Add malloc_dump_to_file() and malloc_log_to_file() functions to write
heap dumps and malloc traffic logs to host files. This is useful for
debugging memory leaks in sandbox by allowing comparison of before/after
heap states with external tools like diff.
These functions are only available in sandbox builds since they use
host-filesystem access.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Backtrace collection is relatively expensive and can significantly slow
down malloc()-heavy code when mcheck is enabled.
Add a new CONFIG_MCHECK_BACKTRACE option (default y) to allow disabling
backtrace collection while keeping the other mcheck features (canaries,
double-free detection, etc.) enabled. This allows using mcheck with less
overhead when caller information is not needed.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add malloc_log_dump() to print all recorded malloc/free/realloc calls
with their addresses, sizes, and caller information. This provides a
way to inspect the log after recording.
The dump shows a summary line with entry counts, followed by a table
with sequence number, operation type, pointer, size, and caller for
each recorded operation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a malloc()-traffic log that records all malloc()-related calls with
their addresses, sizes, and caller information. This is useful for
debugging allocation patterns and finding the source of allocations that
lack caller info in heap dumps.
Each entry stores:
- Operation type (alloc/free/realloc/memalign)
- Pointer address
- Size (and old size for realloc)
- Full caller backtrace string
On sandbox, the log buffer is allocated from host memory using
os_malloc(), so it does not affect U-Boot's heap. The size is
controlled by CONFIG_MCHECK_LOG_SIZE (default 512K entries).
If the log fills up, it wraps around (circular buffer) and a warning
is shown when dumping to indicate how many entries were lost.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Replace direct printf calls in malloc_dump() with an output callback
function. This introduces dump_out_fn type and dump_to_console() helper,
with malloc_dump_impl() taking the callback and context pointer.
This allows the same implementation logic to be reused for different
output destinations such as writing to a file.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The malloc_very_large() test fails when mcheck is enabled with large
CONFIG_MCHECK_CALLER_LEN because the 64K margin does not account for
the per-allocation overhead (header + canaries).
Use a larger margin (256K) when mcheck is enabled to ensure the test
passes regardless of the mcheck caller length setting.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When mcheck is enabled, malloc_usable_size() returns incorrect results
because mem2chunk() is called on the offset user pointer rather than the
actual chunk.
The pointer returned to the user is offset by the mcheck header, but
malloc_usable_size() is unaware of this. Add a wrapper that returns the
user-requested size stored in the mcheck header. This fixes test
failures when CONFIG_MCHECK_CALLER_LEN is set to larger values.
Also add a wrapper for the case where MALLOC_DEBUG is enabled without
MCHECK_HEAP_PROTECTION, since MALLOC_DEBUG makes
dlmalloc_usable_size_impl() static but no public dlmalloc_usable_size
exists outside the mcheck block.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
In some cases longer function names mean that 48 characters is not
enough to determine the call path. Increase the default to 64 to handle
this.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a _base suffix to this test so that it is easier to run it by
itself with test.py without also getting dm_test_host_dup()
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When copying partial framebuffer regions line by line, there is overhead
from multiple memcpy() calls.
Optimise video_flush_copy() to detect when entire lines are being copied
(damage spans full width) and perform a single memcpy() for the whole
region instead of looping line by line.
Also invert the early-exit check to reduce nesting.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The stb_truetype library performs around 5 allocations per character
rendered, totalling approximately 26KB of temporary memory. This creates
significant malloc/free overhead and heap fragmentation.
Add a scratch buffer mechanism that pre-allocates memory once during
probe and reuses it for each character. The buffer is reset at the start
of each putc_xy() call, and allocations come from this buffer using a
simple bump allocator with 8-byte alignment.
If the scratch buffer is exhausted (e.g. for very complex glyphs), the
allocator falls back to malloc transparently.
The scratch buffer is controlled by two new Kconfig options:
- CONSOLE_TRUETYPE_SCRATCH: Enable/disable the feature (default y)
- CONSOLE_TRUETYPE_SCRATCH_SIZE: Buffer size in bytes (default 32KB)
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
This was last updated in 2023. The updates are minimal but we may as
well keep it up to date.
Bring in the latest version:
f1c79c0 ("Merge pull request #1851 from jeffrbig2/master"_
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a command-line option (-M or --no_mcheck) to disable mcheck heap
protection at runtime. When mcheck is disabled, the wrapper functions
pass through directly to the underlying allocator without adding
headers or checking for corruption.
This is useful for debugging when mcheck interferes with test results,
such as when memory-leak detection reports false positives due to
accumulated allocations from other tests.
