xen: Prevent buffer overflow in privcmd ioctl
[linux/fpc-iii.git] / fs / char_dev.c
blob44a240c4bb658149c2d2b5b527af35fbf1a95d49
1 /*
2 * linux/fs/char_dev.c
4 * Copyright (C) 1991, 1992 Linus Torvalds
5 */
7 #include <linux/init.h>
8 #include <linux/fs.h>
9 #include <linux/kdev_t.h>
10 #include <linux/slab.h>
11 #include <linux/string.h>
13 #include <linux/major.h>
14 #include <linux/errno.h>
15 #include <linux/module.h>
16 #include <linux/seq_file.h>
18 #include <linux/kobject.h>
19 #include <linux/kobj_map.h>
20 #include <linux/cdev.h>
21 #include <linux/mutex.h>
22 #include <linux/backing-dev.h>
23 #include <linux/tty.h>
25 #include "internal.h"
27 static struct kobj_map *cdev_map;
29 static DEFINE_MUTEX(chrdevs_lock);
31 static struct char_device_struct {
32 struct char_device_struct *next;
33 unsigned int major;
34 unsigned int baseminor;
35 int minorct;
36 char name[64];
37 struct cdev *cdev; /* will die */
38 } *chrdevs[CHRDEV_MAJOR_HASH_SIZE];
40 /* index in the above */
41 static inline int major_to_index(unsigned major)
43 return major % CHRDEV_MAJOR_HASH_SIZE;
46 #ifdef CONFIG_PROC_FS
48 void chrdev_show(struct seq_file *f, off_t offset)
50 struct char_device_struct *cd;
52 if (offset < CHRDEV_MAJOR_HASH_SIZE) {
53 mutex_lock(&chrdevs_lock);
54 for (cd = chrdevs[offset]; cd; cd = cd->next)
55 seq_printf(f, "%3d %s\n", cd->major, cd->name);
56 mutex_unlock(&chrdevs_lock);
60 #endif /* CONFIG_PROC_FS */
63 * Register a single major with a specified minor range.
65 * If major == 0 this functions will dynamically allocate a major and return
66 * its number.
68 * If major > 0 this function will attempt to reserve the passed range of
69 * minors and will return zero on success.
71 * Returns a -ve errno on failure.
73 static struct char_device_struct *
74 __register_chrdev_region(unsigned int major, unsigned int baseminor,
75 int minorct, const char *name)
77 struct char_device_struct *cd, **cp;
78 int ret = 0;
79 int i;
81 cd = kzalloc(sizeof(struct char_device_struct), GFP_KERNEL);
82 if (cd == NULL)
83 return ERR_PTR(-ENOMEM);
85 mutex_lock(&chrdevs_lock);
87 /* temporary */
88 if (major == 0) {
89 for (i = ARRAY_SIZE(chrdevs)-1; i > 0; i--) {
90 if (chrdevs[i] == NULL)
91 break;
94 if (i < CHRDEV_MAJOR_DYN_END)
95 pr_warn("CHRDEV \"%s\" major number %d goes below the dynamic allocation range\n",
96 name, i);
98 if (i == 0) {
99 ret = -EBUSY;
100 goto out;
102 major = i;
105 cd->major = major;
106 cd->baseminor = baseminor;
107 cd->minorct = minorct;
108 strlcpy(cd->name, name, sizeof(cd->name));
110 i = major_to_index(major);
112 for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
113 if ((*cp)->major > major ||
114 ((*cp)->major == major &&
115 (((*cp)->baseminor >= baseminor) ||
116 ((*cp)->baseminor + (*cp)->minorct > baseminor))))
117 break;
119 /* Check for overlapping minor ranges. */
120 if (*cp && (*cp)->major == major) {
121 int old_min = (*cp)->baseminor;
122 int old_max = (*cp)->baseminor + (*cp)->minorct - 1;
123 int new_min = baseminor;
124 int new_max = baseminor + minorct - 1;
126 /* New driver overlaps from the left. */
127 if (new_max >= old_min && new_max <= old_max) {
128 ret = -EBUSY;
129 goto out;
132 /* New driver overlaps from the right. */
133 if (new_min <= old_max && new_min >= old_min) {
134 ret = -EBUSY;
135 goto out;
139 cd->next = *cp;
140 *cp = cd;
141 mutex_unlock(&chrdevs_lock);
142 return cd;
143 out:
144 mutex_unlock(&chrdevs_lock);
145 kfree(cd);
146 return ERR_PTR(ret);
149 static struct char_device_struct *
150 __unregister_chrdev_region(unsigned major, unsigned baseminor, int minorct)
152 struct char_device_struct *cd = NULL, **cp;
153 int i = major_to_index(major);
155 mutex_lock(&chrdevs_lock);
156 for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
157 if ((*cp)->major == major &&
158 (*cp)->baseminor == baseminor &&
159 (*cp)->minorct == minorct)
160 break;
161 if (*cp) {
162 cd = *cp;
163 *cp = cd->next;
165 mutex_unlock(&chrdevs_lock);
166 return cd;
170 * register_chrdev_region() - register a range of device numbers
171 * @from: the first in the desired range of device numbers; must include
172 * the major number.
