Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Gregor Herburger" <gregor.herburger@linutronix.de>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 4/4] arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node
Date: Tue, 30 Jun 2026 21:09:55 +0000	[thread overview]
Message-ID: <20260630210956.5468C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630-rpi-tryboot-v2-4-f68d2dc6aa27@linutronix.de>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Use-After-Free in devm_reboot_mode_unregister during driver unbind
- [High] Endianness bug in reboot mode magic value parsing
--

commit 29798275c02dc4226f698253632e8ea76033c96b
Author: Gregor Herburger <gregor.herburger@linutronix.de>

arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node

The raspberry pi firmware driver allows the tryboot reboot mode. Add
this mode and normal boot mode to the node.

> diff --git a/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi b/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> index b7a6bc34ae1ab..67095c7ff770d 100644
> --- a/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> +++ b/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> @@ -49,6 +49,8 @@ firmware: rpi-firmware {
>  			compatible = "raspberrypi,bcm2835-firmware", "simple-mfd";
>  
>  			mboxes = <&mailbox>;
> +			mode-normal = <0>;
> +			mode-tryboot = <1>;

[Severity: High]
This is a pre-existing issue, but enabling the reboot mode in the device
tree exposes a use-after-free during driver unbind.

The reboot mode is registered using devres, but is embedded in a manually
refcounted struct:

drivers/firmware/raspberrypi.c:rpi_firmware_probe() {
    ...
    fw->reboot_mode.dev = dev;
    fw->reboot_mode.write = rpi_firmware_reboot_mode_write;
    ret = devm_reboot_mode_register(dev, &fw->reboot_mode);
    ...
}

When the driver is unbound, rpi_firmware_remove() drops the final reference
to fw, freeing it before devres cleanup runs:

drivers/firmware/raspberrypi.c:rpi_firmware_remove() {
    ...
    rpi_firmware_put(fw);
    ...
}

Will this cause memory corruption when the driver core later invokes
devm_reboot_mode_release() and accesses &fw->reboot_mode?


[Severity: High]
This is a pre-existing issue, but does this feature work correctly on
big-endian kernels?

The CPU-endian magic variable is passed by reference to the hardware
communication layer without cpu_to_le32() conversion:

drivers/firmware/raspberrypi.c:rpi_firmware_reboot_mode_write() {
    ...
    if (magic)
        ret = rpi_firmware_property(fw, RPI_FIRMWARE_SET_REBOOT_FLAGS,
                                    &magic, sizeof(magic));
    ...
}

Since the reboot-mode framework parses the device tree property into a
CPU-endian unsigned int, passing it directly to rpi_firmware_property() will
send the wrong value to the little-endian VideoCore firmware.

Should magic be converted to little-endian before it is sent to the firmware?

>  
>  			firmware_clocks: clocks {
>  				compatible = "raspberrypi,firmware-clocks";

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260630-rpi-tryboot-v2-0-f68d2dc6aa27@linutronix.de?part=4

      reply	other threads:[~2026-06-30 21:09 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 20:59 [PATCH v2 0/4] firmware: raspberrypi: Add support for the tryboot mode Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 1/4] firmware: raspberrypi: reorder rpi_firmware_property_tag enum Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 2/4] dt-bindings: raspberrypi,bcm2835-firmware: Include 'reboot-mode.yaml' Gregor Herburger
2026-06-30 21:12   ` sashiko-bot
2026-07-01  7:24   ` Krzysztof Kozlowski
2026-06-30 20:59 ` [PATCH v2 3/4] firmware: raspberrypi: Add reboot mode support Gregor Herburger
2026-06-30 21:13   ` sashiko-bot
2026-06-30 21:57   ` Stefan Wahren
2026-07-02  7:50     ` Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 4/4] arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node Gregor Herburger
2026-06-30 21:09   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630210956.5468C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=gregor.herburger@linutronix.de \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox