Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / i2c / i2c-dev.c
blob10e7f1e7658610b8e2b697cf6e355a999aa4f5b6
1 /*
2 i2c-dev.c - i2c-bus driver, char device interface
4 Copyright (C) 1995-97 Simon G. Vogl
5 Copyright (C) 1998-99 Frodo Looijaard <frodol@dds.nl>
6 Copyright (C) 2003 Greg Kroah-Hartman <greg@kroah.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* Note that this is a complete rewrite of Simon Vogl's i2c-dev module.
24 But I have used so much of his original code and ideas that it seems
25 only fair to recognize him as co-author -- Frodo */
27 /* The I2C_RDWR ioctl code is written by Kolja Waschk <waschk@telos.de> */
29 #include <linux/kernel.h>
30 #include <linux/module.h>
31 #include <linux/device.h>
32 #include <linux/notifier.h>
33 #include <linux/fs.h>
34 #include <linux/slab.h>
35 #include <linux/init.h>
36 #include <linux/list.h>
37 #include <linux/i2c.h>
38 #include <linux/i2c-dev.h>
39 #include <linux/jiffies.h>
40 #include <linux/uaccess.h>
43 * An i2c_dev represents an i2c_adapter ... an I2C or SMBus master, not a
44 * slave (i2c_client) with which messages will be exchanged. It's coupled
45 * with a character special file which is accessed by user mode drivers.
47 * The list of i2c_dev structures is parallel to the i2c_adapter lists
48 * maintained by the driver model, and is updated using bus notifications.
50 struct i2c_dev {
51 struct list_head list;
52 struct i2c_adapter *adap;
53 struct device *dev;
56 #define I2C_MINORS 256
57 static LIST_HEAD(i2c_dev_list);
58 static DEFINE_SPINLOCK(i2c_dev_list_lock);
60 static struct i2c_dev *i2c_dev_get_by_minor(unsigned index)
62 struct i2c_dev *i2c_dev;
64 spin_lock(&i2c_dev_list_lock);
65 list_for_each_entry(i2c_dev, &i2c_dev_list, list) {
66 if (i2c_dev->adap->nr == index)
67 goto found;
69 i2c_dev = NULL;
70 found:
71 spin_unlock(&i2c_dev_list_lock);
72 return i2c_dev;
75 static struct i2c_dev *get_free_i2c_dev(struct i2c_adapter *adap)
77 struct i2c_dev *i2c_dev;
79 if (adap->nr >= I2C_MINORS) {
80 printk(KERN_ERR "i2c-dev: Out of device minors (%d)\n",
81 adap->nr);
82 return ERR_PTR(-ENODEV);
85 i2c_dev = kzalloc(sizeof(*i2c_dev), GFP_KERNEL);
86 if (!i2c_dev)
87 return ERR_PTR(-ENOMEM);
88 i2c_dev->adap = adap;
90 spin_lock(&i2c_dev_list_lock);
91 list_add_tail(&i2c_dev->list, &i2c_dev_list);
92 spin_unlock(&i2c_dev_list_lock);
93 return i2c_dev;
96 static void return_i2c_dev(struct i2c_dev *i2c_dev)
98 spin_lock(&i2c_dev_list_lock);
99 list_del(&i2c_dev->list);
100 spin_unlock(&i2c_dev_list_lock);
101 kfree(i2c_dev);
104 static ssize_t show_adapter_name(struct device *dev,
105 struct device_attribute *attr, char *buf)
107 struct i2c_dev *i2c_dev = i2c_dev_get_by_minor(MINOR(dev->devt));
109 if (!i2c_dev)
110 return -ENODEV;
111 return sprintf(buf, "%s\n", i2c_dev->adap->name);
113 static DEVICE_ATTR(name, S_IRUGO, show_adapter_name, NULL);
115 /* ------------------------------------------------------------------------- */
118 * After opening an instance of this character special file, a file
119 * descriptor starts out associated only with an i2c_adapter (and bus).
121 * Using the I2C_RDWR ioctl(), you can then *immediately* issue i2c_msg
122 * traffic to any devices on the bus used by that adapter. That's because
123 * the i2c_msg vectors embed all the addressing information they need, and
124 * are submitted directly to an i2c_adapter. However, SMBus-only adapters
125 * don't support that interface.
127 * To use read()/write() system calls on that file descriptor, or to use
128 * SMBus interfaces (and work with SMBus-only hosts!), you must first issue
129 * an I2C_SLAVE (or I2C_SLAVE_FORCE) ioctl. That configures an anonymous
130 * (never registered) i2c_client so it holds the addressing information
131 * needed by those system calls and by this SMBus interface.
134 static ssize_t i2cdev_read(struct file *file, char __user *buf, size_t count,
135 loff_t *offset)
137 char *tmp;
138 int ret;
140 struct i2c_client *client = file->private_data;
142 if (count > 8192)
143 count = 8192;
145 tmp = kmalloc(count, GFP_KERNEL);
146 if (tmp == NULL)
147 return -ENOMEM;
149 pr_debug("i2c-dev: i2c-%d reading %zu bytes.\n",
150 iminor(file->f_path.dentry->d_inode), count);
152 ret = i2c_master_recv(client, tmp, count);
153 if (ret >= 0)
154 ret = copy_to_user(buf, tmp, count) ? -EFAULT : ret;
155 kfree(tmp);
156 return ret;
159 static ssize_t i2cdev_write(struct file *file, const char __user *buf,
160 size_t count, loff_t *offset)
162 int ret;
163 char *tmp;
164 struct i2c_client *client = file->private_data;
166 if (count > 8192)
167 count = 8192;
169 tmp = memdup_user(buf, count);
170 if (IS_ERR(tmp))
171 return PTR_ERR(tmp);
173 pr_debug("i2c-dev: i2c-%d writing %zu bytes.\n",
174 iminor(file->f_path.dentry->d_inode), count);
176 ret = i2c_master_send(client, tmp, count);
177 kfree(tmp);
178 return ret;
181 static int i2cdev_check(struct device *dev, void *addrp)
183 struct i2c_client *client = i2c_verify_client(dev);
185 if (!client || client->addr != *(unsigned int *)addrp)
186 return 0;
188 return dev->driver ? -EBUSY : 0;
191 /* walk up mux tree */
192 static int i2cdev_check_mux_parents(struct i2c_adapter *adapter, int addr)
194 struct i2c_adapter *parent = i2c_parent_is_i2c_adapter(adapter);
195 int result;
197 result = device_for_each_child(&adapter->dev, &addr, i2cdev_check);
198 if (!result && parent)
199 result = i2cdev_check_mux_parents(parent, addr);
201 return result;
204 /* recurse down mux tree */
205 static int i2cdev_check_mux_children(struct device *dev, void *addrp)
207 int result;
209 if (dev->type == &i2c_adapter_type)
210 result = device_for_each_child(dev, addrp,
211 i2cdev_check_mux_children);
212 else
213 result = i2cdev_check(dev, addrp);
215 return result;
218 /* This address checking function differs from the one in i2c-core
219 in that it considers an address with a registered device, but no
220 driver bound to it, as NOT busy. */
221 static int i2cdev_check_addr(struct i2c_adapter *adapter, unsigned int addr)
223 struct i2c_adapter *parent = i2c_parent_is_i2c_adapter(adapter);
224 int result = 0;
226 if (parent)
227 result = i2cdev_check_mux_parents(parent, addr);
229 if (!result)
230 result = device_for_each_child(&adapter->dev, &addr,
231 i2cdev_check_mux_children);
233 return result;
236 static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
237 unsigned long arg)
239 struct i2c_rdwr_ioctl_data rdwr_arg;
240 struct i2c_msg *rdwr_pa;
241 u8 __user **data_ptrs;
242 int i, res;
244 if (copy_from_user(&rdwr_arg,
245 (struct i2c_rdwr_ioctl_data __user *)arg,
246 sizeof(rdwr_arg)))
247 return -EFAULT;
249 /* Put an arbitrary limit on the number of messages that can
250 * be sent at once */
251 if (rdwr_arg.nmsgs > I2C_RDRW_IOCTL_MAX_MSGS)
252 return -EINVAL;
254 rdwr_pa = memdup_user(rdwr_arg.msgs,
255 rdwr_arg.nmsgs * sizeof(struct i2c_msg));
256 if (IS_ERR(rdwr_pa))
257 return PTR_ERR(rdwr_pa);
259 data_ptrs = kmalloc(rdwr_arg.nmsgs * sizeof(u8 __user *), GFP_KERNEL);
260 if (data_ptrs == NULL) {
261 kfree(rdwr_pa);
262 return -ENOMEM;
265 res = 0;
266 for (i = 0; i < rdwr_arg.nmsgs; i++) {
267 /* Limit the size of the message to a sane amount;
268 * and don't let length change either. */
269 if ((rdwr_pa[i].len > 8192) ||
270 (rdwr_pa[i].flags & I2C_M_RECV_LEN)) {
271 res = -EINVAL;
272 break;
274 data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
275 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
276 if (IS_ERR(rdwr_pa[i].buf)) {
277 res = PTR_ERR(rdwr_pa[i].buf);
278 break;
281 if (res < 0) {
282 int j;
283 for (j = 0; j < i; ++j)
284 kfree(rdwr_pa[j].buf);
285 kfree(data_ptrs);
286 kfree(rdwr_pa);
287 return res;
