[UP] add some viki files, knowledge.

[arrow.git] / viki / kernel / ldd3 / ldd3-html.viki

<html>
  <head>
    <title>Linux Device Drivers 3</title>
    <meta Name="keywords" Content="Linux,device,drivers,kernel,kernel development,kernel modules,Jonathan Corbet,Alessandro Rubini,Greg Kroah-Hartman,char drivers,USB drivers,block drivers,network drivers,TTY drivers,PCI drivers">
    <style>
    pre         { font-family:Prestige, "Everson Mono", "MS Courier New", Courier; font-size:smaller; margin-left:.4in }
    font.fixd   { font-family:Prestige, "Everson Mono", "MS Courier New", Courier }
    div.warn    { text-align:justify; margin-left:.4in; margin-right:.4in; border:1px solid red; padding:6px 12px; }
    div.tip     { text-align:justify; margin-left:.4in; margin-right:.4in; border:1px solid blue; padding:6px 12px; }
    div.bq      { text-align:justify; margin-left:.4in }
    div.bql     { margin-left:.4in }
    a.toc       { font-variant:small-caps;font-weight:bold;font-size:larger;color:#7519FF }
    a.tocr      { font-variant:small-caps;font-weight:bold;font-size:larger;color:red }
    </style>
  </head>
<body style="text-align:justify;margin-left:5%;margin-right:5%"><br>
<br>
<center><font size="7">Linux Device Drivers</font><br>
<font size="4">Jonathan Corbet, Alessandro Rubini,<br>and Greg Kroah-Hartman.</font><br>
</center><br>
<font size="4">Web page format by </font><a href="http://linux.coconia.net" target="_blank"><font size="4">http://linux.coconia.net</font></a><br>
<br>
<div class="warn">If you redistribute this page you must not remove the attribution to the original authors, Corbet, Rubini and Kroah-Hartman, or, to linux.coconia.net.</div>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<a href="#Index" class="tocr">Index</a><br>
<br>
<a href="#Numbers">Numbers</a><br>
<a href="#A">A</a> <a href="#B">B</a> <a href="#C">C</a> <a href="#D">D</a> <a href="#E">E</a> <a href="#F">F</a> <a href="#G">G</a> <a href="#I">I</a> <a href="#H">H</a> <a href="#J">J</a> <a href="#K">K</a> <a href="#L">L</a> <a href="#M">M</a><br>
<a href="#N">N</a> <a href="#O">O</a> <a href="#P">P</a> <a href="#Q">Q</a> <a href="#R">R</a> <a href="#S">S</a> <a href="#T">T</a> <a href="#U">U</a> <a href="#V">V</a> <a href="#W">W</a> <a href="#X">X</a> <a href="#Z">Z</a><br>
<br>
<a href="#Chapters" class="tocr">Chapters</a><br>
<br>
<a href="#CHAPTER1">1</a> <a href="#CHAPTER2">2</a> <a href="#CHAPTER3">3</a> <a href="#CHAPTER4">4</a> <a href="#CHAPTER5">5</a> <a href="#CHAPTER6">6</a> <a href="#CHAPTER7">7</a> <a href="#CHAPTER8">8</a> <a href="#CHAPTER9">9</a> <a href="#CHAPTER10">10</a> <a href="#CHAPTER11">11</a><br><a href="#CHAPTER12">12</a> <a href="#CHAPTER13">13</a> <a href="#CHAPTER14">14</a> <a href="#CHAPTER15">15</a> <a href="#CHAPTER16">16</a> <a href="#CHAPTER17">17</a> <a href="#CHAPTER18">18</a><br>
<br>
<a href="#Preface" class="tocr">Preface</a><br>
<br>
<a href="#JonsIntroduction">Jon's Introduction</a><br>
<a href="#AlessandrosIntroduction">Alessandro's Introduction</a><br>
<a href="#GregsIntroduction">Greg's Introduction</a><br>
<a href="#AudienceForThisBook">Audience for This Book</a><br>
<a href="#OrganizationOfTheMaterial">Organization of the Material</a><br>
<a href="#BackgroundInformation">Background Information</a><br>
<a href="#OnlineVersionAndLicense">Online Version and License</a><br>
<a href="#ConventionsUsedInThisBook">Conventions Used in This Book</a><br>
<a href="#UsingCodeExamplesbr">Using Code Examples</a><br>
<a href="#WedLikeToHearFromYou">We'd Like to Hear from You</a><br>
<a href="#SafariEnabled">Safari Enabled</a><br>
<a href="#Acknowledgments">Acknowledgments</a><br>
<a href="#Jon">Jon</a><br>
<a href="#Alessandro">Alessandro</a><br>
<a href="#Greg">Greg</a><br>
<br>
<a href="#CHAPTER1" class="toc">Chapter 1</a><br>
<a href="#AnIntroductionToDeviceDrivers" class="tocr">An Introduction to Device Drivers</a><br>
<br>
<a href="#TheRoleOfTheDeviceDriver">The Role of the Device Driver</a><br>
<a href="#SplittingTheKernel">Splitting the Kernel</a><br>
<a href="#LoadableModules">Loadable Modules</a><br>
<a href="#ClassesOfDevicesAndModules">Classes of Devices and Modules</a><br>
<a href="#SecurityIssues">Security Issues</a><br>
<a href="#VersionNumbering">Version Numbering</a><br>
<a href="#LicenseTerms">License Terms</a><br>
<a href="#JoiningTheKernelDevelopmentCommunity">Joining the Kernel Development Community</a><br>
<a href="#OverviewOfTheBook">Overview of the Book</a><br>
<br>
<a href="#CHAPTER2" class="toc">Chapter 2</a><br>
<a href="#BuildingAndRunningModules" class="tocr">Building and Running Modules</a><br>
<br>
<a href="#SettingUpYourTestSystem">Setting Up Your Test System</a><br>
<a href="#TheHelloWorldModule">The Hello World Module</a><br>
<a href="#KernelModulesVersusApplications">Kernel Modules Versus Applications</a><br>
<a href="#UserSpaceAndKernelSpace">User Space and Kernel Space</a><br>
<a href="#ConcurrencyInTheKernel">Concurrency in the Kernel</a><br>
<a href="#TheCurrentProcess">The Current Process</a><br>
<a href="#AFewOtherDetails">A Few Other Details</a><br>
<a href="#CompilingAndLoading">Compiling and Loading</a><br>
<a href="#CompilingModules">Compiling Modules</a><br>
<a href="#LoadingAndUnloadingModules">Loading and Unloading Modules</a><br>
<a href="#VersionDependency">Version Dependency</a><br>
<a href="#PlatformDependency">Platform Dependency</a><br>
<a href="#TheKernelSymbolTable">The Kernel Symbol Table</a><br>
<a href="#Preliminaries">Preliminaries</a><br>
<a href="#InitializationAndShutdown">Initialization and Shutdown</a><br>
<a href="#TheCleanupFunction">The Cleanup Function</a><br>
<a href="#ErrorHandlingDuringInitialization">Error Handling During Initialization</a><br>
<a href="#ModuleLoadingRaces">Module-Loading Races</a><br>
<a href="#ModuleParameters">Module Parameters</a><br>
<a href="#DoingItInUserSpace">Doing It in User Space</a><br>
<a href="#QuickReference2">Quick Reference</a><br>
<br>
<a href="#CHAPTER3" class="toc">Chapter 3</a><br>
<a href="#CharDrivers" class="tocr">Char Drivers</a><br>
<br>
<a href="#TheDesignOfScull">The Design of scull</a><br>
<a href="#MajorAndMinorNumbers">Major and Minor Numbers</a><br>
<a href="#TheInternalRepresentationOfDeviceNumbers">The Internal Representation of Device Numbers</a><br>
<a href="#AllocatingAndFreeingDeviceNumbers">Allocating and Freeing Device Numbers</a><br>
<a href="#DynamicAllocationOfMajorNumbers">Dynamic Allocation of Major Numbers</a><br>
<a href="#SomeImportantDataStructures">Some Important Data Structures</a><br>
<a href="#FileOperations">File Operations</a><br>
<a href="#TheFileStructure">The file Structure</a><br>
<a href="#TheInodeStructure">The inode Structure</a><br>
<a href="#CharDeviceRegistration">Char Device Registration</a><br>
<a href="#DeviceRegistrationInScull">Device Registration in scull</a><br>
<a href="#TheOlderWay">The Older Way</a><br>
<a href="#OpenAndRelease">open and release</a><br>
<a href="#TheOpenMethod">The open Method</a><br>
<a href="#TheReleaseMethod">The release Method</a><br>
<a href="#ScullsMemoryUsage">scull's Memory Usage</a><br>
<a href="#ReadAndWrite">read and write</a><br>
<a href="#TheReadMethod">The read Method</a><br>
<a href="#TheWriteMethod">The write Method</a><br>
<a href="#ReadvAndWritev">readv and writev</a><br>
<a href="#PlayingWithTheNewDevices">Playing with the New Devices</a><br>
<a href="#QuickReference3">Quick Reference</a><br>
<br>
<a href="#CHAPTER4" class="toc">Chapter 4</a><br>
<a href="#DebuggingTechniques" class="tocr">Debugging Techniques</a><br>
<br>
<a href="#DebuggingSupportInTheKernel">Debugging Support in the Kernel</a><br>
<a href="#DebuggingByPrinting">Debugging by Printing</a><br>
<a href="#Printk">printk</a><br>
<a href="#RedirectingConsoleMessages">Redirecting Console Messages</a><br>
<a href="#HowMessagesGetLogged">How Messages Get Logged</a><br>
<a href="#TurningTheMessagesOnAndOff">Turning the Messages On and Off</a><br>
<a href="#RateLimiting">Rate Limiting</a><br>
<a href="#PrintingDeviceNumbers">Printing Device Numbers</a><br>
<a href="#DebuggingByQuerying">Debugging by Querying</a><br>
<a href="#UsingTheProcFilesystem">Using the /proc Filesystem</a><br>
<a href="#ImplementingFilesInProc">Implementing files in /proc</a><br>
<a href="#AnOlderInterface">An older interface</a><br>
<a href="#CreatingYourProcFile">Creating your /proc file</a><br>
<a href="#TheSeqfileInterface">The seq_file interface</a><br>
<a href="#TheIoctlMethod">The ioctl Method</a><br>
<a href="#DebuggingByWatching">Debugging by Watching</a><br>
<a href="#DebuggingSystemFaults">Debugging System Faults</a><br>
<a href="#OopsMessages">Oops Messages</a><br>
<a href="#SystemHangs">System Hangs</a><br>
<a href="#DebuggersAndRelatedTools">Debuggers and Related Tools</a><br>
<a href="#UsingGdb">Using gdb</a><br>
<a href="#TheKdbKernelDebugger">The kdb Kernel Debugger</a><br>
<a href="#TheKgdbPatches">The kgdb Patches</a><br>
<a href="#TheUserModeLinuxPort">The User-Mode Linux Port</a><br>
<a href="#TheLinuxTraceToolkit">The Linux Trace Toolkit</a><br>
<a href="#DynamicProbes">Dynamic Probes</a><br>
<br>
<a href="#CHAPTER5" class="toc">Chapter 5</a><br>
<a href="#ConcurrencyAndRacebrConditions" class="tocr">Concurrency and Race Conditions</a><br>
<br>
<a href="#PitfallsInScull">Pitfalls in scull</a><br>
<a href="#ConcurrencyAndItsManagement">Concurrency and Its Management</a><br>
<a href="#SemaphoresAndMutexes">Semaphores and Mutexes</a><br>
<a href="#TheLinuxSemaphoreImplementation">The Linux Semaphore Implementation</a><br>
<a href="#UsingSemaphoresInScull">Using Semaphores in scull</a><br>
<a href="#ReaderWriterSemaphores">Reader/Writer Semaphores</a><br>
<a href="#Completions">Completions</a><br>
<a href="#Spinlocks">Spinlocks</a><br>
<a href="#IntroductionToTheSpinlockAPI">Introduction to the Spinlock API</a><br>
<a href="#SpinlocksAndAtomicContext">Spinlocks and Atomic Context</a><br>
<a href="#TheSpinlockFunctions">The Spinlock Functions</a><br>
<a href="#ReaderWriterSpinlocks">Reader/Writer Spinlocks</a><br>
<a href="#LockingTraps">Locking Traps</a><br>
<a href="#AmbiguousRules">Ambiguous Rules</a><br>
<a href="#LockOrderingRules">Lock Ordering Rules</a><br>
<a href="#FineVersusCoarseGrainedLocking">Fine- Versus Coarse-Grained Locking</a><br>
<a href="#AlternativesToLocking">Alternatives to Locking</a><br>
<a href="#LockFreeAlgorithms">Lock-Free Algorithms</a><br>
<a href="#AtomicVariables">Atomic Variables</a><br>
<a href="#BitOperations">Bit Operations</a><br>
<a href="#Seqlocks">seqlocks</a><br>
<a href="#ReadCopyUpdate">Read-Copy-Update</a><br>
<a href="#QuickReference5">Quick Reference</a><br>
<br>
<a href="#CHAPTER6" class="toc">Chapter 6</a><br>
<a href="#AdvancedCharDriverOperations" class="tocr">Advanced Char Driver Operations</a><br>
<br>
<a href="#Ioctl">ioctl</a><br>
<a href="#ChoosingTheIoctlCommands">Choosing the ioctl Commands</a><br>
<a href="#TheReturnValue">The Return Value</a><br>
<a href="#ThePredefinedCommands">The Predefined Commands</a><br>
<a href="#UsingTheIoctlArgument">Using the ioctl Argument</a><br>
<a href="#CapabilitiesAndRestrictedOperations">Capabilities and Restricted Operations</a><br>
<a href="#TheImplementationOfTheIoctlCommands">The Implementation of the ioctl Commands</a><br>
<a href="#DeviceControlWithoutIoctl">Device Control Without ioctl</a><br>
<a href="#BlockingIO">Blocking I/O</a><br>
<a href="#IntroductionToSleeping">Introduction to Sleeping</a><br>
<a href="#SimpleSleeping">Simple Sleeping</a><br>
<a href="#BlockingAndNonblockingOperations">Blocking and Nonblocking Operations</a><br>
<a href="#ABlockingIOExample">A Blocking I/O Example</a><br>
<a href="#AdvancedSleeping">Advanced Sleeping</a><br>
<a href="#HowAProcessSleeps">How a process sleeps</a><br>
<a href="#ManualSleeps">Manual sleeps</a><br>
<a href="#ExclusiveWaits">Exclusive waits</a><br>
<a href="#TheDetailsOfWakingUp">The details of waking up</a><br>
<a href="#AncientHistorySleepon">Ancient history: sleep_on</a><br>
<a href="#TestingTheScullpipeDriver">Testing the Scullpipe Driver</a><br>
<a href="#PollAndSelect">poll and select</a><br>
<a href="#InteractionWithReadAndWrite">Interaction with read and write</a><br>
<a href="#ReadingDataFromTheDevice">Reading data from the device</a><br>
<a href="#WritingToTheDevice">Writing to the device</a><br>
<a href="#FlushingPendingOutput">Flushing pending output</a><br>
<a href="#TheUnderlyingDataStructure">The Underlying Data Structure</a><br>
<a href="#AsynchronousNotification">Asynchronous Notification</a><br>
<a href="#TheDriversPointOfView">The Driver's Point of View</a><br>
<a href="#SeekingADevice">Seeking a Device</a><br>
<a href="#TheLlseekImplementation">The llseek Implementation</a><br>
<a href="#AccessControlOnADeviceFile">Access Control on a Device File</a><br>
<a href="#SingleOpenDevices">Single-Open Devices</a><br>
<a href="#RestrictingAccessToASingleUserAtATime">Restricting Access to a Single User at a Time</a><br>
<a href="#BlockingOpenAsAnAlternativeToEBUSY">Blocking open as an Alternative to EBUSY</a><br>
<a href="#CloningTheDeviceOnOpen">Cloning the Device on open</a><br>
<a href="#QuickReference6">Quick Reference</a><br>
<br>
<a href="#CHAPTER7" class="toc">Chapter 7</a><br>
<a href="#TimeDelaysAndDeferredWork" class="tocr">Time, Delays, and Deferred Work</a><br>
<br>
<a href="#MeasuringTimeLapses">Measuring Time Lapses</a><br>
<a href="#UsingTheJiffiesCounter">Using the jiffies Counter</a><br>
<a href="#ProcessorSpecificRegisters">Processor-Specific Registers</a><br>
<a href="#KnowingTheCurrentTime">Knowing the Current Time</a><br>
<a href="#DelayingExecution">Delaying Execution</a><br>
<a href="#LongDelays">Long Delays</a><br>
<a href="#BusyWaiting">Busy waiting</a><br>
<a href="#YieldingTheProcessor">Yielding the processor</a><br>
<a href="#Timeouts">Timeouts</a><br>
<a href="#ShortDelays">Short Delays</a><br>
<a href="#KernelTimers">Kernel Timers</a><br>
<a href="#TheTimerAPI">The Timer API</a><br>
<a href="#TheImplementationOfKernelTimers">The Implementation of Kernel Timers</a><br>
<a href="#Tasklets">Tasklets</a><br>
<a href="#Workqueues">Workqueues</a><br>
<a href="#TheSharedQueue">The Shared Queue</a><br>
<a href="#QuickReference7">Quick Reference</a><br>
<a href="#Timekeeping">Timekeeping</a><br>
<a href="#Delays">Delays</a><br>
<a href="#KernelTimers2">Kernel Timers</a><br>
<a href="#Tasklets2">Tasklets</a><br>
<a href="#Workqueues2">Workqueues</a><br>
<br>
<a href="#CHAPTER8" class="toc">Chapter 8</a><br>
<a href="#AllocatingMemory" class="tocr">Allocating Memory</a><br>
<br>
<a href="#TheRealStoryOfKmalloc">The Real Story of kmalloc</a><br>
<a href="#TheFlagsArgument">The Flags Argument</a><br>
<a href="#MemoryZones">Memory zones</a><br>
<a href="#TheSizeArgument">The Size Argument</a><br>
<a href="#LookasideCaches">Lookaside Caches</a><br>
<a href="#AScullBasedOnTheSlabCachesScullc">A scull Based on the Slab Caches: scullc</a><br>
<a href="#MemoryPools">Memory Pools</a><br>
<a href="#GetfreepageAndFriends">get_free_page and Friends</a><br>
<a href="#AScullUsingWholePagesScullp">A scull Using Whole Pages: scullp</a><br>
<a href="#TheAllocpagesInterface">The alloc_pages Interface</a><br>
<a href="#VmallocAndFriends">vmalloc and Friends</a><br>
<a href="#AScullUsingVirtualAddressesScullv">A scull Using Virtual Addresses: scullv</a><br>
<a href="#PerCPUVariables">Per-CPU Variables</a><br>
<a href="#ObtainingLargeBuffers">Obtaining Large Buffers</a><br>
<a href="#AcquiringADedicatedBufferAtBootTime">Acquiring a Dedicated Buffer at Boot Time</a><br>
<a href="#QuickReference8">Quick Reference</a><br>
<br>
<a href="#CHAPTER9" class="toc">Chapter 9</a><br>
<a href="#CommunicatingWithHardware" class="tocr">Communicating with Hardware</a><br>
<br>
<a href="#IOPortsAndIOMemory">I/O Ports and I/O Memory</a><br>
<a href="#IORegistersAndConventionalMemory">I/O Registers and Conventional Memory</a><br>
<a href="#UsingIOPorts">Using I/O Ports</a><br>
<a href="#IOPortAllocation">I/O Port Allocation</a><br>
<a href="#ManipulatingIOPorts">Manipulating I/O ports</a><br>
<a href="#IOPortAccessFromUserSpace">I/O Port Access from User Space</a><br>
<a href="#StringOperations">String Operations</a><br>
<a href="#PausingIO">Pausing I/O</a><br>
<a href="#PlatformDependencies">Platform Dependencies</a><br>
<a href="#AnIOPortExample">An I/O Port Example</a><br>
<a href="#AnOverviewOfTheParallelPort">An Overview of the Parallel Port</a><br>
<a href="#ASampleDriver">A Sample Driver</a><br>
<a href="#UsingIOMemory">Using I/O Memory</a><br>
<a href="#IOMemoryAllocationAndMapping">I/O Memory Allocation and Mapping</a><br>
<a href="#AccessingIOMemory">Accessing I/O Memory</a><br>
<a href="#PortsAsIOMemory">Ports as I/O Memory</a><br>
<a href="#ReusingShortForIOMemory">Reusing short for I/O Memory</a><br>
<a href="#ISAMemoryBelow1MB">ISA Memory Below 1 MB</a><br>
<a href="#IsareadbAndFriends">isa_readb and Friends</a><br>
<a href="#QuickReference9">Quick Reference</a><br>
<br>
<a href="#CHAPTER10" class="toc">Chapter 10</a><br>
<a href="#InterruptHandling" class="tocr">Interrupt Handling</a><br>
<br>
<a href="#PreparingTheParallelPort">Preparing the Parallel Port</a><br>
<a href="#InstallingAnInterruptHandler">Installing an Interrupt Handler</a><br>
<a href="#TheProcInterface">The /proc Interface</a><br>
<a href="#AutodetectingTheIRQNumber">Auto-Detecting the IRQ Number</a><br>
<a href="#KernelassistedProbing">Kernel-assisted probing</a><br>
<a href="#DoityourselfProbing">Do-it-yourself probing</a><br>
<a href="#FastAndSlowHandlers">Fast and Slow Handlers</a><br>
<a href="#TheInternalsOfInterruptHandlingOnTheX86">The internals of interrupt handling on the x86</a><br>
<a href="#ImplementingAHandler">Implementing a Handler</a><br>
<a href="#HandlerArgumentsAndReturnValue">Handler Arguments and Return Value</a><br>
<a href="#EnablingAndDisablingInterrupts">Enabling and Disabling Interrupts</a><br>
<a href="#DisablingASingleInterrupt">Disabling a single interrupt</a><br>
<a href="#DisablingAllInterrupts">Disabling all interrupts</a><br>
<a href="#TopAndBottomHalves">Top and Bottom Halves</a><br>
<a href="#Tasklets3">Tasklets</a><br>
<a href="#Workqueues3">Workqueues</a><br>
<a href="#InterruptSharing">Interrupt Sharing</a><br>
<a href="#InstallingASharedHandler">Installing a Shared Handler</a><br>
<a href="#RunningTheHandler">Running the Handler</a><br>
<a href="#TheProcInterfaceAndSharedInterrupts">The /proc Interface and Shared Interrupts</a><br>
<a href="#InterruptDrivenIO">Interrupt-Driven I/O</a><br>
<a href="#AWriteBufferingExample">A Write-Buffering Example</a><br>
<a href="#QuickReference10">Quick Reference</a><br>
</td><td align="right" valign="top" width="50%">
<a href="#CHAPTER11" class="toc">Chapter 11</a><br>
<a href="#DataTypesInThebrKernel" class="tocr">Data Types in the Kernel</a><br>
<br>
<a href="#UseOfStandardCTypes">Use of Standard C Types</a><br>
<a href="#AssigningAnExplicitSizeToDataItems">Assigning an Explicit Size to Data Items</a><br>
<a href="#InterfaceSpecificTypes">Interface-Specific Types</a><br>
<a href="#OtherPortabilityIssues">Other Portability Issues</a><br>
<a href="#TimeIntervals">Time Intervals</a><br>
<a href="#PageSize">Page Size</a><br>
<a href="#ByteOrder">Byte Order</a><br>
<a href="#DataAlignment">Data Alignment</a><br>
<a href="#PointersAndErrorValues">Pointers and Error Values</a><br>
<a href="#LinkedLists">Linked Lists</a><br>
<a href="#QuickReference11">Quick Reference</a><br>
<br>
<a href="#CHAPTER12" class="toc">Chapter 12</a><br>
<a href="#PCIDrivers" class="tocr">PCI Drivers</a><br>
<br>
<a href="#ThePCIInterface">The PCI Interface</a><br>
<a href="#PCIAddressing">PCI Addressing</a><br>
<a href="#BootTime">Boot Time</a><br>
<a href="#ConfigurationRegistersAndInitialization">Configuration Registers and Initialization</a><br>
<a href="#MODULEDEVICETABLE">MODULE_DEVICE_TABLE</a><br>
<a href="#RegisteringAPCIDriver">Registering a PCI Driver</a><br>
<a href="#OldStylePCIProbing">Old-Style PCI Probing</a><br>
<a href="#EnablingThePCIDevice">Enabling the PCI Device</a><br>
<a href="#AccessingTheConfigurationSpace">Accessing the Configuration Space</a><br>
<a href="#AccessingTheIOAndMemorySpaces">Accessing the I/O and Memory Spaces</a><br>
<a href="#PCIInterrupts">PCI Interrupts</a><br>
<a href="#HardwareAbstractions">Hardware Abstractions</a><br>
<a href="#ALookBackISA">A Look Back: ISA</a><br>
<a href="#HardwareResources">Hardware Resources</a><br>
<a href="#ISAProgramming">ISA Programming</a><br>
<a href="#ThePlugandPlaySpecification">The Plug-and-Play Specification</a><br>
<a href="#PC104AndPC104">PC/104 and PC/104+</a><br>
<a href="#OtherPCBuses">Other PC Buses</a><br>
<a href="#MCA">MCA</a><br>
<a href="#EISA">EISA</a><br>
<a href="#VLB">VLB</a><br>
<a href="#SBus">SBus</a><br>
<a href="#NuBus">NuBus</a><br>
<a href="#ExternalBuses">External Buses</a><br>
<a href="#QuickReference12">Quick Reference</a><br>
<br>
<a href="#CHAPTER13" class="toc">Chapter 13</a><br>
<a href="#USBDrivers" class="tocr">USB Drivers</a><br>
<br>
<a href="#USBDeviceBasics">USB Device Basics</a><br>
<a href="#Endpoints">Endpoints</a><br>
<a href="#Interfaces">Interfaces</a><br>
<a href="#Configurations">Configurations</a><br>
<a href="#USBAndSysfs">USB and Sysfs</a><br>
<a href="#USBUrbs">USB Urbs</a><br>
<a href="#StructUrb">struct urb</a><br>
<a href="#CreatingAndDestroyingUrbs">Creating and Destroying Urbs</a><br>
<a href="#InterruptUrbs">Interrupt urbs</a><br>
<a href="#BulkUrbs">Bulk urbs</a><br>
<a href="#ControlUrbs">Control urbs</a><br>
<a href="#IsochronousUrbs">Isochronous urbs</a><br>
<a href="#SubmittingUrbs">Submitting Urbs</a><br>
<a href="#CompletingUrbsTheCompletionCallbackHandler">Completing Urbs: The Completion Callback Handler</a><br>
<a href="#CancelingUrbs">Canceling Urbs</a><br>
<a href="#WritingAUSBDriver">Writing a USB Driver</a><br>
<a href="#WhatDevicesDoesTheDriverSupport">What Devices Does the Driver Support?</a><br>
<a href="#RegisteringAUSBDriver">Registering a USB Driver</a><br>
<a href="#ProbeAndDisconnectInDetail">probe and disconnect in Detail</a><br>
<a href="#SubmittingAndControllingAUrb">Submitting and Controlling a Urb</a><br>
<a href="#USBTransfersWithoutUrbs">USB Transfers Without Urbs</a><br>
<a href="#Usbbulkmsg">usb_bulk_msg</a><br>
<a href="#Usbcontrolmsg">usb_control_msg</a><br>
<a href="#OtherUSBDataFunctions">Other USB Data Functions</a><br>
<a href="#QuickReference13">Quick Reference</a><br>
<br>
<a href="#CHAPTER14" class="toc">Chapter 14</a><br>
<a href="#TheLinuxDeviceModel" class="tocr">The Linux Device Model</a><br>
<br>
<a href="#KobjectsKsetsAndSubsystems">Kobjects, Ksets, and Subsystems</a><br>
<a href="#KobjectBasics">Kobject Basics</a><br>
<a href="#EmbeddingKobjects">Embedding kobjects</a><br>
<a href="#KobjectInitialization">Kobject initialization</a><br>
<a href="#ReferenceCountManipulation">Reference count manipulation</a><br>
<a href="#ReleaseFunctionsAndKobjectTypes">Release functions and kobject types</a><br>
<a href="#KobjectHierarchiesKsetsAndSubsystems">Kobject Hierarchies, Ksets, and Subsystems</a><br>
<a href="#Ksets">Ksets</a><br>
<a href="#OperationsOnKsets">Operations on ksets</a><br>
<a href="#Subsystems">Subsystems</a><br>
<a href="#LowLevelSysfsOperations">Low-Level Sysfs Operations</a><br>
<a href="#DefaultAttributes">Default Attributes</a><br>
<a href="#NondefaultAttributes">Nondefault Attributes</a><br>
<a href="#BinaryAttributes">Binary Attributes</a><br>
<a href="#SymbolicLinks">Symbolic Links</a><br>
<a href="#HotplugEventGeneration">Hotplug Event Generation</a><br>
<a href="#HotplugOperations">Hotplug Operations</a><br>
<a href="#BusesDevicesAndDrivers">Buses, Devices, and Drivers</a><br>
<a href="#Buses">Buses</a><br>
<a href="#BusRegistration">Bus registration</a><br>
<a href="#BusMethods">Bus methods</a><br>
<a href="#IteratingOverDevicesAndDrivers">Iterating over devices and drivers</a><br>
<a href="#BusAttributes">Bus attributes</a><br>
<a href="#Devices">Devices</a><br>
<a href="#DeviceRegistration">Device registration</a><br>
<a href="#DeviceAttributes">Device attributes</a><br>
<a href="#DeviceStructureEmbedding">Device structure embedding</a><br>
<a href="#DeviceDrivers">Device Drivers</a><br>
<a href="#DriverStructureEmbedding">Driver structure embedding</a><br>
<a href="#Classes">Classes</a><br>
<a href="#TheClasssimpleInterface">The class_simple Interface</a><br>
<a href="#TheFullClassInterface">The Full Class Interface</a><br>
<a href="#ManagingClasses">Managing classes</a><br>
<a href="#ClassDevices">Class devices</a><br>
<a href="#ClassInterfaces">Class interfaces</a><br>
<a href="#PuttingItAllTogether">Putting It All Together</a><br>
<a href="#AddADevice">Add a Device</a><br>
<a href="#RemoveADevice">Remove a Device</a><br>
<a href="#AddADriver">Add a Driver</a><br>
<a href="#RemoveADriver">Remove a Driver</a><br>
<a href="#Hotplug">Hotplug</a><br>
<a href="#DynamicDevices">Dynamic Devices</a><br>
<a href="#TheSbinhotplugUtility">The /sbin/hotplug Utility</a><br>
<a href="#IEEE1394FireWire">IEEE1394 (FireWire)</a><br>
<a href="#Networking">Networking</a><br>
<a href="#PCI">PCI</a><br>
<a href="#Input">Input</a><br>
<a href="#USB">USB</a><br>
<a href="#SCSI">SCSI</a><br>
<a href="#LaptopDockingStations">Laptop docking stations</a><br>
<a href="#S390AndZSeries">S/390 and zSeries</a><br>
<a href="#UsingSbinhotplug">Using /sbin/hotplug</a><br>
<a href="#LinuxHotplugScripts">Linux hotplug scripts</a><br>
<a href="#Udev">udev</a><br>
<a href="#DealingWithFirmware">Dealing with Firmware</a><br>
<a href="#TheKernelFirmwareInterface">The Kernel Firmware Interface</a><br>
<a href="#HowItWorks">How It Works</a><br>
<a href="#QuickReference14">Quick Reference</a><br>
<a href="#Kobjects">Kobjects</a><br>
<a href="#SysfsOperations">Sysfs Operations</a><br>
<a href="#BusesDevicesAndDrivers2">Buses, Devices, and Drivers</a><br>
<a href="#Classes2">Classes</a><br>
<a href="#Firmware">Firmware</a><br>
<br>
<a href="#CHAPTER15" class="toc">Chapter 15</a><br>
<a href="#MemoryMappingbrandDMA" class="tocr">Memory Mapping and DMA</a><br>
<br>
<a href="#MemoryManagementInLinux">Memory Management in Linux</a><br>
<a href="#AddressTypes">Address Types</a><br>
<a href="#PhysicalAddressesAndPages">Physical Addresses and Pages</a><br>
<a href="#HighAndLowMemory">High and Low Memory</a><br>
<a href="#TheMemoryMapAndStructPage">The Memory Map and Struct Page</a><br>
<a href="#PageTables">Page Tables</a><br>
<a href="#VirtualMemoryAreas">Virtual Memory Areas</a><br>
<a href="#TheVmareastructStructure">The vm_area_struct structure</a><br>
<a href="#TheProcessMemoryMap">The Process Memory Map</a><br>
<a href="#TheMmapDeviceOperation">The mmap Device Operation</a><br>
<a href="#UsingRemappfnrange">Using remap_pfn_range</a><br>
<a href="#ASimpleImplementation">A Simple Implementation</a><br>
<a href="#AddingVMAOperations">Adding VMA Operations</a><br>
<a href="#MappingMemoryWithNopage">Mapping Memory with nopage</a><br>
<a href="#RemappingSpecificIORegions">Remapping Specific I/O Regions</a><br>
<a href="#RemappingRAM">Remapping RAM</a><br>
<a href="#RemappingRAMWithTheNopageMethod">Remapping RAM with the nopage method</a><br>
<a href="#RemappingKernelVirtualAddresses">Remapping Kernel Virtual Addresses</a><br>
<a href="#PerformingDirectIO">Performing Direct I/O</a><br>
<a href="#AsynchronousIO">Asynchronous I/O</a><br>
<a href="#AnAsynchronousIOExample">An asynchronous I/O example</a><br>
<a href="#DirectMemoryAccess">Direct Memory Access</a><br>
<a href="#OverviewOfADMADataTransfer">Overview of a DMA Data Transfer</a><br>
<a href="#AllocatingTheDMABuffer">Allocating the DMA Buffer</a><br>
<a href="#DoityourselfAllocation">Do-it-yourself allocation</a><br>
<a href="#BusAddresses">Bus Addresses</a><br>
<a href="#TheGenericDMALayer">The Generic DMA Layer</a><br>
<a href="#DealingWithDifficultHardware">Dealing with difficult hardware</a><br>
<a href="#DMAMappings">DMA mappings</a><br>
<a href="#SettingUpCoherentDMAMappings">Setting up coherent DMA mappings</a><br>
<a href="#DMAPools">DMA pools</a><br>
<a href="#SettingUpStreamingDMAMappings">Setting up streaming DMA mappings</a><br>
<a href="#SinglepageStreamingMappings">Single-page streaming mappings</a><br>
<a href="#ScattergatherMappings">Scatter/gather mappings</a><br>
<a href="#PCIDoubleaddressCycleMappings">PCI double-address cycle mappings</a><br>
<a href="#ASimplePCIDMAExample">A simple PCI DMA example</a><br>
<a href="#DMAForISADevices">DMA for ISA Devices</a><br>
<a href="#RegisteringDMAUsage">Registering DMA usage</a><br>
<a href="#TalkingToTheDMAController">Talking to the DMA controller</a><br>
<a href="#QuickReference15">Quick Reference</a><br>
<a href="#IntroductoryMaterial">Introductory Material</a><br>
<a href="#ImplementingMmap">Implementing mmap</a><br>
<a href="#ImplementingDirectIO">Implementing Direct I/O</a><br>
<a href="#DirectMemoryAccess2">Direct Memory Access</a><br>
<br>
<a href="#CHAPTER16" class="toc">Chapter 16</a><br>
<a href="#BlockDrivers" class="tocr">Block Drivers</a><br>
<br>
<a href="#Registration">Registration</a><br>
<a href="#BlockDriverRegistration">Block Driver Registration</a><br>
<a href="#DiskRegistration">Disk Registration</a><br>
<a href="#BlockDeviceOperations">Block device operations</a><br>
<a href="#TheGendiskStructure">The gendisk structure</a><br>
<a href="#InitializationInSbull">Initialization in sbull</a><br>
<a href="#ANoteOnSectorSizes">A Note on Sector Sizes</a><br>
<a href="#TheBlockDeviceOperations">The Block Device Operations</a><br>
<a href="#TheOpenAndReleaseMethods">The open and release Methods</a><br>
<a href="#SupportingRemovableMedia">Supporting Removable Media</a><br>
<a href="#TheIoctlMethod2">The ioctl Method</a><br>
<a href="#RequestProcessing">Request Processing</a><br>
<a href="#IntroductionToTheRequestMethod">Introduction to the request Method</a><br>
<a href="#ASimpleRequestMethod">A Simple request Method</a><br>
<a href="#RequestQueues">Request Queues</a><br>
<a href="#QueueCreationAndDeletion">Queue creation and deletion</a><br>
<a href="#QueueingFunctions">Queueing functions</a><br>
<a href="#QueueControlFunctions">Queue control functions</a><br>
<a href="#TheAnatomyOfARequest">The Anatomy of a Request</a><br>
<a href="#TheBioStructure">The bio structure</a><br>
<a href="#RequestStructureFields">request structure fields</a><br>
<a href="#BarrierRequests">Barrier requests</a><br>
<a href="#NonretryableRequests">Nonretryable requests</a><br>
<a href="#RequestCompletionFunctions">Request Completion Functions</a><br>
<a href="#WorkingWithBios">Working with bios</a><br>
<a href="#BlockRequestsAndDMA">Block requests and DMA</a><br>
<a href="#DoingWithoutARequestQueue">Doing without a request queue</a><br>
<a href="#SomeOtherDetails">Some Other Details</a><br>
<a href="#CommandPrePreparation">Command Pre-Preparation</a><br>
<a href="#TaggedCommandQueueing">Tagged Command Queueing</a><br>
<a href="#QuickReference16">Quick Reference</a><br>
<br>
<a href="#CHAPTER17" class="toc">Chapter 17</a><br>
<a href="#NetworkDrivers" class="tocr">Network Drivers</a><br>
<br>
<a href="#HowSnullIsDesigned">How snull Is Designed</a><br>
<a href="#AssigningIPNumbers">Assigning IP Numbers</a><br>
<a href="#ThePhysicalTransportOfPackets">The Physical Transport of Packets</a><br>
<a href="#ConnectingToTheKernel">Connecting to the Kernel</a><br>
<a href="#DeviceRegistration17">Device Registration</a><br>
<a href="#InitializingEachDevice">Initializing Each Device</a><br>
<a href="#ModuleUnloading">Module Unloading</a><br>
<a href="#TheNetdeviceStructureInDetail">The net_device Structure in Detail</a><br>
<a href="#GlobalInformation">Global Information</a><br>
<a href="#HardwareInformation">Hardware Information</a><br>
<a href="#InterfaceInformation">Interface Information</a><br>
<a href="#TheDeviceMethods">The Device Methods</a><br>
<a href="#UtilityFields">Utility Fields</a><br>
<a href="#OpeningAndClosing">Opening and Closing</a><br>
<a href="#PacketTransmission">Packet Transmission</a><br>
<a href="#ControllingTransmissionConcurrency">Controlling Transmission Concurrency</a><br>
<a href="#TransmissionTimeouts">Transmission Timeouts</a><br>
<a href="#ScatterGatherIO">Scatter/Gather I/O</a><br>
<a href="#PacketReception">Packet Reception</a><br>
<a href="#TheInterruptHandler">The Interrupt Handler</a><br>
<a href="#ReceiveInterruptMitigation">Receive Interrupt Mitigation</a><br>
<a href="#ChangesInLinkState">Changes in Link State</a><br>
<a href="#TheSocketBuffers">The Socket Buffers</a><br>
<a href="#TheImportantFields">The Important Fields</a><br>
<a href="#FunctionsActingOnSocketBuffers">Functions Acting on Socket Buffers</a><br>
<a href="#MACAddressResolution">MAC Address Resolution</a><br>
<a href="#UsingARPWithEthernet">Using ARP with Ethernet</a><br>
<a href="#OverridingARP">Overriding ARP</a><br>
<a href="#NonEthernetHeaders">Non-Ethernet Headers</a><br>
<a href="#CustomIoctlCommands">Custom ioctl Commands</a><br>
<a href="#StatisticalInformation">Statistical Information</a><br>
<a href="#Multicast">Multicast</a><br>
<a href="#KernelSupportForMulticasting">Kernel Support for Multicasting</a><br>
<a href="#ATypicalImplementation">A Typical Implementation</a><br>
<a href="#AFewOtherDetails17">A Few Other Details</a><br>
<a href="#MediaIndependentInterfaceSupport">Media Independent Interface Support</a><br>
<a href="#EthtoolSupport">Ethtool Support</a><br>
<a href="#Netpoll">Netpoll</a><br>
<a href="#QuickReference17">Quick Reference</a><br>
<br>
<a href="#CHAPTER18" class="toc">Chapter 18</a><br>
<a href="#TTYDrivers" class="tocr">TTY Drivers</a><br>
<br>
<a href="#ASmallTTYDriver">A Small TTY Driver</a><br>
<a href="#StructTermios">struct termios</a><br>
<a href="#TtydriverFunctionPointers">tty_driver Function Pointers</a><br>
<a href="#OpenAndClose">open and close</a><br>
<a href="#FlowOfData">Flow of Data</a><br>
<a href="#OtherBufferingFunctions">Other Buffering Functions</a><br>
<a href="#NoReadFunction">No read Function?</a><br>
<a href="#TTYLineSettings">TTY Line Settings</a><br>
<a href="#Settermios">set_termios</a><br>
<a href="#TiocmgetAndTiocmset">tiocmget and tiocmset</a><br>
<a href="#Ioctls">ioctls</a><br>
<a href="#ProcAndSysfsHandlingOfTTYDevices">proc and sysfs Handling of TTY Devices</a><br>
<a href="#TheTtydriverStructureInDetail">The tty_driver Structure in Detail</a><br>
<a href="#TheTtyoperationsStructureInDetail">The tty_operations Structure in Detail</a><br>
<a href="#TheTtystructStructureInDetail">The tty_struct Structure in Detail</a><br>
<a href="#QuickReference18">Quick Reference</a><br>
</td></tr></table>
<br>
<div style="text-align:center;margin-left:.4in; margin-right:.4in; border:1px solid blue; padding:6px 12px;">To go directly to, say, page 467, add #467 to the URL, and press enter.</div>
<br>
<A name="xi"></a><font color="blue">PAGE xi</font><br>
<br>
<a name="Preface"></a><font color="red"><b>Preface</b></font><br>
<br>
This is, on the surface, a book about writing device drivers for the Linux system.
That is a worthy goal, of course; the flow of new hardware products is not likely to
slow down anytime soon, and somebody is going to have to make all those new gadgets
work with Linux. But this book is also about how the Linux kernel works and
how to adapt its workings to your needs or interests. Linux is an open system; with
this book, we hope, it is more open and accessible to a larger community of developers.<br>
<br>
This is the third edition of <i>Linux Device Drivers</i>. The kernel has changed greatly
since this book was first published, and we have tried to evolve the text to match.
This edition covers the 2.6.10 kernel as completely as we are able. We have, this time
around, elected to omit the discussion of backward compatibility with previous kernel
versions. The changes from 2.4 are simply too large, and the 2.4 interface
remains well documented in the (freely available) second edition.<br>
<br>
This edition contains quite a bit of new material relevant to the 2.6 kernel. The discussion
of locking and concurrency has been expanded and moved into its own
chapter. The Linux device model, which is new in 2.6, is covered in detail. There are
new chapters on the USB bus and the serial driver subsystem; the chapter on PCI has
also been enhanced. While the organization of the rest of the book resembles that of
the earlier editions, every chapter has been thoroughly updated.<br>
<br>
We hope you enjoy reading this book as much as we have enjoyed writing it.<br>
<br>
<a name="JonsIntroduction"></a><font color="red"><b>Jon's Introduction</b></font><br>
<br>
The publication of this edition coincides with my twelth year of working with Linux
and, shockingly, my twenty-fifth year in the computing field. Computing seemed like
a fast-moving field back in 1980, but things have sped up a lot since then. Keeping
<i>Linux Device Drivers </i>up to date is increasingly a challenge; the Linux kernel hackers
continue to improve their code, and they have little patience for documentation that
fails to keep up.<br>
<br>
<A name="xii"></a><font color="blue">PAGE xii</font><br>
<br>
Linux continues to succeed in the market and, more importantly, in the hearts and
minds of developers worldwide. The success of Linux is clearly a testament to its
technical quality and to the numerous benefits of free software in general. But the
true key to its success, in my opinion, lies in the fact that it has brought the fun back
to computing. With Linux, anybody can get their hands into the system and play in a
sandbox where contributions from any direction are welcome, but where technical
excellence is valued above all else. Linux not only provides us with a top-quality
operating system; it gives us the opportunity to be part of its future development and
to have fun while we're at it.<br>
<br>
In my 25 years in the field, I have had many interesting opportunities, from programming
the first Cray computers (in Fortran, on punch cards) to seeing the minicomputer
and Unix workstation waves, through to the current, microprocessor-dominated
era. Never, though, have I seen the field more full of life, opportunity,
and fun. Never have we had such control over our own tools and their evolution.
Linux, and free software in general, is clearly the driving force behind those changes.<br>
<br>
My hope is that this edition helps to bring that fun and opportunity to a new set of
Linux developers. Whether your interests are in the kernel or in user space, I hope
you find this book to be a useful and interesting guide to just how the kernel works
with the hardware. I hope it helps and inspires you to fire up your editor and to
make our shared, free operating system even better. Linux has come a long way, but
it is also just beginning; it will be more than interesting to watch--and participate
in--what happens from here.<br>
<br>
<a name="AlessandrosIntroduction"></a><font color="red"><b>Alessandro's Introduction</b></font><br>
<br>
I've always enjoyed computers because they can talk to external hardware. So, after
soldering my devices for the Apple II and the ZX Spectrum, backed with the Unix
and free software expertise the university gave me, I could escape the DOS trap by
installing GNU/Linux on a fresh new 386 and by turning on the soldering iron once
again.<br>
<br>
Back then, the community was a small one, and there wasn't much documentation
about writing drivers around, so I started writing for Linux Journal. That's how
things started: when I later discovered I didn't like writing papers, I left the univeristy
and found myself with an O'Reilly contract in my hands.<br>
<br>
That was in 1996. Ages ago.<br>
<br>
The computing world is different now: free software looks like a viable solution,
both technically and politically, but there's a lot of work to do in both realms. I hope
this book furthers two aims: spreading technical knowledge and raising awareness
about the need to spread knowledge. That's why, after the first edition proved interesting
to the public, the two authors of the second edition switched to a free license,<br>
<br>
<A name="xiii"></a><font color="blue">PAGE xiii</font><br>
<br>
supported by our editor and our publisher. I'm betting this is the right approach to
information, and it's great to team up with other people sharing this vision.<br>
<br>
I'm excited by what I witness in the embedded arena, and I hope this text helps by
doing more; but ideas are moving fast these days, and it's already time to plan for the
fourth edition, and look for a fourth author to help.<br>
<br>
<a name="GregsIntroduction"></a><font color="red"><b>Greg's Introduction</b></font><br>
<br>
It seems like a long time ago that I picked up the first edition of this <i>Linux Device
Drivers </i>book in order to figure out how to write a real Linux driver. That first edition
was a great guide to helping me understand the internals of this operating system
that I had already been using for a number of years but whose kernel had never
taken the time to look into. With the knowledge gained from that book, and by reading
other programmers' code already present in the kernel, my first horribly buggy,
broken, and very SMP-unsafe driver was accepted by the kernel community into the
main kernel tree. Despite receiving my first bug report five minutes later, I was
hooked on wanting to do as much as I could to make this operating system the best
it could possibly be.<br>
<br>
I am honored that I've had the ability to contribute to this book. I hope that it
enables others to learn the details about the kernel, discover that driver development
is not a scary or forbidding place, and possibly encourage others to join in and help
in the collective effort of making this operating system work on every computing
platform with every type of device available. The development procedure is fun, the
community is rewarding, and everyone benefits from the effort involved.<br>
<br>
Now it's back to making this edition obsolete by fixing current bugs, changing APIs
to work better and be simpler to understand for everyone, and adding new features.
Come along; we can always use the help.<br>
<br>
<a name="AudienceForThisBook"></a><font color="red"><b>Audience for This Book</b></font><br>
<br>
This book should be an interesting source of information both for people who want
to experiment with their computer and for technical programmers who face the need
to deal with the inner levels of a Linux box. Note that "a Linux box" is a wider concept
than "a PC running Linux," as many platforms are supported by our operating
system, and kernel programming is by no means bound to a specific platform. We
hope this book is useful as a starting point for people who want to become kernel
hackers but don't know where to start.<br>
<br>
On the technical side, this text should offer a hands-on approach to understanding
the kernel internals and some of the design choices made by the Linux developers.
Although the main, official target of the book is teaching how to write device drivers,
the material should give an interesting overview of the kernel implementation as well.<br>
<br>
<A name="xiv"></a><font color="blue">PAGE xiv</font><br>
<br>
Although real hackers can find all the necessary information in the official kernel
sources, usually a written text can be helpful in developing programming skills. The
text you are approaching is the result of hours of patient grepping through the kernel
sources, and we hope the final result is worth the effort it took.<br>
<br>
The Linux enthusiast should find in this book enough food for her mind to start
playing with the code base and should be able to join the group of developers that is
continuously working on new capabilities and performance enhancements. This
book does not cover the Linux kernel in its entirety, of course, but Linux device
driver authors need to know how to work with many of the kernel's subsystems.
Therefore, it makes a good introduction to kernel programming in general. Linux is
still a work in progress, and there's always a place for new programmers to jump into
the game.<br>
<br>
If, on the other hand, you are just trying to write a device driver for your own device,
and you don't want to muck with the kernel internals, the text should be modularized
enough to fit your needs as well. If you don't want to go deep into the details,
you can just skip the most technical sections, and stick to the standard API used by
device drivers to seamlessly integrate with the rest of the kernel.<br>
<br>
<a name="OrganizationOfTheMaterial"></a><font color="red"><b>Organization of the Material</b></font><br>
<br>
The book introduces its topics in ascending order of complexity and is divided into
two parts. The first part (Chapters 1-11) begins with the proper setup of kernel modules
and goes on to describe the various aspects of programming that you'll need in
order to write a full-featured driver for a char-oriented device. Every chapter covers a
distinct problem and includes a quick summary at the end, which can be used as a
reference during actual development.<br>
<br>
Throughout the first part of the book, the organization of the material moves roughly
from the software-oriented concepts to the hardware-related ones. This organization
is meant to allow you to test the software on your own computer as far as possible
without the need to plug external hardware into the machine. Every chapter includes
source code and points to sample drivers that you can run on any Linux computer.
In Chapters 9 and 10, however, we ask you to connect an inch of wire to the parallel
port in order to test out hardware handling, but this requirement should be manageable
by everyone.<br>
<br>
The second half of the book (Chapters 12-18) describes block drivers and network
interfaces and goes deeper into more advanced topics, such as working with the virtual
memory subsystem and with the PCI and USB buses. Many driver authors do
not need all of this material, but we encourage you to go on reading anyway. Much
of the material found there is interesting as a view into how the Linux kernel works,
even if you do not need it for a specific project.<br>
<br>
<A name="xv"></a><font color="blue">PAGE xv</font><br>
<br>
<a name="BackgroundInformation"></a><font color="red"><b>Background Information</b></font><br>
<br>
In order to be able to use this book, you need to be confident with C programming.
Some Unix expertise is needed as well, as we often refer to Unix semantics about system
calls, commands, and pipelines.<br>
<br>
At the hardware level, no previous expertise is required to understand the material in
this book, as long as the general concepts are clear in advance. The text isn't based
on specific PC hardware, and we provide all the needed information when we do
refer to specific hardware.<br>
<br>
Several free software tools are needed to build the kernel, and you often need specific
versions of these tools. Those that are too old can lack needed features, while
those that are too new can occasionally generate broken kernels. Usually, the tools
provided with any current distribution work just fine. Tool version requirements
vary from one kernel to the next; consult <i>Documentation/Changes </i>in the source tree
of the kernel you are using for exact requirements.<br>
<br>
<a name="OnlineVersionAndLicense"></a><font color="red"><b>Online Version and License</b></font><br>
<br>
<a href="http://www.oreilly.com/catalog/linuxdrive3" target="_blank"><i>http://www.oreilly.com/catalog/linuxdrive3</i></a><br>
<br>
The authors have chosen to make this book freely available under the Creative Commons
"Attribution-ShareAlike" license, Version 2.0:<br>
<br>
<div class="warn">
<b>Attribution-ShareAlike 2.0 <br>
<br>
You are free:</b><br>
<ul>
<li>to copy, distribute, display, and perform the work
<li>to make derivative works
<li>to make commercial use of the work
</ul>
<b>Under the following conditions:<br>
<br>
Attribution.</b> You must attribute the work in the manner specified by the author or licensor.<br>
<br>
<b>Share Alike.</b> If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.<br>
<ul>
<li>For any reuse or distribution, you must make clear to others the license terms of this work.
<li>Any of these conditions can be waived if you get permission from the copyright holder.
</ul>
Your fair use and other rights are in no way affected by the above.<br>
<br>
This is a human-readable summary of the Legal Code (<a href="http://creativecommons.org/licenses/by-sa/2.0/legalcode" target="_blank">the full license</a>).<br>
</div>
<br>
<a name="ConventionsUsedInThisBook"></a><font color="red"><b>Conventions Used in This Book</b></font><br>
<br>
The following is a list of the typographical conventions used in this book:<br>
<br>
<i>Italic</i><br>
<br>
Used for file and directory names, program and command names, command-line
options, URLs, and new terms<br>
<br>
<font class="fixd">Constant Width</font><br>
<br>
Used in examples to show the contents of files or the output from commands,
and in the text to indicate words that appear in C code or other literal strings<br>
<br>
<font class="fixd"><i>Constant Width Italic</i></font><br>
<br>
Used to indicate text within commands that the user replaces with an actual
value<br>
<br>
<font class="fixd"><b>Constant Width Bold</b></font><br>
<br>
Used in examples to show commands or other text that should be typed literally by the user<br>
<br>
<A name="xvi"></a><font color="blue">PAGE xvi</font><br>
<br>
Pay special attention to notes set apart from the text as following:<br>
<br>
<div class="tip">This is a tip. It contains useful supplementary information about the topic at hand.</div>
<br>
<div class="warn">This is a warning. It helps you solve and avoid annoying problems.</div>
<br>
<a name="UsingCodeExamplesbr"></a><font color="red"><b>Using Code Examples</b></font><br>
<br>
This book is here to help you get your job done. In general, you may use the code in
this book in your programs and documentation. The code samples are covered by a dual BSD/GPL license.<br>
<br>
We appreciate, but do not require, attribution. An attribution usually includes the
title, author, publisher, and ISBN. For example: "<i>Linux Device Drivers</i>, Third Edition,
by Jonathan Corbet, Alessandro Rubini, and Greg Kroah-Hartman. Copyright
2005 O'Reilly Media, Inc., 0-596-00590-3."<br>
<br>
<a name="WedLikeToHearFromYou"></a><font color="red"><b>We'd Like to Hear from You</b></font><br>
<br>
Please address comments and questions concerning this book to the publisher:<br>
<br>
<div class="bq">O'Reilly Media, Inc.<br>
1005 Gravenstein Highway<br>
North Sebastopol, CA 95472<br>
(800) 998-9938 (in the United States or Canada)<br>
(707) 829-0515 (international or local)<br>
(707) 829-0104 (fax)</div>
<br>
We have a web page for this book, where we list errata, examples, and any additional
information. You can access this page at:<br>
<br>
<a href="http://www.oreilly.com/catalog/linuxdrive3" target="_blank"><i>http://www.oreilly.com/catalog/linuxdrive3</i></a><br>
<br>
To comment or ask technical questions about this book, send email to:<br>
<br>
<a href="mailto:bookquestions@oreilly.com" target="_blank"><i>bookquestions@oreilly.com</i></a><br>
<br>
For more information about our books, conferences, Resource Centers, and the
O'Reilly Network, see our web site at:<br>
<br>
<a href="http://www.oreilly.com" target="_blank"><i>http://www.oreilly.com</i></a><br>
<br>
<a name="SafariEnabled"></a><font color="red"><b>Safari Enabled</b></font><br>
<br>
When you see a Safari® Enabled icon on the cover of your favorite technology
book, that means the book is available online through the
O'Reilly Network Safari Bookshelf.<br>
<br>
Safari offers a solution that's better than e-books. It's a virtual library that lets you
easily search thousands of top tech books, cut and paste code samples, download
chapters, and find quick answers when you need the most accurate, current information.
Try it for free at <a href="http://safari.oreilly.com" target="_blank"><i>http://safari.oreilly.com</i></a>.<br>
<br>
<a name="Acknowledgments"></a><font color="red"><b>Acknowledgments</b></font><br>
<br>
This book, of course, was not written in a vacuum; we would like to thank the many
people who have helped to make it possible.<br>
<br>
Thanks to our editor, Andy Oram; this book is a vastly better product as a result of
his efforts. And obviously we owe a lot to the smart people who have laid the philosophical
and practical foundations of the current free software renaissance.<br>
<br>
The first edition was technically reviewed by Alan Cox, Greg Hankins, Hans Lermen,
Heiko Eissfeldt, and Miguel de Icaza (in alphabetic order by first name). The
technical reviewers for the second edition were Allan B. Cruse, Christian Morgner,
Jake Edge, Jeff Garzik, Jens Axboe, Jerry Cooperstein, Jerome Peter Lynch, Michael
Kerrisk, Paul Kinzelman, and Raph Levien. Reviewers for the third edition were
Allan B. Cruse, Christian Morgner, James Bottomley, Jerry Cooperstein, Patrick
Mochel, Paul Kinzelman, and Robert Love. Together, these people have put a vast
amount of effort into finding problems and pointing out possible improvements to
our writing.<br>
<br>
Last but certainly not least, we thank the Linux developers for their relentless work.
This includes both the kernel programmers and the user-space people, who often get
forgotten. In this book, we chose never to call them by name in order to avoid being
unfair to someone we might forget. We sometimes made an exception to this rule
and called Linus by name; we hope he doesn't mind.<br>
<br>
<a name="Jon"></a><font color="red"><b>Jon</b></font><br>
<br>
I must begin by thanking my wife Laura and my children Michele and Giulia for filling
my life with joy and patiently putting up with my distraction while working on
this edition. The subscribers of LWN.net have, through their generosity, enabled
much of this work to happen. The Linux kernel developers have done me a great service
by letting me be a part of their community, answering my questions, and setting
me straight when I got confused. Thanks are due to readers of the second edition of
this book whose comments, offered at Linux gatherings over much of the world,<br>
<br>
<A name="xviii"></a><font color="blue">PAGE xviii</font><br>
<br>
have been gratifying and inspiring. And I would especially like to thank Alessandro
Rubini for starting this whole exercise with the first edition (and staying with it
through the current edition); and Greg Kroah-Hartman, who has brought his considerable
skills to bear on several chapters, with great results.<br>
<br>
<a name="Alessandro"></a><font color="red"><b>Alessandro</b></font><br>
<br>
I would like to thank the people that made this work possible. First of all, the incredible
patience of Federica, who went as far as letting me review the first edition during
our honeymoon, with a laptop in the tent. I want to thank Giorgio and Giulia,
who have been involved in later editions of the book and happily accepted to be sons
of "a gnu" who often works late in the night. I owe a lot to all the free-software
authors who actually taught me how to program by making their work available for
anyone to study. But for this edition, I'm mostly grateful to Jon and Greg, who have
been great mates in this work; it couldn't have existed without each and both of
them, as the code base is bigger and tougher, while my time is a scarcer resource,
always contended for by clients, free software issues, and expired deadlines. Jon has
been a great leader for this edition; both have been very productive and technically
invaluable in supplementing my small-scale and embedded view toward programming
with their expertise about SMP and number crunchers.<br>
<br>
<a name="Greg"></a><font color="red"><b>Greg</b></font><br>
<br>
I would like to thank my wife Shannon and my children Madeline and Griffin for
their understanding and patience while I took the time to work on this book. If it
were not for their support of my original Linux development efforts, I would not be
able to do this book at all. Thanks also to Alessandro and Jon for offering to let me
work on this book; I am honored that they let me participate in it. Much gratitude is
given to all of the Linux kernel programmers, who were unselfish enough to write
code in the public view, so that I and others could learn so much from just reading it.
Also, for everyone who has ever sent me bug reports, critiqued my code, and flamed
me for doing stupid things, you have all taught me so much about how to be a better
programmer and, throughout it all, made me feel very welcome to be part of this
community. Thank you.<br>
<br>
<A name="1"></a><font color="blue">PAGE 1</font><br>
<br>
<a name="CHAPTER1"></a><font color="red"><b>CHAPTER 1</b></font><br>
<br>
<a name="AnIntroductionToDeviceDrivers"></a><font color="#7519FF" size="+1"><b>An Introduction to Device Drivers</b></font><br>
<br>
One of the many advantages of free operating systems, as typified by Linux, is that
their internals are open for all to view. The operating system, once a dark and mysterious
area whose code was restricted to a small number of programmers, can now be
readily examined, understood, and modified by anybody with the requisite skills.
Linux has helped to democratize operating systems. The Linux kernel remains a
large and complex body of code, however, and would-be kernel hackers need an
entry point where they can approach the code without being overwhelmed by complexity.
Often, device drivers provide that gateway.<br>
<br>
Device drivers take on a special role in the Linux kernel. They are distinct "black
boxes" that make a particular piece of hardware respond to a well-defined internal
programming interface; they hide completely the details of how the device works.
User activities are performed by means of a set of standardized calls that are independent
of the specific driver; mapping those calls to device-specific operations that act
on real hardware is then the role of the device driver. This programming interface is
such that drivers can be built separately from the rest of the kernel and "plugged in"
at runtime when needed. This modularity makes Linux drivers easy to write, to the
point that there are now hundreds of them available.<br>
<br>
There are a number of reasons to be interested in the writing of Linux device drivers.
The rate at which new hardware becomes available (and obsolete!) alone guarantees
that driver writers will be busy for the foreseeable future. Individuals may need to
know about drivers in order to gain access to a particular device that is of interest to
them. Hardware vendors, by making a Linux driver available for their products, can
add the large and growing Linux user base to their potential markets. And the open
source nature of the Linux system means that if the driver writer wishes, the source
to a driver can be quickly disseminated to millions of users.<br>
<br>
This book teaches you how to write your own drivers and how to hack around in
related parts of the kernel. We have taken a device-independent approach; the programming
techniques and interfaces are presented, whenever possible, without being
tied to any specific device. Each driver is different; as a driver writer, you need to<br>
<br>
<A name="2"></a><font color="blue">PAGE 2</font><br>
<br>
understand your specific device well. But most of the principles and basic techniques
are the same for all drivers. This book cannot teach you about your device,
but it gives you a handle on the background you need to make your device work.<br>
<br>
As you learn to write drivers, you find out a lot about the Linux kernel in general;
this may help you understand how your machine works and why things aren't
always as fast as you expect or don't do quite what you want. We introduce new
ideas gradually, starting off with very simple drivers and building on them; every new
concept is accompanied by sample code that doesn't need special hardware to be
tested.<br>
<br>
This chapter doesn't actually get into writing code. However, we introduce some
background concepts about the Linux kernel that you'll be glad you know later,
when we do launch into programming.<br>
<br>
<a name="TheRoleOfTheDeviceDriver"></a><font color="red"><b>The Role of the Device Driver</b></font><br>
<br>
As a programmer, you are able to make your own choices about your driver, and
choose an acceptable trade-off between the programming time required and the flexibility
of the result. Though it may appear strange to say that a driver is "flexible," we
like this word because it emphasizes that the role of a device driver is providing
<i>mechanism</i>, not <i>policy</i>.<br>
<br>
The distinction between mechanism and policy is one of the best ideas behind the
Unix design. Most programming problems can indeed be split into two parts: "what
capabilities are to be provided" (the mechanism) and "how those capabilities can be
used" (the policy). If the two issues are addressed by different parts of the program,
or even by different programs altogether, the software package is much easier to
develop and to adapt to particular needs.<br>
<br>
For example, Unix management of the graphic display is split between the X server,
which knows the hardware and offers a unified interface to user programs, and the
window and session managers, which implement a particular policy without knowing
anything about the hardware. People can use the same window manager on different
hardware, and different users can run different configurations on the same
workstation. Even completely different desktop environments, such as KDE and
GNOME, can coexist on the same system. Another example is the layered structure
of TCP/IP networking: the operating system offers the socket abstraction, which
implements no policy regarding the data to be transferred, while different servers are
in charge of the services (and their associated policies). Moreover, a server like <i>ftpd
</i>provides the file transfer mechanism, while users can use whatever client they prefer;
both command-line and graphic clients exist, and anyone can write a new user interface
to transfer files.<br>
<br>
Where drivers are concerned, the same separation of mechanism and policy applies.
The floppy driver is policy free--its role is only to show the diskette as a continuous<br>
<br>
<A name="3"></a><font color="blue">PAGE 3</font><br>
<br>
array of data blocks. Higher levels of the system provide policies, such as who may
access the floppy drive, whether the drive is accessed directly or via a filesystem, and
whether users may mount filesystems on the drive. Since different environments usually
need to use hardware in different ways, it's important to be as policy free as
possible.<br>
<br>
When writing drivers, a programmer should pay particular attention to this fundamental
concept: write kernel code to access the hardware, but don't force particular
policies on the user, since different users have different needs. The driver should deal
with making the hardware available, leaving all the issues about <i>how </i>to use the hardware
to the applications. A driver, then, is flexible if it offers access to the hardware
capabilities without adding constraints. Sometimes, however, some policy decisions
must be made. For example, a digital I/O driver may only offer byte-wide access to
the hardware in order to avoid the extra code needed to handle individual bits.<br>
<br>
You can also look at your driver from a different perspective: it is a software layer
that lies between the applications and the actual device. This privileged role of the
driver allows the driver programmer to choose exactly how the device should appear:
different drivers can offer different capabilities, even for the same device. The actual
driver design should be a balance between many different considerations. For
instance, a single device may be used concurrently by different programs, and the
driver programmer has complete freedom to determine how to handle concurrency.
You could implement memory mapping on the device independently of its hardware
capabilities, or you could provide a user library to help application programmers
implement new policies on top of the available primitives, and so forth. One major
consideration is the trade-off between the desire to present the user with as many
options as possible and the time you have to write the driver, as well as the need to
keep things simple so that errors don't creep in.<br>
<br>
Policy-free drivers have a number of typical characteristics. These include support for
both synchronous and asynchronous operation, the ability to be opened multiple
times, the ability to exploit the full capabilities of the hardware, and the lack of software
layers to "simplify things" or provide policy-related operations. Drivers of this
sort not only work better for their end users, but also turn out to be easier to write
and maintain as well. Being policy-free is actually a common target for software
designers.<br>
<br>
Many device drivers, indeed, are released together with user programs to help with
configuration and access to the target device. Those programs can range from simple
utilities to complete graphical applications. Examples include the <i>tunelp </i>program,
which adjusts how the parallel port printer driver operates, and the graphical <i>cardctl
</i>utility that is part of the PCMCIA driver package. Often a client library is provided as
well, which provides capabilities that do not need to be implemented as part of the
driver itself.<br>
<br>
<A name="4"></a><font color="blue">PAGE 4</font><br>
<br>
The scope of this book is the kernel, so we try not to deal with policy issues or with
application programs or support libraries. Sometimes we talk about different policies
and how to support them, but we won't go into much detail about programs
using the device or the policies they enforce. You should understand, however, that
user programs are an integral part of a software package and that even policy-free
packages are distributed with configuration files that apply a default behavior to the
underlying mechanisms.<br>
<br>
<a name="SplittingTheKernel"></a><font color="red"><b>Splitting the Kernel</b></font><br>
<br>
In a Unix system, several concurrent <i>processes </i>attend to different tasks. Each process
asks for system resources, be it computing power, memory, network connectivity, or
some other resource. The <i>kernel </i>is the big chunk of executable code in charge of handling
all such requests. Although the distinction between the different kernel tasks
isn't always clearly marked, the kernel's role can be split (as shown in Figure 1-1)
into the following parts:<br>
<br>
<i>Process management</i><br>
<br>
The kernel is in charge of creating and destroying processes and handling their
connection to the outside world (input and output). Communication among different
processes (through signals, pipes, or interprocess communication primitives)
is basic to the overall system functionality and is also handled by the
kernel. In addition, the scheduler, which controls how processes share the CPU,
is part of process management. More generally, the kernel's process management
activity implements the abstraction of several processes on top of a single
CPU or a few of them.<br>
<br>
<i>Memory management</i><br>
<br>
The computer's memory is a major resource, and the policy used to deal with it
is a critical one for system performance. The kernel builds up a virtual addressing
space for any and all processes on top of the limited available resources. The
different parts of the kernel interact with the memory-management subsystem
through a set of function calls, ranging from the simple <i>malloc</i>/<i>free </i>pair to much
more complex functionalities.<br>
<br>
<i>Filesystems</i><br>
<br>
Unix is heavily based on the filesystem concept; almost everything in Unix can
be treated as a file. The kernel builds a structured filesystem on top of unstructured
hardware, and the resulting file abstraction is heavily used throughout the
whole system. In addition, Linux supports multiple filesystem types, that is, different
ways of organizing data on the physical medium. For example, disks may
be formatted with the Linux-standard ext3 filesystem, the commonly used FAT
filesystem or several others.<br>
<br>
<A name="5"></a><font color="blue">PAGE 5</font><br>
<br>
<i>Device control</i><br>
<br>
Almost every system operation eventually maps to a physical device. With the
exception of the processor, memory, and a very few other entities, any and all
device control operations are performed by code that is specific to the device
being addressed. That code is called a <i>device driver</i>. The kernel must have
embedded in it a device driver for every peripheral present on a system, from the
hard drive to the keyboard and the tape drive. This aspect of the kernel's functions
is our primary interest in this book.<br>
<br>
<i>Networking</i><br>
<br>
Networking must be managed by the operating system, because most network
operations are not specific to a process: incoming packets are asynchronous
events. The packets must be collected, identified, and dispatched before a process
takes care of them. The system is in charge of delivering data packets across
program and network interfaces, and it must control the execution of programs
according to their network activity. Additionally, all the routing and address resolution
issues are implemented within the kernel.<br>
<br>
<a name="LoadableModules"></a><font color="red"><b>Loadable Modules</b></font><br>
<br>
One of the good features of Linux is the ability to extend at runtime the set of features
offered by the kernel. This means that you can add functionality to the kernel
(and remove functionality as well) while the system is up and running.<br>
<br>
Each piece of code that can be added to the kernel at runtime is called a <i>module</i>. The
Linux kernel offers support for quite a few different types (or classes) of modules,
including, but not limited to, device drivers. Each module is made up of object code
(not linked into a complete executable) that can be dynamically linked to the running
kernel by the <i>insmod</i> program and can be unlinked by the <i>rmmod</i> program.<br>
<br>
Figure 1-1 identifies different classes of modules in charge of specific tasks--a module
is said to belong to a specific class according to the functionality it offers. The
placement of modules in Figure 1-1 covers the most important classes, but is far from
complete because more and more functionality in Linux is being modularized.<br>
<br>
<a name="ClassesOfDevicesAndModules"></a><font color="red"><b>Classes of Devices and Modules</b></font><br>
<br>
The Linux way of looking at devices distinguishes between three fundamental device
types. Each module usually implements one of these types, and thus is classifiable as a
<i>char module</i>, a <i>block module</i>, or a <i>network module</i>. This division of modules into different
types, or classes, is not a rigid one; the programmer can choose to build huge
modules implementing different drivers in a single chunk of code. Good programmers,
nonetheless, usually create a different module for each new functionality they
implement, because decomposition is a key element of scalability and extendability.<br>
<br>
<A name="6"></a><font color="blue">PAGE 6</font><br>
<br>
<center>
<img src="fig1-1.gif">
</center>
<br>
<i>Figure 1-1. A split view of the kernel</i><br>
<br>
The three classes are:<br>
<br>
<i>Character devices</i><br>
<br>
A character (char) device is one that can be accessed as a stream of bytes (like a
file); a char driver is in charge of implementing this behavior. Such a driver usually
implements at least the <i>open</i>, <i>close</i>, <i>read</i>, and <i>write </i>system calls. The text
console (<i>/dev/console</i>) and the serial ports (<i>/dev/ttyS0 </i>and friends) are examples
of char devices, as they are well represented by the stream abstraction. Char
devices are accessed by means of filesystem nodes, such as <i>/dev/tty1 </i>and <i>/dev/lp0</i>.
The only relevant difference between a char device and a regular file is that you
can always move back and forth in the regular file, whereas most char devices
are just data channels, which you can only access sequentially. There exist,
nonetheless, char devices that look like data areas, and you can move back and
forth in them; for instance, this usually applies to frame grabbers, where the
applications can access the whole acquired image using <i>mmap</i> or <i>lseek</i>.<br>
<br>
<A name="7"></a><font color="blue">PAGE 7</font><br>
<br>
<i>Block devices</i><br>
<br>
Like char devices, block devices are accessed by filesystem nodes in the <i>/dev
</i>directory. A block device is a device (e.g., a disk) that can host a filesystem. In
most Unix systems, a block device can only handle I/O operations that transfer
one or more whole blocks, which are usually 512 bytes (or a larger power of
two) bytes in length. Linux, instead, allows the application to read and write a
block device like a char device--it permits the transfer of any number of bytes at
a time. As a result, block and char devices differ only in the way data is managed
internally by the kernel, and thus in the kernel/driver software interface. Like a
char device, each block device is accessed through a filesystem node, and the difference
between them is transparent to the user. Block drivers have a completely
different interface to the kernel than char drivers.<br>
<br>
<i>Network interfaces</i><br>
<br>
Any network transaction is made through an interface, that is, a device that is
able to exchange data with other hosts. Usually, an <i>interface </i>is a hardware
device, but it might also be a pure software device, like the loopback interface. A
network interface is in charge of sending and receiving data packets, driven by
the network subsystem of the kernel, without knowing how individual transactions
map to the actual packets being transmitted. Many network connections
(especially those using TCP) are stream-oriented, but network devices are, usually,
designed around the transmission and receipt of packets. A network driver
knows nothing about individual connections; it only handles packets.<br>
<br>
Not being a stream-oriented device, a network interface isn't easily mapped to a
node in the filesystem, as <i>/dev/tty1 </i>is. The Unix way to provide access to interfaces
is still by assigning a unique name to them (such as eth0), but that name
doesn't have a corresponding entry in the filesystem. Communication between
the kernel and a network device driver is completely different from that used
with char and block drivers. Instead of <i>read </i>and <i>write</i>, the kernel calls functions
related to packet transmission.<br>
<br>
There are other ways of classifying driver modules that are orthogonal to the above
device types. In general, some types of drivers work with additional layers of kernel
support functions for a given type of device. For example, one can talk of universal
serial bus (USB) modules, serial modules, SCSI modules, and so on. Every USB
device is driven by a USB module that works with the USB subsystem, but the device
itself shows up in the system as a char device (a USB serial port, say), a block device
(a USB memory card reader), or a network device (a USB Ethernet interface).<br>
<br>
Other classes of device drivers have been added to the kernel in recent times, including
FireWire drivers and I2C drivers. In the same way that they handled USB and
SCSI drivers, kernel developers collected class-wide features and exported them to
driver implementers to avoid duplicating work and bugs, thus simplifying and
strengthening the process of writing such drivers.<br>
<br>
<A name="8"></a><font color="blue">PAGE 8</font><br>
<br>
In addition to device drivers, other functionalities, both hardware and software, are
modularized in the kernel. One common example is filesystems. A filesystem type
determines how information is organized on a block device in order to represent a
tree of directories and files. Such an entity is not a device driver, in that there's no
explicit device associated with the way the information is laid down; the filesystem
type is instead a software driver, because it maps the low-level data structures to
high-level data structures. It is the filesystem that determines how long a filename
can be and what information about each file is stored in a directory entry. The filesystem
module must implement the lowest level of the system calls that access directories
and files, by mapping filenames and paths (as well as other information, such
as access modes) to data structures stored in data blocks. Such an interface is completely
independent of the actual data transfer to and from the disk (or other
medium), which is accomplished by a block device driver.<br>
<br>
If you think of how strongly a Unix system depends on the underlying filesystem,
you'll realize that such a software concept is vital to system operation. The ability to
decode filesystem information stays at the lowest level of the kernel hierarchy and is
of utmost importance; even if you write a block driver for your new CD-ROM, it is
useless if you are not able to run <i>ls </i>or <i>cp </i>on the data it hosts. Linux supports the concept
of a filesystem module, whose software interface declares the different operations
that can be performed on a filesystem inode, directory, file, and superblock. It's
quite unusual for a programmer to actually need to write a filesystem module,
because the official kernel already includes code for the most important filesystem
types.<br>
<br>
<a name="SecurityIssues"></a><font color="red"><b>Security Issues</b></font><br>
<br>
Security is an increasingly important concern in modern times. We will discuss security-related
issues as they come up throughout the book. There are a few general concepts,
however, that are worth mentioning now.<br>
<br>
Any security check in the system is enforced by kernel code. If the kernel has security
holes, then the system as a whole has holes. In the official kernel distribution,
only an authorized user can load modules; the system call <i>init_module </i>checks if the
invoking process is authorized to load a module into the kernel. Thus, when running
an official kernel, only the superuser,* or an intruder who has succeeded in
becoming privileged, can exploit the power of privileged code.<br>
<br>
When possible, driver writers should avoid encoding security policy in their code.
Security is a policy issue that is often best handled at higher levels within the kernel,
under the control of the system administrator. There are always exceptions, however.<br>
<br>
* Technically, only somebody with the <font class="fixd">CAP_SYS_MODULE</font> capability 
can perform this operation. We discuss capabilities in Chapter 6.<br>
<br>
<A name="9"></a><font color="blue">PAGE 9</font><br>
<br>
As a device driver writer, you should be aware of situations in which some types of
device access could adversely affect the system as a whole and should provide adequate
controls. For example, device operations that affect global resources (such as
setting an interrupt line), which could damage the hardware (loading firmware, for
example), or that could affect other users (such as setting a default block size on a
tape drive), are usually only available to sufficiently privileged users, and this check
must be made in the driver itself.<br>
<br>
Driver writers must also be careful, of course, to avoid introducing security bugs.
The C programming language makes it easy to make several types of errors. Many
current security problems are created, for example, by <i>buffer overrun </i>errors, in which
the programmer forgets to check how much data is written to a buffer, and data ends
up written beyond the end of the buffer, thus overwriting unrelated data. Such errors
can compromise the entire system and must be avoided. Fortunately, avoiding these
errors is usually relatively easy in the device driver context, in which the interface to
the user is narrowly defined and highly controlled.<br>
<br>
Some other general security ideas are worth keeping in mind. Any input received
from user processes should be treated with great suspicion; never trust it unless you
can verify it. Be careful with uninitialized memory; any memory obtained from the
kernel should be zeroed or otherwise initialized before being made available to a user
process or device. Otherwise, information leakage (disclosure of data, passwords,
etc.) could result. If your device interprets data sent to it, be sure the user cannot
send anything that could compromise the system. Finally, think about the possible
effect of device operations; if there are specific operations (e.g., reloading the firmware
on an adapter board or formatting a disk) that could affect the system, those
operations should almost certainly be restricted to privileged users.<br>
<br>
Be careful, also, when receiving software from third parties, especially when the kernel
is concerned: because everybody has access to the source code, everybody can
break and recompile things. Although you can usually trust precompiled kernels
found in your distribution, you should avoid running kernels compiled by an
untrusted friend--if you wouldn't run a precompiled binary as root, then you'd better
not run a precompiled kernel. For example, a maliciously modified kernel could
allow anyone to load a module, thus opening an unexpected back door via <i>init_module</i>.<br>
<br>
Note that the Linux kernel can be compiled to have no module support whatsoever,
thus closing any module-related security holes. In this case, of course, all needed
drivers must be built directly into the kernel itself. It is also possible, with 2.2 and
later kernels, to disable the loading of kernel modules after system boot via the capability
mechanism.<br>
<br>
<A name="10"></a><font color="blue">PAGE 10</font><br>
<br>
<a name="VersionNumbering"></a><font color="red"><b>Version Numbering</b></font><br>
<br>
Before digging into programming, we should comment on the version numbering
scheme used in Linux and which versions are covered by this book.<br>
<br>
First of all, note that <i>every </i>software package used in a Linux system has its own
release number, and there are often interdependencies across them: you need a particular
version of one package to run a particular version of another package. The
creators of Linux distributions usually handle the messy problem of matching packages,
and the user who installs from a prepackaged distribution doesn't need to deal
with version numbers. Those who replace and upgrade system software, on the other
hand, are on their own in this regard. Fortunately, almost all modern distributions
support the upgrade of single packages by checking interpackage dependencies; the
distribution's package manager generally does not allow an upgrade until the dependencies
are satisfied.<br>
<br>
To run the examples we introduce during the discussion, you won't need particular
versions of any tool beyond what the 2.6 kernel requires; any recent Linux distribution
can be used to run our examples. We won't detail specific requirements,
because the file <i>Documentation/Changes </i>in your kernel sources is the best source of
such information if you experience any problems.<br>
<br>
As far as the kernel is concerned, the even-numbered kernel versions (i.e., 2.6.<i>x</i>) are
the stable ones that are intended for general distribution. The odd versions (such as
2.7.<i>x</i>), on the contrary, are development snapshots and are quite ephemeral; the latest
of them represents the current status of development, but becomes obsolete in a
few days or so.<br>
<br>
This book covers Version 2.6 of the kernel. Our focus has been to show all the features
available to device driver writers in 2.6.10, the current version at the time we
are writing. This edition of the book does not cover prior versions of the kernel. For
those of you who are interested, the second edition covered Versions 2.0 through 2.4
in detail. That edition is still available online at <a href="http://lwn.net/Kernel/LDD2/" target="_blank"><i>http://lwn.net/Kernel/LDD2/</i></a>.<br>
<br>
Kernel programmers should be aware that the development process changed with 2.6.
The 2.6 series is now accepting changes that previously would have been considered
too large for a "stable" kernel. Among other things, that means that internal kernel
programming interfaces can change, thus potentially obsoleting parts of this book;
for this reason, the sample code accompanying the text is known to work with 2.6.10,
but some modules don't compile under earlier versions. Programmers wanting to
keep up with kernel programming changes are encouraged to join the mailing lists
and to make use of the web sites listed in the bibliography. There is also a web page
maintained at <a href="http://lwn.net/Articles/2.6-kernel-api/" target="_blank"><i>http://lwn.net/Articles/2.6-kernel-api/</i></a>, which contains information
about API changes that have happened since this book was published.<br>
<br>
<A name="11"></a><font color="blue">PAGE 11</font><br>
<br>
This text doesn't talk specifically about odd-numbered kernel versions. General users
never have a reason to run development kernels. Developers experimenting with new
features, however, want to be running the latest development release. They usually
keep upgrading to the most recent version to pick up bug fixes and new implementations
of features. Note, however, that there's no guarantee on experimental kernels,*
and nobody helps you if you have problems due to a bug in a noncurrent odd-numbered
kernel. Those who run odd-numbered versions of the kernel are usually skilled
enough to dig in the code without the need for a textbook, which is another reason
why we don't talk about development kernels here.<br>
<br>
Another feature of Linux is that it is a platform-independent operating system, not
just "a Unix clone for PC clones" anymore: it currently supports some 20 architectures.
This book is platform independent as far as possible, and all the code samples
have been tested on at least the x86 and x86-64 platforms. Because the code has been
tested on both 32-bit and 64-bit processors, it should compile and run on all other
platforms. As you might expect, the code samples that rely on particular hardware
don't work on all the supported platforms, but this is always stated in the source
code.<br>
<br>
<a name="LicenseTerms"></a><font color="red"><b>License Terms</b></font><br>
<br>
Linux is licensed under Version 2 of the GNU General Public License (GPL), a document
devised for the GNU project by the Free Software Foundation. The GPL allows
anybody to redistribute, and even sell, a product covered by the GPL, as long as the
recipient has access to the source and is able to exercise the same rights. Additionally,
any software product derived from a product covered by the GPL must, if it is
redistributed at all, be released under the GPL.<br>
<br>
The main goal of such a license is to allow the growth of knowledge by permitting
everybody to modify programs at will; at the same time, people selling software to
the public can still do their job. Despite this simple objective, there's a never-ending
discussion about the GPL and its use. If you want to read the license, you can find it
in several places in your system, including the top directory of your kernel source
tree in the <i>COPYING </i>file.<br>
<br>
Vendors often ask whether they can distribute kernel modules in binary form only.
The answer to that question has been deliberately left ambiguous. Distribution of
binary modules--as long as they adhere to the published kernel interface--has been
tolerated so far. But the copyrights on the kernel are held by many developers, and
not all of them agree that kernel modules are not derived products. If you or your
employer wish to distribute kernel modules under a nonfree license, you really need<br>
<br>
* Note that there's no guarantee on even-numbered kernels as well, unless you rely 
on a commercial provider that grants its own warranty.<br>
<br>
<A name="12"></a><font color="blue">PAGE 12</font><br>
<br>
to discuss the situation with your legal counsel. Please note also that the kernel
developers have no qualms against breaking binary modules between kernel releases,
even in the middle of a stable kernel series. If it is at all possible, both you and your
users are better off if you release your module as free software.<br>
<br>
If you want your code to go into the mainline kernel, or if your code requires patches
to the kernel, you <i>must </i>use a GPL-compatible license as soon as you release the code.
Although personal use of your changes doesn't force the GPL on you, if you distribute
your code, you must include the source code in the distribution--people acquiring
your package must be allowed to rebuild the binary at will.<br>
<br>
As far as this book is concerned, most of the code is freely redistributable, either in
source or binary form, and neither we nor O'Reilly retain any right on any derived
works. All the programs are available at <br>
<br>
<a href="ftp://ftp.ora.com/pub/examples/linux/drivers/" target="_blank"><i>ftp://ftp.ora.com/pub/examples/linux/drivers/</i></a>,<br>
<br>
and the exact license terms are stated in the <i>LICENSE</i> file in the same directory.<br>
<br>
<a name="JoiningTheKernelDevelopmentCommunity"></a><font color="red"><b>Joining the Kernel Development Community</b></font><br>
<br>
As you begin writing modules for the Linux kernel, you become part of a larger community
of developers. Within that community, you can find not only people engaged
in similar work, but also a group of highly committed engineers working toward
making Linux a better system. These people can be a source of help, ideas, and critical
review as well--they will be the first people you will likely turn to when you are
looking for testers for a new driver.<br>
<br>
The central gathering point for Linux kernel developers is the <i>linux-kernel </i>mailing
list. All major kernel developers, from Linus Torvalds on down, subscribe to this list.
Please note that the list is not for the faint of heart: traffic as of this writing can run
up to 200 messages per day or more. Nonetheless, following this list is essential for
those who are interested in kernel development; it also can be a top-quality resource
for those in need of kernel development help.<br>
<br>
To join the linux-kernel list, follow the instructions found in the linux-kernel mailing
list FAQ:<br>
<br>
<a href="http://www.tux.org/lkml" target="_blank"><i>http://www.tux.org/lkml</i></a>.<br>
<br>
Read the rest of the FAQ while you are at it;
there is a great deal of useful information there. Linux kernel developers are busy
people, and they are much more inclined to help people who have clearly done their
homework first.<br>
<br>
<a name="OverviewOfTheBook"></a><font color="red"><b>Overview of the Book</b></font><br>
<br>
From here on, we enter the world of kernel programming. Chapter 2 introduces
modularization, explaining the secrets of the art and showing the code for running
modules. Chapter 3 talks about char drivers and shows the complete code for a<br>
<br>
<A name="13"></a><font color="blue">PAGE 13</font><br>
<br>
memory-based device driver that can be read and written for fun. Using memory as
the hardware base for the device allows anyone to run the sample code without the
need to acquire special hardware.<br>
<br>
Debugging techniques are vital tools for the programmer and are introduced in
Chapter 4. Equally important for those who would hack on contemporary kernels is
the management of concurrency and race conditions. Chapter 5 concerns itself with
the problems posed by concurrent access to resources and introduces the Linux
mechanisms for controlling concurrency.<br>
<br>
With debugging and concurrency management skills in place, we move to advanced
features of char drivers, such as blocking operations, the use of <i>select</i>, and the important
<i>ioctl</i> call; these topics are the subject of Chapter 6.<br>
<br>
Before dealing with hardware management, we dissect a few more of the kernel's
software interfaces: Chapter 7 shows how time is managed in the kernel, and
Chapter 8 explains memory allocation.<br>
<br>
Next we focus on hardware. Chapter 9 describes the management of I/O ports and
memory buffers that live on the device; after that comes interrupt handling, in
Chapter 10. Unfortunately, not everyone is able to run the sample code for these
chapters, because some hardware support <i>is </i>actually needed to test the software
interface interrupts. We've tried our best to keep required hardware support to a
minimum, but you still need some simple hardware, such as a standard parallel port,
to work with the sample code for these chapters.<br>
<br>
Chapter 11 covers the use of data types in the kernel and the writing of portable
code.<br>
<br>
The second half of the book is dedicated to more advanced topics. We start by getting
deeper into the hardware and, in particular, the functioning of specific peripheral
buses. Chapter 12 covers the details of writing drivers for PCI devices, and
Chapter 13 examines the API for working with USB devices.<br>
<br>
With an understanding of peripheral buses in place, we can take a detailed look at the
Linux device model, which is the abstraction layer used by the kernel to describe the
hardware and software resources it is managing. Chapter 14 is a bottom-up look at
the device model infrastructure, starting with the kobject type and working up from
there. It covers the integration of the device model with real hardware; it then uses
that knowledge to cover topics like hot-pluggable devices and power management.<br>
<br>
In Chapter 15, we take a diversion into Linux memory management. This chapter
shows how to map kernel memory into user space (the <i>mmap </i>system call), map user
memory into kernel space (with <i>get_user_pages</i>), and how to map either kind of
memory into device space (to perform direct memory access [DMA] operations).<br>
<br>
<A name="14"></a><font color="blue">PAGE 14</font><br>
<br>
Our understanding of memory will be useful for the following two chapters, which
cover the other major driver classes. Chapter 16 introduces block drivers and shows
how they are different from the char drivers we have worked with so far. Then
Chapter 17 gets into the writing of network drivers. We finish up with a discussion
of serial drivers (Chapter 18) and a bibliography.<br>
<br>
<A name="15"></a><font color="blue">PAGE 15</font><br>
<br>
<a name="CHAPTER2"></a><font color="red"><b>CHAPTER 2</b></font><br>
<br>
<a name="BuildingAndRunningModules"></a><font color="#7519FF" size="+1"><b>Building and Running Modules</b></font><br>
<br>
It's almost time to begin programming. This chapter introduces all the essential concepts
about modules and kernel programming. In these few pages, we build and run
a complete (if relatively useless) module, and look at some of the basic code shared
by all modules. Developing such expertise is an essential foundation for any kind of
modularized driver. To avoid throwing in too many concepts at once, this chapter
talks only about modules, without referring to any specific device class.<br>
<br>
All the kernel items (functions, variables, header files, and macros) that are introduced
here are described in a reference section at the end of the chapter.<br>
<br>
<a name="SettingUpYourTestSystem"></a><font color="red"><b>Setting Up Your Test System</b></font><br>
<br>
Starting with this chapter, we present example modules to demonstrate programming
concepts. (All of these examples are available on O'Reilly's FTP site, as
explained in Chapter 1.) Building, loading, and modifying these examples are a good
way to improve your understanding of how drivers work and interact with the kernel.<br>
<br>
The example modules should work with almost any 2.6.x kernel, including those
provided by distribution vendors. However, we recommend that you obtain a "mainline"
kernel directly from the <i>kernel.org </i>mirror network, and install it on your system.
Vendor kernels can be heavily patched and divergent from the mainline; at
times, vendor patches can change the kernel API as seen by device drivers. If you are
writing a driver that must work on a particular distribution, you will certainly want
to build and test against the relevant kernels. But, for the purpose of learning about
driver writing, a standard kernel is best.<br>
<br>
Regardless of the origin of your kernel, building modules for 2.6.x requires that you
have a configured and built kernel tree on your system. This requirement is a change
from previous versions of the kernel, where a current set of header files was sufficient.
2.6 modules are linked against object files found in the kernel source tree; the
result is a more robust module loader, but also the requirement that those object files<br>
<br>
<A name="16"></a><font color="blue">PAGE 16</font><br>
<br>
be available. So your first order of business is to come up with a kernel source tree
(either from the <i>kernel.org </i>network or your distributor's kernel source package),
build a new kernel, and install it on your system. For reasons we'll see later, life is
generally easiest if you are actually running the target kernel when you build your
modules, though this is not required.<br>
<br>
<div class="warn">You should also give some thought to where you do your module
experimentation, development, and testing. We have done our best to
make our example modules safe and correct, but the possibility of
bugs is always present. Faults in kernel code can bring about the
demise of a user process or, occasionally, the entire system. They do
not normally create more serious problems, such as disk corruption.
Nonetheless, it is advisable to do your kernel experimentation on a
system that does not contain data that you cannot afford to lose, and
that does not perform essential services. Kernel hackers typically keep
a "sacrificial" system around for the purpose of testing new code.</div>
<br>
So, if you do not yet have a suitable system with a configured and built kernel source
tree on disk, now would be a good time to set that up. We'll wait. Once that task is
taken care of, you'll be ready to start playing with kernel modules.<br>
<br>
<a name="TheHelloWorldModule"></a><font color="red"><b>The Hello World Module</b></font><br>
<br>
Many programming books begin with a "hello world" example as a way of showing
the simplest possible program. This book deals in kernel modules rather than programs;
so, for the impatient reader, the following code is a complete "hello world"
module:<br>
<pre>
#include &lt;linux/init.h&gt;
#include &lt;linux/module.h&gt;
MODULE_LICENSE(&quot;Dual BSD/GPL&quot;);

static int hello_init(void)
{
    printk(KERN_ALERT &quot;Hello, world\n&quot;);
    return 0;
}

static void hello_exit(void)
{
    printk(KERN_ALERT &quot;Goodbye, cruel world\n&quot;);
}

module_init(hello_init);
module_exit(hello_exit);
</pre>
This module defines two functions, one to be invoked when the module is loaded
into the kernel (<i>hello_init</i>) and one for when the module is removed (<i>hello_exit</i>). The<br>
<br>
<A name="17"></a><font color="blue">PAGE 17</font><br>
<br>
<i>module_init </i>and <i>module_exit </i>lines use special kernel macros to indicate the role of
these two functions. Another special macro <i><font class="fixd">(MODULE_LICENSE)</font></i> is used to tell the
kernel that this module bears a free license; without such a declaration, the kernel
complains when the module is loaded.<br>
<br>
The <i>printk </i>function is defined in the Linux kernel and made available to modules; it
behaves similarly to the standard C library function <i>printf</i>. The kernel needs its own
printing function because it runs by itself, without the help of the C library. The
module can call <i>printk </i>because, after <i>insmod </i>has loaded it, the module is linked to
the kernel and can access the kernel's public symbols (functions and variables, as
detailed in the next section). The string <font class="fixd">KERN_ALERT</font> is the priority of the message.*
We've specified a high priority in this module, because a message with the default
priority might not show up anywhere useful, depending on the kernel version you
are running, the version of the <i>klogd </i>daemon, and your configuration. You can
ignore this issue for now; we explain it in Chapter 4.<br>
<br>
You can test the module with the <i>insmod </i>and <i>rmmod </i>utilities, as shown below. Note
that only the superuser can load and unload a module.<br>
<pre>
% <b>make
</b>make[1]: Entering directory `/usr/src/linux-2.6.10'
  CC [M]  /home/ldd3/src/misc-modules/hello.o
  Building modules, stage 2.
  MODPOST
  CC      /home/ldd3/src/misc-modules/hello.mod.o
  LD [M]  /home/ldd3/src/misc-modules/hello.ko
make[1]: Leaving directory `/usr/src/linux-2.6.10'
% <b>su
</b>root# <b>insmod ./hello.ko
</b>Hello, world
root# <b>rmmod hello
</b>Goodbye, cruel world
root#
</pre>
Please note once again that, for the above sequence of commands to work, you must
have a properly configured and built kernel tree in a place where the makefile is able
to find it (<i>/usr/src/linux-2.6.10 </i>in the example shown). We get into the details of how
modules are built in the section "Compiling and Loading."<br>
<br>
According to the mechanism your system uses to deliver the message lines, your output
may be different. In particular, the previous screen dump was taken from a text
console; if you are running <i>insmod </i>and <i>rmmod </i>from a terminal emulator running
under the window system, you won't see anything on your screen. The message goes
to one of the system log files, such as <i>/var/log/messages </i>(the name of the actual file<br>
<br>
* The priority is just a string, such as &lt;1&gt;, which is prepended to the <i>printk </i>format
string. Note the lack of a comma after <font class="fixd">KERN_ALERT</font>; adding a comma there is a common and annoying 
typo (which, fortunately, is caught by the compiler).<br>
<br>
<A name="18"></a><font color="blue">PAGE 18</font><br>
<br>
varies between Linux distributions). The mechanism used to deliver kernel messages
is described in Chapter 4.<br>
<br>
As you can see, writing a module is not as difficult as you might expect--at least, as
long as the module is not required to do anything worthwhile. The hard part is
understanding your device and how to maximize performance. We go deeper into
modularization throughout this chapter and leave device-specific issues for later
chapters.<br>
<br>
<a name="KernelModulesVersusApplications"></a><font color="red"><b>Kernel Modules Versus Applications</b></font><br>
<br>
Before we go further, it's worth underlining the various differences between a kernel
module and an application.<br>
<br>
While most small and medium-sized applications perform a single task from beginning
to end, every kernel module just registers itself in order to serve future requests,
and its initialization function terminates immediately. In other words, the task of the
module's initialization function is to prepare for later invocation of the module's
functions; it's as though the module were saying, "Here I am, and this is what I can
do." The module's exit function (<i>hello_exit </i>in the example) gets invoked just before
the module is unloaded. It should tell the kernel, "I'm not there anymore; don't ask
me to do anything else." This kind of approach to programming is similar to event-driven
programming, but while not all applications are event-driven, each and every
kernel module is. Another major difference between event-driven applications and
kernel code is in the exit function: whereas an application that terminates can be lazy
in releasing resources or avoids clean up altogether, the exit function of a module
must carefully undo everything the <i>init </i>function built up, or the pieces remain
around until the system is rebooted.<br>
<br>
Incidentally, the ability to unload a module is one of the features of modularization
that you'll most appreciate, because it helps cut down development time; you can
test successive versions of your new driver without going through the lengthy shutdown/reboot
cycle each time.<br>
<br>
As a programmer, you know that an application can call functions it doesn't define:
the linking stage resolves external references using the appropriate library of functions.
<i>printf </i>is one of those callable functions and is defined in <i>libc</i>. A module, on the
other hand, is linked only to the kernel, and the only functions it can call are the
ones exported by the kernel; there are no libraries to link to. The <i>printk </i>function
used in <i>hello.c </i>earlier, for example, is the version of <i>printf </i>defined within the kernel
and exported to modules. It behaves similarly to the original function, with a few
minor differences, the main one being lack of floating-point support.<br>
<br>
Figure 2-1 shows how function calls and function pointers are used in a module to
add new functionality to a running kernel.<br>
<br>
<A name="19"></a><font color="blue">PAGE 19</font><br>
<br>
<center>
<img src="fig2-1.gif">
</center>
<br>
<i>Figure 2-1. Linking a module to the kernel</i><br>
<br>
Because no library is linked to modules, source files should never include the usual
header files, <i>&lt;stdarg.h&gt; </i>and very special situations being the only exceptions. Only
functions that are actually part of the kernel itself may be used in kernel modules.
Anything related to the kernel is declared in headers found in the kernel source tree
you have set up and configured; most of the relevant headers live in <i>include/linux </i>and
<i>include/asm</i>, but other subdirectories of <i>include </i>have been added to host material
associated to specific kernel subsystems.<br>
<br>
The role of individual kernel headers is introduced throughout the book as each of
them is needed.<br>
<br>
Another important difference between kernel programming and application programming
is in how each environment handles faults: whereas a segmentation fault
is harmless during application development and a debugger can always be used to
trace the error to the problem in the source code, a kernel fault kills the current process
at least, if not the whole system. We see how to trace kernel errors in Chapter 4.<br>
<br>
<a name="UserSpaceAndKernelSpace"></a><font color="red"><b>User Space and Kernel Space</b></font><br>
<br>
A module runs in <i>kernel space</i>, whereas applications run in <i>user space</i>. This concept
is at the base of operating systems theory.<br>
<br>
The role of the operating system, in practice, is to provide programs with a consistent
view of the computer's hardware. In addition, the operating system must
account for independent operation of programs and protection against unauthorized
access to resources. This nontrivial task is possible only if the CPU enforces protection
of system software from the applications.<br>
<br>
<A name="20"></a><font color="blue">PAGE 20</font><br>
<br>
Every modern processor is able to enforce this behavior. The chosen approach is to
implement different operating modalities (or levels) in the CPU itself. The levels have
different roles, and some operations are disallowed at the lower levels; program code
can switch from one level to another only through a limited number of gates. Unix
systems are designed to take advantage of this hardware feature, using two such levels.
All current processors have at least two protection levels, and some, like the x86
family, have more levels; when several levels exist, the highest and lowest levels are
used. Under Unix, the kernel executes in the highest level (also called <i>supervisor
mode</i>), where everything is allowed, whereas applications execute in the lowest level
(the so-called <i>user mode</i>), where the processor regulates direct access to hardware
and unauthorized access to memory.<br>
<br>
We usually refer to the execution modes as <i>kernel space </i>and <i>user space</i>. These terms
encompass not only the different privilege levels inherent in the two modes, but also
the fact that each mode can have its own memory mapping--its own address
space--as well.<br>
<br>
Unix transfers execution from user space to kernel space whenever an application
issues a system call or is suspended by a hardware interrupt. Kernel code executing a
system call is working in the context of a process--it operates on behalf of the calling
process and is able to access data in the process's address space. Code that handles
interrupts, on the other hand, is asynchronous with respect to processes and is
not related to any particular process.<br>
<br>
The role of a module is to extend kernel functionality; modularized code runs in kernel
space. Usually a driver performs both the tasks outlined previously: some functions
in the module are executed as part of system calls, and some are in charge of
interrupt handling.<br>
<br>
<a name="ConcurrencyInTheKernel"></a><font color="red"><b>Concurrency in the Kernel</b></font><br>
<br>
One way in which kernel programming differs greatly from conventional application
programming is the issue of concurrency. Most applications, with the notable exception
of multithreading applications, typically run sequentially, from the beginning to
the end, without any need to worry about what else might be happening to change
their environment. Kernel code does not run in such a simple world, and even the
simplest kernel modules must be written with the idea that many things can be happening
at once.<br>
<br>
There are a few sources of concurrency in kernel programming. Naturally, Linux systems
run multiple processes, more than one of which can be trying to use your driver
at the same time. Most devices are capable of interrupting the processor; interrupt
handlers run asynchronously and can be invoked at the same time that your driver is
trying to do something else. Several software abstractions (such as kernel timers,
introduced in Chapter 7) run asynchronously as well. Moreover, of course, Linux<br>
<br>
<A name="21"></a><font color="blue">PAGE 21</font><br>
<br>
can run on symmetric multiprocessor (SMP) systems, with the result that your driver
could be executing concurrently on more than one CPU. Finally, in 2.6, kernel code
has been made preemptible; this change causes even uniprocessor systems to have
many of the same concurrency issues as multiprocessor systems.<br>
<br>
As a result, Linux kernel code, including driver code, must be <i>reentrant</i>--it must be
capable of running in more than one context at the same time. Data structures must
be carefully designed to keep multiple threads of execution separate, and the code
must take care to access shared data in ways that prevent corruption of the data.
Writing code that handles concurrency and avoids race conditions (situations in
which an unfortunate order of execution causes undesirable behavior) requires
thought and can be tricky. Proper management of concurrency is required to write
correct kernel code; for that reason, every sample driver in this book has been written
with concurrency in mind. The techniques used are explained as we come to
them; Chapter 5 has also been dedicated to this issue and the kernel primitives available
for concurrency management.<br>
<br>
A common mistake made by driver programmers is to assume that concurrency is
not a problem as long as a particular segment of code does not go to sleep (or
"block"). Even in previous kernels (which were not preemptive), this assumption
was not valid on multiprocessor systems. In 2.6, kernel code can (almost) never
assume that it can hold the processor over a given stretch of code. If you do not write
your code with concurrency in mind, it will be subject to catastrophic failures that
can be exceedingly difficult to debug.<br>
<br>
<a name="TheCurrentProcess"></a><font color="red"><b>The Current Process</b></font><br>
<br>
Although kernel modules don't execute sequentially as applications do, most actions
performed by the kernel are done on behalf of a specific process. Kernel code can
refer to the current process by accessing the global item current, defined in <i>&lt;asm/
current.h&gt;</i>, which yields a pointer to <font class="fixd">struct task_struct</font>, defined by <i>&lt;linux/sched.h&gt;</i>.
The current pointer refers to the process that is currently executing. During the execution
of a system call, such as <i>open </i>or <i>read</i>, the current process is the one that
invoked the call. Kernel code can use process-specific information by using current,
if it needs to do so. An example of this technique is presented in Chapter 6.<br>
<br>
Actually, current is not truly a global variable. The need to support SMP systems
forced the kernel developers to develop a mechanism that finds the current process on
the relevant CPU. This mechanism must also be fast, since references to current happen
frequently. The result is an architecture-dependent mechanism that, usually,
hides a pointer to the <font class="fixd">task_struct</font> structure on the kernel stack. The details of the
implementation remain hidden to other kernel subsystems though, and a device
driver can just include <i>&lt;linux/sched.h&gt; </i>and refer to the current process. For example,<br>
<br>
<A name="22"></a><font color="blue">PAGE 22</font><br>
<br>
the following statement prints the process ID and the command name of the current
process by accessing certain fields in <font class="fixd">struct task_struct</font>:<br>
<pre>
printk(KERN_INFO &quot;The process is \&quot;%s\&quot; (pid %i)\n&quot;,
        current-&gt;comm, current-&gt;pid);
</pre>
The command name stored in <font class="fixd">current-&gt;comm</font> is the base name of the program file
(trimmed to 15 characters if need be) that is being executed by the current process.<br>
<br>
<a name="AFewOtherDetails"></a><font color="red"><b>A Few Other Details</b></font><br>
<br>
Kernel programming differs from user-space programming in many ways. We'll
point things out as we get to them over the course of the book, but there are a few
fundamental issues which, while not warranting a section of their own, are worth a
mention. So, as you dig into the kernel, the following issues should be kept in mind.<br>
<br>
Applications are laid out in virtual memory with a very large stack area. The stack, of
course, is used to hold the function call history and all automatic variables created by
currently active functions. The kernel, instead, has a very small stack; it can be as
small as a single, 4096-byte page. Your functions must share that stack with the
entire kernel-space call chain. Thus, it is never a good idea to declare large automatic
variables; if you need larger structures, you should allocate them dynamically
at call time.<br>
<br>
Often, as you look at the kernel API, you will encounter function names starting with
a double underscore (<font class="fixd">__</font>). Functions so marked are generally a low-level component
of the interface and should be used with caution. Essentially, the double underscore
says to the programmer: "If you call this function, be sure you know what you are
doing."<br>
<br>
Kernel code cannot do floating point arithmetic. Enabling floating point would
require that the kernel save and restore the floating point processor's state on each
entry to, and exit from, kernel space--at least, on some architectures. Given that
there really is no need for floating point in kernel code, the extra overhead is not
worthwhile.<br>
<br>
<a name="CompilingAndLoading"></a><font color="red"><b>Compiling and Loading</b></font><br>
<br>
The "hello world" example at the beginning of this chapter included a brief demonstration
of building a module and loading it into the system. There is, of course, a lot
more to that whole process than we have seen so far. This section provides more
detail on how a module author turns source code into an executing subsystem within
the kernel.<br>
<br>
<A name="23"></a><font color="blue">PAGE 23</font><br>
<br>
<a name="CompilingModules"></a><font color="red"><b>Compiling Modules</b></font><br>
<br>
As the first step, we need to look a bit at how modules must be built. The build process
for modules differs significantly from that used for user-space applications; the
kernel is a large, stand alone program with detailed and explicit requirements on how
its pieces are put together. The build process also differs from how things were done
with previous versions of the kernel; the new build system is simpler to use and produces
more correct results, but it looks very different from what came before. The
kernel build system is a complex beast, and we just look at a tiny piece of it. The files
found in the <i>Documentation/kbuild </i>directory in the kernel source are required reading
for anybody wanting to understand all that is really going on beneath the surface.<br>
<br>
There are some prerequisites that you must get out of the way before you can build
kernel modules. The first is to ensure that you have sufficiently current versions of the
compiler, module utilities, and other necessary tools. The file <i>Documentation/Changes
</i>in the kernel documentation directory always lists the required tool versions; you
should consult it before going any further. Trying to build a kernel (and its modules)
with the wrong tool versions can lead to no end of subtle, difficult problems. Note
that, occasionally, a version of the compiler that is too new can be just as problematic
as one that is too old; the kernel source makes a great many assumptions about the
compiler, and new releases can sometimes break things for a while.<br>
<br>
If you still do not have a kernel tree handy, or have not yet configured and built that
kernel, now is the time to go do it. You cannot build loadable modules for a 2.6 kernel
without this tree on your filesystem. It is also helpful (though not required) to be
actually running the kernel that you are building for.<br>
<br>
Once you have everything set up, creating a makefile for your module is straightforward.
In fact, for the "hello world" example shown earlier in this chapter, a single
line will suffice:<br>
<pre>
obj-m := hello.o
</pre>
Readers who are familiar with <i>make</i>, but not with the 2.6 kernel build system, are
likely to be wondering how this makefile works. The above line is not how a traditional
makefile looks, after all. The answer, of course, is that the kernel build system
handles the rest. The assignment above (which takes advantage of the extended syntax
provided by GNU <i>make</i>) states that there is one module to be built from the
object file <i>hello.o</i>. The resulting module is named <i>hello.ko </i>after being built from the
object file.<br>
<br>
If, instead, you have a module called <i>module.ko </i>that is generated from two source
files (called, say, <i>file1.c</i> and <i>file2.c</i>), the correct incantation would be:<br>
<pre>
obj-m := module.o
module-objs := file1.o file2.o
</pre>
For a makefile like those shown above to work, it must be invoked within the context
of the larger kernel build system. If your kernel source tree is located in, say,<br>
<br>
<A name="24"></a><font color="blue">PAGE 24</font><br>
<br>
your <i>~/kernel-2.6 </i>directory, the <i>make </i>command required to build your module
(typed in the directory containing the module source and makefile) would be:<br>
<pre>
make -C ~/kernel-2.6 M=`pwd` modules
</pre>
This command starts by changing its directory to the one provided with the <font class="fixd">-C</font>
option (that is, your kernel source directory). There it finds the kernel's top-level
makefile. The <font class="fixd">M=</font> option causes that makefile to move back into your module source
directory before trying to build the <font class="fixd">modules</font> target. This target, in turn, refers to the list
of modules found in the <font class="fixd">obj-m</font> variable, which we've set to <i>module.o</i> in our examples.<br>
<br>
Typing the previous <i>make </i>command can get tiresome after a while, so the kernel
developers have developed a sort of makefile idiom, which makes life easier for those
building modules outside of the kernel tree. The trick is to write your makefile as follows:<br>
<pre>
# If KERNELRELEASE is defined, we've been invoked from the
# kernel build system and can use its language.
ifneq ($(KERNELRELEASE),)
    obj-m := hello.o

# Otherwise we were called directly from the command
# line; invoke the kernel build system.
else

    KERNELDIR ?= /lib/modules/$(shell uname -r)/build
    PWD  := $(shell pwd)

default:
    $(MAKE) -C $(KERNELDIR) M=$(PWD) modules

endif
</pre>
Once again, we are seeing the extended GNU <i>make </i>syntax in action. This makefile is
read twice on a typical build. When the makefile is invoked from the command line,
it notices that the <font class="fixd">KERNELRELEASE</font> variable has not been set. It locates the kernel source
directory by taking advantage of the fact that the symbolic link <i>build </i>in the installed
modules directory points back at the kernel build tree. If you are not actually running
the kernel that you are building for, you can supply a <font class="fixd">KERNELDIR=</font> option on the
command line, set the <font class="fixd">KERNELDIR</font> environment variable, or rewrite the line that sets
<font class="fixd">KERNELDIR</font> in the makefile. Once the kernel source tree has been found, the makefile
invokes the default: target, which runs a second <i>make </i>command (parameterized in
the makefile as <font class="fixd">$(MAKE))</font> to invoke the kernel build system as described previously.
On the second reading, the makefile sets <font class="fixd">obj-m</font>, and the kernel makefiles take care of
actually building the module.<br>
<br>
This mechanism for building modules may strike you as a bit unwieldy and obscure.
Once you get used to it, however, you will likely appreciate the capabilities that have
been programmed into the kernel build system. Do note that the above is not a complete
makefile; a real makefile includes the usual sort of targets for cleaning up<br>
<br>
<A name="25"></a><font color="blue">PAGE 25</font><br>
<br>
unneeded files, installing modules, etc. See the makefiles in the example source
directory for a complete example.<br>
<br>
<a name="LoadingAndUnloadingModules"></a><font color="red"><b>Loading and Unloading Modules</b></font><br>
<br>
After the module is built, the next step is loading it into the kernel. As we've already
pointed out, <i>insmod </i>does the job for you. The program loads the module code and
data into the kernel, which, in turn, performs a function similar to that of <i>ld</i>, in that
it links any unresolved symbol in the module to the symbol table of the kernel.
Unlike the linker, however, the kernel doesn't modify the module's disk file, but
rather an in-memory copy. <i>insmod </i>accepts a number of command-line options (for
details, see the manpage), and it can assign values to parameters in your module
before linking it to the current kernel. Thus, if a module is correctly designed, it can
be configured at load time; load-time configuration gives the user more flexibility
than compile-time configuration, which is still used sometimes. Load-time configuration
is explained in the section "Module Parameters," later in this chapter.<br>
<br>
Interested readers may want to look at how the kernel supports <i>insmod</i>: it relies on a
system call defined in <i>kernel/module.c</i>. The function <i>sys_init_module </i>allocates kernel
memory to hold a module (this memory is allocated with <i>vmalloc</i>; see the section
"vmalloc and Friends" in Chapter 8); it then copies the module text into that memory
region, resolves kernel references in the module via the kernel symbol table, and
calls the module's initialization function to get everything going.<br>
<br>
If you actually look in the kernel source, you'll find that the names of the system calls
are prefixed with <font class="fixd">sys_</font>. This is true for all system calls and no other functions; it's
useful to keep this in mind when grepping for the system calls in the sources.<br>
<br>
The <i>modprobe </i>utility is worth a quick mention. <i>modprobe</i>, like <i>insmod</i>, loads a module
into the kernel. It differs in that it will look at the module to be loaded to see
whether it references any symbols that are not currently defined in the kernel. If any
such references are found, <i>modprobe </i>looks for other modules in the current module
search path that define the relevant symbols. When <i>modprobe </i>finds those modules
(which are needed by the module being loaded), it loads them into the kernel as well.
If you use <i>insmod </i>in this situation instead, the command fails with an "unresolved
symbols" message left in the system logfile.<br>
<br>
As mentioned before, modules may be removed from the kernel with the <i>rmmod </i>utility.
Note that module removal fails if the kernel believes that the module is still in
use (e.g., a program still has an open file for a device exported by the modules), or if
the kernel has been configured to disallow module removal. It is possible to configure
the kernel to allow "forced" removal of modules, even when they appear to be
busy. If you reach a point where you are considering using this option, however,
things are likely to have gone wrong badly enough that a reboot may well be the better
course of action.<br>
<br>
<A name="26"></a><font color="blue">PAGE 26</font><br>
<br>
The <i>lsmod </i>program produces a list of the modules currently loaded in the kernel.
Some other information, such as any other modules making use of a specific module,
is also provided. <i>lsmod </i>works by reading the <i>/proc/modules </i>virtual file. Information
on currently loaded modules can also be found in the sysfs virtual filesystem
under <i>/sys/module</i>.<br>
<br>
<a name="VersionDependency"></a><font color="red"><b>Version Dependency</b></font><br>
<br>
Bear in mind that your module's code has to be recompiled for each version of the
kernel that it is linked to--at least, in the absence of modversions, not covered here
as they are more for distribution makers than developers. Modules are strongly tied
to the data structures and function prototypes defined in a particular kernel version;
the interface seen by a module can change significantly from one kernel version to
the next. This is especially true of development kernels, of course.<br>
<br>
The kernel does not just assume that a given module has been built against the
proper kernel version. One of the steps in the build process is to link your module
against a file (called <i>vermagic.o</i>) from the current kernel tree; this object contains a
fair amount of information about the kernel the module was built for, including the
target kernel version, compiler version, and the settings of a number of important
configuration variables. When an attempt is made to load a module, this information
can be tested for compatibility with the running kernel. If things don't match,
the module is not loaded; instead, you see something like:<br>
<pre>
# <b>insmod hello.ko
</b>Error inserting './hello.ko': -1 Invalid module format
</pre>
A look in the system log file (<i>/var/log/messages </i>or whatever your system is configured
to use) will reveal the specific problem that caused the module to fail to load.<br>
<br>
If you need to compile a module for a specific kernel version, you will need to use the
build system and source tree for that particular version. A simple change to the
<font class="fixd">KERNELDIR</font> variable in the example makefile shown previously does the trick.<br>
<br>
Kernel interfaces often change between releases. If you are writing a module that is
intended to work with multiple versions of the kernel (especially if it must work
across major releases), you likely have to make use of macros and <font class="fixd">#ifdef</font> constructs
to make your code build properly. This edition of this book only concerns itself with
one major version of the kernel, so you do not often see version tests in our example
code. But the need for them does occasionally arise. In such cases, you want to make
use of the definitions found in <i>linux/version.h</i>. This header file defines the following macros:<br>
<br>
<A name="27"></a><font color="blue">PAGE 27</font><br>
<br>
<font class="fixd">UTS_RELEASE</font><br>
<div class="bq">This macro expands to a string describing the version of this kernel tree. For
example, &quot;2.6.10&quot;.</div>
<br>
<font class="fixd">LINUX_VERSION_CODE</font><br>
<div class="bq">This macro expands to the binary representation of the kernel version, one byte
for each part of the version release number. For example, the code for 2.6.10 is
132618 (i.e., 0x02060a).* With this information, you can (almost) easily determine
what version of the kernel you are dealing with.</div>
<br>
<font class="fixd">KERNEL_VERSION(major,minor,release)</font><br>
<div class="bq">This is the macro used to build an integer version code from the individual numbers
that build up a version number. For example, <font class="fixd">KERNEL_VERSION(2,6,10)</font>
expands to 132618. This macro is very useful when you need to compare the
current version and a known checkpoint.</div>
<br>
Most dependencies based on the kernel version can be worked around with preprocessor
conditionals by exploiting <font class="fixd">KERNEL_VERSION</font> and <font class="fixd">LINUX_VERSION_CODE</font>. Version
dependency should, however, not clutter driver code with hairy <font class="fixd">#ifdef</font> conditionals;
the best way to deal with incompatibilities is by confining them to a specific header
file. As a general rule, code which is explicitly version (or platform) dependent
should be hidden behind a low-level macro or function. High-level code can then
just call those functions without concern for the low-level details. Code written in
this way tends to be easier to read and more robust.<br>
<br>
<a name="PlatformDependency"></a><font color="red"><b>Platform Dependency</b></font><br>
<br>
Each computer platform has its peculiarities, and kernel designers are free to exploit
all the peculiarities to achieve better performance in the target object file.<br>
<br>
Unlike application developers, who must link their code with precompiled libraries
and stick to conventions on parameter passing, kernel developers can dedicate some
processor registers to specific roles, and they have done so. Moreover, kernel code
can be optimized for a specific processor in a CPU family to get the best from the target
platform: unlike applications that are often distributed in binary format, a custom
compilation of the kernel can be optimized for a specific computer set.<br>
<br>
For example, the IA32 (x86) architecture has been subdivided into several different
processor types. The old 80386 processor is still supported (for now), even though
its instruction set is, by modern standards, quite limited. The more modern processors
in this architecture have introduced a number of new capabilities, including
faster instructions for entering the kernel, interprocessor locking, copying data, etc.
Newer processors can also, when operated in the correct mode, employ 36-bit (or<br>
<br>
* This allows up to 256 development versions between stable versions.<br>
<br>
<A name="28"></a><font color="blue">PAGE 28</font><br>
<br>
larger) physical addresses, allowing them to address more than 4 GB of physical
memory. Other processor families have seen similar improvements. The kernel,
depending on various configuration options, can be built to make use of these additional
features.<br>
<br>
Clearly, if a module is to work with a given kernel, it must be built with the same
understanding of the target processor as that kernel was. Once again, the <i>vermagic.o
</i>object comes in to play. When a module is loaded, the kernel checks the processor specific
configuration options for the module and makes sure they match the running
kernel. If the module was compiled with different options, it is not loaded.<br>
<br>
If you are planning to write a driver for general distribution, you may well be wondering
just how you can possibly support all these different variations. The best
answer, of course, is to release your driver under a GPL-compatible license and contribute
it to the mainline kernel. Failing that, distributing your driver in source form
and a set of scripts to compile it on the user's system may be the best answer. Some
vendors have released tools to make this task easier. If you must distribute your
driver in binary form, you need to look at the different kernels provided by your target
distributions, and provide a version of the module for each. Be sure to take into
account any errata kernels that may have been released since the distribution was
produced. Then, there are licensing issues to be considered, as we discussed in the
section "License Terms" in Chapter 1. As a general rule, distributing things in source
form is an easier way to make your way in the world.<br>
<br>
<a name="TheKernelSymbolTable"></a><font color="red"><b>The Kernel Symbol Table</b></font><br>
<br>
We've seen how <i>insmod </i>resolves undefined symbols against the table of public kernel
symbols. The table contains the addresses of global kernel items--functions and
variables--that are needed to implement modularized drivers. When a module is
loaded, any symbol exported by the module becomes part of the kernel symbol table.
In the usual case, a module implements its own functionality without the need to
export any symbols at all. You need to export symbols, however, whenever other
modules may benefit from using them.<br>
<br>
New modules can use symbols exported by your module, and you can stack new
modules on top of other modules. Module stacking is implemented in the mainstream
kernel sources as well: the <i>msdos </i>filesystem relies on symbols exported by the
<i>fat</i> module, and each input USB device module stacks on the <i>usbcore</i> and <i>input</i> modules.<br>
<br>
Module stacking is useful in complex projects. If a new abstraction is implemented in
the form of a device driver, it might offer a plug for hardware-specific implementations.
For example, the video-for-linux set of drivers is split into a generic module that
exports symbols used by lower-level device drivers for specific hardware. According to
your setup, you load the generic video module and the specific module for your
installed hardware. Support for parallel ports and the wide variety of attachable<br>
<br>
<A name="29"></a><font color="blue">PAGE 29</font><br>
<br>
devices is handled in the same way, as is the USB kernel subsystem. Stacking in the
parallel port subsystem is shown in Figure 2-2; the arrows show the communications
between the modules and with the kernel programming interface.<br>
<br><br>
<center>
<img src="fig2-2.gif">
</center>
<br>
<i>Figure 2-2. Stacking of parallel port driver modules</i><br>
<br>
When using stacked modules, it is helpful to be aware of the <i>modprobe </i>utility. As we
described earlier, <i>modprobe </i>functions in much the same way as <i>insmod</i>, but it also
loads any other modules that are required by the module you want to load. Thus,
one <i>modprobe </i>command can sometimes replace several invocations of <i>insmod
</i>(although you'll still need <i>insmod </i>when loading your own modules from the current
directory, because <i>modprobe</i> looks only in the standard installed module directories).<br>
<br>
Using stacking to split modules into multiple layers can help reduce development
time by simplifying each layer. This is similar to the separation between mechanism
and policy that we discussed in Chapter 1.<br>
<br>
The Linux kernel header files provide a convenient way to manage the visibility of
your symbols, thus reducing namespace pollution (filling the namespace with names
that may conflict with those defined elsewhere in the kernel) and promoting proper
information hiding. If your module needs to export symbols for other modules to
use, the following macros should be used.<br>
<pre>
EXPORT_SYMBOL(name);
EXPORT_SYMBOL_GPL(name);
</pre>
Either of the above macros makes the given symbol available outside the module.
The <font class="fixd">_GPL</font> version makes the symbol available to GPL-licensed modules only. Symbols
must be exported in the global part of the module's file, outside of any function,
because the macros expand to the declaration of a special-purpose variable that
is expected to be accessible globally. This variable is stored in a special part of the
module executable (an "ELF section") that is used by the kernel at load time to find
the variables exported by the module. (Interested readers can look at <i>&lt;linux/module.h&gt;
</i>for the details, even though the details are not needed to make things work.)<br>
<br>
<A name="30"></a><font color="blue">PAGE 30</font><br>
<br>
<a name="Preliminaries"></a><font color="red"><b>Preliminaries</b></font><br>
<br>
We are getting closer to looking at some actual module code. But first, we need to
look at some other things that need to appear in your module source files. The kernel
is a unique environment, and it imposes its own requirements on code that
would interface with it.<br>
<br>
Most kernel code ends up including a fairly large number of header files to get definitions
of functions, data types, and variables. We'll examine these files as we come to
them, but there are a few that are specific to modules, and must appear in every loadable
module. Thus, just about all module code has the following:<br>
<pre>
#include &lt;linux/module.h&gt;
#include &lt;linux/init.h&gt;
</pre>
<i>module.h </i>contains a great many definitions of symbols and functions needed by loadable
modules. You need <i>init.h </i>to specify your initialization and cleanup functions, as
we saw in the "hello world" example above, and which we revisit in the next section.
Most modules also include <i>moduleparam.h </i>to enable the passing of parameters
to the module at load time; we will get to that shortly.<br>
<br>
It is not strictly necessary, but your module really should specify which license
applies to its code. Doing so is just a matter of including a <font class="fixd">MODULE_LICENSE</font> line:<br>
<pre>
MODULE_LICENSE(&quot;GPL&quot;);
</pre>
The specific licenses recognized by the kernel are "GPL" (for any version of the GNU
General Public License), "GPL v2" (for GPL version two only), "GPL and additional
rights," "Dual BSD/GPL," "Dual MPL/GPL," and "Proprietary." Unless your module
is explicitly marked as being under a free license recognized by the kernel, it is
assumed to be proprietary, and the kernel is "tainted" when the module is loaded. As
we mentioned in the section "License Terms" in Chapter 1, kernel developers tend to
be unenthusiastic about helping users who experience problems after loading proprietary
modules.<br>
<br>
Other descriptive definitions that can be contained within a module include
<font class="fixd">MODULE_AUTHOR</font> (stating who wrote the module), <font class="fixd">MODULE_DESCRIPTION</font> (a human-readable
statement of what the module does), <font class="fixd">MODULE_VERSION</font> (for a code revision number;
see the comments in <i>&lt;linux/module.h&gt; </i>for the conventions to use in creating
version strings), <font class="fixd">MODULE_ALIAS</font> (another name by which this module can be known),
and <font class="fixd">MODULE_DEVICE_TABLE</font> (to tell user space about which devices the module supports).
We'll discuss <font class="fixd">MODULE_ALIAS</font> in Chapter 11 and <font class="fixd">MODULE_DEVICE_TABLE</font> in
Chapter 12.<br>
<br>
The various <font class="fixd">MODULE_</font> declarations can appear anywhere within your source file outside
of a function. A relatively recent convention in kernel code, however, is to put
these declarations at the end of the file.<br>
<br>
<A name="31"></a><font color="blue">PAGE 31</font><br>
<br>
<a name="InitializationAndShutdown"></a><font color="red"><b>Initialization and Shutdown</b></font><br>
<br>
As already mentioned, the module initialization function registers any facility offered
by the module. By <i>facility</i>, we mean a new functionality, be it a whole driver or a new
software abstraction, that can be accessed by an application. The actual definition of
the initialization function always looks like:<br>
<pre>
static int __init initialization_function(void)
{
    /* Initialization code here */
}
module_init(initialization_function);
</pre>
Initialization functions should be declared static, since they are not meant to be visible
outside the specific file; there is no hard rule about this, though, as no function is
exported to the rest of the kernel unless explicitly requested. The <font class="fixd">__init</font> token in the
definition may look a little strange; it is a hint to the kernel that the given function is
used only at initialization time. The module loader drops the initialization function
after the module is loaded, making its memory available for other uses. There is
a similar tag (<font class="fixd">__initdata</font>) for data used only during initialization. Use of <font class="fixd">__init</font> and
<font class="fixd">__initdata</font> is optional, but it is worth the trouble. Just be sure not to use them for
any function (or data structure) you will be using after initialization completes. You
may also encounter <font class="fixd">__devinit</font> and <font class="fixd">__devinitdata</font> in the kernel source; these translate
to <font class="fixd">__init</font> and <font class="fixd">__initdata</font> only if the kernel has not been configured for hotpluggable
devices. We will look at hotplug support in Chapter 14.<br>
<br>
The use of <i>module_init </i>is mandatory. This macro adds a special section to the module's
object code stating where the module's initialization function is to be found.
Without this definition, your initialization function is never called.<br>
<br>
Modules can register many different types of facilities, including different kinds of
devices, filesystems, cryptographic transforms, and more. For each facility, there is a
specific kernel function that accomplishes this registration. The arguments passed to
the kernel registration functions are usually pointers to data structures describing the
new facility and the name of the facility being registered. The data structure usually
contains pointers to module functions, which is how functions in the module body
get called.<br>
<br>
The items that can be registered go beyond the list of device types mentioned in
Chapter 1. They include, among others, serial ports, miscellaneous devices, sysfs
entries, <i>/proc </i>files, executable domains, and line disciplines. Many of those registrable
items support functions that aren't directly related to hardware but remain in the
"software abstractions" field. Those items can be registered, because they are integrated
into the driver's functionality anyway (like <i>/proc </i>files and line disciplines for
example).<br>
<br>
<A name="32"></a><font color="blue">PAGE 32</font><br>
<br>
There are other facilities that can be registered as add-ons for certain drivers, but
their use is so specific that it's not worth talking about them; they use the stacking
technique, as described in the section "The Kernel Symbol Table." If you want to
probe further, you can grep for <font class="fixd">EXPORT_SYMBOL</font> in the kernel sources, and find the
entry points offered by different drivers. Most registration functions are prefixed with
<font class="fixd">register_</font>, so another possible way to find them is to grep for <font class="fixd">register_</font> in the kernel
source.<br>
<br>
<a name="TheCleanupFunction"></a><font color="red"><b>The Cleanup Function</b></font><br>
<br>
Every nontrivial module also requires a cleanup function, which unregisters interfaces
and returns all resources to the system before the module is removed. This
function is defined as:<br>
<pre>
static void __exit cleanup_function(void)
{
    /* Cleanup code here */
}

