From: sashiko-bot@kernel.org
To: "Gregor Herburger" <gregor.herburger@linutronix.de>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 4/4] arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node
Date: Tue, 30 Jun 2026 21:09:55 +0000 [thread overview]
Message-ID: <20260630210956.5468C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630-rpi-tryboot-v2-4-f68d2dc6aa27@linutronix.de>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free in devm_reboot_mode_unregister during driver unbind
- [High] Endianness bug in reboot mode magic value parsing
--
commit 29798275c02dc4226f698253632e8ea76033c96b
Author: Gregor Herburger <gregor.herburger@linutronix.de>
arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node
The raspberry pi firmware driver allows the tryboot reboot mode. Add
this mode and normal boot mode to the node.
> diff --git a/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi b/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> index b7a6bc34ae1ab..67095c7ff770d 100644
> --- a/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> +++ b/arch/arm64/boot/dts/broadcom/bcm2712-rpi-5-b-base.dtsi
> @@ -49,6 +49,8 @@ firmware: rpi-firmware {
> compatible = "raspberrypi,bcm2835-firmware", "simple-mfd";
>
> mboxes = <&mailbox>;
> + mode-normal = <0>;
> + mode-tryboot = <1>;
[Severity: High]
This is a pre-existing issue, but enabling the reboot mode in the device
tree exposes a use-after-free during driver unbind.
The reboot mode is registered using devres, but is embedded in a manually
refcounted struct:
drivers/firmware/raspberrypi.c:rpi_firmware_probe() {
...
fw->reboot_mode.dev = dev;
fw->reboot_mode.write = rpi_firmware_reboot_mode_write;
ret = devm_reboot_mode_register(dev, &fw->reboot_mode);
...
}
When the driver is unbound, rpi_firmware_remove() drops the final reference
to fw, freeing it before devres cleanup runs:
drivers/firmware/raspberrypi.c:rpi_firmware_remove() {
...
rpi_firmware_put(fw);
...
}
Will this cause memory corruption when the driver core later invokes
devm_reboot_mode_release() and accesses &fw->reboot_mode?
[Severity: High]
This is a pre-existing issue, but does this feature work correctly on
big-endian kernels?
The CPU-endian magic variable is passed by reference to the hardware
communication layer without cpu_to_le32() conversion:
drivers/firmware/raspberrypi.c:rpi_firmware_reboot_mode_write() {
...
if (magic)
ret = rpi_firmware_property(fw, RPI_FIRMWARE_SET_REBOOT_FLAGS,
&magic, sizeof(magic));
...
}
Since the reboot-mode framework parses the device tree property into a
CPU-endian unsigned int, passing it directly to rpi_firmware_property() will
send the wrong value to the little-endian VideoCore firmware.
Should magic be converted to little-endian before it is sent to the firmware?
>
> firmware_clocks: clocks {
> compatible = "raspberrypi,firmware-clocks";
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630-rpi-tryboot-v2-0-f68d2dc6aa27@linutronix.de?part=4
prev parent reply other threads:[~2026-06-30 21:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 20:59 [PATCH v2 0/4] firmware: raspberrypi: Add support for the tryboot mode Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 1/4] firmware: raspberrypi: reorder rpi_firmware_property_tag enum Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 2/4] dt-bindings: raspberrypi,bcm2835-firmware: Include 'reboot-mode.yaml' Gregor Herburger
2026-06-30 21:12 ` sashiko-bot
2026-07-01 7:24 ` Krzysztof Kozlowski
2026-06-30 20:59 ` [PATCH v2 3/4] firmware: raspberrypi: Add reboot mode support Gregor Herburger
2026-06-30 21:13 ` sashiko-bot
2026-06-30 21:57 ` Stefan Wahren
2026-07-02 7:50 ` Gregor Herburger
2026-06-30 20:59 ` [PATCH v2 4/4] arm64: dts: broadcom: bcm2712: Add reboot modes to firmware node Gregor Herburger
2026-06-30 21:09 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630210956.5468C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=gregor.herburger@linutronix.de \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox