Fix missing static const qualifier on the version number
look up array declaration.
Without this fix, str was an automatic array inside
bt_hci_get_ver_str(), consuming stack on each call.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
The limit check on mq_attr used && instead of ||, so a request
exceeding only one of CONFIG_MSG_SIZE_MAX or CONFIG_POSIX_MQ_OPEN_MAX
was accepted. The buffer was then allocated as
msg_size * max_msgs without overflow checking, allowing the
multiplication to wrap and produce an under-sized heap buffer
that a later mq_send() would overflow.
Reject when either limit is exceeded, and use size_mul_overflow()
before k_malloc().
Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
When `pm_device_runtime_put*()` is called on a device whose usage
count is already zero, `runtime_suspend()` emits "Unbalanced suspend"
at warning level. The message does not include the device name,
so on a system with many runtime-managed devices the warning gives
no hint which call site to fix.
Add `dev->name` to the log message, matching the style of the
neighbouring debug logs in the file.
Signed-off-by: Petr Hlineny <development@hlineny.cz>
The delay for multicast responses was calculated in seconds but
lorawan_services_schedule_uplink() expects milliseconds.
According to RP002-1.0.3 chapter 2.3, the intended delay is 2+-1
seconds (i.e. a random value in the range [1, 3] seconds). The fix
converts to milliseconds using MSEC_PER_SEC:
uint32_t delay_ms = MSEC_PER_SEC +
(sys_rand32_get() % (2 * MSEC_PER_SEC));
The variable is also renamed from delay to delay_ms to make the unit
explicit and consistent with the fix in frag_transport.c.
Without this fix, the response is delayed by only 1-3ms instead of
1-3s, which could cause uplink collisions when multiple devices
simultaneously respond to a multicast setup command.
Signed-off-by: Dwij Patel <dwijpatel7@gmail.com>
When converting from ticks to milliseconds for zsock_poll(), infinite
timeouts need to be checked before calling k_ticks_to_ms_ceil32().
The code previously used k_ticks_to_ms_floor32(), which likely hidden
the bug as the timeout was rounded down to a very large number, but with
rounding up, an infinite timeout was converted to 0, which caused
zsock_poll() to exit immediately and report timeout.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Treat missing TX crypto context for Handshake and Application packet
protection as a transient not-ready condition instead of an invalid key
error.
This matches the earlier RX-side handling and avoids counting benign
teardown and timing cases as invalid_key failures. In practice this
removes false tx-no-crypto-context statistics hits seen in qemu_x86
runs and keeps the QUIC test suite stable.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
A reordered 1-RTT or long packet can arrive before this endpoint
finishes installing application keys from the peer's handshake
flight. Ignore it without charging invalid-key/drop statistics.
This fixes the issues seen in CI which is processing packets
slower than when running the same tests locally.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Implement NEW_TOKEN handling in the Quic stack.
Add server-side NEW_TOKEN generation after handshake completion and
store received NEW_TOKEN values in a client-side cache for later use.
When the cache is full, replace older entries instead of dropping new
ones.
This also wires the NEW_TOKEN frame encoding to the existing varint
helpers so that emitted frames are built with the expected token
lengths.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The 64-bit ATE format only has a 4-byte payload union after the 8-byte
id, so empty_ate.full_cycle_cnt and empty_ate.metadata alias the same
4 bytes. zms_add_empty_ate() wrote both — metadata first (needed for
format/version detection on mount) then full_cycle_cnt — and the second
write silently clobbered the first. As a result, every empty ATE in
64-bit ID mode lost its magic/version, zms_init() failed to recognise
sectors on remount, and tests including test_zms_gc, test_zms_full_sector
and test_zms_id_64bit failed silently.
In 64-bit ID mode, skip the empty_ate.full_cycle_cnt write entirely so
metadata stays intact. The 8-bit empty_ate.cycle_cnt (a separate field
at byte offset 1, with no aliasing) is now seeded from prev_cycle_cnt
on the just-erased path so it accumulates across recycles modulo 256
and doubles as the cumulative wear counter exposed by
zms_get_num_cycles() / zms_get_sector_num_cycles(). The 32-bit ID
codepath keeps the existing 32-bit full_cycle_cnt range and behaviour.
Trade-off: in 64-bit ID mode the cycle counter wraps every 256 cycles
instead of every ~4 billion. The 32-bit ID format is unchanged.
Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com>
In zms_add_empty_ate(), use zms_get_sector_cycle() for the 8-bit
cycle_cnt (data validity) independently from the 32-bit full_cycle_cnt
(erase tracking). Previously cycle_cnt was derived from full_cycle_cnt
which broke when zms_verify_and_increment_cycle_cnt double-incremented
cycle_cnt.
