From: sashiko-bot@kernel.org
To: "Ben Levinsky" <ben.levinsky@amd.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 2/2] remoteproc: add AMD BRAM-based remote processor driver
Date: Mon, 29 Jun 2026 18:59:11 +0000 [thread overview]
Message-ID: <20260629185911.94DDF1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260629164003.3940208-3-ben.levinsky@amd.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Missing `.find_loaded_rsc_table` callback in `rproc_ops` breaks firmware IPC initialization.
- [Low] Undefined functions used in driver cause immediate build failure.
Pre-existing issues:
- [Critical] Integer overflow in `rproc_coredump()` leads to a massive heap buffer overflow.
--
commit 114ec0b0402b4fa78538fad8bece1af5eac1df59
Author: Ben Levinsky <ben.levinsky@amd.com>
remoteproc: add AMD BRAM-based remote processor driver
Add a remoteproc driver for AMD soft-core processor subsystems using BRAM
for firmware storage. The driver parses the memory window from devicetree,
registers the carveout, and controls the processor via reset GPIO and clock.
> diff --git a/drivers/remoteproc/amd_bram_rproc.c b/drivers/remoteproc/amd_bram_rproc.c
> new file mode 100644
> index 0000000000000..a595875f9ce8c
> --- /dev/null
> +++ b/drivers/remoteproc/amd_bram_rproc.c
[ ... ]
> +static int amd_bram_rproc_prepare(struct rproc *rproc)
> +{
[ ... ]
> + mem = rproc_mem_entry_init(priv->dev, NULL, (dma_addr_t)res.start,
> + resource_size(&res), da,
> + rproc_mem_entry_ioremap_wc,
> + rproc_mem_entry_iounmap,
> + dev_name(priv->dev));
[Severity: Low]
Are rproc_mem_entry_ioremap_wc and rproc_mem_entry_iounmap defined anywhere
in the kernel tree? It appears these functions are missing, which would cause
the driver to fail to compile and link.
> + if (!mem)
> + return -ENOMEM;
> +
> + rproc_add_carveout(rproc, mem);
> + rproc_coredump_add_segment(rproc, da, resource_size(&res));
[Severity: Critical]
This is a pre-existing issue, but does adding an unbounded coredump segment
size here risk an integer overflow in the remoteproc core?
In drivers/remoteproc/remoteproc_coredump.c:rproc_coredump(), segment sizes
are accumulated into data_size without overflow checks:
if (dump_conf == RPROC_COREDUMP_ENABLED)
data_size += segment->size;
If a massive size (approaching U32_MAX on 32-bit systems) is provided from
the devicetree reg property, this could wrap around, leading to a much
smaller vmalloc allocation. Later, rproc_copy_segment() is called with the
original massive size, writing blindly into the undersized heap buffer.
> +
> + return 0;
> +}
[ ... ]
> +static int amd_bram_rproc_parse_fw(struct rproc *rproc,
> + const struct firmware *fw)
> +{
> + rproc_elf_load_rsc_table_optional(rproc, fw, dev_dbg,
> + "no resource table found\n");
[Severity: Low]
Is rproc_elf_load_rsc_table_optional defined anywhere? Similar to the
allocator callbacks above, this function appears to be missing from the tree.
> + return 0;
> +}
> +
> +static const struct rproc_ops amd_bram_rproc_ops = {
> + .prepare = amd_bram_rproc_prepare,
> + .start = amd_bram_rproc_start,
> + .stop = amd_bram_rproc_stop,
> + .load = rproc_elf_load_segments,
> + .sanity_check = rproc_elf_sanity_check,
> + .get_boot_addr = rproc_elf_get_boot_addr,
> + .parse_fw = amd_bram_rproc_parse_fw,
> +};
[Severity: High]
Will firmware IPC initialize correctly without a .find_loaded_rsc_table
callback?
When the core loads a firmware with a resource table, rproc_fw_boot() calls
rproc_find_loaded_rsc_table(). Since .find_loaded_rsc_table is omitted here,
it returns NULL. This causes the core to silently skip copying the updated
rproc->cached_table to the device's loaded table in memory, leaving the
firmware to use uninitialized or FW_RSC_ADDR_ANY addresses for
communication.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629164003.3940208-1-ben.levinsky@amd.com?part=2
prev parent reply other threads:[~2026-06-29 18:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 16:40 [PATCH v4 0/2] remoteproc: add AMD BRAM-based remote processor driver Ben Levinsky
2026-06-29 16:40 ` [PATCH v4 1/2] dt-bindings: remoteproc: document AMD BRAM-based rproc Ben Levinsky
2026-06-30 6:53 ` Krzysztof Kozlowski
2026-06-30 13:47 ` Ben Levinsky
2026-06-30 14:27 ` Krzysztof Kozlowski
2026-06-30 14:38 ` Ben Levinsky
2026-06-29 16:40 ` [PATCH v4 2/2] remoteproc: add AMD BRAM-based remote processor driver Ben Levinsky
2026-06-29 18:59 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629185911.94DDF1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ben.levinsky@amd.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox