POSIX leaves the signedness of time_t and clock_t unspecified, but
mainstream implementations (Linux glibc/musl, the BSDs, macOS, RTEMS,
Zephyr's POSIX layer, Windows _time64) expose time_t as signed 64-bit.
NuttX has historically used uint64_t only because it was tied to the
CONFIG_SYSTEM_TIME64 knob; with that gone, switch:
time_t : uint64_t -> int64_t
clock_t : uint64_t -> int64_t
CLOCK_MAX: UINT64_MAX -> INT64_MAX
This lets (time_t)-1 sentinels, negative tick deltas, and host-side
headers behave as on every other POSIX system without source churn.
Headers updated:
- include/sys/types.h, include/limits.h, include/nuttx/clock.h
- include/nuttx/fs/hostfs.h (nuttx_time_t alias)
- include/nuttx/{mqueue.h,wdog.h,wqueue.h,timers/clkcnt.h}
Because clock_t is now signed 64-bit, the NuttX-internal sclock_t
alias becomes redundant: every sclock_t/SCLOCK_MAX use is folded
back to clock_t/CLOCK_MAX (notably in sched/wdog, sched/mqueue,
sched/sched, sched/clock, sched/timer, libs/libc/time, fs/vfs and
the drivers/arch consumers below).
Tick/period constants (NSEC_PER_SEC, USEC_PER_SEC, MSEC_PER_SEC,
SEC_PER_MIN, ...) in include/nuttx/clock.h are retyped from "long"
literals to INT64_C(...) so that 64-bit arithmetic no longer
depends on the host's long width.
Strip now-redundant (time_t)/(clock_t)/(unsigned long) casts and
unsigned-only branches across the tree:
- arch RTC / oneshot / tickless lowerhalfs:
arm: cxd56xx, efm32, imxrt, lc823450, max326xx, sam34, sama5,
samd5e5, samv7, stm32, stm32f7, stm32h7, stm32l4, stm32wb,
xmc4
mips: pic32mz sparc: bm3803 x86_64: intel64
risc-v/xtensa: espressif (esp_i2c[_slave], esp_rtc,
esp32c3{_i2c,_rtc,_wifi_adapter}, esp32{,s2,s3}_*),
mpfs_perf
- drivers: audio/tone, input/aw86225, power/pm/{activity,
stability}_governor, rpmsg/rpmsg_ping,
timers/{ds3231,mcp794xx,pcf85263,rx8010},
wireless/ieee80211/bcm43xxx, wireless/spirit/spirit_spi
- core: fs/vfs/{fs_poll,fs_timerfd}, mm/iob/iob_alloc,
libs/libc/{netdb/lib_dnscache,time/{lib_calendar2utc,
lib_time}}, net/icmp/icmp_pmtu, net/icmpv6/icmpv6_pmtu,
net/ipfrag, net/tcp/{tcp.h,tcp_timer},
net/utils/net_snoop, net/mld/mld_query (drop the now-dead
mld_mrc2mrd helper since signed math handles it directly),
sched/clock/{clock,clock_initialize},
sched/sched/{sched_profil,sched_setparam,sched_setscheduler},
sched/pthread/pthread_create,
sched/wdog/{wd_gettime,wd_start,wdog.h},
sched/timer/timer_gettime, sched/mqueue/*
Flip the few in-tree printf format strings that assumed an
unsigned 64-bit tv_sec:
* drivers/rpmsg/rpmsg_ping.c PRIu64 -> PRId64
* arch/xtensa/src/esp32{,s2,s3}/esp32*_oneshot_lowerhalf.c
PRIu32 (already wrong) -> PRId64
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Add inode_checkperm() and integrate it into file_vopen()
to enforce UNIX-style read/write permission checks for
pseudoFS inodes using effective uid/gid credentials.
Skip permission enforcement for mountpoint inodes and
allow kernel threads to bypass checks.
Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
Preserve only the existing file type bits (S_IFMT) and
replace permission bits from inode->i_mode instead of
merging them with |= semantics.
This fixes pseudoFS stat()/ls mode reporting after
chmod() updates.
Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
This commit fixes a regression introduced by
89df084b0e. That commit
added a check to ensure iov_base is not NULL, assuming NULL
always represents an inaccessible address.
However, in CONFIG_BUILD_KERNEL mode where CONFIG_ARCH_TEXT_VBASE
is set to 0, address zero is a valid virtual address for the
user-space text segment. The previous check caused libelf to
fail with -EFAULT when attempting to load ELF program headers
into the base of the user address space.
This patch wraps the safety check in a conditional to ensure it is
only executed when address zero is not considered a valid
executable base.
Signed-off-by: Lwazi Dube <lwazeh@gmail.com>
When CONFIG_FS_BACKTRACE is enabled, collecting a stack trace for every
new file descriptor adds overhead to fast path operations like open(),
dup(), and socket().
This patch adds a new configuration option CONFIG_FS_BACKTRACE_DEFAULT.
When enabled (default behavior), the GROUP_FLAG_FD_BACKTRACE flag is
automatically set during group allocation, causing backtrace to be
captured for all tasks globally, preserving the original diagnostic
capability.
When disabled, backtrace capture is zero-cost by default and must be
explicitly enabled per task group using GROUP_FLAG_FD_BACKTRACE.
Signed-off-by: zhanxiaoqi <zhanxiaoqi@bytedance.com>
Allow to close the lock even the dying task is in
signal handler context. Also the file type check can
be ignored as they are already validated in create phase.
Signed-off-by: Jari Nippula <jari.nippula@tii.ae>
This adds a kernel-level performance profiler for the VFS.
By enabling CONFIG_FS_PROFILER, the core VFS system calls
(file_read, file_write, file_open, and file_close) are
instrumented to track high-resolution execution times using
clock_systime_timespec() seamlessly.
The collected statistics are exposed dynamically via a new
procfs node at /proc/fs/profile, allowing CI regression
testing without needing external debugging tools.
Signed-off-by: Sumit6307 <sumitkesar6307@gmail.com>
In proxy_fstat(), the write permission bits for a block driver proxy
were gated on `i_ops->read` instead of `i_ops->write`:
The effect is that a driver implementing read but not write would have
S_IWOTH | S_IWGRP | S_IWUSR incorrectly set in the fstat() result,
reporting the file as writable when it is not.
Fix: replace `->read` with `->write` in the write check condition.
Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
debug.h is a NuttX-specific, non-POSIX header. Placing it in the
top-level include/ directory creates naming conflicts with external
projects that define their own debug.h.
This commit moves the canonical header to include/nuttx/debug.h,
following the NuttX convention for non-POSIX/non-standard headers,
and updates all in-tree references.
A backward-compatibility shim is left at include/debug.h that
emits a deprecation #warning and re-includes <nuttx/debug.h>,
allowing out-of-tree code to continue building while migrating.
Signed-off-by: Piyush Patle <piyushpatle228@gmail.com>
Fix 269 occurrences of duplicate "the" word typo found in 209 files
across source code, header files, and configuration.
Signed-off-by: Huang Qi <huangqi3@xiaomi.com>
Implement Linux-compatible TFD_TIMER_CANCEL_ON_SET flag for timerfd to
allow applications to detect discontinuous changes to CLOCK_REALTIME.
Background:
According to Linux timerfd_create(2) man page, when a timerfd is created
with CLOCK_REALTIME and TFD_TIMER_CANCEL_ON_SET flag is specified, the
read() operation should fail with ECANCELED if the real-time clock
undergoes a discontinuous change. This allows applications to detect
and respond to system time changes.
Implementation:
1. Add clock notifier infrastructure (clock_notifier.h/c) to notify
interested parties when system time changes
2. Implement TFD_TIMER_CANCEL_ON_SET flag support in timerfd
3. Register timerfd with clock notifier when flag is set
4. Cancel timer and return ECANCELED when clock change is detected
5. Notify clock changes in:
- clock_settime()
- clock_initialize()
- clock_timekeeping_set_wall_time()
- rpmsg_rtc time synchronization
Changes include:
- New files: include/nuttx/clock_notifier.h, sched/clock/clock_notifier.c
- Modified: fs/vfs/fs_timerfd.c to handle TFD_TIMER_CANCEL_ON_SET
- Modified: clock subsystem to call notifier chain on time changes
- Modified: rpmsg_rtc to notify time changes during sync
Use case example:
Applications using timerfd with absolute time can now detect when
system time is adjusted (e.g., NTP sync, manual time change) and
take appropriate action such as recalculating timeouts or updating
scheduled events.
Reference: https://man7.org/linux/man-pages/man2/timerfd_create.2.html
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
For re-enter case, the inode information may unlock with not filled,
and get by other user. that lead to the error behavior.
Especially SMP scene.
Signed-off-by: buxiasen <buxiasen@xiaomi.com>
Fix MISRA Rule 10.3 exist clock to sclock cause wide type implicit conversion to narrow type, NSEC_PER_USEC to l
Signed-off-by: jiangtao16 <jiangtao16@xiaomi.com>
Signals in NuttX serve two primary purposes:
1. Synchronization and wake-up:
Signals can be used to block threads on specific signal sets and later
wake them up by delivering the corresponding signals to those threads.