In zms_wipe_partition(), read each sector's full_cycle_cnt before
erasing so the count is preserved. This is needed for RRAM/MRAM
devices where zms_flash_erase_sector is a no-op.
Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com>
In zms_gc(), the sector erase at zms_flash_erase_sector() destroyed
the empty ATE holding full_cycle_cnt before zms_add_empty_ate() could
read it, causing zms_get_full_sector_cycle() to always return -ENOENT
and resetting the count to 0 (stored as 1). The counter could never
exceed 1.
Fix by reading full_cycle_cnt before erasing and passing the saved
value to zms_add_empty_ate() via a new prev_cycle_cnt parameter.
Apply the same read-before-erase pattern in zms_init() recovery paths.
Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com>
...which calculates the maximum number of times a single
ZMS sector has been recycled. This is to enable estimation
of an RRAM lifetime based on a set of tests.
Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com>
Add shell support for the bt_conn_br_change_packet_type() API:
- Add 'br change-packet-type <hex>' shell command to allow
changing ACL packet types on an established BR/EDR connection.
- Add br_packet_type_changed callback to print the
HCI_Connection_Packet_Type_Changed event result.
- Register the callback in conn_callbacks.
This addresses the review feedback requesting shell/test support
for the change connection packet type feature.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Add bt_conn_br_change_packet_type() API to dynamically change the
allowed packet types for an established BR/EDR connection. This
enables throughput optimization by selecting appropriate packet
types (DM/DH 1/3/5 slots) based on application requirements.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Reinitialize the per-service HTTP version flags before processing each
service in http_server_init().
The h1, h2, and h3 booleans were reused across the HTTP_SERVICE_FOREACH()
loop. Without resetting them, one service's protocol selection could
carry over to the next service and enable listeners for HTTP versions
that the later service did not request.
Clear the flags at the top of each iteration so every service is
evaluated independently from its own configuration.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Preserve partial data from peer control and QPACK unidirectional streams
across recv calls instead of parsing from a temporary buffer.
QUIC streams are byte streams, so the HTTP/3 stream type, frame header,
and frame payload can arrive split across multiple reads. The previous
code dropped incomplete control/QPACK data and could also lose bytes
received after the uni stream type during identification, which broke
SETTINGS and QPACK stream handling.
Add per-connection RX buffers for peer unidirectional streams, compact
unconsumed bytes when a frame is incomplete, retain bytes received after
the stream type varint, and defer peer uni identification to the normal
poll path so queued bytes flow through the buffered handlers.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Do not clear POLLIN after handling an identified HTTP/3 peer
unidirectional stream.
The control and QPACK streams can deliver more data later on the same
fd. Clearing the poll events after the first successful read leaves the
stream registered but no longer observable, so subsequent data is never
processed.
Keep the stream poll slot readable until the stream closes or errors.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Store HTTP/3 bidirectional request parsing state in the per-stream slot
instead of sharing the client-wide request buffer and metadata.
The HTTP/3 path reused client->buffer, client->data_len,
client->current_detail, client->url_buffer and client->method for every
active request stream on the connection. If one stream stopped on
partial frame data and another stream became readable, bytes and parsed
state from the two streams could be mixed, breaking request parsing and
dispatch.
Add per-stream HTTP/3 request state, restore it before handling a
stream, and save it back afterwards. Reset the slot state when streams
are added, closed, or cleaned up so reused slots start from a clean
state.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Keep the HTTP/3 "headers sent" state in the per-stream context instead
of using a local variable in the response path.
Dynamic HTTP/3 handlers can be called multiple times on the same stream,
for example when request DATA arrives in multiple frames or when the
handler produces the response in chunks. With a local headers_sent flag,
each call starts from false and the server can emit HEADERS more than
once on the same stream.
Store the flag alongside the tracked H3 stream fds and look it up from
the current stream socket before sending a response. Reset the flag when
the stream slot is released so reused slots start cleanly.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Handle HTTP/3 stream FIN as request completion instead of immediately
dropping the stream fd.
A bidirectional H3 request can legitimately stay open until the peer
closes the send side, especially for dynamic POST/PUT/PATCH handlers
that wait for end-of-stream before completing the transaction. Closing
the stream as soon as recv() returns 0 skips that final processing step
and can leave request completion callbacks unsent.
Process buffered H3 frames once more when FIN is observed, finalize
pending request bodies with an empty final DATA indication, and treat
FIN with incomplete frame data as an error. Also ignore POLLHUP-only
cleanup when POLLIN is present so the FIN path still gets a chance to
run.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Distinguish accepted HTTP/3 streams that should be ignored from
accepted streams that still need polling.
accept_h3_stream() can accept a peer unidirectional stream before
enough data is available to identify its type. The poll loop treated
that -EAGAIN path as "no stream queued" and returned without adding
the accepted fd to the poll set.
Add a separate ignored-stream return code and register accepted
streams whenever a valid fd is returned. This keeps peer control and
QPACK streams in the poll set while preserving the existing handling
for server-initiated, push, and unknown unidirectional streams.
This prevents accepted peer uni stream fds from being left open and
untracked.
Assisted-by: GitHub Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When printing http services, show also what HTTP protocol
version is supported for that service.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If ALPN list is enabled, and if HTTP/3 is enabled, then the
default ALPN list might be too small. ALPN is mandatory
for HTTP/3 so we need to increase the max limit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The http_server_run() function is very large and hard to read,
refactor it into smaller pieces. There is no functionality
changes by this commit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Use non-blocking cancellation when cancelling client inactivity
timer. This will avoid possible workqueue deadlock.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Print information what failed for setsockopt calls. This
way it is easier to try to solve the issue.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If user wants to use HTTP/2 but it is disabled, then give
a warning. The condition is ignored atm.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
It is easier just check the NULL pointer in Chat module, so
the modem_cellular.c does not need to check the existence of
periodic scripts.
Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
When we linearize the incoming packet (when doing decryption),
we need to check that we are not receiving larger packet than
what is being configured in the system.
This is mainly concerning the case where user has lowered the
default value of CONFIG_WIREGUARD_BUF_LEN (1500 bytes) and we
are receiving data in Ethernet (MTU is 1500 bytes).
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The ans_delay for FRAG_TRANSPORT_CMD_FRAG_STATUS was calculated in
seconds but lorawan_services_schedule_uplink() expects milliseconds.
According to the LoRa Alliance Fragmented Data Block Transport spec,
the actual delay SHALL be rand() * 2^(BlockAckDelay+4) seconds.
The correct fix computes the full window in milliseconds using
MSEC_PER_SEC and proper bracket ordering to avoid operator precedence
issues with the shift operator:
ans_delay_ms = sys_rand32_get() %
((1U << (ctx.block_ack_delay + 4)) * MSEC_PER_SEC);
The variable is also renamed from ans_delay to ans_delay_ms to make
the unit explicit and help avoid similar bugs in the future.
Without this fix, the delay window for e.g. BlockAckDelay=0 is 0-16ms
instead of 0-16s, causing all devices in a multicast group to respond
nearly simultaneously and defeating the collision avoidance mechanism.
Signed-off-by: Dwij Patel <dwijpatel7@gmail.com>
Move ctx->root assignment and clearing from event handlers
into usbh_device_connect() and usbh_device_disconnect().
This avoid dangling pointer issue.
Signed-off-by: Aiden Hu <weiwei.hu@nxp.com>
Introduce BT_RFCOMM_OVERHEAD_SIZE macro to calculate the RFCOMM frame
overhead, which includes the maximum header size, FCS size, and
credits size.
This refactoring:
- Defines BT_RFCOMM_CREDITS_SIZE (1 byte) as a public constant
- Consolidates overhead calculation in a single macro
- Updates all MTU calculations to use BT_RFCOMM_OVERHEAD_SIZE
- Removes redundant credits size adjustment in rfcomm_dlc_connected()
since the overhead is now accounted for upfront in session MTU
calculation
- Simplifies code in GOEP by using the new macro instead of manual
header size calculations
- Change the range of BT_GOEP_RFCOMM_MTU to [265, BT_RFCOMM_L2CAP_MTU]
The change ensures consistent MTU calculations across RFCOMM and
dependent profiles (HFP, GOEP) and accounts for the credits field in
CFC-supported scenarios from the start.
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
Add Kconfig option USBD_CDC_ACM_BUF_POOL_SIZE to allow
configuring the CDC ACM buffer pool size instead of
using the fixed MPS value.
Signed-off-by: Aiden Hu <weiwei.hu@nxp.com>
The bDataInterface field is expected to contain the interface to use
for sending the data payloads, containing the BULK IN and OUT endpoints.
It is having a default value of 1 which fits USB descriptors at startup,
but once the stack renumbers the interfaces, it needs to be updated
with the numbers the host assigned.
Signed-off-by: Josuah Demangeon <me@josuah.net>
The LRU eviction algorithm tracks page access by transiently clearing
the Present bit on the page at the head of the eviction queue and
letting the next access trap. The fault handler then re-sets P and
moves the page back to the tail. This works only as long as no
memory that the exception dispatch path itself touches can ever be
at the head of the queue.
Under Zephyr's selective-pinning model
(CONFIG_LINKER_GENERIC_SECTIONS_PRESENT_AT_BOOT=n), only sections
explicitly tagged __pinned_* are guaranteed resident at runtime; the
rest — crucially including thread stacks allocated via
K_THREAD_STACK_DEFINE, which sit in the .user_stacks arena — is free
to be paged out and, on the way there, to be LRU-access-tracked.
On architectures that reach a thread stack during exception dispatch
— which is the norm: the CPU loads the privileged stack on a ring
3 -> ring 0 transition, or continues on the current kernel stack for
a ring 0 -> ring 0 fault — this is fatal. The LRU machinery flips a
stack page to P=0 while the thread is not running, the thread is
next scheduled, the very first stack access from inside the
exception entry cannot be completed, the CPU raises a second fault
while still dispatching the first, and the architecture escalates
(Double Fault on x86, nested abort elsewhere). Observed on
qemu_x86_tiny under LRU with kernel.memory_protection and
kernel.semaphore suites.
This is not specific to any one architecture. Any arch where the
exception handler touches memory that can be in the evictable pool
is vulnerable; only the mechanism of escalation differs. NRU
statistically avoids the issue because it never clears P and
hot stacks are always marked "recently used" by hardware at
eviction-select time, so they're never actually chosen as victims.
LRU makes the transition deterministic rather than fortuitous.
The principled fix is a dedicated per-CPU exception dispatch stack
(IST on x86-64, task gate on x86-32, dedicated SP_EL1 on ARM64),
which localises pinning to one stack per CPU rather than every
thread's privileged stack. That is a substantial architectural
change, out of scope for this commit.
In the meantime, gate EVICTION_LRU on
LINKER_GENERIC_SECTIONS_PRESENT_AT_BOOT. In that mode every kernel
page is resident at boot, __pinned_* tagging is effectively a no-op,
and the evictable pool contains only explicitly anonymously-mapped
pages — none of which are reached by exception dispatch. Under
selective pinning, the eviction choice falls back to NRU, which
matches the pre-LRU behaviour.
Also add an explicit depends on ARCH_SUPPORTS_EVICTION_TRACKING for
EVICTION_LRU so that the algorithm is hidden on platforms that do
not implement the tracking hooks, and fold the two ARM64/X86 choice
defaults into one expression driven by capability rather than by
architecture name.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
The LRU eviction algorithm needs to catch the first access to a loaded
page in order to call k_mem_paging_eviction_accessed() and move that
page to the tail of the queue. On ARM64 this is done with the MMU's
Access Flag: clearing AF causes a distinct fault on the next access.
On x86 there is no access-flag fault. The Accessed bit (PTE bit 5) is
set by hardware on access but never traps. The only way to force a
fault is to clear the Present bit, which already encodes the
"paged out" state — so a new state is needed:
PTE == 0 -> unmapped
P=0, A=1, upper=location -> paged out
P=0, G=1, upper=PFN -> LRU-tracked (new)
P=1 -> normally mapped
Bit G (Global, bit 8) is never set by Zephyr on x86 (CR4.PGE is not
used), so it is free to use as a private marker when P=0. No existing
PTE state needs to be displaced. This stays out of the way of the
KPTI path (which uses the PAT bit) and of the permission-backup bits
(IGNORED0..2) used for memory domain handling.
arch_page_info_get(addr, NULL, clear_accessed=true) is overloaded
under CONFIG_EVICTION_LRU to both query the prior flags and transition
the page to the LRU-tracked state via a new helper that updates all
domain ptables. arch_page_location_get() recognizes the tracked state
as paged-in so the core demand-paging code treats the page as resident.
The page fault handler intercepts LRU-tracking faults in-line before
k_mem_page_fault() dispatch: restore P, clear the tracking bit, and
call k_mem_paging_eviction_accessed() directly. This avoids the risk
of recursing through do_page_fault() with z_mm_lock held.
KPTI co-exists with demand paging but its PTE encoding is not yet
wired up to the LRU state, so tracking is gated on !X86_KPTI for now.
Fixes: #75132
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Both set_gc entries use row=0 which will result in the first entry being
overwritten and the configuration being deactivated. Activation takes
place only after the last entry has been configured.
Signed-off-by: Andre Heinemans <andre.heinemans@nxp.com>
Drop ZTEST_BENCHMARK_SETUP_TEARDOWN and
ZTEST_BENCHMARK_TIMED_SETUP_TEARDOWN and fold their signature into
ZTEST_BENCHMARK / ZTEST_BENCHMARK_TIMED. The no-hook variants set a bad
precedent: a meaningful benchmark should isolate the code under test from
surrounding state, so setup/teardown are now required at every call site.
Pass NULL when a benchmark genuinely needs neither.
Signed-off-by: Måns Ansgariusson <mansgariusson@gmail.com>
