HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
[linux/fpc-iii.git] / fs / char_dev.c
blob9154a2d7b195a8aa03fcae762e0af7530d2e38f8
1 /*
2 * linux/fs/char_dev.c
4 * Copyright (C) 1991, 1992 Linus Torvalds
5 */
7 #include <linux/init.h>
8 #include <linux/fs.h>
9 #include <linux/kdev_t.h>
10 #include <linux/slab.h>
11 #include <linux/string.h>
13 #include <linux/major.h>
14 #include <linux/errno.h>
15 #include <linux/module.h>
16 #include <linux/seq_file.h>
18 #include <linux/kobject.h>
19 #include <linux/kobj_map.h>
20 #include <linux/cdev.h>
21 #include <linux/mutex.h>
22 #include <linux/backing-dev.h>
23 #include <linux/tty.h>
25 #include "internal.h"
27 static struct kobj_map *cdev_map;
29 static DEFINE_MUTEX(chrdevs_lock);
31 static struct char_device_struct {
32 struct char_device_struct *next;
33 unsigned int major;
34 unsigned int baseminor;
35 int minorct;
36 char name[64];
37 struct cdev *cdev; /* will die */
38 } *chrdevs[CHRDEV_MAJOR_HASH_SIZE];
40 /* index in the above */
41 static inline int major_to_index(unsigned major)
43 return major % CHRDEV_MAJOR_HASH_SIZE;
46 #ifdef CONFIG_PROC_FS
48 void chrdev_show(struct seq_file *f, off_t offset)
50 struct char_device_struct *cd;
52 if (offset < CHRDEV_MAJOR_HASH_SIZE) {
53 mutex_lock(&chrdevs_lock);
54 for (cd = chrdevs[offset]; cd; cd = cd->next)
55 seq_printf(f, "%3d %s\n", cd->major, cd->name);
56 mutex_unlock(&chrdevs_lock);
60 #endif /* CONFIG_PROC_FS */
63 * Register a single major with a specified minor range.
65 * If major == 0 this functions will dynamically allocate a major and return
66 * its number.
68 * If major > 0 this function will attempt to reserve the passed range of
69 * minors and will return zero on success.
71 * Returns a -ve errno on failure.
73 static struct char_device_struct *
74 __register_chrdev_region(unsigned int major, unsigned int baseminor,
75 int minorct, const char *name)
77 struct char_device_struct *cd, **cp;
78 int ret = 0;
79 int i;
81 cd = kzalloc(sizeof(struct char_device_struct), GFP_KERNEL);
82 if (cd == NULL)
83 return ERR_PTR(-ENOMEM);
85 mutex_lock(&chrdevs_lock);
87 /* temporary */
88 if (major == 0) {
89 for (i = ARRAY_SIZE(chrdevs)-1; i > 0; i--) {
90 if (chrdevs[i] == NULL)
91 break;
94 if (i == 0) {
95 ret = -EBUSY;
96 goto out;
98 major = i;
101 cd->major = major;
102 cd->baseminor = baseminor;
103 cd->minorct = minorct;
104 strlcpy(cd->name, name, sizeof(cd->name));
106 i = major_to_index(major);
108 for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
109 if ((*cp)->major > major ||
110 ((*cp)->major == major &&
111 (((*cp)->baseminor >= baseminor) ||
112 ((*cp)->baseminor + (*cp)->minorct > baseminor))))
113 break;
115 /* Check for overlapping minor ranges. */
116 if (*cp && (*cp)->major == major) {
117 int old_min = (*cp)->baseminor;
118 int old_max = (*cp)->baseminor + (*cp)->minorct - 1;
119 int new_min = baseminor;
120 int new_max = baseminor + minorct - 1;
122 /* New driver overlaps from the left. */
123 if (new_max >= old_min && new_max <= old_max) {
124 ret = -EBUSY;
125 goto out;
128 /* New driver overlaps from the right. */
129 if (new_min <= old_max && new_min >= old_min) {
130 ret = -EBUSY;
131 goto out;
134 if (new_min < old_min && new_max > old_max) {
135 ret = -EBUSY;
136 goto out;
141 cd->next = *cp;
142 *cp = cd;
143 mutex_unlock(&chrdevs_lock);
144 return cd;
145 out:
146 mutex_unlock(&chrdevs_lock);
147 kfree(cd);
148 return ERR_PTR(ret);
151 static struct char_device_struct *
152 __unregister_chrdev_region(unsigned major, unsigned baseminor, int minorct)
154 struct char_device_struct *cd = NULL, **cp;
155 int i = major_to_index(major);
157 mutex_lock(&chrdevs_lock);
158 for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
159 if ((*cp)->major == major &&
160 (*cp)->baseminor == baseminor &&
161 (*cp)->minorct == minorct)
162 break;
163 if (*cp) {
164 cd = *cp;
165 *cp = cd->next;
167 mutex_unlock(&chrdevs_lock);
168 return cd;
172 * register_chrdev_region() - register a range of device numbers
173 * @from: the first in the desired range of device numbers; must include
174 * the major number.
175 * @count: the number of consecutive device numbers required
176 * @name: the name of the device or driver.
178 * Return value is zero on success, a negative error code on failure.
180 int register_chrdev_region(dev_t from, unsigned count, const char *name)
182 struct char_device_struct *cd;
183 dev_t to = from + count;
184 dev_t n, next;
186 for (n = from; n < to; n = next) {
187 next = MKDEV(MAJOR(n)+1, 0);
188 if (next > to)
189 next = to;
190 cd = __register_chrdev_region(MAJOR(n), MINOR(n),
191 next - n, name);
192 if (IS_ERR(cd))
193 goto fail;
195 return 0;
196 fail:
197 to = n;
198 for (n = from; n < to; n = next) {
199 next = MKDEV(MAJOR(n)+1, 0);
200 kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
202 return PTR_ERR(cd);
206 * alloc_chrdev_region() - register a range of char device numbers
207 * @dev: output parameter for first assigned number
208 * @baseminor: first of the requested range of minor numbers
209 * @count: the number of minor numbers required
210 * @name: the name of the associated device or driver
212 * Allocates a range of char device numbers. The major number will be
213 * chosen dynamically, and returned (along with the first minor number)
214 * in @dev. Returns zero or a negative error code.
216 int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count,
217 const char *name)
219 struct char_device_struct *cd;
220 cd = __register_chrdev_region(0, baseminor, count, name);
221 if (IS_ERR(cd))
222 return PTR_ERR(cd);
223 *dev = MKDEV(cd->major, cd->baseminor);
224 return 0;
228 * __register_chrdev() - create and register a cdev occupying a range of minors
229 * @major: major device number or 0 for dynamic allocation
230 * @baseminor: first of the requested range of minor numbers
231 * @count: the number of minor numbers required
232 * @name: name of this range of devices
233 * @fops: file operations associated with this devices
235 * If @major == 0 this functions will dynamically allocate a major and return
236 * its number.
238 * If @major > 0 this function will attempt to reserve a device with the given
239 * major number and will return zero on success.
241 * Returns a -ve errno on failure.
243 * The name of this device has nothing to do with the name of the device in
244 * /dev. It only helps to keep track of the different owners of devices. If
245 * your module name has only one type of devices it's ok to use e.g. the name
246 * of the module here.
248 int __register_chrdev(unsigned int major, unsigned int baseminor,
249 unsigned int count, const char *name,
250 const struct file_operations *fops)
252 struct char_device_struct *cd;
253 struct cdev *cdev;
254 int err = -ENOMEM;
256 cd = __register_chrdev_region(major, baseminor, count, name);
257 if (IS_ERR(cd))
258 return PTR_ERR(cd);
260 cdev = cdev_alloc();
261 if (!cdev)
262 goto out2;
264 cdev->owner = fops->owner;
265 cdev->ops = fops;
266 kobject_set_name(&cdev->kobj, "%s", name);
268 err = cdev_add(cdev, MKDEV(cd->major, baseminor), count);
269 if (err)
270 goto out;
272 cd->cdev = cdev;
274 return major ? 0 : cd->major;
275 out:
276 kobject_put(&cdev->kobj);
277 out2:
278 kfree(__unregister_chrdev_region(cd->major, baseminor, count));
279 return err;
283 * unregister_chrdev_region() - unregister a range of device numbers
284 * @from: the first in the range of numbers to unregister
285 * @count: the number of device numbers to unregister
287 * This function will unregister a range of @count device numbers,
288 * starting with @from. The caller should normally be the one who
289 * allocated those numbers in the first place...
291 void unregister_chrdev_region(dev_t from, unsigned count)
293 dev_t to = from + count;
294 dev_t n, next;
296 for (n = from; n < to; n = next) {
297 next = MKDEV(MAJOR(n)+1, 0);
298 if (next > to)
299 next = to;
300 kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
305 * __unregister_chrdev - unregister and destroy a cdev
306 * @major: major device number
307 * @baseminor: first of the range of minor numbers
308 * @count: the number of minor numbers this cdev is occupying
309 * @name: name of this range of devices
311 * Unregister and destroy the cdev occupying the region described by
312 * @major, @baseminor and @count. This function undoes what
313 * __register_chrdev() did.
315 void __unregister_chrdev(unsigned int major, unsigned int baseminor,
316 unsigned int count, const char *name)
318 struct char_device_struct *cd;
320 cd = __unregister_chrdev_region(major, baseminor, count);
321 if (cd && cd->cdev)
322 cdev_del(cd->cdev);
323 kfree(cd);
326 static DEFINE_SPINLOCK(cdev_lock);
328 static struct kobject *cdev_get(struct cdev *p)
330 struct module *owner = p->owner;
331 struct kobject *kobj;
333 if (owner && !try_module_get(owner))
334 return NULL;
335 kobj = kobject_get_unless_zero(&p->kobj);
336 if (!kobj)
337 module_put(owner);
338 return kobj;
341 void cdev_put(struct cdev *p)
343 if (p) {
344 struct module *owner = p->owner;
345 kobject_put(&p->kobj);
346 module_put(owner);
351 * Called every time a character special file is opened
353 static int chrdev_open(struct inode *inode, struct file *filp)
355 const struct file_operations *fops;
356 struct cdev *p;
357 struct cdev *new = NULL;
358 int ret = 0;
360 spin_lock(&cdev_lock);
361 p = inode->i_cdev;
362 if (!p) {
363 struct kobject *kobj;
364 int idx;
365 spin_unlock(&cdev_lock);
366 kobj = kobj_lookup(cdev_map, inode->i_rdev, &idx);
367 if (!kobj)
368 return -ENXIO;
369 new = container_of(kobj, struct cdev, kobj);
370 spin_lock(&cdev_lock);
371 /* Check i_cdev again in case somebody beat us to it while
372 we dropped the lock. */
373 p = inode->i_cdev;
374 if (!p) {
375 inode->i_cdev = p = new;
376 list_add(&inode->i_devices, &p->list);
377 new = NULL;
378 } else if (!cdev_get(p))
379 ret = -ENXIO;
380 } else if (!cdev_get(p))
381 ret = -ENXIO;
382 spin_unlock(&cdev_lock);
383 cdev_put(new);
384 if (ret)
385 return ret;
387 ret = -ENXIO;
388 fops = fops_get(p->ops);
389 if (!fops)
390 goto out_cdev_put;
392 replace_fops(filp, fops);
393 if (filp->f_op->open) {
394 ret = filp->f_op->open(inode, filp);
395 if (ret)
396 goto out_cdev_put;
399 return 0;
401 out_cdev_put:
402 cdev_put(p);
403 return ret;
406 void cd_forget(struct inode *inode)
408 spin_lock(&cdev_lock);
409 list_del_init(&inode->i_devices);
410 inode->i_cdev = NULL;
411 spin_unlock(&cdev_lock);
414 static void cdev_purge(struct cdev *cdev)
416 spin_lock(&cdev_lock);
417 while (!list_empty(&cdev->list)) {
418 struct inode *inode;
419 inode = container_of(cdev->list.next, struct inode, i_devices);
420 list_del_init(&inode->i_devices);
421 inode->i_cdev = NULL;
423 spin_unlock(&cdev_lock);
427 * Dummy default file-operations: the only thing this does
428 * is contain the open that then fills in the correct operations
429 * depending on the special file...
