From: Mattijs Korpershoek <mkorpershoek@kernel.org>
To: Colin Pinnell McAllister <colin.mcallister@garmin.com>,
u-boot@lists.denx.de
Cc: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Subject: Re: [PATCH] android_ab: fix slot selection
Date: Thu, 09 Apr 2026 12:21:18 +0200 [thread overview]
Message-ID: <87zf3ccu3l.fsf@kernel.org> (raw)
In-Reply-To: <20260313201415.255744-1-colin.mcallister@garmin.com>
Hi Colin,
Thank you for the patch.
Sorry for the late review. For some reason I have not been cc'ed so I
missed this.
Please use ./scripts/get_maintainer.pl -f boot/android_ab.c next time
you send a patch.
See: https://docs.u-boot.org/en/latest/CONTRIBUTE.html#contributions
On Fri, Mar 13, 2026 at 15:14, Colin Pinnell McAllister <colin.mcallister@garmin.com> wrote:
> The boot selection rules state that a slot is bootable if it is not
> corrupted and either has tries remaining or has already booted
> successfully. However, slots that have tries_remaining == 0 and
> successful_boot == 1 will be disregarded when picking the slot to
> attempt.
Can you please give me more references to the boot selection rules?
Is this just the code comment that's mentioned (boot/android_ab.c:276) ?
I've checked:
* https://source.android.com/docs/core/ota/ab
* https://source.android.com/docs/core/ota/ab/ab_implement
and it's unclear to me from that.
Then, I've looked a bit at the default bootcontrol AIDL hal at:
https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/boot/aidl/default/Android.bp
It seems to be using libboot_control as a static library.
libboot_control tells us that a slot is considered unbootable when:
tries_remaining != 0;
See:
https://cs.android.com/android/platform/superproject/+/android-latest-release:hardware/interfaces/boot/1.1/default/boot_control/libboot_control.cpp;l=332?q=libboot_control
>
> Update the selection logic so slots marked successful remain eligible
> even when their tries counter is zero. Also include the successful_boot
> state in the unbootable-slot debug output.
What happens if the tries counter is zero and we attempt to boot with
dec_tries=true? In that case, we will decrement tries_remaining which is
an uint8_t (see: android_bootloader_message.h).
>
> Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
> ---
>
> An alternative would be to keep the existing behavior and update the
> comment in boot/android_ab.c:276 to remove the successful_boot
> condition. I do prefer updating the logic to match the documented rules.
> Currently, the userspace AB code will need to increment the tries
> counter for a slot that has booted successfully but has no tries left.
>
> boot/android_ab.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/boot/android_ab.c b/boot/android_ab.c
> index 13e82dbcb7f..93e74f81d4b 100644
> --- a/boot/android_ab.c
> +++ b/boot/android_ab.c
> @@ -289,11 +289,14 @@ int ab_select_slot(struct blk_desc *dev_desc, struct disk_partition *part_info,
> slot = -1;
> for (i = 0; i < abc->nb_slot; ++i) {
> if (abc->slot_info[i].verity_corrupted ||
> - !abc->slot_info[i].tries_remaining) {
> + (!abc->slot_info[i].tries_remaining &&
> + !abc->slot_info[i].successful_boot)) {
> log_debug("ANDROID: unbootable slot %d tries: %d, ",
> i, abc->slot_info[i].tries_remaining);
> - log_debug("corrupt: %d\n",
> + log_debug("corrupt: %d, ",
> abc->slot_info[i].verity_corrupted);
> + log_debug("successful: %d\n",
> + abc->slot_info[i].successful_boot);
> continue;
> }
> log_debug("ANDROID: bootable slot %d pri: %d, tries: %d, ",
> --
> 2.53.0
>
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
next prev parent reply other threads:[~2026-04-09 10:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 20:14 [PATCH] android_ab: fix slot selection Colin Pinnell McAllister
2026-04-09 10:21 ` Mattijs Korpershoek [this message]
2026-04-09 15:34 ` Pinnell McAllister, Colin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zf3ccu3l.fsf@kernel.org \
--to=mkorpershoek@kernel.org \
--cc=colin.mcallister@garmin.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox