If cancellation points are enabled, then the following logic is activated in sem_wait(). This causes ECANCELED to be returned every time that sem_wait is called.
int sem_wait(FAR sem_t *sem)
{
...
/* sem_wait() is a cancellation point */
if (enter_cancellation_point())
{
#ifdef CONFIG_CANCELLATION_POINTS
/* If there is a pending cancellation, then do not perform
* the wait. Exit now with ECANCELED.
*/
errcode = ECANCELED;
goto errout_with_cancelpt;
#endif
}
...
Normally this works fine. sem_wait() is the OS API called by the application and will cancel the thread just before it returns to the application. Since it is cancellation point, it should never be called from within the OS.
There there is is one perverse cases where sem_wait() may be nested within another cancellation point. If open() is called, it will attempt to lock a VFS data structure and will eventually call nxmutex_lock(). nxmutex_lock() waits on a semaphore:
int nxmutex_lock(FAR mutex_t *mutex)
{
...
for (; ; )
{
/* Take the semaphore (perhaps waiting) */
ret = _SEM_WAIT(&mutex->sem);
if (ret >= 0)
{
mutex->holder = _SCHED_GETTID();
break;
}
ret = _SEM_ERRVAL(ret);
if (ret != -EINTR && ret != -ECANCELED)
{
break;
}
}
...
}
In the FLAT build, _SEM_WAIT expands to sem_wait(). That causes the error in the logic: It should always expand to nxsem_wait(). That is because sem_wait() is cancellation point and should never be called from with the OS or the C library internally.
The failure occurs because the cancellation point logic in sem_wait() returns -ECANCELED (via _SEM_ERRVAL) because sem_wait() is nested; it needs to return the -ECANCELED error to the outermost cancellation point which is open() in this case. Returning -ECANCELED then causes an infinite loop to occur in nxmutex_lock().
The correct behavior in this case is to call nxsem_wait() instead of sem_wait(). nxsem_wait() is identical to sem_wait() except that it is not a cancelation point. It will return -ECANCELED if the thread is canceled, but only once. So no infinite loop results.
In addition, an nxsem_wait() system call was added to support the call from nxmutex_lock().
This resolves Issue #9695
In many cases, it is legal for the child process to use the fd
created by the parent process,
so to improve compatibility, we allow the child process
to use the fd of the Parent process.
Signed-off-by: hujun5 <hujun5@xiaomi.com>
In embedded development environments, due to the lack of address isolation between processes,
fd may be passed between processes and lead to misuse,
We have designed an fd cross-process automatic detection tool,
fdcheck_protect returns the fd containing the pid information,
indicating that the ownership of the current fd belongs to the pid and is not allowed to be used by other processes.
fdcheck_restore will obtain the true fd and check if the ownership of the fd is legal
For ease of understanding, let's give an example where
the following information is represented in 32-bit binary format
fd 00000000 00000000 00000000 10001010
pid 00000000 00000000 00000011 01010101
ret 00000000 00000011 01010101 10001010
Signed-off-by: hujun5 <hujun5@xiaomi.com>
FD (file descriptor) is widely used in system software development,
and almost all implementations of posix os (including nuttx) use FD as an index.
the value of fd needs to be allocated starting from the minimum available value of 3, and each process has a copy,
so the same fd value is very easy to reuse in the program.
In multi threaded or multi process environments without address isolation,
If the ownership, global variables, and competition relationships of fd are not properly handled,
there may be issues with fd duplication or accidental closure.
Further leading to the following issues, which are difficult to troubleshoot.
1. Security vulnerability: the fd we wrote is not the expected fd and will be accessed by hackers to obtain data
2. Program exceptions or crashes: write or read fd failures, and program logic errors
3. The structured file XML or database is damaged: the data format written to the database is not the expected format.
The implementation principle of fdsan is based on the implementation of Android
https://android.googlesource.com/platform/bionic/+/master/docs/fdsan.md
Signed-off-by: hujun5 <hujun5@xiaomi.com>
sim/rpserver
NuttShell (NSH) NuttX-12.0.0
server> cu
_assert: Current Version: NuttX server 12.0.0 3ead669e7a-dirty Feb 2 2023 23:53:48 sim
_assert: Assertion failed : at file: libs/libc/misc/lib_mutex.c:303 task: cu 0x5662fff4
Signed-off-by: chao an <anchao@xiaomi.com>
NuttX kernel should not use the syscall functions, especially after
enabling CONFIG_SCHED_INSTRUMENTATION_SYSCALL, all system functions
will be traced to backend, which will impact system performance.
Signed-off-by: chao an <anchao@xiaomi.com>
This PR adds the driver for Allwinner A64's MIPI Display Serial Interface (DSI) and MIPI Display Physical Layer (D-PHY).
This driver will be used by the upcoming Display Driver for PINE64 PinePhone.
- `include/nuttx/crc16.h`: Added 16-bit CRC-CCITT
- `libs/libc/misc/Make.defs`: Added 16-bit CRC-CCITT to Makefile
- `arch/arm64/src/a64/Kconfig`: Added the Kconfig option for "A64 Peripheral Selection > MIPI DSI" (`CONFIG_A64_MIPI_DSI`), which enables the MIPI DSI Driver
- `arch/arm64/src/a64/hardware/a64_memorymap.h`: Added the Base Address for MIPI DSI
- `arch/arm64/src/a64/Make.defs`: Added the MIPI DSI Driver to the Makefile
- `libs/libc/misc/lib_crc16ccitt.c`: Compute 16-bit CRC-CCITT
- `arch/arm64/src/a64/mipi_dsi.c`, `mipi_dsi.h`: Compose MIPI DSI Packets (Long, Short, Short with Parameter)
- `arch/arm64/src/a64/a64_mipi_dsi.c`, `a64_mipi_dsi.h`: MIPI DSI Driver for Allwinner A64
- `arch/arm64/src/a64/a64_mipi_dphy.c`, `a64_mipi_dphy.h`: MIPI D-PHY Driver for Allwinner A64
- `platforms/arm/a64/boards/pinephone/index.rst`: Added MIPI DSI as supported peripheral for PinePhone
Co-Authored-By: Petro Karashchenko <petro.karashchenko@gmail.com>
arm-none-eabi-ld: nuttx/staging/libc.a(lib_impure.o):(.data.impure_data+0x4): undefined reference to `__sf'
arm-none-eabi-ld: nuttx/staging/libc.a(lib_impure.o):(.data.impure_data+0x8): undefined reference to `__sf'
arm-none-eabi-ld: nuttx/staging/libc.a(lib_impure.o):(.data.impure_data+0xc): undefined reference to `__sf'
Toolchain:
Version: GNU Arm Embedded Toolchain to Version 11.3.Rel1(August 8, 2022)
Tar: arm-gnu-toolchain-11.3.rel1-x86_64-arm-none-eabi.tar.xz
Break change:
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=b0cb9f85ca3626e0e68fd451c3090d253ceb4300
Signed-off-by: chao an <anchao@xiaomi.com>
to ensure the generated key is unique from each other since only
root pseduo file system really support st_ino field after:
commit d35fbf534d51f7ef72382d9666a1f19e07c6f00f
Author: Xiang Xiao <xiaoxiang@xiaomi.com>
Date: Fri Sep 16 14:24:55 2022 +0800
fs: Allocate unique serial number for the root pseduo file system node
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
some toolchain provider remove const qualifier from global_impure_ptr
(e.g. Espressif) but other provider keep it(e.g. ARM or Cadence), so
let's define const to empty macro to pass the compile and more safety.
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
* libs/libc/misc/lib_getrandom.c, in function getrandom():
We were assigning the return value of _NX_READ() to nbytes, a
variable of the unsigned type size_t. Note that _NX_READ() resolves
to either read() or nx_read(), both of which return the signed type
ssize_t to indicate either the number of bytes read successfully
(>= 0) or an error (< 0). Then we were testing for a negative
size_t value, a condition that can never occur. The end result is
that if an error occured in _NX_READ(), it would never be detected
and getrandom() would return some large positive value. This bug is
corrected by assigning the return value of _NX_READ() to a new local
variable, ret, of size ssize_t.