module_exit(cleanup_function);
</pre>
The cleanup function has no value to return, so it is declared void. The <font class="fixd">__exit</font> modifier
marks the code as being for module unload only (by causing the compiler to
place it in a special ELF section). If your module is built directly into the kernel,
or if your kernel is configured to disallow the unloading of modules, functions
marked <font class="fixd">__exit</font> are simply discarded. For this reason, a function marked <font class="fixd">__exit</font> can
be called <i>only </i>at module unload or system shutdown time; any other use is an error.
Once again, the <i>module_exit </i>declaration is necessary to enable the kernel to find your
cleanup function.<br>
<br>
If your module does not define a cleanup function, the kernel does not allow it to be
unloaded.<br>
<br>
<a name="ErrorHandlingDuringInitialization"></a><font color="red"><b>Error Handling During Initialization</b></font><br>
<br>
One thing you must always bear in mind when registering facilities with the kernel
is that the registration could fail. Even the simplest action often requires memory
allocation, and the required memory may not be available. So module code must
always check return values, and be sure that the requested operations have actually
succeeded.<br>
<br>
If any errors occur when you register utilities, the first order of business is to decide
whether the module can continue initializing itself anyway. Often, the module can
continue to operate after a registration failure, with degraded functionality if necessary.
Whenever possible, your module should press forward and provide what capabilities
it can after things fail.<br>
<br>
<A name="33"></a><font color="blue">PAGE 33</font><br>
<br>
If it turns out that your module simply cannot load after a particular type of failure,
you must undo any registration activities performed before the failure. Linux doesn't
keep a per-module registry of facilities that have been registered, so the module must
back out of everything itself if initialization fails at some point. If you ever fail to
unregister what you obtained, the kernel is left in an unstable state; it contains internal
pointers to code that no longer exists. In such situations, the only recourse, usually,
is to reboot the system. You really do want to take care to do the right thing
when an initialization error occurs.<br>
<br>
Error recovery is sometimes best handled with the goto statement. We normally hate
to use goto, but in our opinion, this is one situation where it is useful. Careful use of
goto in error situations can eliminate a great deal of complicated, highly-indented,
"structured" logic. Thus, in the kernel, goto is often used as shown here to deal with
errors.<br>
<br>
The following sample code (using fictitious registration and unregistration functions)
behaves correctly if initialization fails at any point:<br>
<pre>
int __init my_init_function(void)
{
    int err;

    /* registration takes a pointer and a name */
    err = register_this(ptr1, &quot;skull&quot;);
    if (err) goto fail_this;
    err = register_that(ptr2, &quot;skull&quot;);
    if (err) goto fail_that;
    err = register_those(ptr3, &quot;skull&quot;);
    if (err) goto fail_those;

    return 0; /* success */

  fail_those: unregister_that(ptr2, &quot;skull&quot;);
  fail_that: unregister_this(ptr1, &quot;skull&quot;);
  fail_this: return err; /* propagate the error */
 }
</pre>
This code attempts to register three (fictitious) facilities. The goto statement is used
in case of failure to cause the unregistration of only the facilities that had been successfully
registered before things went bad.<br>
<br>
Another option, requiring no hairy goto statements, is keeping track of what has
been successfully registered and calling your module's cleanup function in case of
any error. The cleanup function unrolls only the steps that have been successfully
accomplished. This alternative, however, requires more code and more CPU time, so
in fast paths you still resort to goto as the best error-recovery tool.<br>
<br>
The return value of <i>my_init_function</i>, err, is an error code. In the Linux kernel, error
codes are negative numbers belonging to the set defined in <i>&lt;linux/errno.h&gt;</i>. If you
want to generate your own error codes instead of returning what you get from other<br>
<br>
<A name="34"></a><font color="blue">PAGE 34</font><br>
<br>
functions, you should include <i>&lt;linux/errno.h&gt; </i>in order to use symbolic values such
as <font class="fixd">-ENODEV, -ENOMEM,</font> and so on. It is always good practice to return appropriate error
codes, because user programs can turn them to meaningful strings using <i>perror </i>or
similar means.<br>
<br>
Obviously, the module cleanup function must undo any registration performed by
the initialization function, and it is customary (but not usually mandatory) to unregister
facilities in the reverse order used to register them:<br>
<pre>
void __exit my_cleanup_function(void)
{
    unregister_those(ptr3, &quot;skull&quot;);
    unregister_that(ptr2, &quot;skull&quot;);
    unregister_this(ptr1, &quot;skull&quot;);
    return;
}
</pre>
If your initialization and cleanup are more complex than dealing with a few items,
the goto approach may become difficult to manage, because all the cleanup code
must be repeated within the initialization function, with several labels intermixed.
Sometimes, therefore, a different layout of the code proves more successful.<br>
<br>
What you'd do to minimize code duplication and keep everything streamlined is to
call the cleanup function from within the initialization whenever an error occurs.
The cleanup function then must check the status of each item before undoing its registration.
In its simplest form, the code looks like the following:<br>
<pre>
struct something *item1;
struct somethingelse *item2;
int stuff_ok;

void my_cleanup(void)
{
    if (item1)
        release_thing(item1);
    if (item2)
        release_thing2(item2);
    if (stuff_ok)
        unregister_stuff( );
    return;
 }

int __init my_init(void)
{
    int err = -ENOMEM;

    item1 = allocate_thing(arguments);
    item2 = allocate_thing2(arguments2);
    if (!item1 || !item2)
        goto fail;
    err = register_stuff(item1, item2);
    if (!err)
</pre>
<A name="35"></a><font color="blue">PAGE 35</font>
<pre>
        stuff_ok = 1;
    else
        goto fail;
    return 0; /* success */

