mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-18 22:14:16 +00:00 
			
		
		
		
	 68faa679b8
			
		
	
	
		68faa679b8
		
	
	
	
	
		
			
			'chrdev_open()' calls 'cdev_get()' to obtain a reference to the 'struct cdev *' stashed in the 'i_cdev' field of the target inode structure. If the pointer is NULL, then it is initialised lazily by looking up the kobject in the 'cdev_map' and so the whole procedure is protected by the 'cdev_lock' spinlock to serialise initialisation of the shared pointer. Unfortunately, it is possible for the initialising thread to fail *after* installing the new pointer, for example if the subsequent '->open()' call on the file fails. In this case, 'cdev_put()' is called, the reference count on the kobject is dropped and, if nobody else has taken a reference, the release function is called which finally clears 'inode->i_cdev' from 'cdev_purge()' before potentially freeing the object. The problem here is that a racing thread can happily take the 'cdev_lock' and see the non-NULL pointer in the inode, which can result in a refcount increment from zero and a warning: | ------------[ cut here ]------------ | refcount_t: addition on 0; use-after-free. | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0 | Modules linked in: | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 | RIP: 0010:refcount_warn_saturate+0x6d/0xf0 | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08 | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282 | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000 | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798 | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039 | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700 | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700 | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0 | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 | Call Trace: | kobject_get+0x5c/0x60 | cdev_get+0x2b/0x60 | chrdev_open+0x55/0x220 | ? cdev_put.part.3+0x20/0x20 | do_dentry_open+0x13a/0x390 | path_openat+0x2c8/0x1470 | do_filp_open+0x93/0x100 | ? selinux_file_ioctl+0x17f/0x220 | do_sys_open+0x186/0x220 | do_syscall_64+0x48/0x150 | entry_SYSCALL_64_after_hwframe+0x44/0xa9 | RIP: 0033:0x7f3b87efcd0e | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4 | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000 | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000 | ---[ end trace 24f53ca58db8180a ]--- Since 'cdev_get()' can already fail to obtain a reference, simply move it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()', which will cause the racing thread to return -ENXIO if the initialising thread fails unexpectedly. Cc: Hillf Danton <hdanton@sina.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com Signed-off-by: Will Deacon <will@kernel.org> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		
			
				
	
	
		
			682 lines
		
	
	
	
		
			16 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			682 lines
		
	
	
	
		
			16 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0
 | |
| /*
 | |
|  *  linux/fs/char_dev.c
 | |
|  *
 | |
|  *  Copyright (C) 1991, 1992  Linus Torvalds
 | |
|  */
 | |
| 
 | |
| #include <linux/init.h>
 | |
| #include <linux/fs.h>
 | |
| #include <linux/kdev_t.h>
 | |
| #include <linux/slab.h>
 | |
| #include <linux/string.h>
 | |
| 
 | |
| #include <linux/major.h>
 | |
| #include <linux/errno.h>
 | |
| #include <linux/module.h>
 | |
| #include <linux/seq_file.h>
 | |
| 
 | |
| #include <linux/kobject.h>
 | |
| #include <linux/kobj_map.h>
 | |
| #include <linux/cdev.h>
 | |
| #include <linux/mutex.h>
 | |
| #include <linux/backing-dev.h>
 | |
| #include <linux/tty.h>
 | |
| 
 | |
| #include "internal.h"
 | |
| 
 | |
| static struct kobj_map *cdev_map;
 | |
| 
 | |
| static DEFINE_MUTEX(chrdevs_lock);
 | |
| 
 | |
| #define CHRDEV_MAJOR_HASH_SIZE 255
 | |
| 
 | |
| static struct char_device_struct {
 | |
| 	struct char_device_struct *next;
 | |
| 	unsigned int major;
 | |
| 	unsigned int baseminor;
 | |
| 	int minorct;
 | |
| 	char name[64];
 | |
| 	struct cdev *cdev;		/* will die */
 | |
| } *chrdevs[CHRDEV_MAJOR_HASH_SIZE];
 | |
| 
 | |
| /* index in the above */
 | |
| static inline int major_to_index(unsigned major)
 | |
| {
 | |
| 	return major % CHRDEV_MAJOR_HASH_SIZE;
 | |
| }
 | |
| 
 | |
| #ifdef CONFIG_PROC_FS
 | |
| 
 | |
| void chrdev_show(struct seq_file *f, off_t offset)
 | |
| {
 | |
| 	struct char_device_struct *cd;
 | |
| 
 | |
| 	mutex_lock(&chrdevs_lock);
 | |
| 	for (cd = chrdevs[major_to_index(offset)]; cd; cd = cd->next) {
 | |
| 		if (cd->major == offset)
 | |
| 			seq_printf(f, "%3d %s\n", cd->major, cd->name);
 | |
| 	}
 | |
| 	mutex_unlock(&chrdevs_lock);
 | |
| }
 | |
| 
 | |
| #endif /* CONFIG_PROC_FS */
 | |
| 
 | |
| static int find_dynamic_major(void)
 | |
| {
 | |
| 	int i;
 | |
| 	struct char_device_struct *cd;
 | |
| 
 | |
| 	for (i = ARRAY_SIZE(chrdevs)-1; i >= CHRDEV_MAJOR_DYN_END; i--) {
 | |
| 		if (chrdevs[i] == NULL)
 | |
| 			return i;
 | |
| 	}
 | |
| 
 | |
| 	for (i = CHRDEV_MAJOR_DYN_EXT_START;
 | |
| 	     i >= CHRDEV_MAJOR_DYN_EXT_END; i--) {
 | |
| 		for (cd = chrdevs[major_to_index(i)]; cd; cd = cd->next)
 | |
| 			if (cd->major == i)
 | |
| 				break;
 | |
| 
 | |
| 		if (cd == NULL)
 | |
| 			return i;
 | |
| 	}
 | |
| 
 | |
| 	return -EBUSY;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Register a single major with a specified minor range.
 | |
|  *
 | |
|  * If major == 0 this function will dynamically allocate an unused major.
 | |
|  * If major > 0 this function will attempt to reserve the range of minors
 | |
|  * with given major.
 | |
|  *
 | |
|  */
 | |
| static struct char_device_struct *
 | |
| __register_chrdev_region(unsigned int major, unsigned int baseminor,
 | |
| 			   int minorct, const char *name)
 | |
| {
 | |
| 	struct char_device_struct *cd, *curr, *prev = NULL;
 | |
| 	int ret;
 | |
| 	int i;
 | |
| 
 | |
| 	if (major >= CHRDEV_MAJOR_MAX) {
 | |
| 		pr_err("CHRDEV \"%s\" major requested (%u) is greater than the maximum (%u)\n",
 | |
| 		       name, major, CHRDEV_MAJOR_MAX-1);
 | |
| 		return ERR_PTR(-EINVAL);
 | |
| 	}
 | |
| 
 | |
| 	if (minorct > MINORMASK + 1 - baseminor) {
 | |
| 		pr_err("CHRDEV \"%s\" minor range requested (%u-%u) is out of range of maximum range (%u-%u) for a single major\n",
 | |
| 			name, baseminor, baseminor + minorct - 1, 0, MINORMASK);
 | |
| 		return ERR_PTR(-EINVAL);
 | |
| 	}
 | |
| 
 | |
| 	cd = kzalloc(sizeof(struct char_device_struct), GFP_KERNEL);
 | |
| 	if (cd == NULL)
 | |
| 		return ERR_PTR(-ENOMEM);
 | |
| 
 | |
| 	mutex_lock(&chrdevs_lock);
 | |
| 
 | |
| 	if (major == 0) {
 | |
| 		ret = find_dynamic_major();
 | |
| 		if (ret < 0) {
 | |
| 			pr_err("CHRDEV \"%s\" dynamic allocation region is full\n",
 | |
| 			       name);
 | |
| 			goto out;
 | |
| 		}
 | |
| 		major = ret;
 | |
| 	}
 | |
| 
 | |
| 	ret = -EBUSY;
 | |
| 	i = major_to_index(major);
 | |
| 	for (curr = chrdevs[i]; curr; prev = curr, curr = curr->next) {
 | |
| 		if (curr->major < major)
 | |
| 			continue;
 | |
| 
 | |
| 		if (curr->major > major)
 | |
| 			break;
 | |
| 
 | |
| 		if (curr->baseminor + curr->minorct <= baseminor)
 | |
| 			continue;
 | |
| 
 | |
| 		if (curr->baseminor >= baseminor + minorct)
 | |
| 			break;
 | |
| 
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	cd->major = major;
 | |
| 	cd->baseminor = baseminor;
 | |
| 	cd->minorct = minorct;
 | |
| 	strlcpy(cd->name, name, sizeof(cd->name));
 | |
| 
 | |
| 	if (!prev) {
 | |
| 		cd->next = curr;
 | |
| 		chrdevs[i] = cd;
 | |
| 	} else {
 | |
| 		cd->next = prev->next;
 | |
| 		prev->next = cd;
 | |
| 	}
 | |
| 
 | |
| 	mutex_unlock(&chrdevs_lock);
 | |
| 	return cd;
 | |
| out:
 | |
| 	mutex_unlock(&chrdevs_lock);
 | |
| 	kfree(cd);
 | |
| 	return ERR_PTR(ret);
 | |
| }
 | |
| 
 | |
| static struct char_device_struct *
 | |
| __unregister_chrdev_region(unsigned major, unsigned baseminor, int minorct)
 | |
| {
 | |
| 	struct char_device_struct *cd = NULL, **cp;
 | |
| 	int i = major_to_index(major);
 | |
| 
 | |
| 	mutex_lock(&chrdevs_lock);
 | |
| 	for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
 | |
| 		if ((*cp)->major == major &&
 | |
| 		    (*cp)->baseminor == baseminor &&
 | |
| 		    (*cp)->minorct == minorct)
 | |
| 			break;
 | |
| 	if (*cp) {
 | |
| 		cd = *cp;
 | |
| 		*cp = cd->next;
 | |
| 	}
 | |
| 	mutex_unlock(&chrdevs_lock);
 | |
| 	return cd;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * register_chrdev_region() - register a range of device numbers
 | |
|  * @from: the first in the desired range of device numbers; must include
 | |
|  *        the major number.
 | |
|  * @count: the number of consecutive device numbers required
 | |
|  * @name: the name of the device or driver.
 | |
|  *
 | |
|  * Return value is zero on success, a negative error code on failure.
 | |
|  */
 | |
| int register_chrdev_region(dev_t from, unsigned count, const char *name)
 | |
| {
 | |
| 	struct char_device_struct *cd;
 | |
| 	dev_t to = from + count;
 | |
| 	dev_t n, next;
 | |
| 
 | |
| 	for (n = from; n < to; n = next) {
 | |
| 		next = MKDEV(MAJOR(n)+1, 0);
 | |
| 		if (next > to)
 | |
| 			next = to;
 | |
| 		cd = __register_chrdev_region(MAJOR(n), MINOR(n),
 | |
| 			       next - n, name);
 | |
| 		if (IS_ERR(cd))
 | |
| 			goto fail;
 | |
| 	}
 | |
| 	return 0;
 | |
| fail:
 | |
| 	to = n;
 | |
| 	for (n = from; n < to; n = next) {
 | |
| 		next = MKDEV(MAJOR(n)+1, 0);
 | |
| 		kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
 | |
| 	}
 | |
| 	return PTR_ERR(cd);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * alloc_chrdev_region() - register a range of char device numbers
 | |
|  * @dev: output parameter for first assigned number
 | |
|  * @baseminor: first of the requested range of minor numbers
 | |
|  * @count: the number of minor numbers required
 | |
|  * @name: the name of the associated device or driver
 | |
|  *
 | |
|  * Allocates a range of char device numbers.  The major number will be
 | |
|  * chosen dynamically, and returned (along with the first minor number)
 | |
|  * in @dev.  Returns zero or a negative error code.
 | |
|  */
 | |
| int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count,
 | |
| 			const char *name)
 | |
| {
 | |
| 	struct char_device_struct *cd;
 | |
| 	cd = __register_chrdev_region(0, baseminor, count, name);
 | |
| 	if (IS_ERR(cd))
 | |
| 		return PTR_ERR(cd);
 | |
| 	*dev = MKDEV(cd->major, cd->baseminor);
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * __register_chrdev() - create and register a cdev occupying a range of minors
 | |
|  * @major: major device number or 0 for dynamic allocation
 | |
|  * @baseminor: first of the requested range of minor numbers
 | |
|  * @count: the number of minor numbers required
 | |
|  * @name: name of this range of devices
 | |
|  * @fops: file operations associated with this devices
 | |
|  *
 | |
|  * If @major == 0 this functions will dynamically allocate a major and return
 | |
|  * its number.
 | |
|  *
 | |
|  * If @major > 0 this function will attempt to reserve a device with the given
 | |
|  * major number and will return zero on success.
 | |
|  *
 | |
|  * Returns a -ve errno on failure.
 | |
|  *
 | |
|  * The name of this device has nothing to do with the name of the device in
 | |
|  * /dev. It only helps to keep track of the different owners of devices. If
 | |
|  * your module name has only one type of devices it's ok to use e.g. the name
 | |
|  * of the module here.
 | |
|  */
 | |
| int __register_chrdev(unsigned int major, unsigned int baseminor,
 | |
| 		      unsigned int count, const char *name,
 | |
| 		      const struct file_operations *fops)
 | |
| {
 | |
| 	struct char_device_struct *cd;
 | |
| 	struct cdev *cdev;
 | |
| 	int err = -ENOMEM;
 | |
| 
 | |
| 	cd = __register_chrdev_region(major, baseminor, count, name);
 | |
| 	if (IS_ERR(cd))
 | |
| 		return PTR_ERR(cd);
 | |
| 
 | |
| 	cdev = cdev_alloc();
 | |
| 	if (!cdev)
 | |
| 		goto out2;
 | |
| 
 | |
| 	cdev->owner = fops->owner;
 | |
| 	cdev->ops = fops;
 | |
| 	kobject_set_name(&cdev->kobj, "%s", name);
 | |
| 
 | |
| 	err = cdev_add(cdev, MKDEV(cd->major, baseminor), count);
 | |
| 	if (err)
 | |
| 		goto out;
 | |
| 
 | |
| 	cd->cdev = cdev;
 | |
| 
 | |
| 	return major ? 0 : cd->major;
 | |
| out:
 | |
| 	kobject_put(&cdev->kobj);
 | |
| out2:
 | |
| 	kfree(__unregister_chrdev_region(cd->major, baseminor, count));
 | |
| 	return err;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * unregister_chrdev_region() - unregister a range of device numbers
 | |
|  * @from: the first in the range of numbers to unregister
 | |
|  * @count: the number of device numbers to unregister
 | |
|  *
 | |
|  * This function will unregister a range of @count device numbers,
 | |
|  * starting with @from.  The caller should normally be the one who
 | |
|  * allocated those numbers in the first place...
 | |
|  */
 | |
| void unregister_chrdev_region(dev_t from, unsigned count)
 | |
| {
 | |
| 	dev_t to = from + count;
 | |
| 	dev_t n, next;
 | |
| 
 | |
| 	for (n = from; n < to; n = next) {
 | |
| 		next = MKDEV(MAJOR(n)+1, 0);
 | |
| 		if (next > to)
 | |
| 			next = to;
 | |
| 		kfree(__unregister_chrdev_region(MAJOR(n), MINOR(n), next - n));
 | |
| 	}
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * __unregister_chrdev - unregister and destroy a cdev
 | |
|  * @major: major device number
 | |
|  * @baseminor: first of the range of minor numbers
 | |
|  * @count: the number of minor numbers this cdev is occupying
 | |
|  * @name: name of this range of devices
 | |
|  *
 | |
|  * Unregister and destroy the cdev occupying the region described by
 | |
|  * @major, @baseminor and @count.  This function undoes what
 | |
|  * __register_chrdev() did.
 | |
|  */
 | |
| void __unregister_chrdev(unsigned int major, unsigned int baseminor,
 | |
