[PATCH] android_ab: fix slot selection
Mattijs Korpershoek
mkorpershoek at kernel.org
Thu Apr 9 12:21:18 CEST 2026
Hi Colin,
Thank you for the patch.
Sorry for the late review. For some reason I have not been cc'ed so I
missed this.
Please use ./scripts/get_maintainer.pl -f boot/android_ab.c next time
you send a patch.
See: https://docs.u-boot.org/en/latest/CONTRIBUTE.html#contributions
On Fri, Mar 13, 2026 at 15:14, Colin Pinnell McAllister <colin.mcallister at garmin.com> wrote:
> The boot selection rules state that a slot is bootable if it is not
> corrupted and either has tries remaining or has already booted
> successfully. However, slots that have tries_remaining == 0 and
> successful_boot == 1 will be disregarded when picking the slot to
> attempt.
Can you please give me more references to the boot selection rules?
Is this just the code comment that's mentioned (boot/android_ab.c:276) ?
I've checked:
* https://source.android.com/docs/core/ota/ab
* https://source.android.com/docs/core/ota/ab/ab_implement
and it's unclear to me from that.
Then, I've looked a bit at the default bootcontrol AIDL hal at:
https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/boot/aidl/default/Android.bp
It seems to be using libboot_control as a static library.
libboot_control tells us that a slot is considered unbootable when:
tries_remaining != 0;
See:
https://cs.android.com/android/platform/superproject/+/android-latest-release:hardware/interfaces/boot/1.1/default/boot_control/libboot_control.cpp;l=332?q=libboot_control
>
> Update the selection logic so slots marked successful remain eligible
> even when their tries counter is zero. Also include the successful_boot
> state in the unbootable-slot debug output.
What happens if the tries counter is zero and we attempt to boot with
dec_tries=true? In that case, we will decrement tries_remaining which is
an uint8_t (see: android_bootloader_message.h).
>
> Signed-off-by: Colin Pinnell McAllister <colin.mcallister at garmin.com>
> ---
>
> An alternative would be to keep the existing behavior and update the
> comment in boot/android_ab.c:276 to remove the successful_boot
> condition. I do prefer updating the logic to match the documented rules.
> Currently, the userspace AB code will need to increment the tries
> counter for a slot that has booted successfully but has no tries left.
>
> boot/android_ab.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/boot/android_ab.c b/boot/android_ab.c
> index 13e82dbcb7f..93e74f81d4b 100644
> --- a/boot/android_ab.c
> +++ b/boot/android_ab.c
> @@ -289,11 +289,14 @@ int ab_select_slot(struct blk_desc *dev_desc, struct disk_partition *part_info,
> slot = -1;
> for (i = 0; i < abc->nb_slot; ++i) {
> if (abc->slot_info[i].verity_corrupted ||
> - !abc->slot_info[i].tries_remaining) {
> + (!abc->slot_info[i].tries_remaining &&
> + !abc->slot_info[i].successful_boot)) {
> log_debug("ANDROID: unbootable slot %d tries: %d, ",
> i, abc->slot_info[i].tries_remaining);
> - log_debug("corrupt: %d\n",
> + log_debug("corrupt: %d, ",
> abc->slot_info[i].verity_corrupted);
> + log_debug("successful: %d\n",
> + abc->slot_info[i].successful_boot);
> continue;
> }
> log_debug("ANDROID: bootable slot %d pri: %d, tries: %d, ",
> --
> 2.53.0
>
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
More information about the U-Boot
mailing list