290 res = i2c_transfer(client->adapter, rdwr_pa, rdwr_arg.nmsgs);
291 while (i-- > 0) {
292 if (res >= 0 && (rdwr_pa[i].flags & I2C_M_RD)) {
293 if (copy_to_user(data_ptrs[i], rdwr_pa[i].buf,
294 rdwr_pa[i].len))
295 res = -EFAULT;
297 kfree(rdwr_pa[i].buf);
299 kfree(data_ptrs);
300 kfree(rdwr_pa);
301 return res;
304 static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
305 unsigned long arg)
307 struct i2c_smbus_ioctl_data data_arg;
308 union i2c_smbus_data temp;
309 int datasize, res;
311 if (copy_from_user(&data_arg,
312 (struct i2c_smbus_ioctl_data __user *) arg,
313 sizeof(struct i2c_smbus_ioctl_data)))
314 return -EFAULT;
315 if ((data_arg.size != I2C_SMBUS_BYTE) &&
316 (data_arg.size != I2C_SMBUS_QUICK) &&
317 (data_arg.size != I2C_SMBUS_BYTE_DATA) &&
318 (data_arg.size != I2C_SMBUS_WORD_DATA) &&
319 (data_arg.size != I2C_SMBUS_PROC_CALL) &&
320 (data_arg.size != I2C_SMBUS_BLOCK_DATA) &&
321 (data_arg.size != I2C_SMBUS_I2C_BLOCK_BROKEN) &&
322 (data_arg.size != I2C_SMBUS_I2C_BLOCK_DATA) &&
323 (data_arg.size != I2C_SMBUS_BLOCK_PROC_CALL)) {
324 dev_dbg(&client->adapter->dev,
325 "size out of range (%x) in ioctl I2C_SMBUS.\n",
326 data_arg.size);
327 return -EINVAL;
329 /* Note that I2C_SMBUS_READ and I2C_SMBUS_WRITE are 0 and 1,
330 so the check is valid if size==I2C_SMBUS_QUICK too. */
331 if ((data_arg.read_write != I2C_SMBUS_READ) &&
332 (data_arg.read_write != I2C_SMBUS_WRITE)) {
333 dev_dbg(&client->adapter->dev,
334 "read_write out of range (%x) in ioctl I2C_SMBUS.\n",
335 data_arg.read_write);
336 return -EINVAL;
339 /* Note that command values are always valid! */
341 if ((data_arg.size == I2C_SMBUS_QUICK) ||
342 ((data_arg.size == I2C_SMBUS_BYTE) &&
343 (data_arg.read_write == I2C_SMBUS_WRITE)))
344 /* These are special: we do not use data */
345 return i2c_smbus_xfer(client->adapter, client->addr,
346 client->flags, data_arg.read_write,
347 data_arg.command, data_arg.size, NULL);
349 if (data_arg.data == NULL) {
350 dev_dbg(&client->adapter->dev,
351 "data is NULL pointer in ioctl I2C_SMBUS.\n");
352 return -EINVAL;
355 if ((data_arg.size == I2C_SMBUS_BYTE_DATA) ||
356 (data_arg.size == I2C_SMBUS_BYTE))
357 datasize = sizeof(data_arg.data->byte);
358 else if ((data_arg.size == I2C_SMBUS_WORD_DATA) ||
359 (data_arg.size == I2C_SMBUS_PROC_CALL))
360 datasize = sizeof(data_arg.data->word);
361 else /* size == smbus block, i2c block, or block proc. call */
362 datasize = sizeof(data_arg.data->block);
364 if ((data_arg.size == I2C_SMBUS_PROC_CALL) ||
365 (data_arg.size == I2C_SMBUS_BLOCK_PROC_CALL) ||
366 (data_arg.size == I2C_SMBUS_I2C_BLOCK_DATA) ||
367 (data_arg.read_write == I2C_SMBUS_WRITE)) {
368 if (copy_from_user(&temp, data_arg.data, datasize))
369 return -EFAULT;
371 if (data_arg.size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
372 /* Convert old I2C block commands to the new
373 convention. This preserves binary compatibility. */
374 data_arg.size = I2C_SMBUS_I2C_BLOCK_DATA;
375 if (data_arg.read_write == I2C_SMBUS_READ)
376 temp.block[0] = I2C_SMBUS_BLOCK_MAX;
378 res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
379 data_arg.read_write, data_arg.command, data_arg.size, &temp);
380 if (!res && ((data_arg.size == I2C_SMBUS_PROC_CALL) ||
381 (data_arg.size == I2C_SMBUS_BLOCK_PROC_CALL) ||
382 (data_arg.read_write == I2C_SMBUS_READ))) {
383 if (copy_to_user(data_arg.data, &temp, datasize))
384 return -EFAULT;
386 return res;
389 static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
391 struct i2c_client *client = file->private_data;
392 unsigned long funcs;
394 dev_dbg(&client->adapter->dev, "ioctl, cmd=0x%02x, arg=0x%02lx\n",
395 cmd, arg);
397 switch (cmd) {
398 case I2C_SLAVE:
399 case I2C_SLAVE_FORCE:
400 /* NOTE: devices set up to work with "new style" drivers
401 * can't use I2C_SLAVE, even when the device node is not
402 * bound to a driver. Only I2C_SLAVE_FORCE will work.