| 			 unsigned int count, const char *name)
 | |
| {
 | |
| 	struct char_device_struct *cd;
 | |
| 
 | |
| 	cd = __unregister_chrdev_region(major, baseminor, count);
 | |
| 	if (cd && cd->cdev)
 | |
| 		cdev_del(cd->cdev);
 | |
| 	kfree(cd);
 | |
| }
 | |
| 
 | |
| static DEFINE_SPINLOCK(cdev_lock);
 | |
| 
 | |
| static struct kobject *cdev_get(struct cdev *p)
 | |
| {
 | |
| 	struct module *owner = p->owner;
 | |
| 	struct kobject *kobj;
 | |
| 
 | |
| 	if (owner && !try_module_get(owner))
 | |
| 		return NULL;
 | |
| 	kobj = kobject_get_unless_zero(&p->kobj);
 | |
| 	if (!kobj)
 | |
| 		module_put(owner);
 | |
| 	return kobj;
 | |
| }
 | |
| 
 | |
| void cdev_put(struct cdev *p)
 | |
| {
 | |
| 	if (p) {
 | |
| 		struct module *owner = p->owner;
 | |
| 		kobject_put(&p->kobj);
 | |
| 		module_put(owner);
 | |
| 	}
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Called every time a character special file is opened
 | |
|  */
 | |
| static int chrdev_open(struct inode *inode, struct file *filp)
 | |
| {
 | |
| 	const struct file_operations *fops;
 | |
| 	struct cdev *p;
 | |
| 	struct cdev *new = NULL;
 | |
| 	int ret = 0;
 | |
| 
 | |
| 	spin_lock(&cdev_lock);
 | |
| 	p = inode->i_cdev;
 | |
| 	if (!p) {
 | |
| 		struct kobject *kobj;
 | |
| 		int idx;
 | |
| 		spin_unlock(&cdev_lock);
 | |
| 		kobj = kobj_lookup(cdev_map, inode->i_rdev, &idx);
 | |
| 		if (!kobj)
 | |
| 			return -ENXIO;
 | |
| 		new = container_of(kobj, struct cdev, kobj);
 | |
| 		spin_lock(&cdev_lock);
 | |
| 		/* Check i_cdev again in case somebody beat us to it while
 | |
| 		   we dropped the lock. */
 | |
| 		p = inode->i_cdev;
 | |
| 		if (!p) {
 | |
| 			inode->i_cdev = p = new;
 | |
| 			list_add(&inode->i_devices, &p->list);
 | |
| 			new = NULL;
 | |
| 		} else if (!cdev_get(p))
 | |
| 			ret = -ENXIO;
 | |
| 	} else if (!cdev_get(p))
 | |
| 		ret = -ENXIO;
 | |
| 	spin_unlock(&cdev_lock);
 | |
| 	cdev_put(new);
 | |
| 	if (ret)
 | |
| 		return ret;
 | |
| 
 | |
| 	ret = -ENXIO;
 | |
| 	fops = fops_get(p->ops);
 | |
| 	if (!fops)
 | |
| 		goto out_cdev_put;
 | |
| 
 | |
| 	replace_fops(filp, fops);
 | |
| 	if (filp->f_op->open) {
 | |
| 		ret = filp->f_op->open(inode, filp);
 | |
| 		if (ret)
 | |
| 			goto out_cdev_put;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| 
 | |
|  out_cdev_put:
 | |
| 	cdev_put(p);
 | |
| 	return ret;
 | |
| }
 | |
| 
 | |
| void cd_forget(struct inode *inode)
 | |
| {
 | |
| 	spin_lock(&cdev_lock);
 | |
| 	list_del_init(&inode->i_devices);
 | |
| 	inode->i_cdev = NULL;
 | |
| 	inode->i_mapping = &inode->i_data;
 | |
| 	spin_unlock(&cdev_lock);
 | |
| }
 | |
| 
 | |
| static void cdev_purge(struct cdev *cdev)
 | |
| {
 | |
| 	spin_lock(&cdev_lock);
 | |
| 	while (!list_empty(&cdev->list)) {
 | |
| 		struct inode *inode;
 | |
| 		inode = container_of(cdev->list.next, struct inode, i_devices);
 | |
| 		list_del_init(&inode->i_devices);
 | |
| 		inode->i_cdev = NULL;
 | |
| 	}
 | |
| 	spin_unlock(&cdev_lock);
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Dummy default file-operations: the only thing this does
 | |
|  * is contain the open that then fills in the correct operations
 | |
|  * depending on the special file...
 | |
|  */
 | |
| const struct file_operations def_chr_fops = {
 | |
| 	.open = chrdev_open,
 | |
| 	.llseek = noop_llseek,
 | |
| };
 | |
| 
 | |
| static struct kobject *exact_match(dev_t dev, int *part, void *data)
 | |
| {
 | |
| 	struct cdev *p = data;
 | |
| 	return &p->kobj;
 | |
| }
 | |
| 
 | |
| static int exact_lock(dev_t dev, void *data)
 | |
| {
 | |
| 	struct cdev *p = data;
 | |