431 const struct file_operations def_chr_fops = {
432 .open = chrdev_open,
433 .llseek = noop_llseek,
436 static struct kobject *exact_match(dev_t dev, int *part, void *data)
438 struct cdev *p = data;
439 return &p->kobj;
442 static int exact_lock(dev_t dev, void *data)
444 struct cdev *p = data;
445 return cdev_get(p) ? 0 : -1;
449 * cdev_add() - add a char device to the system
450 * @p: the cdev structure for the device
451 * @dev: the first device number for which this device is responsible
452 * @count: the number of consecutive minor numbers corresponding to this
453 * device
455 * cdev_add() adds the device represented by @p to the system, making it
456 * live immediately. A negative error code is returned on failure.
458 int cdev_add(struct cdev *p, dev_t dev, unsigned count)
460 int error;
462 p->dev = dev;
463 p->count = count;
465 error = kobj_map(cdev_map, dev, count, NULL,
466 exact_match, exact_lock, p);
467 if (error)
468 return error;
470 kobject_get(p->kobj.parent);
472 return 0;
476 * cdev_set_parent() - set the parent kobject for a char device
477 * @p: the cdev structure
478 * @kobj: the kobject to take a reference to
480 * cdev_set_parent() sets a parent kobject which will be referenced
481 * appropriately so the parent is not freed before the cdev. This
482 * should be called before cdev_add.
484 void cdev_set_parent(struct cdev *p, struct kobject *kobj)
486 WARN_ON(!kobj->state_initialized);
487 p->kobj.parent = kobj;
491 * cdev_device_add() - add a char device and it's corresponding
492 * struct device, linkink
493 * @dev: the device structure
494 * @cdev: the cdev structure
496 * cdev_device_add() adds the char device represented by @cdev to the system,
497 * just as cdev_add does. It then adds @dev to the system using device_add
498 * The dev_t for the char device will be taken from the struct device which
499 * needs to be initialized first. This helper function correctly takes a
500 * reference to the parent device so the parent will not get released until
501 * all references to the cdev are released.
503 * This helper uses dev->devt for the device number. If it is not set
504 * it will not add the cdev and it will be equivalent to device_add.
506 * This function should be used whenever the struct cdev and the
507 * struct device are members of the same structure whose lifetime is
508 * managed by the struct device.
510 * NOTE: Callers must assume that userspace was able to open the cdev and
511 * can call cdev fops callbacks at any time, even if this function fails.
513 int cdev_device_add(struct cdev *cdev, struct device *dev)
515 int rc = 0;
517 if (dev->devt) {
518 cdev_set_parent(cdev, &dev->kobj);
520 rc = cdev_add(cdev, dev->devt, 1);
521 if (rc)
522 return rc;
525 rc = device_add(dev);
526 if (rc)
527 cdev_del(cdev);
529 return rc;
533 * cdev_device_del() - inverse of cdev_device_add
534 * @dev: the device structure
535 * @cdev: the cdev structure
537 * cdev_device_del() is a helper function to call cdev_del and device_del.
538 * It should be used whenever cdev_device_add is used.