Changes:
- Add disable_mcheck flag to sandbox_state
- Add mcheck_set_disabled() function to mcheck API
- Modify dlmalloc wrappers to bypass mcheck when disabled
- Add stub for when MCHECK_HEAP_PROTECTION is not enabled
- Document the new option in sandbox.rst
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a GPROF=1 build option to enable gprof profiling for sandbox. This
adds the -pg flag to both compiler and linker when GPROF=1 is set,
following the same pattern as the existing FTRACE option.
Usage:
make GPROF=1 sandbox_defconfig all
./u-boot -T -c "ut dm"
...
gprof u-boot gmon.out
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The run_test_nand() function allocates buf and gold buffers but never
frees them, leaking about 2MB per test run.
Fixes: bc8e8a4bfa ("nand: Add sandbox driver")
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The scratch buffer and glyph buffer are allocated during probe but never
freed. Add a remove callback to free these buffers when the truetype
console device is removed.
Fixes: 159af15074f2 ("video: truetype: Add a scratch buffer to use malloc() less")
Fixes: 69d2f4ab58 ("video: truetype: Use pre-allocated buffer for glyph rendering")
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The cursor save_data buffer is allocated when the cursor is enabled but
never freed. Add a pre_remove callback to free this buffer when the
vidconsole device is removed.
Fixes: aebedeac44 ("video: Provide a buffer to hold pixels behind the cursor")
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The vidconsole device name is allocated with strdup() but never marked
as allocated, so it is not freed when the device is removed. This causes
a memory leak on every video device probe/remove cycle.
Mark the name as allocated so driver model frees it on device removal,
and free it on the error path.
Fixes: 83510766c9 ("dm: video: Add a uclass for the text console")
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When IDE mode is enabled (-I), warnings are not shown because:
1. The process_result() function only shows output in verbose mode,
not IDE mode
2. When there are warnings (stderr output), the build is considered
"failed" and retried. The retry finds the object files already up
to date from the first build, so make does not recompile them and
produces no warnings. The second result (with empty stderr) then
overwrites the first, losing the warnings.
Fix this by:
- Adding IDE mode handling in process_result() to write stderr directly
- Changing the retry logic to only retry on actual failures
(return_code != 0), not on warnings
Fixes: 6a30a2666008 ("buildman: Support running from an IDE")
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a newline parameter to all output functions (info, error, warning,
notice, detail, debug, user_output, do_output) to allow suppressing the
trailing newline. This is useful for progress output where multiple
calls should appear on the same line.
Example:
tout.info('Processing...', newline=False)
tout.info('done')
Also fix typos in docstrings (msg; -> msg:).
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Call to_output() before raising CommandExc so that callers catching
the exception get string output rather than bytes. This avoids the need
for callers to handle bytes decoding themselves.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Enable the new ext4l filesystem (Linux ext4 port) for sandbox testing.
Series-to: concept
Series-cc: heinrich
Cover-letter:
ext4l: Add write support (part L)
This series adds write support to the new ext4l filesystem driver,
supporting file creation, modification, and deletion.
The main additions are:
- File write with journalling support
- File deletion (unlink)
- Directory creation (mkdir)
- Symbolic link creation (ln)
- File and directory rename
Infrastructure improvements include proper cleanup of journal references
when unmounting, safeguards to handle probe without explicit close, and
prevention of use-after-free issues with buffer_heads that have active
journal_heads.
Unlike Linux, which does not need to meticulously free every resource on
unmount (since it can do so later as needed), U-Boot must fully clean up.
The bootloader may mount and unmount filesystems multiple times during a
session, such as loading a kernel from one partition and a device tree
from another, or when running tests. Memory leaks accumulate and cause
failures, so ext4l includes extra cleanup code that the Linux ext4 driver
does not require.
The series also enables ext4l for sandbox testing and allows the use of
metadata_csum checksums which the existing ext4 driver does not support.
Some other tweaks are included:
- a fix for mcheck to avoid filling up pre-relocation malloc()
- use the correct logo for readthedocs
- add a flag to avoid using the video console in tests
- a fallback option for finding persistent data-dir
At this point ext4l is useable, but there is more work needed,
including:
- Add MAINTAINERS entry
- Add more Kconfig options for various features (to reduce code size)
- Enable for ARM and x86 targets
- Documentation
- Tests for failure cases (to check that the journal is doing its job)
END
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Series-links: 1:98
The ext4l driver supports metadata_csum checksums, unlike the old ext4
driver. Only disable metadata_csum when CONFIG_FS_EXT4L is not enabled,
allowing ext4l to use modern ext4 filesystem features.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add ext4l_rename() to rename files and directories, including moves
across directories. This uses the Linux ext4_rename() function.
Also fix the symlink test to verify reading through symlinks works
correctly, since ext4l_resolve_path follows symlinks (stat behavior).