404 * Setting the PEC flag here won't affect kernel drivers,
405 * which will be using the i2c_client node registered with
406 * the driver model core. Likewise, when that client has
407 * the PEC flag already set, the i2c-dev driver won't see
408 * (or use) this setting.
410 if ((arg > 0x3ff) ||
411 (((client->flags & I2C_M_TEN) == 0) && arg > 0x7f))
412 return -EINVAL;
413 if (cmd == I2C_SLAVE && i2cdev_check_addr(client->adapter, arg))
414 return -EBUSY;
415 /* REVISIT: address could become busy later */
416 client->addr = arg;
417 return 0;
418 case I2C_TENBIT:
419 if (arg)
420 client->flags |= I2C_M_TEN;
421 else
422 client->flags &= ~I2C_M_TEN;
423 return 0;
424 case I2C_PEC:
425 if (arg)
426 client->flags |= I2C_CLIENT_PEC;
427 else
428 client->flags &= ~I2C_CLIENT_PEC;
429 return 0;
430 case I2C_FUNCS:
431 funcs = i2c_get_functionality(client->adapter);
432 return put_user(funcs, (unsigned long __user *)arg);
434 case I2C_RDWR:
435 return i2cdev_ioctl_rdrw(client, arg);
437 case I2C_SMBUS:
438 return i2cdev_ioctl_smbus(client, arg);
440 case I2C_RETRIES:
441 client->adapter->retries = arg;
442 break;
443 case I2C_TIMEOUT:
444 /* For historical reasons, user-space sets the timeout
445 * value in units of 10 ms.
447 client->adapter->timeout = msecs_to_jiffies(arg * 10);
448 break;
449 default:
450 /* NOTE: returning a fault code here could cause trouble
451 * in buggy userspace code. Some old kernel bugs returned
452 * zero in this case, and userspace code might accidentally
453 * have depended on that bug.
455 return -ENOTTY;
457 return 0;
460 static int i2cdev_open(struct inode *inode, struct file *file)
462 unsigned int minor = iminor(inode);
463 struct i2c_client *client;
464 struct i2c_adapter *adap;
465 struct i2c_dev *i2c_dev;
467 i2c_dev = i2c_dev_get_by_minor(minor);
468 if (!i2c_dev)
469 return -ENODEV;
471 adap = i2c_get_adapter(i2c_dev->adap->nr);
472 if (!adap)
473 return -ENODEV;
475 /* This creates an anonymous i2c_client, which may later be
476 * pointed to some address using I2C_SLAVE or I2C_SLAVE_FORCE.
478 * This client is ** NEVER REGISTERED ** with the driver model
479 * or I2C core code!! It just holds private copies of addressing
480 * information and maybe a PEC flag.