2. Asynchronous notification:
Signals can also be used to install callback handlers for specific signals, allowing threads to
asynchronously invoke those handlers when the signals are delivered.
This change introduces the ability to disable all signal functionality to reduce footprint for NuttX.
Signed-off-by: Chengdong Wang wangchengdong@lixiang.com
issue description:
task A: NSH:
1.open-> reboot->sync->task_fsfsync
2.nx_vopen-> context switch
3.fdlist_allocate: ----> 4.fsync->file_sync->assert(inode or priv is empty)
(new fd with empty filep)
5.file_vopen:
(init empty filep)
6.return fd
Task A allocates a new fd with an empty filep in fdlist_allocate. Before
it can fully initialize the filep in file_vopen, the NSH task triggers a
file - system sync operation. The sync operation encounters the empty
filep associated with the newly allocated fd, causing the assertion to
fail and the system to crash.
To resolve this race condition, we should modify the fd allocation
process. Instead of allocating a new fd with an empty filep first and
then initializing it later, we should use the file_allocate_from_inode
function. This function allows us to initialize the file structure first
and then bind it to the new filep when allocating the fd. By doing so,
we ensure that the filep is always properly initialized before it is
used in any file - system operations, thus preventing the assertion
failure and the subsequent system crash.
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
Issue:
When using a stack-allocated file structure, the sequence:
1. file_open() initializes the stack file structure
2. file_mmap() creates memory mapping and increments reference count
3. file_munmap() decrements reference count and may free the file structure
4. file_close() attempts to close already freed structure → crash
Root cause:
The memory mapping operations (fs_reffilep/fs_putfilep) manage reference counts
independently and can free the stack-allocated file structure prematurely.
Solution:
- Add reference count protection during file_open() for stack-allocated files
- Clear reference count appropriately during file_close()
- This ensures the file structure remains valid throughout its lifetime
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
When a thread is terminated via pthread_exit() while blocked in epoll_wait(),
the file reference taken at the beginning of epoll_wait() is not properly
released, leading to resource leaks.
Problem scenario found during libuv test:
1. Echo server thread is blocked in epoll_wait()
2. Main task sends pthread_kill signal to the server thread
3. Signal handler calls pthread_exit() to terminate the thread
4. epoll_wait() is interrupted before reaching the file_put() call
5. The epoll fd reference count remains elevated
6. epoll_do_close() is never called, leaving fds in internal queues
7. File descriptors leak
Solution:
Register a TLS (Thread Local Storage) cleanup handler using tls_cleanup_push()
at the beginning of epoll_wait() blocking section. This ensures that if the
thread exits abnormally (via pthread_exit, pthread_cancel, etc.), the cleanup
handler (epoll_cleanup) will be called automatically to release the file
reference via file_put().
The cleanup handler is properly paired with tls_cleanup_pop() when epoll_wait()
completes normally, ensuring the handler is only invoked on abnormal exit.
This fix is applied to both epoll_wait() code paths (with and without extended
mode) to ensure consistent behavior.
Impact:
- Prevents epoll fd reference count leaks on thread cancellation
- Ensures proper cleanup even when epoll_wait() is interrupted by pthread_exit
- Critical for multi-threaded applications using signals and thread termination
- Works together with previous fix for teardown/oneshot list cleanup
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
When an epoll fd is closed, the file descriptors in the teardown and
oneshot lists were not being properly dereferenced, leading to fd leaks.
This fix ensures that all fds in the teardown and oneshot lists are
properly released via file_put() during epoll_do_close(), matching the
behavior for fds in the setup list.
Impact:
- Prevents fd leaks when epoll fd is closed
- Ensures proper cleanup of all tracked file descriptors
- Critical for applications using EPOLLONESHOT or fd removal operations
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
when i is zero and file_get is failed, num is -1,
it's uint32_max for nfds.
so remove num and simplify code logic.
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
nxsig_ismember() has a return type of int, but the current
implementation returns a boolean value, which is incorrect.
All callers should determine membership by checking whether
the return value is 1 or 0, which is also consistent with the POSIX sigismember() API.
Signed-off-by: Chengdong Wang wangchengdong@lixiang.com
It acts as register_driver but also populates the inode size.
This allows to return a non-zero size when calling stat() on an eeprom
driver.
The conditions (CONFIG_PSEUDOFS_FILE or CONFIG_FS_SHMFS) for the
declaration of the inode size field have also been removed so that other
drivers can populate this field in the future.
Signed-off-by: Antoine Juckler <6445757+ajuckler@users.noreply.github.com>
* Recurrency is removed from filesystem directory rename.
