openvela-robot: mm: Add double-free detection to delay list
| File | Last commit | Last updated |
|---|---|---|
net/pkt: support option SO_TIMESTAMPING and MSG_ERRQUEUE Signed-off-by: wenquan1 <wenquan1@xiaomi.com> | 2 months ago | |
kasan/unregister: Modify the logic of unpoison 1. When a region is not included in other regions, we will remove it from g_region. Unpoison is not needed afterward because mm->shadow will no longer be mapped after removal. 2. When a region is contained within other regions, we will unpoison it. The size passed in at this point is also complete. It will not be subtracted from the header of the Kasan region structure in the Kasan register. Signed-off-by: wangmingrong1 <wangmingrong1@xiaomi.com> | 2 months ago | |
fix the compilation error error: implicit declaration of function 'DEBUGASSERT' [-Werror=implicit-function-declaration] Signed-off-by: v-tangmeng <v-tangmeng@xiaomi.com> | 2 months ago | |
mm: Change mm_initialize_heap/mm_initialize_pool to return int, heap via out param - Change mm_initialize_heap and mm_initialize_pool to return int (0 on success, <0 on error), and return the heap pointer via the first argument (struct mm_heap_s **heap_out). - Update all callers to use the new interface - This improves error handling and avoids confusion with pointer return values. Signed-off-by: ligd <liguiding1@xiaomi.com> | 2 months ago | |
mm/map: remove error log unmap It could cause deadlock because of the spin lock of uart. Signed-off-by: xuxingliang <xuxingliang@xiaomi.com> | 2 months ago | |
mempool_multiple: coverity warning fix Signed-off-by: huojianchao <huojianchao@xiaomi.com> | 2 months ago | |
mm_grantable.c: Fix infinite loop due to memory fragmentation The search algorithm does not work with the ctz approach at all, if there is a free range of granules that does not fit a specific allocation (i.e. the granule allocation is fragmented) it will cause an infinite loop as the algorithm will try to find free space from the same (free) starting granule, causing an infinite loop. The clz approach works for all cases, it will find the last used granule and the search will continue from the next free granule. Also, offsetting a full GAT must be sizeof(gat[0] - 1), which is 31 in this case. The reason is that the upper level search function increments the value by +1. Signed-off-by: hujun5 <hujun5@xiaomi.com> | 2 months ago | |
mm: Add double-free detection to delay list When the same memory is freed twice and both added to delay list (race condition in interrupt context), it causes crash later in mm_forcefree() when processing the delay list. This patch adds early detection in add_delaylist() using: 1. Magic value (addr ^ 0xDEADBEEF) for O(1) fast path 2. List traversal for confirmation when magic matches The double-free will be caught immediately with DEBUGASSERT instead of crashing later in free_delaylist() Changes: - Add MM_DELAY_MAGIC and magic field to mm_delaynode_s - Implement two-step detection in add_delaylist() - Sync implementation across mm_heap and tlsf allocators Signed-off-by: ligd <liguiding1@xiaomi.com> | 2 months ago | |
fs/procfs: change procfs_register_meminfo to allocate entry dynamically Change procfs_meminfo_entry from embedded struct to dynamically allocated memory using kmm_zalloc/kmm_free. This prepares for adding reference counting in subsequent patches. Changes: 1. Update procfs_register_meminfo interface to accept individual parameters (name, heap, mallinfo handler, memdump handler) instead of a pre-filled entry struct, and return the allocated entry pointer. 2. Update procfs_unregister_meminfo to free the entry after removal. 3. Change mm_procfs field in all heap structures from embedded struct to pointer (struct procfs_meminfo_entry_s *mm_procfs). 4. Update all callers to use the new interface. 5. Add typedef for mm_mallinfo_handler_t and mm_memdump_handler_t. 6. Change the kmm and kumm initialize order, kmm should be initialized first to allow kmm_zalloc() when calling kmm_initialize(). Signed-off-by: ligd <liguiding1@xiaomi.com> | 2 months ago | |
Merge branch 'master' into vela apache/nuttx commit id: eb27ebba8adfe29644a7b890f86e6f16941921dc Signed-off-by: ligd <liguiding1@xiaomi.com> Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> | 2 months ago | |
mm: Add double-free detection to delay list When the same memory is freed twice and both added to delay list (race condition in interrupt context), it causes crash later in mm_forcefree() when processing the delay list. This patch adds early detection in add_delaylist() using: 1. Magic value (addr ^ 0xDEADBEEF) for O(1) fast path 2. List traversal for confirmation when magic matches The double-free will be caught immediately with DEBUGASSERT instead of crashing later in free_delaylist() Changes: - Add MM_DELAY_MAGIC and magic field to mm_delaynode_s - Implement two-step detection in add_delaylist() - Sync implementation across mm_heap and tlsf allocators Signed-off-by: ligd <liguiding1@xiaomi.com> | 2 months ago | |
assert: remove its noreturn declaration Currently, sometimes we cannot view the function parameters before the __assert function. This is because __assert is declared with noreturn, the compiler will not save the callee-saved registers of caller, and gdb cannot parse through the coredump. Therefore, we need to remove the noreturn declaration. __assert will call abort at the end, and abort is actually a noreturn function, so this does not change the actual behavior of __assert. To ensure the semantics of the PANIC and ASSERT macros remain unchanged and to prevent the compiler from incorrectly analyzing the original code, I added logic_unreachable to minimize the impact on the original semantics. Signed-off-by: guoshengyuan1 <guoshengyuan1@xiaomi.com> | 2 months ago | |
mm: Change mm_initialize_heap/mm_initialize_pool to return int, heap via out param - Change mm_initialize_heap and mm_initialize_pool to return int (0 on success, <0 on error), and return the heap pointer via the first argument (struct mm_heap_s **heap_out). - Update all callers to use the new interface - This improves error handling and avoids confusion with pointer return values. Signed-off-by: ligd <liguiding1@xiaomi.com> | 2 months ago | |
Merge branch 'master' into vela apache/nuttx commit id: eb27ebba8adfe29644a7b890f86e6f16941921dc Signed-off-by: ligd <liguiding1@xiaomi.com> Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com> | 2 months ago | |
kmm/umm mempool config init for MM_POOL_MANAGER Signed-off-by: huojianchao <huojianchao@xiaomi.com> | 2 months ago | |
MM_POOL_MANAGER feature, support mempool only for mm Signed-off-by: huojianchao <huojianchao@xiaomi.com> | 2 months ago |