173 * @count: the number of consecutive device numbers required
174 * @name: the name of the device or driver.
176 * Return value is zero on success, a negative error code on failure.
178 int register_chrdev_region(dev_t from, unsigned count, const char *name)
180 struct char_device_struct *cd;
181 dev_t to = from + count;
182 dev_t n, next;
184 for (n = from; n < to; n = next) {
185 next = MKDEV(MAJOR(n)+1, 0);
186 if (next > to)
187 next = to;
188 cd = __register_chrdev_region(MAJOR(n), MINOR(n),
189 next - n, name);
190 if (IS_ERR(cd))
191 goto fail;
193 return 0;
194 fail:
195 to = n;
196 for (n = from; n < to; n = next) {
197 next = MKDEV(MAJOR(n)+1, 0);
198 kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
200 return PTR_ERR(cd);
204 * alloc_chrdev_region() - register a range of char device numbers
205 * @dev: output parameter for first assigned number
206 * @baseminor: first of the requested range of minor numbers
207 * @count: the number of minor numbers required
208 * @name: the name of the associated device or driver
210 * Allocates a range of char device numbers. The major number will be
211 * chosen dynamically, and returned (along with the first minor number)
212 * in @dev. Returns zero or a negative error code.
214 int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count,
215 const char *name)
217 struct char_device_struct *cd;
218 cd = __register_chrdev_region(0, baseminor, count, name);
219 if (IS_ERR(cd))
220 return PTR_ERR(cd);
221 *dev = MKDEV(cd->major, cd->baseminor);
222 return 0;
226 * __register_chrdev() - create and register a cdev occupying a range of minors
227 * @major: major device number or 0 for dynamic allocation
228 * @baseminor: first of the requested range of minor numbers
229 * @count: the number of minor numbers required
230 * @name: name of this range of devices
231 * @fops: file operations associated with this devices
233 * If @major == 0 this functions will dynamically allocate a major and return
234 * its number.
236 * If @major > 0 this function will attempt to reserve a device with the given
237 * major number and will return zero on success.
239 * Returns a -ve errno on failure.
241 * The name of this device has nothing to do with the name of the device in
242 * /dev. It only helps to keep track of the different owners of devices. If
243 * your module name has only one type of devices it's ok to use e.g. the name
244 * of the module here.
246 int __register_chrdev(unsigned int major, unsigned int baseminor,
247 unsigned int count, const char *name,
248 const struct file_operations *fops)
250 struct char_device_struct *cd;
251 struct cdev *cdev;
252 int err = -ENOMEM;
254 cd = __register_chrdev_region(major, baseminor, count, name);
255 if (IS_ERR(cd))
256 return PTR_ERR(cd);
258 cdev = cdev_alloc();
259 if (!cdev)
260 goto out2;
262 cdev->owner = fops->owner;
263 cdev->ops = fops;
264 kobject_set_name(&cdev->kobj, "%s", name);
266 err = cdev_add(cdev, MKDEV(cd->major, baseminor), count);
267 if (err)
268 goto out;
270 cd->cdev = cdev;
272 return major ? 0 : cd->major;
273 out:
274 kobject_put(&cdev->kobj);
275 out2:
276 kfree(__unregister_chrdev_region(cd->major, baseminor, count));
277 return err;
281 * unregister_chrdev_region() - unregister a range of device numbers
282 * @from: the first in the range of numbers to unregister
283 * @count: the number of device numbers to unregister
285 * This function will unregister a range of @count device numbers,
286 * starting with @from. The caller should normally be the one who
287 * allocated those numbers in the first place...