Add Python test wrappers for mkdir, ln, and rename tests.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The ext4l_ln() function returned -EEXIST when creating a symlink where
a file already exists. This differs from the old ext4 implementation
which deletes any existing file before creating the symlink (like ln -sf
behaviour).
Update ext4l_ln() to match this behaviour by calling __ext4_unlink() to
remove any existing non-directory file before creating the symlink.
Directories cannot be replaced with symlinks and return -EISDIR.
This allows test_symlink3 to pass.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add ext4l_ln() to create symbolic links. This uses the Linux ext4_symlink()
function which supports both fast symlinks (stored in inode) and regular
symlinks (stored in data blocks).
Fix the fscrypt_prepare_symlink() stub to properly init the disk_link
structure with the symlink target, which is required for symlink creation
to work correctly.
Add some notes about U-Boot's argument ordering with symlinks.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Implement ext4l_mkdir() to create directories on ext4 filesystems.
The function parses the path to extract the parent directory and
basename, resolves the parent inode, checks for existing entries,
and calls the Linux ext4_mkdir() function to create the directory.
Hook ext4l_mkdir into the filesystem layer via the .mkdir callback
in fs_legacy.c, enabling the standard 'mkdir' command to work with
ext4l filesystems.
Add a unit test that verifies directory creation, duplicate detection
(-EEXIST), nested directory creation, and error handling for
non-existent parent directories (-ENOENT).
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Implement ext4l_unlink() to delete files from ext4 filesystems. This
enables the 'rm' command to work with ext4l.
The implementation:
- Resolves the parent directory and target file
- Verifies the target is not a directory (use rmdir for that)
- Calls ext4_unlink() to remove the directory entry
- Uses journal transactions for crash safety
Add ext4l_op_ptr() macro to select between ext4l_unlink() and the
fallback based on CONFIG_EXT4_WRITE
Call ext4_commit_super() to ensure the changes are written to disk.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add the ability to write files to ext4 filesystems using the ext4l
driver. This enables the 'save' command to work with ext4l.
The implementation uses the jbd2 journal for crash safety:
- ext4l_write() creates files if needed and writes data
- Journal transactions commit synchronously for durability
- Buffer cache syncs dirty buffers after write operations
The write path consists of the following steps:
1. Lookup or create file via ext4_create()
2. Start journal transaction
3. For each block: get/allocate block, copy data, sync to disk
4. Update inode size and commit transaction
5. Sync all dirty buffers
Add an ext4l_op_ptr() macro to select between a write operation and a
fallback based on CONFIG_EXT4_WRITE, avoiding #ifdefs in fstypes[].
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Some block devices, such as LUKS-encrypted volumes mounted via
blkmap_crypt, only support read access. When ext4l attempts to write
the superblock during mount, the write fails and causes mount to fail.
Add a way to detect this read-only device detection:
- Test writes during mount by writing back the superblock data; if the
write fails, mark the device as read-only
- Update bdev_read_only() to return the actual read_only status
- Update sb_rdonly() to check the SB_RDONLY flag
This allows ext4l to successfully mount read-only devices like LUKS
volumes for read access.
We could perhaps have a read-only flag in the block device, but that is
left for another day.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When running filesystem tests back-to-back, buffer_heads could be freed
while journal_heads still reference them. This causes use-after-free
crashes when the journal code later accesses the stale b_bh pointer.
Add protection in free_buffer_head() to skip buffers with JBD attached,
since the journal owns a reference and will clean them up properly. Also
add protection in brelse() to prevent the ref count from dropping to
zero while JBD is still attached.
Update comments in ext4l_close_internal() to clarify why cache cleanup
is critical even during skip_io mode.
Fixes crashes when test_fs13 runs after test_fs11 in the same session.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When running multiple filesystem tests in sequence, probe may be called
without an explicit close of the previous mount. The old device may have
been rebound to a different file, making I/O to it invalid.
Add a new ext4l_close_internal() function with a skip_io parameter to
handle this case. When skip_io is true, it skips journal-destroy
entirely since the device may be invalid. It will be recovered on next
mount.
Also call the ext4- and JBD2- cleanup functions to properly reset the
global state for subsequent mounts: ext4_exit_system_zone(),
ext4_exit_es(), ext4_exit_mballoc(), and jbd2_journal_exit_global()
This ensures the caches are destroyed, thus freeing all orphaned
journal_heads, even when skip_io is true.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add bh_cache_release_jbd() to forcibly release any journal_heads still
attached to buffer_heads after journal destroy. This must be called
after journal destroy but before bh_cache_clear() to ensure all
journal_heads are properly released, even if journal destroy did not
fully clean up (e.g., on abort).
