A nested exception can occur in arm_m_exc_exit after interrupts are
re-enabled but before branching to the EXC_RETURN value. In that case,
the nested exception stacks an exception stack frame (ESF) on MSP.
arm_m_exc_tail() unconditionally rewrites the LR slot on the active
stack to redirect execution to arm_m_exc_exit. If a nested exception
has stacked an ESF on MSP, this rewrite corrupts the stacked xPSR
field, leading to a UsageFault ("Illegal use of EPSR") on exception
return.
Guard the LR rewrite so that it is only performed when the exception
is returning to Thread mode using PSP. This ensures that the rewrite
does not interfere with ESFs stacked on MSP during nested exceptions.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
The exit from the SVC exception used for syscalls back into the
calling thread is done without locking. This means that the
intermediate states can be interrupted while the kernel-mode code is
still managing thread state like the mode bit, leading to mismatches.
This seems mostly robust when used with PendSV (though I'm a little
dubious), but the new arch_switch() code needs to be able to suspend
such an interrupted thread and restore it without going through a full
interrupt entry/exit again, so it needs locking for sure.
Take the lock unconditionally before exiting the call, and release it
in the thread once the magic is finished, just before calling the
handler. Then take it again before swapping stacks and dropping
privilege.
Even then there is a one-cycle race where the interrupted thread has
dropped the lock but still has privilege (the nPRIV bit is clear in
CONTROL). This thread will be resumed later WITHOUT privilege, which
means that trying to set CONTROL will fail. So there's detection of
this 1-instruction race that will skip over it.
Signed-off-by: Andy Ross <andyross@google.com>
Late-arriving clang-format-demanded changes that are too hard to split
and squash into the original patches. No behavior changes.
Signed-off-by: Andy Ross <andyross@google.com>
When USE_SWITCH=y, the thread struct is now mostly degenerate. Only
the two words for ICI/IT state tracking are required. Eliminate all
the extra fields when not needed and save a bunch of SRAM.
Note a handful of spots in coredump/debug that need a location for the
new stack pointer (stored as the switch handle now) are also updated.
Signed-off-by: Andy Ross <andyross@google.com>
GCC/gas has a code generation bugglet on thumb. The R7 register is
the ABI-defined frame pointer, though it's usually unused in zephyr
due to -fomit-frame-pointer (and the fact the DWARF on ARM doesn't
really need it). But when it IS enabled, which sometimes seems to
happen due to toolchain internals, GCC is unable to allow its use in
the clobber list of an asm() block (I guess it can't generate
spill/fill code without using the frame?).
There is existing protection for this problem that sets
-fomit-frame-pointer unconditionally on the two files (sched.c and
init.c) that require it. But even with that, gcc sometimes gets
kicked back into "framed mode" due to internal state. Provide a
kconfig workaround that does an explicit spill/fill on the one
test/platform where we have trouble.
(I checked, btw: an ARM clang build appears not to have this
misfeature)
Signed-off-by: Andy Ross <andyross@google.com>
ARM Cortex M has what amounts to a design bug. The architecture
inherits several unpipelined/microcoded "ICI/IT" instruction forms
that take many cycles to complete (LDM/STM and the Thumb "IT"
conditional frame are the big ones). But out of a desire to minimize
interrupt latency, the CPU is allowed to halt and resume these
instructions mid-flight while they are partially completed. The
relevant bits of state are stored in the EPSR fields of the xPSR
register (see ARMv7-M manual B1.4.2). But (and this is the design
bug) those bits CANNOT BE WRITTEN BY SOFTWARE. They can only be
modified by exception return.
This means that if a Zephyr thread takes an interrupt
mid-ICI/IT-instruction, then switches to another thread on exit, and
then that thread is resumed by a cooperative switch and not an
interrupt, the instruction will lose the state and restart from
scratch. For LDM/STM that's generally idempotent for memory (but not
MMIO!), but for IT that means that the restart will re-execute
arbitrary instructions that may not be idempotent (e.g. "addeq r0, r0,
The fix is to check for this condition (which is very rare) on
interrupt exit when we are switching, and if we discover we've
interrupted such an instruction we swap the return address with a
trampoline that uses a UDF instruction to immediately trap to the
undefined instruction handler, which then recognizes the fixup address
as special and immediately returns back into the thread with the
correct EPSR value and resume PC (which have been stashed in the
thread struct). The overhead for the normal case is just a few cycles
for the test.
Signed-off-by: Andy Ross <andyross@google.com>
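
The check-and-trampoline scheme described in the commit message above, modelled on a plain struct as an added example (not code from the Zephyr tree). The struct names, function names and trampoline address are hypothetical, and clearing the stacked ICI/IT bits before running the trampoline is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* EPSR ICI/IT bits live in xPSR[26:25] and xPSR[15:10] (ARMv7-M B1.4.2). */
#define EPSR_ICI_IT_MASK 0x0600FC00u

/* Hardware-stacked exception frame, lowest address first. */
struct esf { uint32_t r0, r1, r2, r3, r12, lr, pc, xpsr; };

/* Hypothetical per-thread stash: the two words for ICI/IT tracking. */
struct thread_fixup { uint32_t saved_pc, saved_epsr; };

/* Hypothetical address of the UDF trampoline (constructed value). */
#define FIXUP_TRAMPOLINE 0x08000100u

/* Interrupt exit, switching away: arm the fixup if ICI/IT state is live. */
bool arm_fixup_on_switch(struct esf *f, struct thread_fixup *t)
{
	uint32_t epsr = f->xpsr & EPSR_ICI_IT_MASK;

	if (epsr == 0) {
		return false; /* common case: only this test is paid */
	}
	t->saved_pc = f->pc;
	t->saved_epsr = epsr;
	f->pc = FIXUP_TRAMPOLINE;
	/* Assumption: clear IT state so the UDF itself is not treated as
	 * part of the interrupted IT block. */
	f->xpsr &= ~EPSR_ICI_IT_MASK;
	return true;
}

/* Undefined-instruction handler: true if the fault came from the trampoline. */
bool undef_handler_fixup(struct esf *f, struct thread_fixup *t)
{
	if ((f->pc & ~1u) != FIXUP_TRAMPOLINE) {
		return false; /* genuine undefined instruction */
	}
	f->pc = t->saved_pc;
	f->xpsr = (f->xpsr & ~EPSR_ICI_IT_MASK) | t->saved_epsr;
	t->saved_epsr = 0;
	return true; /* exception return now reloads EPSR from the frame */
}
```
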
Integrate the new context layer, allowing it to be selected via the
pre-existing CONFIG_USE_SWITCH. Not a lot of changes, but notable
ones:
+ There was code in the MPU layer to adjust PSP on exception exit at a
stack overflow so that it remained inside the defined stack bounds.
With the new context layer though, exception exit will rewrite the
stack frame in a larger format, and needs PSP to be adjusted to make
room.
+ There was no such treatment in the PSPLIM case (the hardware prevents
the SP from going that low), so I had to add similar code to
validate PSP at exit from fault handling.
+ The various return paths for fault/svc assembly handlers need to
call out to the switch code to do the needed scheduler work. Really
almost all of these can be replaced with C now, only userspace
syscall entry (which has to "return" into the privileged stack)
needs special treatment.
+ There is a gcc bug that prevents the arch_switch() inline assembly
from building when frame pointers are enabled (which they almost
never are on ARM): it disallows you from touching r7 (the thumb
frame pointer) entirely. But it's a context switch, we need to!
Worked around by enforcing -fomit-frame-pointer even in the two
scheduler files that can swap when NO_OPTIMIZATIONS=y.
Signed-off-by: Andy Ross <andyross@google.com>
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
1. Mostly complete. Supports MPU, userspace, PSPLIM-based stack
guards, and FPU/DSP features. ARMv8-M secure mode "should" work but I
don't know how to test it.
2. Designed with an eye to uncompromising/best-in-industry cooperative
context switch performance. No PendSV exception nor hardware
stacking/unstacking, just a traditional "musical chairs" switch.
Context gets saved on process stacks only instead of split between
there and the thread struct. No branches in the core integer switch
code (and just one in the FPU bits that can't be avoided).
3. Minimal assembly use; arch_switch() itself is ALWAYS_INLINE, there
is an assembly stub for exception exit, and that's it beyond one/two
instruction inlines elsewhere.
4. Selectable at build time, interoperable with existing code. Just
use the pre-existing CONFIG_USE_SWITCH=y flag to enable it. Or turn
it off to evade regressions as this stabilizes.
5. Exception/interrupt returns in the common case need only a single C
function to be called at the tail, and then return naturally.
Effectively "all interrupts are direct now". This isn't a benefit
currently because the existing stubs haven't been removed (see #4),
but in the long term we can look at exploiting this. The boilerplate
previously required is now (mostly) empty.
6. No support for ARMv6 (Cortex M0 et al.) thumb code. The expanded
instruction encodings in ARMv7 are a big (big) win, so the older cores
really need a separate port to avoid impacting newer hardware.
Thankfully there isn't that much code to port (see #3), so this should
be doable.
Signed-off-by: Andy Ross <andyross@google.com>
Only VIDEO_CID_ANALOGUE_GAIN and VIDEO_CID_GAIN were defined. Also add
the complementary VIDEO_CID_DIGITAL_GAIN.
Signed-off-by: Josuah Demangeon <me@josuah.net>
Add a function to translate the socket address family to the size of the
concrete socket address type.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Remove redundant "interface" suffix from stepper groups and
update `@ingroup` references so `stepper.h` appears under the correct
group.
Signed-off-by: Shiven Kashyap <shivenkashyap24@gmail.com>
Add function to get an instance pointer by index.
This works the same as bt_tbs_client_get_by_ccid except that
it uses the index instead of the CCID.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Refactored the Stream End Point (SEP) callback mechanism to use a
unified bt_avdtp_sep_ops structure instead of individual function
pointers. This change consolidates the connected, disconnected, and
media_data_cb callbacks into a single operations structure. The stream
established callback should be called when the stream l2cap is
connected, not when the open cmd is finished.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
This PR adds a new driver for the QEMU Firmware Configuration Device.
It implements the device for both X86 and MMIO architectures (e.g. ARM).
It also supports the DMA interface for write support.
Signed-off-by: Maximilian Zimmermann <gitmz@posteo.de>
This file, added in 2cac70e099,
("dts: bindings: usb: Add enum to maximum-speed property"),
seems to have no purpose. It's not included anywhere and it's not
valid DTS syntax so it doesn't belong in dt-bindings.
Just remove it.
Signed-off-by: Martí Bolívar <marti.bolivar@oss.qualcomm.com>
The comment is misleading -- it's not that it's unsupported,
it's that it's a syntax from a completely different language.
Signed-off-by: Martí Bolívar <marti.bolivar@oss.qualcomm.com>
This was added in 26334d691b802086942560e7171a827dbfa447d8 ("drivers:
Add opamp API"). It is only included by zephyr/drivers/opamp.h.
Its content needs to be in zephyr/drivers/opamp.h. The dt-bindings
directory is for sharing C macros with C and devicetree. Since this
contains an enum, which is not valid devicetree syntax, it could never
have been used except from driver code etc. Put the code where it
belongs.
Signed-off-by: Martí Bolívar <marti.bolivar@oss.qualcomm.com>
Remove the k_is_user_context call from the Z_LOG_LEVEL_ALL_CHECK macro.
Add the Z_LOG_LEVEL_ALL_CHECK_BREAK macro, which safely checks whether
logging is performed in user context before checking the dynamic log level
that requires access to kernel structure.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Add missing memory barriers after branching on k_is_user_context() to
prevent possible reordering of privileged memory access.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Add WEP security support in Wi-Fi mgmt ops.
Need to enable Kconfig CONFIG_WIFI_NM_WPA_SUPPLICANT_WEP.
Signed-off-by: Kapil Bhatt <kapil.bhatt@nordicsemi.no>
A CoAP client should not be limited to a single destination address for all
requests.
Store the destination address for each request or use the existing socket
directly.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Update the return type of the ICMP callback handler to enum net_verdict.
This fixes an issue where currently all ICMP handlers are passed the same
pkt. Handlers could have modified the passed packet resulting in undefined
behavior.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Setting SCR_ST_BIT actually traps CNTPS access to EL3, opposite
to what the comment says. Remove to allow secure EL1 access.
Also initialize CNTPS_CVAL_EL1 to prevent spurious interrupts.
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Co-authored-by: Sudan Landge <sudan.landge@arm.com>
bt_mesh_suspend/resume now only re-enable provisioning bearers that
were previously active.
Adds internal bt_mesh_provisionee_suspend/resume APIs.
bt_mesh_suspend() now returns -EBUSY if provisioning is active before any
suspend actions are performed.
Signed-off-by: Stine Åkredalen <stine.akredalen@nordicsemi.no>
Add Doxygen documentation to the battery devicetree bindings header so
that it appears in the generated public documentation.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Add public API header for the RISC-V APLIC driver. Provides register
offset and bit-field defines, source configuration helpers, and
function declarations for domain enable, source config/enable, and
MSI routing (guarded by CONFIG_RISCV_APLIC_MSI).
Signed-off-by: Afonso Oliveira <afonso.oliveira707@gmail.com>
Remove the required_sec_level for struct bt_iso_chan and
all related automatic security machinery built around it
(iso_chan_connect_security, bt_iso_security_changed,
BT_ISO_STATE_ENCRYPT_PENDING and the CONFIG_BT_SMP checks
in iso.c).
Applications can just call bt_conn_set_security() on the
ACL connection before bt_iso_chan_connect() instead.
Fixes #104751
Signed-off-by: Vedant Malkar <vedantitsme@gmail.com>
The UUID library has been present as an experimental library in
the Zephyr code base since v4.2.
Since no need for major API changes has emerged in the last two
Zephyr versions, the library can be safely promoted to unstable.
Signed-off-by: Simone Orru <simone.orru@secomind.com>
Use doxygen driver_ops commands to properly document the required/optional
biometrics driver operations
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Add comprehensive Doxygen documentation for all micsr_* and micsr2_*
helper functions that provide atomic indirect CSR access. These
functions are critical for preventing race conditions when accessing
RISC-V indirect CSRs from interrupt contexts.
Signed-off-by: Alexios Lyrakis <alex_gfd@hotmail.com>
Add complete set of micsr2_* helper functions for atomic indirect CSR
access via MIREG2. These complement existing micsr_* helpers that
access via MIREG, providing support for CLIC registers that require
MIREG2 access (CLIC_INTIE, CLIC_INTATTR).
Signed-off-by: Alexios Lyrakis <alex_gfd@hotmail.com>
Don't send MLD report on join if the address was already joined,
only increase the ref count by calling net_if_ipv6_maddr_add().
On leave, only send report if the address was removed from the system
(i.e. is no longer in use).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Don't send IGMP report on join if the address was already joined,
only increase the ref count by calling net_if_ipv6_maddr_add().
On leave, only send report if the address was removed from the system
(i.e. is no longer in use).
For IGMPv3 specifically, if the address with non-empty include/exclude
list was already registered, return an error as registering lists from
different sources is currently not supported.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add ref counting for multicast addresses, so that if a multicast address
is registered from different subsystems, they won't interfere with each
other. That way, if one subsystem decides to remove a multicast address,
it won't affect other subsystems that may still need it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
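
The join/leave behaviour described in the three multicast commit messages above, as an added self-contained sketch (not Zephyr's implementation). The table, function names and the -EALREADY error value are hypothetical; a counter stands in for sending an IGMP/MLD report.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_MADDR 4

/* Hypothetical table entry; refs == 0 marks a free slot. */
struct maddr { uint32_t addr; unsigned int refs; bool has_src_list; };

static struct maddr table[MAX_MADDR];
static unsigned int reports_sent; /* stands in for report transmissions */

static struct maddr *find(uint32_t addr)
{
	for (int i = 0; i < MAX_MADDR; i++) {
		if (table[i].refs > 0 && table[i].addr == addr) {
			return &table[i];
		}
	}
	return NULL;
}

/* Join: report only on the first reference; later joins just count. */
int mcast_join(uint32_t addr, bool with_src_list)
{
	struct maddr *m = find(addr);

	if (m != NULL) {
		if (m->has_src_list) {
			return -EALREADY; /* assumed errno: lists cannot be merged */
		}
		m->refs++;
		return 0;
	}
	for (int i = 0; i < MAX_MADDR; i++) {
		if (table[i].refs == 0) {
			table[i] = (struct maddr){ addr, 1, with_src_list };
			reports_sent++;
			return 0;
		}
	}
	return -ENOMEM;
}

/* Leave: report only when the last reference is dropped. */
int mcast_leave(uint32_t addr)
{
	struct maddr *m = find(addr);

	if (m == NULL) {
		return -ENOENT; /* unbalanced leave cannot underflow the count */
	}
	if (--m->refs == 0) {
		reports_sent++; /* address is no longer in use */
	}
	return 0;
}

unsigned int mcast_reports(void) { return reports_sent; }
```
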
Several places used CONFIG_BT_TBS_MAX_PROVIDER_NAME_LENGTH
instead of
CONFIG_BT_CCP_CALL_CONTROL_SERVER_PROVIDER_NAME_MAX_LENGTH.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Modify bt_ccp_call_control_server_get_bearer_provider_name to
store the bearer provider name in an output buffer, instead of just
providing the pointer.
The reason for this is to make the result thread safe, and
avoid the user/application having a direct pointer to
internal storage.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Extends the UAOL API with uaol_get_mapped_hda_link_stream_id() to get
the HDA link stream ID mapped in HW to its UAOL stream ID. The streams
mapping is stored in the device tree.
Signed-off-by: Serhiy Katsyuba <serhiy.katsyuba@intel.com>