482 client = kzalloc(sizeof(*client), GFP_KERNEL);
483 if (!client) {
484 i2c_put_adapter(adap);
485 return -ENOMEM;
487 snprintf(client->name, I2C_NAME_SIZE, "i2c-dev %d", adap->nr);
489 client->adapter = adap;
490 file->private_data = client;
492 return 0;
495 static int i2cdev_release(struct inode *inode, struct file *file)
497 struct i2c_client *client = file->private_data;
499 i2c_put_adapter(client->adapter);
500 kfree(client);
501 file->private_data = NULL;
503 return 0;
506 static const struct file_operations i2cdev_fops = {
507 .owner = THIS_MODULE,
508 .llseek = no_llseek,
509 .read = i2cdev_read,
510 .write = i2cdev_write,
511 .unlocked_ioctl = i2cdev_ioctl,
512 .open = i2cdev_open,
513 .release = i2cdev_release,
516 /* ------------------------------------------------------------------------- */
518 static struct class *i2c_dev_class;
520 static int i2cdev_attach_adapter(struct device *dev, void *dummy)
522 struct i2c_adapter *adap;
523 struct i2c_dev *i2c_dev;
524 int res;
526 if (dev->type != &i2c_adapter_type)
527 return 0;
528 adap = to_i2c_adapter(dev);
530 i2c_dev = get_free_i2c_dev(adap);
531 if (IS_ERR(i2c_dev))
532 return PTR_ERR(i2c_dev);
534 /* register this i2c device with the driver core */
535 i2c_dev->dev = device_create(i2c_dev_class, &adap->dev,
536 MKDEV(I2C_MAJOR, adap->nr), NULL,
537 "i2c-%d", adap->nr);
538 if (IS_ERR(i2c_dev->dev)) {
539 res = PTR_ERR(i2c_dev->dev);
540 goto error;
542 res = device_create_file(i2c_dev->dev, &dev_attr_name);
543 if (res)
544 goto error_destroy;
546 pr_debug("i2c-dev: adapter [%s] registered as minor %d\n",
547 adap->name, adap->nr);
548 return 0;
549 error_destroy:
550 device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
551 error:
552 return_i2c_dev(i2c_dev);
553 return res;
556 static int i2cdev_detach_adapter(struct device *dev, void *dummy)
558 struct i2c_adapter *adap;
559 struct i2c_dev *i2c_dev;
561 if (dev->type != &i2c_adapter_type)
562 return 0;
563 adap = to_i2c_adapter(dev);
565 i2c_dev = i2c_dev_get_by_minor(adap->nr);
566 if (!i2c_dev) /* attach_adapter must have failed */
567 return 0;
569 device_remove_file(i2c_dev->dev, &dev_attr_name);
570 return_i2c_dev(i2c_dev);
571 device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
573 pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
574 return 0;
577 static int i2cdev_notifier_call(struct notifier_block *nb, unsigned long action,
578 void *data)
580 struct device *dev = data;
582 switch (action) {
583 case BUS_NOTIFY_ADD_DEVICE:
584 return i2cdev_attach_adapter(dev, NULL);
585 case BUS_NOTIFY_DEL_DEVICE:
586 return i2cdev_detach_adapter(dev, NULL);
589 return 0;
592 static struct notifier_block i2cdev_notifier = {
593 .notifier_call = i2cdev_notifier_call,
596 /* ------------------------------------------------------------------------- */
599 * module load/unload record keeping
602 static int __init i2c_dev_init(void)
604 int res;
606 printk(KERN_INFO "i2c /dev entries driver\n");
608 res = register_chrdev(I2C_MAJOR, "i2c", &i2cdev_fops);
609 if (res)
610 goto out;
612 i2c_dev_class = class_create(THIS_MODULE, "i2c-dev");
613 if (IS_ERR(i2c_dev_class)) {
614 res = PTR_ERR(i2c_dev_class);
615 goto out_unreg_chrdev;
618 /* Keep track of adapters which will be added or removed later */
619 res = bus_register_notifier(&i2c_bus_type, &i2cdev_notifier);
620 if (res)
621 goto out_unreg_class;
623 /* Bind to already existing adapters right away */
624 i2c_for_each_dev(NULL, i2cdev_attach_adapter);
626 return 0;
628 out_unreg_class:
629 class_destroy(i2c_dev_class);
630 out_unreg_chrdev:
631 unregister_chrdev(I2C_MAJOR, "i2c");
632 out:
633 printk(KERN_ERR "%s: Driver Initialisation failed\n", __FILE__);
634 return res;
637 static void __exit i2c_dev_exit(void)
639 bus_unregister_notifier(&i2c_bus_type, &i2cdev_notifier);
640 i2c_for_each_dev(NULL, i2cdev_detach_adapter);
641 class_destroy(i2c_dev_class);
642 unregister_chrdev(I2C_MAJOR, "i2c");
645 MODULE_AUTHOR("Frodo Looijaard <frodol@dds.nl> and "
646 "Simon G. Vogl <simon@tk.uni-linz.ac.at>");
647 MODULE_DESCRIPTION("I2C /dev entries driver");
648 MODULE_LICENSE("GPL");
650 module_init(i2c_dev_init);
651 module_exit(i2c_dev_exit);