| 	return cdev_get(p) ? 0 : -1;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_add() - add a char device to the system
 | |
|  * @p: the cdev structure for the device
 | |
|  * @dev: the first device number for which this device is responsible
 | |
|  * @count: the number of consecutive minor numbers corresponding to this
 | |
|  *         device
 | |
|  *
 | |
|  * cdev_add() adds the device represented by @p to the system, making it
 | |
|  * live immediately.  A negative error code is returned on failure.
 | |
|  */
 | |
| int cdev_add(struct cdev *p, dev_t dev, unsigned count)
 | |
| {
 | |
| 	int error;
 | |
| 
 | |
| 	p->dev = dev;
 | |
| 	p->count = count;
 | |
| 
 | |
| 	error = kobj_map(cdev_map, dev, count, NULL,
 | |
| 			 exact_match, exact_lock, p);
 | |
| 	if (error)
 | |
| 		return error;
 | |
| 
 | |
| 	kobject_get(p->kobj.parent);
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_set_parent() - set the parent kobject for a char device
 | |
|  * @p: the cdev structure
 | |
|  * @kobj: the kobject to take a reference to
 | |
|  *
 | |
|  * cdev_set_parent() sets a parent kobject which will be referenced
 | |
|  * appropriately so the parent is not freed before the cdev. This
 | |
|  * should be called before cdev_add.
 | |
|  */
 | |
| void cdev_set_parent(struct cdev *p, struct kobject *kobj)
 | |
| {
 | |
| 	WARN_ON(!kobj->state_initialized);
 | |
| 	p->kobj.parent = kobj;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_device_add() - add a char device and it's corresponding
 | |
|  *	struct device, linkink
 | |
|  * @dev: the device structure
 | |
|  * @cdev: the cdev structure
 | |
|  *
 | |
|  * cdev_device_add() adds the char device represented by @cdev to the system,
 | |
|  * just as cdev_add does. It then adds @dev to the system using device_add
 | |
|  * The dev_t for the char device will be taken from the struct device which
 | |
|  * needs to be initialized first. This helper function correctly takes a
 | |
|  * reference to the parent device so the parent will not get released until
 | |
|  * all references to the cdev are released.
 | |
|  *
 | |
|  * This helper uses dev->devt for the device number. If it is not set
 | |
|  * it will not add the cdev and it will be equivalent to device_add.
 | |
|  *
 | |
|  * This function should be used whenever the struct cdev and the
 | |
|  * struct device are members of the same structure whose lifetime is
 | |
|  * managed by the struct device.
 | |
|  *
 | |
|  * NOTE: Callers must assume that userspace was able to open the cdev and
 | |
|  * can call cdev fops callbacks at any time, even if this function fails.
 | |
|  */
 | |
| int cdev_device_add(struct cdev *cdev, struct device *dev)
 | |
| {
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (dev->devt) {
 | |
| 		cdev_set_parent(cdev, &dev->kobj);
 | |
| 
 | |
| 		rc = cdev_add(cdev, dev->devt, 1);
 | |
| 		if (rc)
 | |
| 			return rc;
 | |
| 	}
 | |
| 
 | |
| 	rc = device_add(dev);
 | |
| 	if (rc)
 | |
| 		cdev_del(cdev);
 | |
| 
 | |
| 	return rc;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_device_del() - inverse of cdev_device_add
 | |
|  * @dev: the device structure
 | |
|  * @cdev: the cdev structure
 | |
|  *
 | |
|  * cdev_device_del() is a helper function to call cdev_del and device_del.
 | |
|  * It should be used whenever cdev_device_add is used.
 | |
|  *
 | |
|  * If dev->devt is not set it will not remove the cdev and will be equivalent
 | |
|  * to device_del.
 | |
|  *
 | |
|  * NOTE: This guarantees that associated sysfs callbacks are not running
 | |
|  * or runnable, however any cdevs already open will remain and their fops
 | |
