[nrf fromtree] drivers: nrf_qspi_nor: Fix EXTXIP + Flash write race c…#4060
Open
nvlsianpu wants to merge 3503 commits into
This reverts commit 21ee827. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This reverts commit 1b9636e. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Those Kconfig options have been removed upstream, but we are temporarily keeping them (reverted the change) as we have not yet updated to Mbed TLS 4. We now include this file even when NRF_SECURITY is in use and MBEDTLS_BUILTIN is disabled, so make sure that we don't inflate build sizes for nothing. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
…TION Upstream PR #: 106660 To have a way to tell whether PS rollback protection is enabled and also possibly to turn it off. The Kconfig option is put in a new Kconfig file dedicated to the Protected Storage, just as we have for the Crypto modules. `if BUILD_WITH_TFM` is moved to the main Kconfig file so that we don't have it in every subfile. `Kconfig.tfm.crypto_modules` is renamed to `Kconfig.tfm.crypto` for consistency with the partition name. A CMake macro is introduced to more easily pass boolean Kconfig options to TF-M and is applied to relevant places. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
…ression tests Upstream PR #: 106660 "tfm_regression_test" sample used TF-M default testing method where an external OS (named RTX) is used to run non-secure regression tests. In this scenario Zephyr OS is completely ignored. This commit replaces RTX with Zephyr's app as container of the NS code. This pattern reflects what usually happens in Zephyr when a NS application is built. Signed-off-by: Valerio Setti <vsetti@baylibre.com> Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
… by default Upstream PR #: 106660 - Move selection of the isolation level to individual test cases. - Slightly reshape tests naming in "testcase.yaml". Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Upstream PR #: 106660 remove unnecessary Kconfigs from the configuration file Signed-off-by: Valerio Setti <vsetti@baylibre.com> Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
…to TF-M build Upstream PR #: 106660 In order to properly build non-regression tests for the TF-M secure side we need to pass 2 additional parameters: - tf-m-tests build folder - secure test configuration file Previously these values were added from 'samples/tfm_integration/tfm_regression_tests' sample. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Upstream PR #: 106660 These were only used in 'samples/tfm_integration/tfm_regression_test' and when that application is built they are both assumed to be enabled, so it's not really meaningful to have these Kconfigs. Extra parameters that need to be passed to the TF-M's CMake build are now added from 'samples/tfm_integration/tfm_regression_test/CMakeLists.txt'. In this way regression testing is self contained in that folder and it doesn't pollute the main TF-M build. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Upstream PR #: 106660 Set stack size to 2048 bytes in order to allow all the tests to complete successfully on real hardware. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
…tion Upstream PR #: 106660 This really is a test, so move it appropriately. The README file is deleted as there is no need for extra (outdated) documentation. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
…interrupts Explicitly disable VBUSDETECTED and VBUSREMOVED regulator interrupts. Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no> (cherry picked from commit 37010a3)
… is used Without this we can have scenarios where PSA Crypto headers are not found under certain configurations. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no> (cherry picked from commit e02ccae)
…_hw_config Removing the pointer cast on dev->api breaks building C++ files that include ethernet.h Signed-off-by: Jacob Schloss <jacob.schloss@suburbanmarine.io> (cherry picked from commit 4935080)
…sed RNG Test is using random API from interrupt context and some entropy drivers don't support it. It's a test so pseudo-rng is ok. Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no> (cherry picked from commit 12bffe6)
…_TFM_USE_NS_APP" This reverts commit 06dd00c. This change is still causing undefined reference to tfm_platform_gpio_pin_mcu_select from soc/nordic/common/soc_secure.c for the 5340. It's too central a place that cannot be disabled with a Kconfig option. Revert this commit until we update to Mbed TLS 4. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Upstream PR #: 108017 Add a help text to their Kconfig options to warn about that. In addition, make CONFIG_PSA_WANT_ALG_MD5 select NOT_SECURE but not CONFIG_PSA_WANT_ALG_SHA_1 because for instance HMAC-SHA1 is still considered secure, which means SHA-1 usage might not necessarily be insecure. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The hfxo and lfxo clocks are used by both cpuapp and cpunet cores, but the hfxo and lfxo nodes are only present in devicetree for the cpuapp core. This prevents the cpunet build from knowing if there is an hfxo and/or lfxo present. Therefore add the lfxo and hfxo clocks to nrf5340_cpunet.dtsi All boards in tree have both the hfxo and lfxo present. The only information that needs to be made available to cpunet is the hfxo's presence and startup time, and lfxo's presence. Upstream PR #: 105558 Signed-off-by: Bjarki Arge Andreasen <bjarki.andreasen@nordicsemi.no> Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
Add defines for UUIDs used by the HID SCI (Shorter Connection Intervals) feature. Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no> (cherry picked from commit 76862fa)
Add nrf54lm20b target to the platform_allow list. Signed-off-by: Sebastian Głąb <sebastian.glab@nordicsemi.no> (cherry picked from commit 68ad2ab)
…0b device Add overlay required to run the nrf_sys_event sample on nrf54lm20b device. Signed-off-by: Sebastian Głąb <sebastian.glab@nordicsemi.no> (cherry picked from commit 933e84f)
…ed TLS 4" This reverts commit 9ee6019. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Temporarily bring back the CMake logic that compiled Mbed TLS 3.6 before we actually update to Mbed TLS 4 in NCS. This is a revert of 393350f and subsequent changes affecting the Mbed TLS integration. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
All handshakes within the test suite are PSK-based, therefore it's only needed to enable MBEDTLS_CIPHERSUITE_TLS_PSK_WITH_AES_256_CBC_SHA384; MBEDTLS_CIPHERSUITE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is not needed or used in tests so it only increases the overall image size. For the few tests verifying the certificate validation, it's enough to enable X509 certificate parsing and a few dependencies. Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no> (cherry picked from commit 9f299be)
Specify what cipher suite to use for TLS/DTLS at runtime for consistent results. Otherwise, in case additional mbed TLS features are enabled (for instance with TFM enabled), different cipher suite may be chosen for TLS/DTLS by mbed TLS, affecting the tests outcome. Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no> (cherry picked from commit 9a2b669)
…PSA_CRYPTO_C This is actually a fromtree of upstream PR # 108256 (commit 21e55f2) but the cherry-pick conflicts too badly. This will be reverted and cherry-picked properly from upstream in the Mbed TLS update PR. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The standard way to enable PSA Crypto is to enable CONFIG_PSA_CRYPTO and not CONFIG_MBEDTLS_PSA_CRYPTO_C directly. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no> Upstream PR #: 108469
It should not depend on CONFIG_MBEDTLS nor CONFIG_MBEDTLS_PSA_CRYPTO_C as a PSA Crypto provider other than Mbed TLS may be enabled. In fact, it doesn't even need to depend on CONFIG_PSA_CRYPTO because CONFIG_PSA_WANT_ALG_SHA_1 is already guarded behind CONFIG_PSA_CRYPTO_CLIENT. At the same time, replace all the `depends on UUID` by a single if which is the standard way to do. Also turn CONFIG_UUID into a menuconfig instead of creating a menu manually. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no> Upstream PR #: 108469
…ILTIN Otherwise the CMake library may not exist and the linker command would wrongfully get populated with `-lmbedTLS`. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no> Upstream PR #: 108469
… DHCPv4 start Add a new Kconfig option WIFI_STA_AUTO_DHCPV4 to allow applications to control whether DHCPv4 client should be automatically started by the Wi-Fi driver or supplicant after STA connection is established. This addresses the use case where applications need to switch between static IP addressing and DHCP, or prefer to manually control when the DHCP client starts. When CONFIG_WIFI_STA_AUTO_DHCPV4=n, the application layer becomes responsible for either manually starting the DHCPv4 client or configuring a static IPv4 address after Wi-Fi connection is established. The option defaults to 'y' to maintain backward compatibility with existing behavior. Signed-off-by: Maochen Wang <maochen.wang@nxp.com> (cherry picked from commit 742b0e7)
nvlsianpu pushed a commit to NordicBuilder/sdk-nrf that referenced this pull request May 25, 2026
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#4060 Signed-off-by: Nordic Builder <pylon@nordicsemi.no>
Add mount_flags to zms_fs structure to be able to control the mount operation. If ZMS_MOUNT_FLAG_NO_FORMAT flag is enabled, no header will be added to an erased memory and it will return -ENOTSUP error. Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no> (cherry picked from commit a5e7080)
Add tests for the ZMS_MOUNT_FLAG_NO_FORMAT flag when mounting a storage Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no> (cherry picked from commit 0a93151)
Update the documentation and describe the usage of the mount_flags. Detail the ZMS_MOUNT_FLAG_NO_FORMAT optional flag. Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no> (cherry picked from commit 9f7802e)
…oard target Fix number of writes to trigger a GC for native_sim/native/64 board as it has a different sector size. Fix the returned value for zms_free_space when ate_wra < data_wra. Skip test_zms_gc_3sectors for targets that have a sector size different than 1KB. Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no> (cherry picked from commit 64997e4)
When executing this test with flash simulator some flash_write are manually injected to simulate data corruption. Add a flash_erase before these writes to fix the test. Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no> (cherry picked from commit f331ee5)
...which calculates the maximum number of times a single ZMS sector has been recycled. This is to enable estimation of an RRAM lifetime based on a set of tests. Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no> Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit 72032cb)
…r erase In zms_gc(), the sector erase at zms_flash_erase_sector() destroyed the empty ATE holding full_cycle_cnt before zms_add_empty_ate() could read it, causing zms_get_full_sector_cycle() to always return -ENOENT and resetting the count to 0 (stored as 1). The counter could never exceed 1. Fix by reading full_cycle_cnt before erasing and passing the saved value to zms_add_empty_ate() via a new prev_cycle_cnt parameter. Apply the same read-before-erase pattern in zms_init() recovery paths. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit 893f3dd)
Add zms_get_sector_num_cycles() to retrieve the 32-bit cycle count for a specific sector. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit 9196b58)
Add a sample that exercises zms_get_num_cycles() by advancing sectors in a loop and verifying the counter increments correctly, including past the uint8_t wraparound boundary at 256. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit 134cc43)
…fix wipe In zms_add_empty_ate(), use zms_get_sector_cycle() for the 8-bit cycle_cnt (data validity) independently from the 32-bit full_cycle_cnt (erase tracking). Previously cycle_cnt was derived from full_cycle_cnt which broke when zms_verify_and_increment_cycle_cnt double-incremented cycle_cnt. In zms_wipe_partition(), read each sector's full_cycle_cnt before erasing so the count is preserved. This is needed for RRAM/MRAM devices where zms_flash_erase_sector is a no-op. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit a3c7d23)
List of added tests : - zms.test_zms_cycle_count_input_validation - zms.test_zms_cycle_count_increments - zms.test_zms_cycle_count_persistence Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit cce771e)
…4-bit mode The 64-bit ATE format only has a 4-byte payload union after the 8-byte id, so empty_ate.full_cycle_cnt and empty_ate.metadata alias the same 4 bytes. zms_add_empty_ate() wrote both — metadata first (needed for format/version detection on mount) then full_cycle_cnt — and the second write silently clobbered the first. As a result, every empty ATE in 64-bit ID mode lost its magic/version, zms_init() failed to recognise sectors on remount, and tests including test_zms_gc, test_zms_full_sector and test_zms_id_64bit failed silently. In 64-bit ID mode, skip the empty_ate.full_cycle_cnt write entirely so metadata stays intact. The 8-bit empty_ate.cycle_cnt (a separate field at byte offset 1, with no aliasing) is now seeded from prev_cycle_cnt on the just-erased path so it accumulates across recycles modulo 256 and doubles as the cumulative wear counter exposed by zms_get_num_cycles() / zms_get_sector_num_cycles(). The 32-bit ID codepath keeps the existing 32-bit full_cycle_cnt range and behaviour. Trade-off: in 64-bit ID mode the cycle counter wraps every 256 cycles instead of every ~4 billion. The 32-bit ID format is unchanged. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit cd38efa)
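The aliasing described in the commit message above, as an added example that is not part of the commit or of the ZMS sources. The struct layout, the `MODEL_METADATA` value, the function names and the +1 per recycle are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed magic/version word; the value ZMS really uses is not on this page. */
#define MODEL_METADATA 0x5A4D0001u

/* Hypothetical 16-byte ATE for 64-bit ID mode, laid out as the commit text
 * describes: cycle_cnt at byte offset 1, an 8-byte id, a 4-byte payload union. */
struct model_ate64 {
	uint8_t crc8;
	uint8_t cycle_cnt;
	uint16_t len;
	uint8_t id[8];
	union {
		uint32_t metadata;       /* format/version detection on mount */
		uint32_t full_cycle_cnt; /* aliases the same 4 bytes */
	} u;
};

_Static_assert(sizeof(struct model_ate64) == 16, "model ATE must be 16 bytes");
_Static_assert(offsetof(struct model_ate64, cycle_cnt) == 1, "cycle_cnt offset");

/* Pre-fix writer: metadata first, then full_cycle_cnt into the same bytes. */
void empty_ate_before(struct model_ate64 *ate, uint32_t prev_cycle_cnt)
{
	memset(ate, 0xff, sizeof(*ate));
	ate->u.metadata = MODEL_METADATA;
	ate->u.full_cycle_cnt = prev_cycle_cnt + 1; /* clobbers metadata */
}

/* Post-fix writer: metadata is the only union write; the 8-bit cycle_cnt is
 * seeded from the previous count (the +1 per recycle is an assumption). */
void empty_ate_after(struct model_ate64 *ate, uint32_t prev_cycle_cnt)
{
	memset(ate, 0xff, sizeof(*ate));
	ate->u.metadata = MODEL_METADATA;
	ate->cycle_cnt = (uint8_t)(prev_cycle_cnt + 1);
}

/* Mount-time check: the sector is recognised only if the magic survived. */
int mount_recognises(const struct model_ate64 *ate)
{
	return ate->u.metadata == MODEL_METADATA;
}

/* Recycle one sector n times with the post-fix writer. Returns the counter
 * read back after the last recycle, or -1 if a remount would have failed. */
int recycle_after(unsigned int n)
{
	struct model_ate64 ate;
	uint32_t cnt = 0;

	for (unsigned int i = 0; i < n; i++) {
		empty_ate_after(&ate, cnt);
		if (!mount_recognises(&ate)) {
			return -1;
		}
		cnt = ate.cycle_cnt;
	}
	return (int)cnt;
}

int main(void)
{
	printf("counter after 300 recycles: %d\n", recycle_after(300));
	return 0;
}
```

The 300-recycle run shows the trade-off the commit names: the counter survives remounts but wraps modulo 256.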
The field is no longer written in 64-bit mode, so remove it from the struct. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit b2620ba)
Match zms_get_sector_num_cycles(): return int and pass the value through an output pointer. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit 63568b7)
Extend test_zms_cycle_count_persistence to call zms_clear() between the advances and the remount and check the counter is preserved. Signed-off-by: Mircea Caprioru <mcaprioru@baylibre.com> (cherry picked from commit fa07d33)
nvlsianpu pushed a commit to NordicBuilder/sdk-nrf that referenced this pull request May 25, 2026
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#4060 Signed-off-by: Nordic Builder <pylon@nordicsemi.no>
…validity checks In prov_msg_recv(), the protocol timer was reset unconditionally at the top of the function, before the FCS check and before the ADV_LINK_INVALID check. When the link has been marked invalid (e.g. after a provisioning failure), any incoming PB-ADV packet with a passing FCS would still reset the timer, preventing protocol_timeout() from firing and closing the link via prov_link_close(). Move k_work_reschedule() to after the ADV_LINK_INVALID check so the timer is only reset for valid PDUs on an active, non-failed link. Move the FCS check before the timer reset for the same reason. Once ADV_LINK_INVALID is set the protocol timer is no longer extended by incoming packets, and the link is closed by protocol_timeout() as intended, after which the unprovisioned device beacon and PB-ADV link acceptance are restored. Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no> (cherry picked from commit 3f3c37e)
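The check ordering described in the commit message above, as an added example that is not part of the commit or of the Bluetooth Mesh sources. It is a tick-based model: `model_link`, `recv_before`, `recv_after`, `close_tick` and the 60-tick timeout are hypothetical names and values standing in for the link state, the two orderings of prov_msg_recv() and the protocol timer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PROTOCOL_TIMEOUT 60u /* ticks; constructed value */

struct model_link {
	bool invalid;      /* stands in for the ADV_LINK_INVALID flag */
	uint32_t deadline; /* tick at which protocol_timeout() would run */
};

typedef void (*recv_fn)(struct model_link *link, uint32_t now, bool fcs_ok);

/* Stands in for k_work_reschedule() on the protocol timer. */
static void timer_reset(struct model_link *link, uint32_t now)
{
	link->deadline = now + PROTOCOL_TIMEOUT;
}

/* Order before the fix: timer reset first, checks afterwards. */
void recv_before(struct model_link *link, uint32_t now, bool fcs_ok)
{
	timer_reset(link, now);
	if (!fcs_ok || link->invalid) {
		return;
	}
	/* PDU handling would go here. */
}

/* Order after the fix: FCS check, link-state check, then timer reset. */
void recv_after(struct model_link *link, uint32_t now, bool fcs_ok)
{
	if (!fcs_ok) {
		return;
	}
	if (link->invalid) {
		return;
	}
	timer_reset(link, now);
	/* PDU handling would go here. */
}

/* Feed one PDU every `period` ticks and return the tick at which the
 * protocol timeout closes the link, or -1 if it is still open at end_tick. */
int close_tick(recv_fn recv, bool invalid, bool fcs_ok,
	       uint32_t period, uint32_t end_tick)
{
	struct model_link link = { .invalid = invalid, .deadline = PROTOCOL_TIMEOUT };

	for (uint32_t now = 1; now <= end_tick; now++) {
		if (now >= link.deadline) {
			return (int)now;
		}
		if (now % period == 0) {
			recv(&link, now, fcs_ok);
		}
	}
	return -1;
}

int main(void)
{
	printf("invalid link, before fix: %d\n",
	       close_tick(recv_before, true, true, 30, 600));
	printf("invalid link, after fix:  %d\n",
	       close_tick(recv_after, true, true, 30, 600));
	return 0;
}
```

With the old order an invalid link receiving a PDU every 30 ticks is never closed; with the new order it closes at the first timeout, while a valid link with good PDUs still stays open.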
…connect When a PB-GATT or GATT Proxy connection disconnects on a device with CONFIG_BT_MAX_CONN=1, the mesh stack attempts to restart connectable advertising from the disconnected callback. This fails with -ENOMEM because the BLE host still holds a reference to the connection object at that point, and bt_le_ext_adv_start() cannot pre-allocate a new connection slot. Fix this by using the bt_conn_cb.recycled callback to trigger advertising restart. The recycled callback fires only after the connection object is fully released, guaranteeing a free slot is available for connectable advertising. Remove bt_mesh_adv_gatt_update() from bt_mesh_proxy_role_cleanup() and instead set an adv_restart_pending flag in the disconnected handler. The recycled callback checks this flag to avoid unnecessary advertising restart attempts from unrelated disconnections. Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no> (cherry picked from commit 311153e)
…disconnect paths With CONFIG_BT_MAX_CONN=1, restarting connectable advertising from the bt_conn_cb.disconnected callback fails with -ENOMEM because the BLE host still holds a connection reference at that point. The connection slot is only guaranteed free when bt_conn_cb.recycled fires. Two code paths in gatt_disconnected() called bt_mesh_adv_gatt_update() indirectly, triggering bt_le_ext_adv_start() before the connection slot was freed: pb_gatt_srv: on the provisioned path, bt_mesh_pb_gatt_srv_disable() was called, which internally triggers bt_mesh_adv_gatt_update(). proxy_srv: when the proxy service was not yet registered upon disconnect, bt_mesh_proxy_gatt_enable() was called, which also triggers bt_mesh_adv_gatt_update(). Extract prov_gatt_service_unregister() and proxy_gatt_service_register() as private helpers that perform only the GATT service operation without triggering advertising. Have gatt_disconnected() call these helpers and set adv_restart_pending = true in all branches, so conn_recycled() safely handles the advertising restart after the connection is freed. Assisted-by: GitHub Copilot:Claude Sonnet 4.6 Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no> (cherry picked from commit 3a308dc)
…rf-nfct-v2 Extend description for nfct-pins-as-gpios property in nrf-nfct-v2 binding. Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no> (cherry picked from commit f5d88dd)
Use compatible which allows to set nfct-pins-as-gpios property for nrf54l and nrf71 series. Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no> (cherry picked from commit 7e11e9b)
…devicetree Parse DT information regarding NFCT pins and pass it as compiler flags which are used by the MDK startup code. Signed-off-by: Bjarki Arge Andreasen <bjarki.andreasen@nordicsemi.no> Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no> (cherry picked from commit c07bbb7)
The definitions of slot partitions and sram partition have been moved. Include corresponding headers. Fixes NCSDK-39370. Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
nvlsianpu pushed a commit to NordicBuilder/sdk-nrf that referenced this pull request May 26, 2026
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#4060 Signed-off-by: Nordic Builder <pylon@nordicsemi.no>
…ondition When parts of code are running from EXTXIP and at the same time QSPI external flash writes/erases are happening there is a high risk of a race condition where a thread running EXTXIP code starts executing while an external flash operation is in progress; this can lead to execution stalling or bus faults/usage faults. The issue was observed when parts of MCUMGR were relocated to EXTXIP and DFU was performed. To fix the issue added the CONFIG_NORDIC_QSPI_NOR_XIP_FLASH_SCHED_LOCK option which should be used when executing parts of code from EXTXIP. It ensures the blocking variant of nrfx_qspi_ is used and that no preemption happens while an external flash write is in progress (by making qspi_wait_while_writing blocking). Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no> Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> (cherry picked from commit 318948b)
e32dee0 to 304cf02
rebased
…ondition
When parts of code are running from EXTXIP and at the same time QSPI external flash writes/erases are happening there is a high risk of a race condition where a thread running EXTXIP code starts executing while an external flash operation is in progress; this can lead to execution stalling or bus faults/usage faults.
The issue was observed when parts of MCUMGR were relocated to EXTXIP and DFU was performed.
To fix the issue added the CONFIG_NORDIC_QSPI_NOR_XIP_FLASH_SCHED_LOCK option which should be used when executing parts of code from EXTXIP. It ensures the blocking variant of nrfx_qspi_ is used and that no preemption happens while an external flash write is in progress (by making qspi_wait_while_writing blocking).
Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Upstream PR #: 108747
ref.: NCSIDB-1895, NCSDK-39208