The function clears b_bh in each journal_head to prevent use-after-free
when the buffer_head is later freed, and resets transaction pointers.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The ext4l driver requires the filesystem framework (FS) and rbtree
library (RBTREE) to build correctly. Add the first as an explicit
dependency and 'select' the second, to prevent build failures when ext4l
is enabled.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The crc16() stub always returns 0, which causes group-descriptor
checksum-verification to fail for filesystems using the old CRC16
checksum algorithm (gdt_csum feature without metadata_csum).
Replace the stub with U-Boot's real CRC16 implementation to allow
mounting these filesystems.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The atomic_add() and atomic64_add() functions are now provided by
asm-generic/atomic.h so remove the duplicate declarations from
ext4_uboot.h and the implementation from stub.c
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Resources are not properly released on unmount, causing memory leaks
in long-running U-Boot sessions that remount filesystems.
Add ext4l_free_sb() to release all resources on unmount:
- Destroy journal and commit superblock
- Release superblock buffer and unregister lazy init
- Free mballoc data and release system zone
- Destroy xattr caches
- Free group descriptors and flex groups
- Evict all tracked inodes
- Free root dentry, sbi, and superblock structures
Also:
- Init the s_inodes list when allocating superblock
- Free mount context (ctx, fc) after successful mount
- Call destroy_inodecache() during global cleanup
- Clear folio cache on buddy cache inode before iput()
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Several buffer cache issues cause problems when remounting:
1. bh_cache_insert() only checks block number, but the same block can
be read with different sizes (e.g. superblock at 1K vs 4K). Check
both block number and size when determining if already cached.
2. bh_cache_clear() leaves stale buffer references, causing memory
leaks. Force the reference count to 1 before releasing since ext4
code won't access these buffers after unmount.
3. brelse() frees buffer heads when the reference count reaches zero,
but cached buffer heads should only be freed by bh_cache_clear()
during unmount. This causes a double-free. Add a BH_Cached flag to
distinguish cached buffers from temporary ones: set BH_Cached in
bh_cache_insert() when adding to cache, and in brelse() only free
non-cached buffers when count reaches zero.
Also fix a bit conflict: BH_OwnsData was using BH_JBDPrivateStart which
conflicts with BH_BITMAP_UPTODATE in ext4.h. Move U-Boot private bits
to start at BH_JBDPrivateStart + 1.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
U-Boot does not track allocated inodes, causing memory leaks when
remounting filesystems.
Add s_inodes list to super_block and i_sb_list to inode structures to
track all allocated inodes, allowing proper eviction on unmount.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Move the message buffer functions from interface.c to support.c since
they are internal support code rather than filesystem-interface
functions. This keeps interface.c focused on functions called from the
U-Boot filesystem layer.
Functions moved:
- ext4l_msg_init()
- ext4l_record_msg()
- ext4l_get_msg_buf()
- ext4l_print_msgs()
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add documentation for the ext4l_msgs environment variable which
controls whether the ext4l filesystem driver prints mount messages
when probing an ext4 filesystem.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
The memory leaks were in fact not coming from the kmem cache, so let's
drop this unnecessary feature.
This reverts commit e63fc511c3.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
When mcheck heap-protection is enabled, each allocation adds quite a
bit of overhead for headers and canaries. While this is needed for the
full allocator, it serves no purpose for pre-relocation allocations,
since:
1. Simple malloc is a bump allocator that cannot free memory
3. Mcheck's corruption-detection provides no benefit for non-freeable
memory
Since the pre-relocation heap space is limited (typically <16KB), this
overhead can exhaust the heap, causing boot failures.
Fix this by bypassing mcheck hooks in dlmalloc(), dlfree(),
dlmemalign() and dlcalloc() when called before relocation, directly
calling the simple malloc functions instead.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The mcheck heap protection stores a caller string in each allocation
header for debugging purposes. The length is hard-coded to 48 bytes in
mcheck_core.inc.h
Add a CONFIG_MCHECK_CALLER_LEN Kconfig option to make this configurable,
allowing users to adjust the trade-off between the amount of debugging
context and the memory overhead per allocation.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Some blkmap slices (like blkmap_crypt) don't support writes and have
their write function set to NULL. The blkmap_blk_write_slice() function
calls the write function without checking if it's NULL, causing a crash
when attempting to write to such slices.
Add a NULL check before calling the write function. When the slice
doesn't support writes, return 0 to indicate no blocks were written.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update the ReadTheDocs documentation to use the correct U-Boot logo
from the original 2023 website, stickers and coins. This includes the
project name.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a pre_remove handler that unregisters the video_idle cyclic when
the last video device is removed. This ensures the cyclic won't run
after driver model is reinitialised by the test framework.
This complements the uclass_find() fix by properly cleaning up the
cyclic registration rather than just gracefully handling the orphaned
state.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