289 void unregister_chrdev_region(dev_t from, unsigned count)
291 dev_t to = from + count;
292 dev_t n, next;
294 for (n = from; n < to; n = next) {
295 next = MKDEV(MAJOR(n)+1, 0);
296 if (next > to)
297 next = to;
298 kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
303 * __unregister_chrdev - unregister and destroy a cdev
304 * @major: major device number
305 * @baseminor: first of the range of minor numbers
306 * @count: the number of minor numbers this cdev is occupying
307 * @name: name of this range of devices
309 * Unregister and destroy the cdev occupying the region described by
310 * @major, @baseminor and @count. This function undoes what
311 * __register_chrdev() did.
313 void __unregister_chrdev(unsigned int major, unsigned int baseminor,
314 unsigned int count, const char *name)
316 struct char_device_struct *cd;
318 cd = __unregister_chrdev_region(major, baseminor, count);
319 if (cd && cd->cdev)
320 cdev_del(cd->cdev);
321 kfree(cd);
324 static DEFINE_SPINLOCK(cdev_lock);
326 static struct kobject *cdev_get(struct cdev *p)
328 struct module *owner = p->owner;
329 struct kobject *kobj;
331 if (owner && !try_module_get(owner))
332 return NULL;
333 kobj = kobject_get(&p->kobj);
334 if (!kobj)
335 module_put(owner);
336 return kobj;
339 void cdev_put(struct cdev *p)
341 if (p) {
342 struct module *owner = p->owner;
343 kobject_put(&p->kobj);
344 module_put(owner);
349 * Called every time a character special file is opened
351 static int chrdev_open(struct inode *inode, struct file *filp)
353 const struct file_operations *fops;
354 struct cdev *p;
355 struct cdev *new = NULL;
356 int ret = 0;
358 spin_lock(&cdev_lock);
359 p = inode->i_cdev;
360 if (!p) {
361 struct kobject *kobj;
362 int idx;
363 spin_unlock(&cdev_lock);
364 kobj = kobj_lookup(cdev_map, inode->i_rdev, &idx);
365 if (!kobj)
366 return -ENXIO;
367 new = container_of(kobj, struct cdev, kobj);
368 spin_lock(&cdev_lock);
369 /* Check i_cdev again in case somebody beat us to it while
370 we dropped the lock. */
371 p = inode->i_cdev;
372 if (!p) {
373 inode->i_cdev = p = new;
374 list_add(&inode->i_devices, &p->list);
375 new = NULL;
376 } else if (!cdev_get(p))
377 ret = -ENXIO;
378 } else if (!cdev_get(p))
379 ret = -ENXIO;
380 spin_unlock(&cdev_lock);
381 cdev_put(new);
382 if (ret)
383 return ret;
385 ret = -ENXIO;
386 fops = fops_get(p->ops);
387 if (!fops)
388 goto out_cdev_put;
390 replace_fops(filp, fops);
391 if (filp->f_op->open) {
392 ret = filp->f_op->open(inode, filp);
393 if (ret)
394 goto out_cdev_put;
397 return 0;
399 out_cdev_put:
400 cdev_put(p);
401 return ret;
404 void cd_forget(struct inode *inode)
406 spin_lock(&cdev_lock);
407 list_del_init(&inode->i_devices);
408 inode->i_cdev = NULL;
409 inode->i_mapping = &inode->i_data;
410 spin_unlock(&cdev_lock);
413 static void cdev_purge(struct cdev *cdev)
415 spin_lock(&cdev_lock);
416 while (!list_empty(&cdev->list)) {
417 struct inode *inode;
418 inode = container_of(cdev->list.next, struct inode, i_devices);
419 list_del_init(&inode->i_devices);
420 inode->i_cdev = NULL;
422 spin_unlock(&cdev_lock);
426 * Dummy default file-operations: the only thing this does
427 * is contain the open that then fills in the correct operations
428 * depending on the special file...