540 * If dev->devt is not set it will not remove the cdev and will be equivalent
541 * to device_del.
543 * NOTE: This guarantees that associated sysfs callbacks are not running
544 * or runnable, however any cdevs already open will remain and their fops
545 * will still be callable even after this function returns.
547 void cdev_device_del(struct cdev *cdev, struct device *dev)
549 device_del(dev);
550 if (dev->devt)
551 cdev_del(cdev);
554 static void cdev_unmap(dev_t dev, unsigned count)
556 kobj_unmap(cdev_map, dev, count);
560 * cdev_del() - remove a cdev from the system
561 * @p: the cdev structure to be removed
563 * cdev_del() removes @p from the system, possibly freeing the structure
564 * itself.
566 * NOTE: This guarantees that cdev device will no longer be able to be
567 * opened, however any cdevs already open will remain and their fops will
568 * still be callable even after cdev_del returns.
570 void cdev_del(struct cdev *p)
572 cdev_unmap(p->dev, p->count);
573 kobject_put(&p->kobj);
577 static void cdev_default_release(struct kobject *kobj)
579 struct cdev *p = container_of(kobj, struct cdev, kobj);
580 struct kobject *parent = kobj->parent;
582 cdev_purge(p);
583 kobject_put(parent);
586 static void cdev_dynamic_release(struct kobject *kobj)
588 struct cdev *p = container_of(kobj, struct cdev, kobj);
589 struct kobject *parent = kobj->parent;
591 cdev_purge(p);
592 kfree(p);
593 kobject_put(parent);
596 static struct kobj_type ktype_cdev_default = {
597 .release = cdev_default_release,
600 static struct kobj_type ktype_cdev_dynamic = {
601 .release = cdev_dynamic_release,
605 * cdev_alloc() - allocate a cdev structure
607 * Allocates and returns a cdev structure, or NULL on failure.
609 struct cdev *cdev_alloc(void)
611 struct cdev *p = kzalloc(sizeof(struct cdev), GFP_KERNEL);
612 if (p) {
613 INIT_LIST_HEAD(&p->list);
614 kobject_init(&p->kobj, &ktype_cdev_dynamic);
616 return p;
620 * cdev_init() - initialize a cdev structure
621 * @cdev: the structure to initialize
622 * @fops: the file_operations for this device
624 * Initializes @cdev, remembering @fops, making it ready to add to the
625 * system with cdev_add().
627 void cdev_init(struct cdev *cdev, const struct file_operations *fops)
629 memset(cdev, 0, sizeof *cdev);
630 INIT_LIST_HEAD(&cdev->list);
631 kobject_init(&cdev->kobj, &ktype_cdev_default);
632 cdev->ops = fops;
635 static struct kobject *base_probe(dev_t dev, int *part, void *data)
637 if (request_module("char-major-%d-%d", MAJOR(dev), MINOR(dev)) > 0)
638 /* Make old-style 2.4 aliases work */
639 request_module("char-major-%d", MAJOR(dev));
640 return NULL;
643 void __init chrdev_init(void)
645 cdev_map = kobj_map_init(base_probe, &chrdevs_lock);
649 /* Let modules do char dev stuff */
650 EXPORT_SYMBOL(register_chrdev_region);
651 EXPORT_SYMBOL(unregister_chrdev_region);
652 EXPORT_SYMBOL(alloc_chrdev_region);
653 EXPORT_SYMBOL(cdev_init);
654 EXPORT_SYMBOL(cdev_alloc);
655 EXPORT_SYMBOL(cdev_del);
656 EXPORT_SYMBOL(cdev_add);
657 EXPORT_SYMBOL(cdev_set_parent);
658 EXPORT_SYMBOL(cdev_device_add);
659 EXPORT_SYMBOL(cdev_device_del);
660 EXPORT_SYMBOL(__register_chrdev);
661 EXPORT_SYMBOL(__unregister_chrdev);