66 commits

Author SHA1 Message Date
Tobias Svehagen 50ed105d05 fs: nvs: Fix handling of corrupt ate's in garbage collector
nvs_gc does not verify the crc8 of close_ate before using
close_ate.offset.  This means that close_ate.offset could contain an
offset that points beyond valid ate's in the sector. For example, there
might be a valid ate at offset 0x100 but close_ate.offset is 0x200.
If that is the case that value will not be moved and so it will be lost.

Solve this by refactoring the recovery loop from nvs_prev_ate into
nvs_recover_last_ate and use that function in nvs_gc if a corrupt
close_ate is found.

The crc8 of gc_ate is not checked before trying to find another ate
with the same id. If there are no valid ate with that id in the whole
fs the inner while(1)-loop will never stop since the break condition
includes a check for a correct crc8.

Solve this by skipping gc_ate's with an invalid crc8.

Fixes #26407

Signed-off-by: Tobias Svehagen <tobias.svehagen@gmail.com>
2020-06-26 12:07:13 -05:00
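A host-side model of the first failure described in the commit message above, added here as an illustration and not taken from the Zephyr source: `gc_start(1, 0)` trusts a corrupt close ATE and starts at offset 48, skipping the valid entry at 40, while `gc_start(1, 1)` verifies the crc8 first and rescans the sector. The sector geometry, the `struct ate` layout, the CRC-8 parameters and all function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: one tiny sector (erased flash reads 0xff) and an
 * assumed 8-byte allocation table entry (ATE) layout with crc8 kept last. */
enum { SECTOR_SIZE = 64, ATE_SIZE = 8, CLOSE_OFF = SECTOR_SIZE - ATE_SIZE };
struct ate { uint16_t id, offset, len; uint8_t part, crc8; };
_Static_assert(offsetof(struct ate, crc8) == ATE_SIZE - 1, "crc8 must stay last");

/* CRC-8 over every field before crc8 (poly 0x07, init 0xff: assumed). */
static uint8_t ate_crc8(const struct ate *e)
{
    uint8_t crc = 0xff;
    for (size_t n = 0; n < offsetof(struct ate, crc8); n++) {
        crc ^= ((const uint8_t *)e)[n];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

static void put_ate(uint8_t *s, int at, uint16_t id, uint16_t off, uint16_t len)
{
    struct ate e = { .id = id, .offset = off, .len = len, .part = 0xff };
    e.crc8 = ate_crc8(&e);
    memcpy(s + at, &e, sizeof(e));
}

static int get_ate(const uint8_t *s, int at, struct ate *e)
{
    memcpy(e, s + at, sizeof(*e));
    return e->crc8 == ate_crc8(e); /* 1 only when the stored crc8 matches */
}

/* Walk down from below the close ATE until ATE space meets the data end. */
static uint16_t recover_last_ate(const uint8_t *s)
{
    int last = CLOSE_OFF, data_end = 0;
    struct ate e;
    for (int at = CLOSE_OFF - ATE_SIZE; at > data_end; at -= ATE_SIZE) {
        if (get_ate(s, at, &e)) {
            data_end = e.offset + e.len;
            last = at;
        }
    }
    return (uint16_t)last;
}

/* Offset GC starts from, for a constructed sector holding two entries. */
uint16_t gc_start(int corrupt_close, int verify_crc)
{
    uint8_t s[SECTOR_SIZE];
    struct ate close;
    memset(s, 0xff, sizeof(s));
    put_ate(s, 48, 1, 0, 4);                     /* id 1, data at 0..3 */
    put_ate(s, 40, 2, 4, 4);                     /* id 2, data at 4..7 */
    put_ate(s, CLOSE_OFF, 0xffff, corrupt_close ? 48 : 40, 0);
    s[SECTOR_SIZE - 1] ^= corrupt_close ? 0xff : 0x00; /* break close crc8 */
    if (get_ate(s, CLOSE_OFF, &close) || !verify_crc)
        return close.offset;                     /* valid, or trusted unchecked */
    return recover_last_ate(s);                  /* corrupt close ATE: rescan */
}

int main(void) { return gc_start(1, 1) == 40 ? 0 : 1; }
```

Erased slots fail the crc8 check in this model, so the rescan stops at the last sealed entry instead of walking into erased or data space.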
Dominik Ermel 38f623d97c subsys/fs/nvs: Move write_block_size to flash_parameters
A pointer to flash_parameters has been added to the nvs_fs structure and it
is no longer needed to store write_block_size within the nvs_fs.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2020-06-22 14:35:03 +02:00
Dominik Ermel 076282a117 subsys/fs/nvs: Use flash_get_parameters() to get erase value
Use new flash API call to obtain erase value instead of relying on
hardcoded literals.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2020-06-22 14:35:03 +02:00
Michael Hope ff50ca1974 fs: nvs: fail on >= 256 B block sizes
The current code truncates the size_t block size to a u8_t, which
causes a 256 or 512 byte block size to be truncated to zero and
passing the size check.

Check as a size_t then truncate once the check passes.

Signed-off-by: Michael Hope <mlhx@google.com>
2020-06-08 23:03:21 -04:00
Kumar Gala a1b77fd589 zephyr: replace zephyr integer types with C99 types
    git grep -l 'u\(8\|16\|32\|64\)_t' | \
        xargs sed -i "s/u\(8\|16\|32\|64\)_t/uint\1_t/g"
    git grep -l 's\(8\|16\|32\|64\)_t' | \
        xargs sed -i "s/s\(8\|16\|32\|64\)_t/int\1_t/g"

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2020-06-08 08:23:57 -05:00
Peter Bigot 7bdc235775 nvs: fix return with held lock
An internal early return left a mutex locked.

See https://habr.com/en/company/pvs-studio/blog/495284/ fragments 13
and 14.

Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2020-04-06 22:09:12 -04:00
Oleg Zhurakivskyy b1e1f64d14 global: Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()
Replace all occurrences of BUILD_ASSERT_MSG() with BUILD_ASSERT()
as a result of merging BUILD_ASSERT() and BUILD_ASSERT_MSG().

Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>
2020-03-31 07:18:06 +02:00
Carles Cufi 4b37a8f3a4 Revert "global: Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()"
This reverts commit 8739517107.

Pull Request #23437 was merged by mistake with an invalid manifest.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2020-03-19 18:45:13 +01:00
Oleg Zhurakivskyy 8739517107 global: Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()
Replace all occurrences of BUILD_ASSERT_MSG() with BUILD_ASSERT()
as a result of merging BUILD_ASSERT() and BUILD_ASSERT_MSG().

Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>
2020-03-19 15:47:53 +01:00
Laczen JMS 46061a8a0f subsys/fs: nvs Coverity CID205795 & CID205803 corrections
In nvs writing addresses are u32_t. Coverity reports two situations
where the address could be converted (unwanted) to a signed value.
Both have been corrected.

There is however a general problem with flash API where the addresses
are defined as off_t which is a s32_t. These are converted in the flash
hal to u32_t. As a result of this only half of the possible range can
be used.

Solves #20867 and #20866

Signed-off-by: Laczen JMS <laczenjms@gmail.com>
2019-11-22 09:59:32 -05:00
Ulf Magnusson bd6e04411e kconfig: Clean up header comments and make them consistent
Use this short header style in all Kconfig files:

    # <description>

    # <copyright>
    # <license>

    ...

Also change all <description>s from

    # Kconfig[.extension] - Foo-related options

to just

    # Foo-related options

It's clear enough that it's about Kconfig.

The <description> cleanup was done with this command, along with some
manual cleanup (big letter at the start, etc.)

    git ls-files '*Kconfig*' | \
        xargs sed -i -E '1 s/#\s*Kconfig[\w.-]*\s*-\s*/# /'

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2019-11-04 17:31:27 -05:00
Ulf Magnusson 2d083765e9 fs: nvs: kconfig: Remove unused NVS_PROTECT_FLASH symbol
Unused since commit 7d2e59813f ("subsys: fs/nvs: Rewrite for improved
robustness").

Found with a script.

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2019-10-23 06:45:07 -05:00
Justin Brzozoski d0a368e2e0 nvs: fix overwriting with truncated data
When overwriting an NVS item with data that was a truncated version of
the existing data, the "is this already saved" logic was ignoring the
differing lengths and not saving the new item because the data matched.

Fixes #19250

Signed-off-by: Justin Brzozoski <justin.brzozoski@signal-fire.com>
2019-09-18 22:31:02 -04:00
Carles Cufi 6f5dc33ef4 nvs: Fix deletion of the last entry added
Make sure that the last entry added is deleted correctly by storing the
fact that one was found in a local variable.

Fix by Laczen JMS <laczenjms@gmail.com>

Fixes #18813.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2019-09-02 12:31:42 +02:00
Andrzej Puzdrowski d1bd2490f3 fs/nvs: skip deletion on non existing entry
No need to write a deletion entry for a non-existing entry.
Furthermore, such a write to filled-up storage will make further
writes impossible, as it occupies the delete nvs_ate space but
does not remove anything.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-08-08 11:07:48 +02:00
Andrzej Puzdrowski 369510af33 fs/nvs: fix initialization hang if sector is full
During initialization NVS analyzes the open sector to
find write addresses. It was possible to loop infinitely
when there was no space for any new ATE in the sector.

This patch introduces a check for space available in the sector, which
fixes the issue.

fixes #17891

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-08-08 11:07:48 +02:00
Andrzej Puzdrowski e941ea5af6 fs/nvs: fix delete ate accommodation
NVS always leaves space for a deletion ate in a full sector.
Even so, it was not possible to write a delete nvs_ate to the
full sector. Because of that it was possible to fill up NVS
and be unable to delete anything.

This patch introduces recognition of the case where
a delete ate is being written, and allows writing such an nvs_ate to
an open full sector.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-08-08 11:07:48 +02:00
Andrzej Puzdrowski f42617ad00 fs/nvs: preserve the previous ate searching
Previous ATE searching is accelerated by reading the sector
close ate, which allows skipping reading the whole storage.

ATE is already covered by crc8. This patch introduces a
check on the correctness of the offset read from the close ate. This
increases the meta-data integrity check level.
This also protects against possible looping when reading
an incorrect or non-NVS storage image.

fixes #16899

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-08-07 18:31:34 +02:00
Kamil Piszczek 159ad65c93 fs: nvs: format specifier aligned with off_t type
Aligned format specifier for the off_t type in the NVS file system.

Signed-off-by: Kamil Piszczek <Kamil.Piszczek@nordicsemi.no>
2019-08-06 14:32:23 -07:00
Harry Jiang 273bb8e2f7 fs/nvs: fix the sector size check
A sector size of 0 will pass "fs->sector_size % info.size", then start
a loop in nvs_startup() and never return. So return an error if the
sector size is 0.

Signed-off-by: Harry Jiang <explora26@gmail.com>
2019-08-05 13:20:07 +02:00
Peter A. Bigot b3f99fe0aa subsys/fs: remove FS_FLASH_STORAGE_PARTITION
The last reference to this symbol was removed when flash area management
moved to devicetree.

Signed-off-by: Peter A. Bigot <pab@pabigot.com>
2019-07-22 18:21:50 +02:00
Anas Nashif fe051a9055 cleanup: include/: move flash.h to drivers/flash.h
move flash.h to drivers/flash.h and
create a shim for backward-compatibility.

No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.

Related to #16539

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-06-27 22:55:49 -04:00
Anas Nashif 4e48e87fd2 cleanup: include/: move crc.h to sys/crc.h
move crc.h to sys/crc.h and
create a shim for backward-compatibility.

No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.

Related to #16539

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-06-27 22:55:49 -04:00
Anas Nashif f048792888 cleanup: include/: move nvs/nvs.h to fs/nvs.h
move nvs/nvs.h to fs/nvs.h and
create a shim for backward-compatibility.

No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.

Related to #16539

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-06-27 22:55:49 -04:00
Andrzej Puzdrowski 54000fb886 fs/nvs: fix startup for 2-sectors configuration
This patch fixes the following bug:

After the first GC operation the 1st sector had become scratch
and the 2nd sector had become the write sector. After that NVS
was initialized (via reboot) again - it recognized the 1st
sector as the write sector and the 2nd as an undone GC destination sector,
therefore it cleared the 2nd sector and re-ran GC, which implied data loss.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-05-22 10:22:53 +02:00
Kamil Piszczek 6b772f9994 fs: nvs: format specifier alignment
Aligned format specifiers for the NVS FS. Now, the format specifier
matches the variable type for qemu_x86 types.

Signed-off-by: Kamil Piszczek <Kamil.Piszczek@nordicsemi.no>
2019-05-13 17:07:28 +02:00
Anas Nashif 3ae52624ff license: cleanup: add SPDX Apache-2.0 license identifier
Update the files which contain no license information with the
'Apache-2.0' SPDX license identifier.  Many source files in the tree are
missing licensing information, which makes it harder for compliance
tools to determine the correct license.

By default all files without license information are under the default
license of Zephyr, which is Apache version 2.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2019-04-07 08:45:22 -04:00
Patrik Flykt 4aa48833d8 subsystems: Rename reserved function names
Rename reserved function names in the subsys/ subdirectory except
for static _mod_pub_set and _mod_unbind functions in bluetooth mesh
cfg_srv.c which clash with the similarly named global functions.

Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
2019-04-03 17:31:00 -04:00
Patrik Flykt 24d71431e9 all: Add 'U' suffix when using unsigned variables
Add a 'U' suffix to values when computing and comparing against
unsigned variables.

Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
2019-03-28 17:15:58 -05:00
Laczen JMS 68ea30c123 fs/nvs: Improve init speed and remove fs->locked
This patch removes the free space calculation from nvs initialization.
The available space can be calculated if required using the routine
nvs_calc_free_space.

This patch also removes the locked state of nvs, it is not possible to
get in a locked state.

This patch adds an extra check on the sector_size configuration and only
allows operation on nvs when nvs has been initialized.

This patch also solves issue #13369, the usage of FLASH_ERASE_BLOCK_SIZE
has been replaced with the flash page api.

Changes:

Removed locked state and free_space from the nvs structure.

nvs_reinit(): has been replaced by an internal only function
_nvs_startup().

nvs_write(): removed the possibility to place the file system in a
locked state, if too many gc operations are required it will return
-ENOSPC.

ssize_t nvs_calc_free_space(): introduced, calculates the free space
that is available in the nvs file system.

Removed define LOG_LEVEL.

Rebased to current master.

Signed-off-by: Laczen JMS <laczenjms@gmail.com>
2019-02-21 09:32:52 -05:00
Laczen JMS 7989801966 fs/nvs: Improve init speed and remove fs->locked
This patch removes the free space calculation from nvs initialization.
The available space can be calculated if required using the routine
nvs_calc_free_space.

This patch also removes the locked state of nvs, it is not possible to
get in a locked state.

Changes:

Removed locked state and free_space from the nvs structure.

nvs_reinit(): has been replaced by an internal only function
_nvs_startup().

nvs_write(): removed the possibility to place the file system in a
locked state, if too many gc operations are required it will return
-ENOSPC.

ssize_t nvs_calc_free_space(): introduced, calculates the free space
that is available in the nvs file system.

Signed-off-by: Laczen JMS <laczenjms@gmail.com>
2019-02-21 09:32:52 -05:00
Carlos Stuart 75f77db432 include: misc: util.h: Rename min/max to MIN/MAX
There are issues using lowercase min and max macros when compiling a C++
application with a third-party toolchain such as GNU ARM Embedded when
using some STL headers i.e. <chrono>.

This is because there are actual C++ functions called min and max
defined in some of the STL headers and these macros interfere with them.
By changing the macros to UPPERCASE, which is consistent with almost all
other pre-processor macros this naming conflict is avoided.

All files that use these macros have been updated.

Signed-off-by: Carlos Stuart <carlosstuart1970@gmail.com>
2019-02-14 22:16:03 -05:00
Aurelien Jarno ed0b0b7cbd nvs: fix alloc/data wra log format string
Commit 41f86c3db2 ("nvs: fix warnings in logger") wrongly changed the
"%d" into "%x" while it was only supposed to suppress the warning.

This patch switches back the format string to "%x".

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2019-01-29 17:49:44 +01:00
Aurelien Jarno 41f86c3db2 nvs: fix warnings in logger
When compiling NVS with NEWLIB_LIBC=y, GCC outputs the following
warning:

In file included from $ZEPHYR/include/logging/log.h:11:0,
                 from $ZEPHYR/subsys/fs/nvs/nvs.c:17:
$ZEPHYR/subsys/fs/nvs/nvs.c: In function 'nvs_init':
$ZEPHYR/subsys/fs/nvs/nvs.c:748:10: warning: format '%lx' expects
argument of type 'long unsigned int', but argument 3 has type 'u32_t
{aka unsigned int}' [-Wformat=]
  LOG_INF("alloc wra: %d, %" PRIx32 "",
          ^
fs->ate_wra and fs->data_wra are both defined as u32_t, so they need to
be printed with '%d'.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2019-01-25 22:26:58 +01:00
Aurelien Jarno 9e8bb61009 nvs: workaround a GCC and Coverity warning
Following the recent NVS changes, the following warning now appears with
GCC 7.3 when building with -O2:

ZEPHYROOT/subsys/fs/nvs/nvs.c: In function 'nvs_reinit':
ZEPHYROOT/subsys/fs/nvs/nvs.c:92:36: warning: 'addr' may be used
uninitialized in this function [-Wmaybe-uninitialized]
  offset += fs->sector_size * (addr >> ADDR_SECT_SHIFT);
                              ~~~~~~^~~~~~~~~~~~~~~~~~~
ZEPHYROOT/subsys/fs/nvs/nvs.c:606:8: note: 'addr' was declared here
  u32_t addr;
        ^~~~

This was already reported by Coverity earlier as CID:187903.

In practice this can only happen if fs->sector_count equals 0, which is
not possible as checked in nvs_init(). At least in the GCC case, it
believes that k_mutex_lock(&fs->nvs_lock, K_FOREVER) could modify
fs->sector_count.

Workaround the issue by initializing addr to 0.

Fixes #9767

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2019-01-02 13:03:09 +01:00
Aurelien Jarno a169d90667 nvs: avoid reading multiple times the same area
The current NVS code checks for an empty ATE using the
_nvs_flash_cmp_const() function. This function loads the data and
compares them to a value. This means that when executed multiple times on
the same area, the data get reloaded multiple times. This might have a
noticeable performance impact with an SPI flash.

Instead define a function _nvs_ate_cmp_const to compare an already read
struct nvs_ate with a constant value. Then replace the calls to
_nvs_flash_cmp_const() on struct nvs_ate by _nvs_flash_ate_rd() followed
by _nvs_ate_cmp_const(). This also has the advantage of explicitly
checking for errors instead of testing the error and the result of the
comparison at the same time.

Tested on a Nucleo L432KC board with the nvs sample. The maximum
initialization time (ie just before running the first garbage collector)
goes down to 6213 µs from 7350 µs.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2019-01-02 13:03:09 +01:00
Laczen JMS bebdf2a479 fs/nvs: Speed Improvement
NVS with modified flash layout. At the end of a sector a special ate is
placed that points to the last ate that was written. This special ate
is written when a sector is closed. This allows nvs to travel through
the fs much quicker as it doesn't have to search for the last ate in
a sector.

This modification also speeds up the nvs_init procedure that was very
slow on external (spi) flash.

Remark: As the layout of data in flash is changed old data in the flash
cannot be recovered. It is advised to erase the nvs flash area before
using the changed nvs.

Modification after review by @nvlsianpu applied

Modification after review by @aurel32:

_nvs_prev_ate(): provide a backup search of a valid ate when the sector
close_ate has a bad CRC8. Tested on nrf81522 by making flash writing
bad data to the sector closing ate. Also validated that if a valid ate
is overwritten the filesystem keeps working.

_nvs_gc(): return error if _nvs_flash_cmp_const() is < 0.

Signed-off-by: Laczen JMS <laczenjms@gmail.com>
2018-12-23 12:23:25 +01:00
Patrik Flykt b97db52de7 misra-c: Add 'U' to unsigned variable assignments in subsys/
Add 'U' to a value when assigning it to an unsigned variable.
MISRA-C rule 7.2

Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
2018-12-04 22:51:56 -05:00
Anas Nashif b8424b4cae crc: deprecate old headers and issue warning when used
Change code to use crc.h instead crc{8,16,32}.h and issue warning when
old headers are used.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-12-04 08:52:46 -06:00
Aurelien Jarno 2eeff9aab0 subsys: nvs: increase NVS_BLOCK_SIZE
The Atmel SAM E70 flash has a 16-byte write block size. Increase the
NVS_BLOCK_SIZE a bit and take some margin. This might also improve the
performances by reducing the calls to the flash driver when moving data
during garbage collection.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-11-06 17:09:03 -05:00
Aurelien Jarno 523caef224 subsys: nvs: fix ATE read/write when write block size > 8 bytes
When the write block size is bigger than sizeof(nvs_ate), which is 8
bytes, we should not read or write more than the ATE. The
_nvs_flash_al_wrt() function will take care of padding the write with
0xff up to write_block_size. Of course the addresses should still be
incremented by write_block_size.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-11-06 17:09:03 -05:00
Aurelien Jarno 199309dbf5 subsys: nvs: kill a VLA
VLA are usually not recommended and are a MISRA C violation. Replace
fs->write_block_size by NVS_BLOCK_SIZE as we now have a check at
initialization that ensures that fs->write_block_size <= NVS_BLOCK_SIZE.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-11-06 17:09:03 -05:00
Aurelien Jarno da2495e914 subsys: nvs: error out if write block size is not supported
In case the write block size is bigger than NVS_BLOCK_SIZE, some
functions end up in an endless loop. Detect the unsupported cases
at initialization.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-11-06 17:09:03 -05:00
Anas Nashif 3c7e60ee74 nvs: fix style
Fix code style after moving to new logger.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-10-08 17:49:12 -04:00
Anas Nashif 12984c6d1f subsys: nvs: move to new logger
Move to new logger and update all related samples and configs.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-10-08 17:49:12 -04:00
Mark Ruvald Pedersen d67096da05 portability: Avoid void* arithmetics which is a GNU extension
Under GNU C, sizeof(void) = 1. This commit merely makes it explicit u8.

Pointer arithmetics over void types is:
 * A GNU C extension
 * Not supported by Clang
 * Illegal across all ISO C standards

See also: https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html

Signed-off-by: Mark Ruvald Pedersen <mped@oticon.com>
2018-09-28 07:57:28 +05:30
Aurelien Jarno 9fa1af694e subsys: fs/nvs: do not leave the flash unprotected in case of error
In case a write to the flash failed, do not leave the flash unprotected.
Always call flash_write_protection_set in that case.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-09-17 07:54:35 -04:00
Aurelien Jarno ce7e1a1cc8 subsys: fs/nvs: do not change flash protection for zero-length case
Avoid unsetting and setting the flash protection if there is nothing to
write to the flash. This happens for example when deleting data from the
flash using nvs_delete.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-09-17 07:54:35 -04:00
Aurelien Jarno 7a76792c87 subsys: fs/nvs: break if no end of sector is found
In case a sector is not empty nor properly closed (ie it never contains
8 times 0xff nor 0x00), the _nvs_prev_ate will loop indefinitely and
will start addressing memory outside of the flash area.

Fix that by stopping the loop when the address matches the beginning of
the sector.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-09-17 07:54:35 -04:00
Aurelien Jarno 725d9f7e09 subsys: fs/nvs: simplify crc8 computation
Instead of forcing the crc8 entry to 0xff for the crc8 computation, just
ignore this field in the computation as it is the last one. This avoid
having to set it back to the original value for _nvs_ate_crc8_check.

Add a build assertion to ensure crc8 is kept last.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2018-09-17 07:54:35 -04:00