430 const struct file_operations def_chr_fops = {
431 .open = chrdev_open,
432 .llseek = noop_llseek,
435 static struct kobject *exact_match(dev_t dev, int *part, void *data)
437 struct cdev *p = data;
438 return &p->kobj;
441 static int exact_lock(dev_t dev, void *data)
443 struct cdev *p = data;
444 return cdev_get(p) ? 0 : -1;
448 * cdev_add() - add a char device to the system
449 * @p: the cdev structure for the device
450 * @dev: the first device number for which this device is responsible
451 * @count: the number of consecutive minor numbers corresponding to this
452 * device
454 * cdev_add() adds the device represented by @p to the system, making it
455 * live immediately. A negative error code is returned on failure.
457 int cdev_add(struct cdev *p, dev_t dev, unsigned count)
459 int error;
461 p->dev = dev;
462 p->count = count;
464 error = kobj_map(cdev_map, dev, count, NULL,
465 exact_match, exact_lock, p);
466 if (error)
467 return error;
469 kobject_get(p->kobj.parent);
471 return 0;
474 static void cdev_unmap(dev_t dev, unsigned count)
476 kobj_unmap(cdev_map, dev, count);
480 * cdev_del() - remove a cdev from the system
481 * @p: the cdev structure to be removed
483 * cdev_del() removes @p from the system, possibly freeing the structure
484 * itself.
486 void cdev_del(struct cdev *p)
488 cdev_unmap(p->dev, p->count);
489 kobject_put(&p->kobj);
493 static void cdev_default_release(struct kobject *kobj)
495 struct cdev *p = container_of(kobj, struct cdev, kobj);
496 struct kobject *parent = kobj->parent;
498 cdev_purge(p);
499 kobject_put(parent);
502 static void cdev_dynamic_release(struct kobject *kobj)
504 struct cdev *p = container_of(kobj, struct cdev, kobj);
505 struct kobject *parent = kobj->parent;
507 cdev_purge(p);
508 kfree(p);
509 kobject_put(parent);
512 static struct kobj_type ktype_cdev_default = {
513 .release = cdev_default_release,
516 static struct kobj_type ktype_cdev_dynamic = {
517 .release = cdev_dynamic_release,
521 * cdev_alloc() - allocate a cdev structure
523 * Allocates and returns a cdev structure, or NULL on failure.
525 struct cdev *cdev_alloc(void)
527 struct cdev *p = kzalloc(sizeof(struct cdev), GFP_KERNEL);
528 if (p) {
529 INIT_LIST_HEAD(&p->list);
530 kobject_init(&p->kobj, &ktype_cdev_dynamic);
532 return p;
536 * cdev_init() - initialize a cdev structure
537 * @cdev: the structure to initialize
538 * @fops: the file_operations for this device
540 * Initializes @cdev, remembering @fops, making it ready to add to the
541 * system with cdev_add().
543 void cdev_init(struct cdev *cdev, const struct file_operations *fops)
545 memset(cdev, 0, sizeof *cdev);
546 INIT_LIST_HEAD(&cdev->list);
547 kobject_init(&cdev->kobj, &ktype_cdev_default);
548 cdev->ops = fops;
551 static struct kobject *base_probe(dev_t dev, int *part, void *data)
553 if (request_module("char-major-%d-%d", MAJOR(dev), MINOR(dev)) > 0)
554 /* Make old-style 2.4 aliases work */
555 request_module("char-major-%d", MAJOR(dev));
556 return NULL;
559 void __init chrdev_init(void)
561 cdev_map = kobj_map_init(base_probe, &chrdevs_lock);
565 /* Let modules do char dev stuff */
566 EXPORT_SYMBOL(register_chrdev_region);
567 EXPORT_SYMBOL(unregister_chrdev_region);
568 EXPORT_SYMBOL(alloc_chrdev_region);
569 EXPORT_SYMBOL(cdev_init);
570 EXPORT_SYMBOL(cdev_alloc);
571 EXPORT_SYMBOL(cdev_del);
572 EXPORT_SYMBOL(cdev_add);
573 EXPORT_SYMBOL(__register_chrdev);
574 EXPORT_SYMBOL(__unregister_chrdev);