare,
> + .start = amd_bram_rproc_start,
> + .stop = amd_bram_rproc_stop,
> + .load = rproc_elf_load_segments,
> + .sanity_check = rproc_elf_sanity_check,
> + .get_boot_addr = rproc_elf_get_boot_addr,
> + .parse_fw = amd_bram_rproc_parse_fw,
> +};
[Severity: High]
Will firmware IPC initialize correctly without a .find_loaded_rsc_table
callback?
When the core loads a firmware with a resource table, rproc_fw_boot() calls
rproc_find_loaded_rsc_table(). Since .find_loaded_rsc_table is omitted here,
it returns NULL. This causes the core to silently skip copying the updated
rproc->cached_table to the device's loaded table in memory, leaving the
firmware to use uninitialized or FW_RSC_ADDR_ANY addresses for
communication.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629164003.3940208-1-ben.levinsky@amd.com?part=2
next prev parent reply other threads:[~2026-06-29 18:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 16:40 [PATCH v4 0/2] remoteproc: add AMD BRAM-based remote processor driver Ben Levinsky
2026-06-29 16:40 ` [PATCH v4 1/2] dt-bindings: remoteproc: document AMD BRAM-based rproc Ben Levinsky
2026-06-30 6:53 ` Krzysztof Kozlowski
2026-06-30 13:47 ` Ben Levinsky
2026-06-30 14:27 ` Krzysztof Kozlowski
2026-06-30 14:38 ` Ben Levinsky
2026-06-29 16:40 ` [PATCH v4 2/2] remoteproc: add AMD BRAM-based remote processor driver Ben Levinsky
2026-06-29 18:59 ` sashiko-bot [this message]
2026-07-03 16:39 ` Mathieu Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629185911.94DDF1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ben.levinsky@amd.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.