Skip to content

syscall: fcntl param3 type to uintptr_t#18810

Merged
acassis merged 1 commit intoapache:masterfrom
tiiuae:fix_fcntl_syscall_upstream
Apr 27, 2026
Merged

syscall: fcntl param3 type to uintptr_t#18810
acassis merged 1 commit intoapache:masterfrom
tiiuae:fix_fcntl_syscall_upstream

Conversation

@jnippula
Copy link
Copy Markdown
Contributor

@jnippula jnippula commented Apr 27, 2026

Summary

fcntl syscall causes crash in RV64 build. Casting int to uintptr_t causes
32-bit user side pointer to end up 0xffffffffc0xxxxxx instead of 0x000000c0xxxxxx.

The parm3 in fcntl syscall API shall be uintptr_t instead of int
"fcntl","fcntl.h","","int","int","int","...","uintptr_t"

Impact

Kernel crash in case of file lock used

[CPU1] riscv_exception: EXCEPTION: Load page fault. MCAUSE: 000000000000000d, EPC: 00000000a0012c22, MTVAL: ffffffffc2008e78
[CPU1] riscv_exception: PANIC!!! Exception = 000000000000000d
[CPU1] dump_assert_info: Current Version: NuttX  12.11.0 ee2c4a040a Apr 24 2026 16:25:00 risc-v
[CPU1] dump_assert_info: Assertion failed panic: at file: common/riscv_exception.c:134 task(CPU1): moi_agent_daemon process: moi_agent_daemon 0xc000013e
[CPU1] up_dump_register: EPC: 00000000a0012c22
[CPU1] up_dump_register: A0: 00000000a20af968 A1: ffffffffc2008e78 A2: 00000000a20a2d98 A3: 00000000000000ea
[CPU1] up_dump_register: A4: 0000000000000010 A5: ffffffffffffffe7 A6: 8000000200046022 A7: 0000000000000001
[CPU1] up_dump_register: T0: 0000000000000000 T1: 00000000a001b0b4 T2: 0000000000000000 T3: 000000000000000b
[CPU1] up_dump_register: T4: 0000000000000003 T5: 0000000000000000 T6: 00000000c2008d65
[CPU1] up_dump_register: S0: ffffffffc2008e78 S1: 000000000000000b S2: 0000000000000047 S3: 0000000000000001
[CPU1] up_dump_register: S4: 0000000000000000 S5: 0000000000000002 S6: 00000000a002a7e6 S7: 00000000a2001154
[CPU1] up_dump_register: S8: 00000000a20af968 S9: 0000000000000000 S10: 00000000a20aed38 S11: 0000000000000000
[CPU1] up_dump_register: SP: 00000000a20a2d78 FP: ffffffffc2008e78 TP: 0000000000000000 RA: 00000000a0012ea2
[CPU1] dump_stackinfo: Kernel Stack:
[CPU1] dump_stackinfo:   base: 0xa20a1040
[CPU1] dump_stackinfo:   size: 00008192
[CPU1] dump_stackinfo:     sp: 0xa20a2d78

Crash occurs in file_lock_normalize, where A1 contains incorrect address to reference.

00000000a0012c20 <file_lock_normalize>:
    a0012c20:   00059703                lh      a4,0(a1)

Conversion from int to uintptr_t in PROXY_fcntl.c causes upper word to be 0xffffffff because the 32-bit int 0xc0xxxxxx has bit31 set (negative value).

Testing

Build target: RISC-V mpfs based custom hardware.
File lock feature enabled (CONFIG_FS_LOCK_BUCKET_SIZE) and used to
protect against simultaneous accesses.

static int daemon_lock_acquire(void)
{
	size_t lock_name_len = sizeof(((struct sockaddr_un *)0)->sun_path);
	char lock_file[lock_name_len] = {0};

	snprintf(lock_file, lock_name_len, g_daemon_lock_file, basename(progname));

	int fd = open(lock_file, O_RDWR | O_CREAT | O_CLOEXEC, 0600);

	if (fd < 0) {
		perror("Unable to open daemon lock file");
		return -1;
	}

	struct flock lock = {
		.l_type = F_WRLCK,
		.l_whence = SEEK_SET,
		.l_start = 0,
		.l_len = 0,
	};

	if (fcntl(fd, F_SETLK, &lock) < 0) {
		if (errno == EACCES || errno == EAGAIN) {
			struct flock lock_owner = {
				.l_type = F_WRLCK,
				.l_whence = SEEK_SET,
				.l_start = 0,
				.l_len = 0,
			};

			if (fcntl(fd, F_GETLK, &lock_owner) >= 0 && lock_owner.l_type != F_UNLCK) {
				fprintf(stderr, "Daemon lock owner pid: %d (lock file: %s)\n", (int)lock_owner.l_pid, lock_file);
			}
			errno = EALREADY;
			perror("Daemon already running");

		} else {
			perror("Unable to acquire daemon lock");
		}

		close(fd);
		return -1;
	}

	g_daemon_lock_fd = fd;
	return 0;
}

Without the fix the kernel crash occurs:
[CPU1] riscv_exception: EXCEPTION: Load page fault. MCAUSE: 000000000000000d, EPC: 00000000a0012c22, MTVAL: ffffffffc2008e78

With fixed fcntl syscall the file lock works properly, no crash occurs.

@jnippula
syscall: fcntl param3 type to uintptr_t
04f3062 
Fixing incorrect 32->64bit pointer conversion

Signed-off-by: Jari Nippula <jari.nippula@tii.ae>
@github-actions github-actions Bot added Area: OS Components OS Components issues Size: XS The size of the change in this PR is very small labels Apr 27, 2026
xiaoxiang781216
xiaoxiang781216 approved these changes Apr 27, 2026
View reviewed changes
Comment thread syscall/syscall.csv
@acassis acassis merged commit d167819 into apache:master Apr 27, 2026
41 checks passed
@jnippula jnippula deleted the fix_fcntl_syscall_upstream branch April 28, 2026 05:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@acassis acassis acassis approved these changes

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 approved these changes

@pussuw pussuw Awaiting requested review from pussuw pussuw is a code owner

Assignees

No one assigned

Labels

Area: OS Components OS Components issues Size: XS The size of the change in this PR is very small

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jnippula @acassis @xiaoxiang781216