|  * will still be callable even after this function returns.
 | |
|  */
 | |
| void cdev_device_del(struct cdev *cdev, struct device *dev)
 | |
| {
 | |
| 	device_del(dev);
 | |
| 	if (dev->devt)
 | |
| 		cdev_del(cdev);
 | |
| }
 | |
| 
 | |
| static void cdev_unmap(dev_t dev, unsigned count)
 | |
| {
 | |
| 	kobj_unmap(cdev_map, dev, count);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_del() - remove a cdev from the system
 | |
|  * @p: the cdev structure to be removed
 | |
|  *
 | |
|  * cdev_del() removes @p from the system, possibly freeing the structure
 | |
|  * itself.
 | |
|  *
 | |
|  * NOTE: This guarantees that cdev device will no longer be able to be
 | |
|  * opened, however any cdevs already open will remain and their fops will
 | |
|  * still be callable even after cdev_del returns.
 | |
|  */
 | |
| void cdev_del(struct cdev *p)
 | |
| {
 | |
| 	cdev_unmap(p->dev, p->count);
 | |
| 	kobject_put(&p->kobj);
 | |
| }
 | |
| 
 | |
| 
 | |
| static void cdev_default_release(struct kobject *kobj)
 | |
| {
 | |
| 	struct cdev *p = container_of(kobj, struct cdev, kobj);
 | |
| 	struct kobject *parent = kobj->parent;
 | |
| 
 | |
| 	cdev_purge(p);
 | |
| 	kobject_put(parent);
 | |
| }
 | |
| 
 | |
| static void cdev_dynamic_release(struct kobject *kobj)
 | |
| {
 | |
| 	struct cdev *p = container_of(kobj, struct cdev, kobj);
 | |
| 	struct kobject *parent = kobj->parent;
 | |
| 
 | |
| 	cdev_purge(p);
 | |
| 	kfree(p);
 | |
| 	kobject_put(parent);
 | |
| }
 | |
| 
 | |
| static struct kobj_type ktype_cdev_default = {
 | |
| 	.release	= cdev_default_release,
 | |
| };
 | |
| 
 | |
| static struct kobj_type ktype_cdev_dynamic = {
 | |
| 	.release	= cdev_dynamic_release,
 | |
| };
 | |
| 
 | |
| /**
 | |
|  * cdev_alloc() - allocate a cdev structure
 | |
|  *
 | |
|  * Allocates and returns a cdev structure, or NULL on failure.
 | |
|  */
 | |
| struct cdev *cdev_alloc(void)
 | |
| {
 | |
| 	struct cdev *p = kzalloc(sizeof(struct cdev), GFP_KERNEL);
 | |
| 	if (p) {
 | |
| 		INIT_LIST_HEAD(&p->list);
 | |
| 		kobject_init(&p->kobj, &ktype_cdev_dynamic);
 | |
| 	}
 | |
| 	return p;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * cdev_init() - initialize a cdev structure
 | |
|  * @cdev: the structure to initialize
 | |
|  * @fops: the file_operations for this device
 | |
|  *
 | |
|  * Initializes @cdev, remembering @fops, making it ready to add to the
 | |
|  * system with cdev_add().
 | |
|  */
 | |
| void cdev_init(struct cdev *cdev, const struct file_operations *fops)
 | |
| {
 | |
| 	memset(cdev, 0, sizeof *cdev);
 | |
| 	INIT_LIST_HEAD(&cdev->list);
 | |
| 	kobject_init(&cdev->kobj, &ktype_cdev_default);
 | |
| 	cdev->ops = fops;
 | |
| }
 | |
| 
 | |
| static struct kobject *base_probe(dev_t dev, int *part, void *data)
 | |
| {
 | |
| 	if (request_module("char-major-%d-%d", MAJOR(dev), MINOR(dev)) > 0)
 | |
| 		/* Make old-style 2.4 aliases work */
 | |
| 		request_module("char-major-%d", MAJOR(dev));
 | |
| 	return NULL;
 | |
| }
 | |
| 
 | |
| void __init chrdev_init(void)
 | |
| {
 | |
| 	cdev_map = kobj_map_init(base_probe, &chrdevs_lock);
 | |
| }
 | |
| 
 | |
| 
 | |
| /* Let modules do char dev stuff */
 | |
| EXPORT_SYMBOL(register_chrdev_region);
 | |
| EXPORT_SYMBOL(unregister_chrdev_region);
 | |
| EXPORT_SYMBOL(alloc_chrdev_region);
 | |
| EXPORT_SYMBOL(cdev_init);
 | |
| EXPORT_SYMBOL(cdev_alloc);
 | |
| EXPORT_SYMBOL(cdev_del);
 | |
| EXPORT_SYMBOL(cdev_add);
 | |
| EXPORT_SYMBOL(cdev_set_parent);
 | |
| EXPORT_SYMBOL(cdev_device_add);
 | |
| EXPORT_SYMBOL(cdev_device_del);
 | |
| EXPORT_SYMBOL(__register_chrdev);
 | |
| EXPORT_SYMBOL(__unregister_chrdev);
 |