From: sashiko-bot@kernel.org
To: "Gregor Herburger" <gregor.herburger@linutronix.de>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v5 5/8] firmware: raspberrypi: register nvmem driver
Date: Wed, 20 May 2026 17:20:18 +0000
Message-ID: <20260520172018.86FF71F000E9@smtp.kernel.org>
In-Reply-To: <20260520-rpi-otp-driver-v5-5-b26e5908eeac@linutronix.de>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Lockless access to `platform_get_drvdata` in `rpi_firmware_get` leads to a TOCTOU Use-After-Free race with driver unbind.
--
commit 4d3a36b9dad7b2f3acf0486917ea6908b89eb46f
Author: Gregor Herburger <gregor.herburger@linutronix.de>
firmware: raspberrypi: register nvmem driver
The Raspberry Pi firmware exposes two regions with otp registers. The
first region called "customer otp" is available on all Raspberry Pi
models. The second is only available on the Raspberry Pi 5 (bcm2712).
> diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c
> index 0aa322e9a2e73..e24636feae0ea 100644
> --- a/drivers/firmware/raspberrypi.c
> +++ b/drivers/firmware/raspberrypi.c
[ ... ]
> @@ -327,12 +373,23 @@ static void rpi_firmware_remove(struct platform_device *pdev)
> rpi_hwmon = NULL;
> platform_device_unregister(rpi_clk);
> rpi_clk = NULL;
> + platform_device_unregister(rpi_otp_customer);
> + rpi_otp_customer = NULL;
> + platform_device_unregister(rpi_otp_private);
> + rpi_otp_private = NULL;
>
> rpi_firmware_put(fw);

[Severity: High]
This isn't a bug introduced by this patch, but I wanted to ask about a
potential pre-existing race condition here with driver unbind.

When the driver is unbound (e.g., via sysfs), rpi_firmware_remove() is
called, which drops the reference count here and frees the firmware object.
Could a concurrent call to rpi_firmware_get() retrieve the fw pointer via
platform_get_drvdata() without holding the device_lock before the drvdata
is cleared?

If rpi_firmware_get() does not serialize with driver unbind, would it be
possible for it to execute kref_get_unless_zero() after the firmware
object has already been freed by rpi_firmware_put(), leading to a
use-after-free?

> }
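
Review bot: rpi_otp_private is unregistered unconditionally in rpi_firmware_remove(), although the commit message says the second OTP region exists only on the Raspberry Pi 5 (bcm2712). The registration side is elided from this excerpt, so please confirm that on other models the pointer is left NULL (or an error pointer, both of which platform_device_unregister() tolerates) rather than a stale value, and consider a one-line comment at this call saying so.
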
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520-rpi-otp-driver-v5-0-b26e5908eeac@linutronix.de?part=5
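
The serialization the review above asks about, as an added userspace C example (not code from the patch, the kernel, or the review bot). The names `fw`, `slot`, `slot_lock`, `fw_lookup` and `fw_set_bound` are hypothetical, and a pthread mutex stands in for whatever lock would serialize the lookup with unbind.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical userspace stand-ins; none of these are kernel functions. */
struct fw { atomic_int refs; };               /* refs plays the kref */
static pthread_mutex_t slot_lock = PTHREAD_MUTEX_INITIALIZER;
static struct fw *slot;                       /* plays the drvdata pointer */

/* Take a reference only if the count has not already reached zero. */
static bool fw_get_unless_zero(struct fw *fw)
{
    for (int old = atomic_load(&fw->refs); old != 0; )
        if (atomic_compare_exchange_weak(&fw->refs, &old, old + 1))
            return true;
    return false;
}

static void fw_put(struct fw *fw)
{
    if (atomic_fetch_sub(&fw->refs, 1) == 1)  /* last reference: release */
        free(fw);
}

/* Lookup: pointer load and refcount bump share one critical section. */
static struct fw *fw_lookup(void)
{
    pthread_mutex_lock(&slot_lock);
    struct fw *fw = (slot && fw_get_unless_zero(slot)) ? slot : NULL;
    pthread_mutex_unlock(&slot_lock);
    return fw;
}

/* Bind or unbind: swap the slot under the lock, then drop the old reference. */
static bool fw_set_bound(bool bound)
{
    struct fw *fresh = bound ? malloc(sizeof(*fresh)) : NULL;
    if (fresh)
        atomic_init(&fresh->refs, 1);         /* the slot's own reference */
    pthread_mutex_lock(&slot_lock);
    struct fw *old = slot;
    slot = fresh;                             /* unpublish before the put */
    pthread_mutex_unlock(&slot_lock);
    if (old)
        fw_put(old);                          /* may free, outside the lock */
    return fresh != NULL;
}

int main(void) { return !(fw_set_bound(true) && !fw_set_bound(false) && !fw_lookup()); }
```

Because the slot is cleared under the same lock that the lookup holds, a lookup either obtains its reference before unbind drops the slot's one, or sees NULL; it never dereferences an object whose last reference is already gone.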