* Fixes use after free in buffer that was used as output and argument.
Signed-off-by: Tomasz 'CeDeROM' CEDRO <tomek@cedro.info>
To save more space (equivalent to the size of one erase sector of
MTD device) and to achieve faster read and write speeds, a method
for direct writing was introduced at the FTL layer.
This can be accomplished simply by using the following oflags during
the open operation:
1. O_DIRECT. when this flag is passed in, ftl internally uses
the direct write strategy and no read cache is used in ftl;
otherwise, each write will be executed with the minimum
granularity of flash erase sector size which means a
"sector read back - erase sector - write sector" operation
is performed by using a read cache buffer in heap.
2. O_SYNC. When this flag is passed in, we assume that the
flash has been erased in advance and no erasure operation
will be performed internally within ftl. O_SYNC will take
effect only when both O_DIRECT and O_SYNC are passed in
simultaneously.
3. For uniformity, we remapped the mount flag in mount.h and
unified it with the open flag in fcntl.h. The repetitive
parts of their definitions were reused, and the remaining
part of the mount flag redefine to the unused bit of open
flags.
Signed-off-by: jingfei <jingfei@xiaomi.com>
Double free occurred in lib_put_pathbuffer if CONFIG_FS_NOTIFY option
was enabled. The second if statement has to be called only if the
close operation returned error. The bug was introduced in 14f5c48
and was causing misc/lib_tempbuffer.c:141 debug assertion.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
these command FIOGCLEX/FIOCLEX/FIONCLEX are related to struct fd,
so need to use ioctl to implement.
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
This patch is a rework of the NuttX file descriptor implementation. The
goal is two-fold:
1. Improve POSIX compliance. The old implementation tied file description
to inode only, not the file struct. POSIX however dictates otherwise.
2. Fix a bug with descriptor duplication (dup2() and dup3()). There is
an existing race condition with this POSIX API that currently results
in a kernel side crash.
The crash occurs when a partially open / closed file descriptor is
duplicated. The reason for the crash is that even if the descriptor is
closed, the file might still be in use by the kernel (due to e.g. ongoing
write to file). The open file data is changed by file_dup3() and this
causes a crash in the device / drivers themselves as they lose access to
the inode and private data.
The fix is done by separating struct file into file and file descriptor
structs. The file struct can live on even if the descriptor is closed,
fixing the crash. This also fixes the POSIX issue, as two descriptors
can now point to the same file.
Signed-off-by: Ville Juven <ville.juven@unikie.com>
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
1. The call to file_close_without_clear in file_dup3 does not clear
the tag information, so there is no need to back it up.
2. file_dup3 don't need to copy tag information, tag is only valid for fd.
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
Currently the code is dumped into one massive file; fs_files. Move the
different logical parts into their own files.
Signed-off-by: Ville Juven <ville.juven@unikie.com>
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
When a new pseudofile is created, the inode reference count needs to
be bumped to protect the node.
Signed-off-by: Ville Juven <ville.juven@unikie.com>
Allow users to operate poll in the kernel using the file_poll
approach, as file is protected with reference counting,
making it more secure.
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
When we use fcntl for dup, an fd is directly passed. If we have opened FDCHECK. we need to restore this file descriptor.
open FDCHECK and test this:
`
int main(int ac, char **av)
{
int fd1= open("./1.txt", O_WRONLY | O_CREAT, 0666);
if (fd1 < 0)
{
printf("open err\n");
return fd1;
}
int fd2= open("./2.txt", O_WRONLY | O_CREAT, 0666);
if (fd2 < 0)
{
printf("open err\n");
close(fd1);
return fd2;
}
//close(fd2);
int fd3 = fcntl(fd1, F_DUPFD, fd2);
printf("fd3 = %d\n", fd3);
close(fd1);
close(fd3);
return 0;
}
`
Signed-off-by: zhangshoukui <zhangshoukui@xiaomi.com>
Add the noinstrument_function attribute to the poll_notify function
to avoid it being looped if -finstrument-functions is set to the
fs/vfs files.
Signed-off-by: Tiago Medicci Serrano <tiago.medicci@espressif.com>
Xiang Xiao
Abhishek Mishra
Lwazi Dube
zhanxiaoqi
Jari Nippula
Sumit6307
Piyush Patle
Huang Qi
dongjiuzhu1
buxiasen
jiangtao16
wangchengdong
guohao15
zhanghongyu
Antoine Juckler
chao an
Zhe Weng
Liu, Richard Jiayang
jingfei
Michal Lenc
Ville Juven
wangjianyu3
Lars Kruse
zhangshoukui
Tiago Medicci Serrano