  fail:
    my_cleanup( );
    return err;
}
</pre>
As shown in this code, you may or may not need external flags to mark success of the
initialization step, depending on the semantics of the registration/allocation function
you call. Whether or not flags are needed, this kind of initialization scales well to a
large number of items and is often better than the technique shown earlier. Note,
however, that the cleanup function cannot be marked <font class="fixd">__exit</font> when it is called by
nonexit code, as in the previous example.<br>
<br>
<a name="ModuleLoadingRaces"></a><font color="red"><b>Module-Loading Races</b></font><br>
<br>
Thus far, our discussion has skated over an important aspect of module loading: race
conditions. If you are not careful in how you write your initialization function, you
can create situations that can compromise the stability of the system as a whole. We
will discuss race conditions later in this book; for now, a couple of quick points will
have to suffice.<br>
<br>
The first is that you should always remember that some other part of the kernel can
make use of any facility you register immediately after that registration has completed.
It is entirely possible, in other words, that the kernel will make calls into your
module while your initialization function is still running. So your code must be prepared
to be called as soon as it completes its first registration. Do not register any
facility until all of your internal initialization needed to support that facility has been
completed.<br>
<br>
You must also consider what happens if your initialization function decides to fail,
but some part of the kernel is already making use of a facility your module has registered.
If this situation is possible for your module, you should seriously consider not
failing the initialization at all. After all, the module has clearly succeeded in exporting
something useful. If initialization must fail, it must carefully step around any possible
operations going on elsewhere in the kernel until those operations have
completed.<br>
<br>
<a name="ModuleParameters"></a><font color="red"><b>Module Parameters</b></font><br>
<br>
Several parameters that a driver needs to know can change from system to system.
These can vary from the device number to use (as we'll see in the next chapter) to
numerous aspects of how the driver should operate. For example, drivers for SCSI<br>
<br>
<A name="36"></a><font color="blue">PAGE 36</font><br>
<br>
adapters often have options controlling the use of tagged command queuing, and the
Integrated Device Electronics (IDE) drivers allow user control of DMA operations. If
your driver controls older hardware, it may also need to be told explicitly where to
find that hardware's I/O ports or I/O memory addresses. The kernel supports these
needs by making it possible for a driver to designate parameters that may be changed
when the driver's module is loaded.<br>
<br>
These parameter values can be assigned at load time by <i>insmod </i>or <i>modprobe</i>; the latter
can also read parameter assignment from its configuration file (<i>/etc/modprobe.
conf</i>). The commands accept the specification of several types of values on the command
line. As a way of demonstrating this capability, imagine a much-needed
enhancement to the "hello world" module (called <i>hellop</i>) shown at the beginning of
this chapter. We add two parameters: an integer value called <font class="fixd">howmany</font> and a character
string called <font class="fixd">whom</font>. Our vastly more functional module then, at load time, greets <font class="fixd">whom</font>
not just once, but <font class="fixd">howmany</font> times. Such a module could then be loaded with a command
line such as:<br>
<pre>
insmod hellop howmany=10 whom=&quot;Mom&quot;
</pre>
Upon being loaded that way, <i>hellop</i> would say "Hello, Mom" 10 times.<br>
<br>
However, before <i>insmod </i>can change module parameters, the module must make
them available. Parameters are declared with the <font class="fixd">module_param</font> macro, which is
defined in <i>moduleparam.h</i>. <font class="fixd">module_param</font> takes three parameters: the name of the
variable, its type, and a permissions mask to be used for an accompanying sysfs
entry. The macro should be placed outside of any function and is typically found
near the head of the source file. So <i>hellop </i>would declare its parameters and make
them available to <i>insmod</i> as follows:<br>
<pre>
static char *whom = &quot;world&quot;;
static int howmany = 1;
module_param(howmany, int, S_IRUGO);
module_param(whom, charp, S_IRUGO);
</pre>
Numerous types are supported for module parameters:<br>
<br>
<font class="fixd">bool<br>
invbool</font><br>
<div class="bq">A boolean (true or false) value (the associated variable should be of type <font class="fixd">int</font>).
The <font class="fixd">invbool</font> type inverts the value, so that true values become false and vice
versa.</div>
<font class="fixd">charp</font><br>
<div class="bq">A char pointer value. Memory is allocated for user-provided strings, and the
pointer is set accordingly.</div>
<br>
<A name="37"></a><font color="blue">PAGE 37</font><br>
<br>
<font class="fixd">int<br>
long<br>
short<br>
uint<br>
ulong<br>
ushort</font><br>
<div class="bq">Basic integer values of various lengths. The versions starting with <font class="fixd">u</font> are for
unsigned values.</div>
<br>
Array parameters, where the values are supplied as a comma-separated list, are also
supported by the module loader. To declare an array parameter, use:<br>
<pre>
module_param_array(name,type,nump,perm);
</pre>
Where <font class="fixd">name</font> is the name of your array (and of the parameter), <font class="fixd">type</font> is the type of the
array elements, <font class="fixd">nump</font> is a pointer to an integer variable, and <font class="fixd">perm</font> is the usual permissions value. If
the array parameter is set at load time, <font class="fixd">nump</font> is set to the number of values supplied.
The module loader refuses to accept more values than will fit in the array.<br>
<br>
If you really need a type that does not appear in the list above, there are hooks in the
module code that allow you to define them; see <i>moduleparam.h </i>for details on how to
do that. All module parameters should be given a default value; <i>insmod </i>changes the
value only if explicitly told to by the user. The module can check for explicit parameters
by testing parameters against their default values.<br>
<br>
The final <i>module_param </i>field is a permission value; you should use the definitions
found in <i>&lt;linux/stat.h&gt;</i>. This value controls who can access the representation of the
module parameter in sysfs. If perm is set to 0, there is no sysfs entry at all; otherwise,
it appears under <i>/sys/module</i>* with the given set of permissions. Use <font class="fixd">S_IRUGO</font> for a
parameter that can be read by the world but cannot be changed; <font class="fixd">S_IRUGO|S_IWUSR</font>
allows root to change the parameter. Note that if a parameter is changed by sysfs, the
value of that parameter as seen by your module changes, but your module is not
notified in any other way. You should probably not make module parameters writable,
unless you are prepared to detect the change and react accordingly.<br>
<br>
<a name="DoingItInUserSpace"></a><font color="red"><b>Doing It in User Space</b></font><br>
<br>
A Unix programmer who's addressing kernel issues for the first time might be nervous
about writing a module. Writing a user program that reads and writes directly
to the device ports may be easier.<br>
<br>
Indeed, there are some arguments in favor of user-space programming, and sometimes
writing a so-called user-space device driver is a wise alternative to kernel hacking.
In this section, we discuss some of the reasons why you might write a driver in<br>
<br>
* As of this writing, there is talk of moving parameters elsewhere within <font class="fixd">sysfs</font>, however.<br>
<br>
<A name="38"></a><font color="blue">PAGE 38</font><br>
<br>
user space. This book is about kernel-space drivers, however, so we do not go
beyond this introductory discussion.<br>
<br>
The advantages of user-space drivers are:<br>
<ul>
<li> The full C library can be linked in. The driver can perform many exotic tasks without resorting to external programs (the utility programs implementing usage policies that are usually distributed along with the driver itself).
<li> The programmer can run a conventional debugger on the driver code without having to go through contortions to debug a running kernel.
<li> If a user-space driver hangs, you can simply kill it. Problems with the driver are unlikely to hang the entire system, unless the hardware being controlled is <i>really </i>misbehaving.
<li> User memory is swappable, unlike kernel memory. An infrequently used device with a huge driver won't occupy RAM that other programs could be using, except when it is actually in use.
<li> A well-designed driver program can still, like kernel-space drivers, allow concurrent access to a device.
<li> If you must write a closed-source driver, the user-space option makes it easier for you to avoid ambiguous licensing situations and problems with changing kernel interfaces.
</ul>
For example, USB drivers can be written for user space; see the (still young) libusb
project at libusb.sourceforge.net and "gadgetfs" in the kernel source. Another example
is the X server: it knows exactly what the hardware can do and what it can't, and
it offers the graphic resources to all X clients. Note, however, that there is a slow but
steady drift toward frame-buffer-based graphics environments, where the X server
acts only as a server based on a real kernel-space device driver for actual graphic
manipulation.<br>
<br>
Usually, the writer of a user-space driver implements a server process, taking over
from the kernel the task of being the single agent in charge of hardware control. Client
applications can then connect to the server to perform actual communication
with the device; therefore, a smart driver process can allow concurrent access to the
device. This is exactly how the X server works.<br>
<br>
But the user-space approach to device driving has a number of drawbacks. The most
important are:<br>
<ul>
<li> Interrupts are not available in user space. There are work-arounds for this limitation on some platforms, such as the <i>vm86</i> system call on the IA32 architecture.
<li> Direct access to memory is possible only by <i>mmap</i>ping <i>/dev/mem</i>, and only a privileged user can do that.
<li> Access to I/O ports is available only after calling <i>ioperm </i>or <i>iopl</i>. Moreover, not all platforms support these system calls, and access to <i>/dev/port </i>can be too slow
</ul>
<A name="39"></a><font color="blue">PAGE 39</font>
<ul>
to be effective. Both the system calls and the device file are reserved to a privileged user.
<li> Response time is slower, because a context switch is required to transfer information or actions between the client and the hardware.
<li> Worse yet, if the driver has been swapped to disk, response time is unacceptably long. Using the <i>mlock </i>system call might help, but usually you'll need to lock many memory pages, because a user-space program depends on a lot of library code. <i>mlock</i>, too, is limited to privileged users.
<li> The most important devices can't be handled in user space, including, but not limited to, network interfaces and block devices.
</ul>
As you see, user-space drivers can't do that much after all. Interesting applications
nonetheless exist: for example, support for SCSI scanner devices (implemented by
the <i>SANE </i>package) and CD writers (implemented by <i>cdrecord </i>and other tools). In
both cases, user-level device drivers rely on the "SCSI generic" kernel driver, which
exports low-level SCSI functionality to user-space programs so they can drive their
own hardware.<br>
<br>
One case in which working in user space might make sense is when you are beginning
to deal with new and unusual hardware. This way you can learn to manage your
hardware without the risk of hanging the whole system. Once you've done that,
encapsulating the software in a kernel module should be a painless operation.<br>
<br>
<a name="QuickReference2"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This section summarizes the kernel functions, variables, macros, and <i>/proc </i>files that
we've touched on in this chapter. It is meant to act as a reference. Each item is listed
after the relevant header file, if any. A similar section appears at the end of almost
every chapter from here on, summarizing the new symbols introduced in the chapter.
Entries in this section generally appear in the same order in which they were
introduced in the chapter:<br>
<br>
<i>insmod<br>
modprobe<br>
rmmod</i><br>
<div class="bq">User-space utilities that load modules into the running kernels and remove them.</div>
<br>
<font class="fixd">#include &lt;linux/init.h&gt;<br>
module_init(init_function);<br>
module_exit(cleanup_function);<br></font>
<div class="bq">Macros that designate a module's initialization and cleanup functions.</div>
<br>
<A name="40"></a><font color="blue">PAGE 40</font><br>
<br>
<font class="fixd">__init<br>
__initdata<br>
__exit<br>
__exitdata</font><br>
<div class="bq">Markers for functions (<font class="fixd">__init</font> and <font class="fixd">__exit</font>) and data (<font class="fixd">__initdata</font> and <font class="fixd">__exitdata</font>)
that are only used at module initialization or cleanup time. Items marked for initialization
may be discarded once initialization completes; the exit items may be
discarded if module unloading has not been configured into the kernel. These
markers work by causing the relevant objects to be placed in a special ELF section
in the executable file.</div>
<br>
<font class="fixd">#include &lt;linux/sched.h&gt;</font><br>
<div class="bq">One of the most important header files. This file contains definitions of much of
the kernel API used by the driver, including functions for sleeping and numerous
variable declarations.</div>
<br>
<font class="fixd">struct task_struct *current;</font><br>
<div class="bq">The current process.</div>
<br>
<font class="fixd">current-&gt;pid<br>
current-&gt;comm</font><br>
<div class="bq">The process ID and command name for the current process.</div>
<br>
<font class="fixd">obj-m</font><br>
<div class="bq">A makefile symbol used by the kernel build system to determine which modules
should be built in the current directory.</div>
<br>
<i>/sys/module<br>
/proc/modules</i><br>
<div class="bq"><i>/sys/module </i>is a sysfs directory hierarchy containing information on currently loaded
modules. <i>/proc/modules </i>is the older, single-file version of that information.
Entries contain the module name, the amount of memory each module
occupies, and the usage count. Extra strings are appended to each line to specify
flags that are currently active for the module.</div>
<br>
<i>vermagic.o</i><br>
<div class="bq">An object file from the kernel source directory that describes the environment a
module was built for.</div>
<br>
<font class="fixd">#include &lt;linux/module.h&gt;</font><br>
<div class="bq">Required header. It must be included by a module source.</div>
<br>
<font class="fixd">#include &lt;linux/version.h&gt;</font><br>
<div class="bq">A header file containing information on the version of the kernel being built.</div>
<br>
<font class="fixd">LINUX_VERSION_CODE</font><br>
<div class="bq">Integer macro, useful to <font class="fixd">#ifdef</font> version dependencies.</div>
<br>
<A name="41"></a><font color="blue">PAGE 41</font><br>
<br>
<font class="fixd">EXPORT_SYMBOL (symbol);<br>
EXPORT_SYMBOL_GPL (symbol);</font><br>
<div class="bq">Macro used to export a symbol to the kernel. The second form exports without
using versioning information, and the third limits the export to GPL-licensed
modules.</div>
<br>
<font class="fixd">MODULE_AUTHOR(author);<br>
MODULE_DESCRIPTION(description);<br>
MODULE_VERSION(version_string);<br>
MODULE_DEVICE_TABLE(table_info);<br>
MODULE_LICENSE(license);<br>
MODULE_ALIAS(alternate_name);</font><br>
<div class="bq">Place documentation on the module in the object file.</div>
<br>
<font class="fixd">module_init(init_function);<br>
module_exit(exit_function);</font><br>
<div class="bq">Macros that declare a module's initialization and cleanup functions.</div>
<br>
<font class="fixd">#include &lt;linux/moduleparam.h&gt;<br>
module_param(variable, type, perm);</font><br>
<div class="bq">Macro that creates a module parameter that can be adjusted by the user when
the module is loaded (or at boot time for built-in code). The type can be one of
<font class="fixd">bool, charp, int, invbool, long, short, ushort, uint, ulong,</font> or <font class="fixd">intarray.</font></div>
<br>
<font class="fixd">#include &lt;linux/kernel.h&gt;<br>
int printk(const char * fmt, ...);</font><br>
<div class="bq">The analogue of <i>printf</i> for kernel code.</div>
<br>
<A name="42"></a><font color="blue">PAGE 42</font><br>
<br>
<a name="CHAPTER3"></a><font color="red"><b>CHAPTER 3</b></font><br>
<br>
<a name="CharDrivers"></a><font color="#7519FF" size="+1"><b>Char Drivers</b></font><br>
<br>
The goal of this chapter is to write a complete char device driver. We develop a character
driver because this class is suitable for most simple hardware devices. Char
drivers are also easier to understand than block drivers or network drivers (which we
get to in later chapters). Our ultimate aim is to write a <i>modularized </i>char driver, but
we won't talk about modularization issues in this chapter.<br>
<br>
Throughout the chapter, we present code fragments extracted from a real device
driver: <i>scull </i>(Simple Character Utility for Loading Localities). <i>scull </i>is a char driver
that acts on a memory area as though it were a device. In this chapter, because of
that peculiarity of <i>scull</i>, we use the word <i>device </i>interchangeably with "the memory
area used by <i>scull</i>."<br>
<br>
The advantage of <i>scull </i>is that it isn't hardware dependent. <i>scull </i>just acts on some
memory, allocated from the kernel. Anyone can compile and run <i>scull</i>, and <i>scull </i>is
portable across the computer architectures on which Linux runs. On the other hand,
the device doesn't do anything "useful" other than demonstrate the interface
between the kernel and char drivers and allow the user to run some tests.<br>
<br>
<a name="TheDesignOfScull"></a><font color="red"><b>The Design of scull</b></font><br>
<br>
The first step of driver writing is defining the capabilities (the mechanism) the driver
will offer to user programs. Since our "device" is part of the computer's memory,
we're free to do what we want with it. It can be a sequential or random-access
device, one device or many, and so on.<br>
<br>
To make <i>scull </i>useful as a template for writing real drivers for real devices, we'll show
you how to implement several device abstractions on top of the computer memory,
each with a different personality.<br>
<br>
The <i>scull </i>source implements the following devices. Each kind of device implemented
by the module is referred to as a <i>type</i>.<br>
<br>
<A name="43"></a><font color="blue">PAGE 43</font><br>
<br>
<i>scull0 to scull3</i><br>
<div class="bq">Four devices, each consisting of a memory area that is both global and persistent.
Global means that if the device is opened multiple times, the data contained
within the device is shared by all the file descriptors that opened it.
Persistent means that if the device is closed and reopened, data isn't lost. This
device can be fun to work with, because it can be accessed and tested using conventional
commands, such as <i>cp</i>, <i>cat</i>, and shell I/O redirection.</div>
<br>
<i>scullpipe0 to scullpipe3</i><br>
<div class="bq">Four FIFO (first-in-first-out) devices, which act like pipes. One process reads
what another process writes. If multiple processes read the same device, they
contend for data. The internals of <i>scullpipe </i>will show how blocking and nonblocking
<i>read </i>and <i>write </i>can be implemented without having to resort to interrupts.
Although real drivers synchronize with their devices using hardware
interrupts, the topic of blocking and nonblocking operations is an important one
and is separate from interrupt handling (covered in Chapter 10).</div>
<br>
<i>scullsingle<br>
scullpriv<br>
sculluid<br>
scullwuid</i><br>
<div class="bq">These devices are similar to <i>scull0 </i>but with some limitations on when an <i>open </i>is
permitted. The first (<i>scullsingle</i>) allows only one process at a time to use the
driver, whereas <i>scullpriv </i>is private to each virtual console (or X terminal session),
because processes on each console/terminal get different memory areas.
<i>sculluid </i>and <i>scullwuid </i>can be opened multiple times, but only by one user at a
time; the former returns an error of "Device Busy" if another user is locking the
device, whereas the latter implements blocking <i>open</i>. These variations of <i>scull
</i>would appear to be confusing policy and mechanism, but they are worth looking
at, because some real-life devices require this sort of management.</div>
<br>
Each of the <i>scull </i>devices demonstrates different features of a driver and presents different
difficulties. This chapter covers the internals of <i>scull0 </i>to <i>scull3</i>; the more
advanced devices are covered in Chapter 6. <i>scullpipe </i>is described in the section "A
Blocking I/O Example," and the others are described in "Access Control on a Device
File."<br>
<br>
<a name="MajorAndMinorNumbers"></a><font color="red"><b>Major and Minor Numbers</b></font><br>
<br>
Char devices are accessed through names in the filesystem. Those names are called
special files or device files or simply nodes of the filesystem tree; they are conventionally
located in the <i>/dev </i>directory. Special files for char drivers are identified by a "c"
in the first column of the output of <i>ls -l</i>. Block devices appear in <i>/dev </i>as well, but
they are identified by a "b." The focus of this chapter is on char devices, but much of
the following information applies to block devices as well.<br>
<br>
<A name="44"></a><font color="blue">PAGE 44</font><br>
<br>
If you issue the <i>ls -l </i>command, you'll see two numbers (separated by a comma) in
the device file entries before the date of the last modification, where the file length
normally appears. These numbers are the major and minor device number for the
particular device. The following listing shows a few devices as they appear on a typical
system. Their major numbers are 1, 4, 7, and 10, while the minors are 1, 3, 5, 64,
65, and 129.<br>
<pre>
 crw-rw-rw-    1 root     root       1,   3 Apr 11  2002 null
 crw-------    1 root     root      10,   1 Apr 11  2002 psaux
 crw-------    1 root     root       4,   1 Oct 28 03:04 tty1
 crw-rw-rw-    1 root     tty        4,  64 Apr 11  2002 ttys0
 crw-rw----    1 root     uucp       4,  65 Apr 11  2002 ttyS1
 crw--w----    1 vcsa     tty        7,   1 Apr 11  2002 vcs1
 crw--w----    1 vcsa     tty        7, 129 Apr 11  2002 vcsa1
 crw-rw-rw-    1 root     root       1,   5 Apr 11  2002 zero
</pre>
Traditionally, the major number identifies the driver associated with the device. For
example, <i>/dev/null </i>and <i>/dev/zero </i>are both managed by driver 1, whereas virtual consoles
and serial terminals are managed by driver 4; similarly, both <i>vcs1 </i>and <i>vcsa1
</i>devices are managed by driver 7. Modern Linux kernels allow multiple drivers to
share major numbers, but most devices that you will see are still organized on the
one-major-one-driver principle.<br>
<br>
The minor number is used by the kernel to determine exactly which device is being
referred to. Depending on how your driver is written (as we will see below), you can
either get a direct pointer to your device from the kernel, or you can use the minor
number yourself as an index into a local array of devices. Either way, the kernel itself
knows almost nothing about minor numbers beyond the fact that they refer to
devices implemented by your driver.<br>
<br>
<a name="TheInternalRepresentationOfDeviceNumbers"></a><font color="red"><b>The Internal Representation of Device Numbers</b></font><br>
<br>
Within the kernel, the <font class="fixd">dev_t</font> type (defined in <i>&lt;linux/types.h&gt;</i>) is used to hold device
numbers--both the major and minor parts. As of Version 2.6.0 of the kernel, <font class="fixd">dev_t</font> is
a 32-bit quantity with 12 bits set aside for the major number and 20 for the minor
number. Your code should, of course, never make any assumptions about the internal
organization of device numbers; it should, instead, make use of a set of macros
found in <i>&lt;linux/kdev_t.h&gt;</i>. To obtain the major or minor parts of a <font class="fixd">dev_t</font>, use:<br>
<pre>
MAJOR(dev_t dev);
MINOR(dev_t dev);
</pre>
If, instead, you have the major and minor numbers and need to turn them into a <font class="fixd">dev_t</font>,
use:<br>
<pre>
MKDEV(int major, int minor);
</pre>
Note that the 2.6 kernel can accommodate a vast number of devices, while previous
kernel versions were limited to 255 major and 255 minor numbers. One assumes<br>
<br>
<A name="45"></a><font color="blue">PAGE 45</font><br>
<br>
that the wider range will be sufficient for quite some time, but the computing field is
littered with erroneous assumptions of that nature. So you should expect that the
format of <font class="fixd">dev_t</font> could change again in the future; if you write your drivers carefully,
however, these changes will not be a problem.<br>
<br>
<a name="AllocatingAndFreeingDeviceNumbers"></a><font color="red"><b>Allocating and Freeing Device Numbers</b></font><br>
<br>
One of the first things your driver will need to do when setting up a char device is to
obtain one or more device numbers to work with. The necessary function for this
task is <i>register_chrdev_region</i>, which is declared in <i>&lt;linux/fs.h&gt;</i>:<br>
<pre>
int register_chrdev_region(dev_t first, unsigned int count,
                           char *name);
</pre>
Here, <font class="fixd">first</font> is the beginning device number of the range you would like to allocate.
The minor number portion of <font class="fixd">first</font> is often 0, but there is no requirement to that
effect. <font class="fixd">count</font> is the total number of contiguous device numbers you are requesting.
Note that, if <font class="fixd">count</font> is large, the range you request could spill over to the next major
number; but everything will still work properly as long as the number range you
request is available. Finally, <font class="fixd">name</font> is the name of the device that should be associated
with this number range; it will appear in <i>/proc/devices</i> and sysfs.<br>
<br>
As with most kernel functions, the return value from <i>register_chrdev_region </i>will be 0
if the allocation was successfully performed. In case of error, a negative error code
will be returned, and you will not have access to the requested region.<br>
<br>
<i>register_chrdev_region </i>works well if you know ahead of time exactly which device
numbers you want. Often, however, you will not know which major numbers your
device will use; there is a constant effort within the Linux kernel development community
to move over to the use of dynamically-allocated device numbers. The kernel
will happily allocate a major number for you on the fly, but you must request this
allocation by using a different function:<br>
<pre>
int alloc_chrdev_region(dev_t *dev, unsigned int firstminor,
                        unsigned int count, char *name);
</pre>
With this function, dev is an output-only parameter that will, on successful completion,
hold the first number in your allocated range. <font class="fixd">firstminor</font> should be the
requested first minor number to use; it is usually 0. The <font class="fixd">count</font> and <font class="fixd">name</font> parameters
work like those given to <i>register_chrdev_region</i>.<br>
<br>
Regardless of how you allocate your device numbers, you should free them when
they are no longer in use. Device numbers are freed with:<br>
<pre>
void unregister_chrdev_region(dev_t first, unsigned int count);
</pre>
The usual place to call <i>unregister_chrdev_region </i>would be in your module's cleanup
function.<br>
<br>
<A name="46"></a><font color="blue">PAGE 46</font><br>
<br>
The above functions allocate device numbers for your driver's use, but they do not
tell the kernel anything about what you will actually do with those numbers. Before a
user-space program can access one of those device numbers, your driver needs to
connect them to its internal functions that implement the device's operations. We
will describe how this connection is accomplished shortly, but there are a couple of
necessary digressions to take care of first.<br>
<br>
<a name="DynamicAllocationOfMajorNumbers"></a><font color="red"><b>Dynamic Allocation of Major Numbers</b></font><br>
<br>
Some major device numbers are statically assigned to the most common devices. A
list of those devices can be found in <i>Documentation/devices.txt </i>within the kernel
source tree. The chances of a static number having already been assigned for the use
of your new driver are small, however, and new numbers are not being assigned. So,
as a driver writer, you have a choice: you can simply pick a number that appears to
be unused, or you can allocate major numbers in a dynamic manner. Picking a number
may work as long as the only user of your driver is you; once your driver is more
widely deployed, a randomly picked major number will lead to conflicts and trouble.<br>
<br>
Thus, for new drivers, we strongly suggest that you use dynamic allocation to obtain
your major device number, rather than choosing a number randomly from the ones
that are currently free. In other words, your drivers should almost certainly be using
<i>alloc_chrdev_region</i> rather than <i>register_chrdev_region</i>.<br>
<br>
The disadvantage of dynamic assignment is that you can't create the device nodes in
advance, because the major number assigned to your module will vary. For normal
use of the driver, this is hardly a problem, because once the number has been
assigned, you can read it from <i>/proc/devices</i>.*<br>
<br>
To load a driver using a dynamic major number, therefore, the invocation of <i>insmod
</i>can be replaced by a simple script that, after calling <i>insmod</i>, reads <i>/proc/devices </i>in
order to create the special file(s).<br>
<br>
A typical <i>/proc/devices</i> file looks like the following:<br>
<pre>
Character devices:
 1 mem
 2 pty
 3 ttyp
 4 ttyS
 6 lp
 7 vcs
 10 misc
 13 input
 14 sound
</pre>
* Even better device information can usually be obtained from sysfs, generally mounted on <i>/sys </i>on 2.6-based systems. Getting <i>scull </i>to export information via sysfs is beyond the scope of this chapter, however; we'll return to this topic in Chapter 14.<br>
<br>
<A name="47"></a><font color="blue">PAGE 47</font><br>
<pre>
 21 sg
180 usb

Block devices:
 2 fd
 8 sd
 11 sr
 65 sd
 66 sd
</pre>
The script to load a module that has been assigned a dynamic number can, therefore,
be written using a tool such as <i>awk </i>to retrieve information from <i>/proc/devices </i>in
order to create the files in <i>/dev</i>.<br>
<br>
The following script, <i>scull_load</i>, is part of the <i>scull </i>distribution. The user of a driver
that is distributed in the form of a module can invoke such a script from the system's
<i>rc.local</i> file or call it manually whenever the module is needed.<br>
<pre>
#!/bin/sh
module=&quot;scull&quot;
device=&quot;scull&quot;
mode=&quot;664&quot;

# invoke insmod with all arguments we got
# and use a pathname, as newer modutils don't look in . by default
/sbin/insmod ./$module.ko $* || exit 1

# remove stale nodes
rm -f /dev/${device}[0-3]

major=$(awk &quot;\$2= =\&quot;$module\&quot; {print \$1}&quot; /proc/devices)

mknod /dev/${device}0 c $major 0
mknod /dev/${device}1 c $major 1
mknod /dev/${device}2 c $major 2
mknod /dev/${device}3 c $major 3

# give appropriate group/permissions, and change the group.
# Not all distributions have staff, some have &quot;wheel&quot; instead.
group=&quot;staff&quot;
grep -q '^staff:' /etc/group || group=&quot;wheel&quot;

chgrp $group /dev/${device}[0-3]
chmod $mode  /dev/${device}[0-3]
</pre>
The script can be adapted for another driver by redefining the variables and adjusting
the <i>mknod </i>lines. The script just shown creates four devices because four is the
default in the <i>scull</i> sources.<br>
<br>
The last few lines of the script may seem obscure: why change the group and mode
of a device? The reason is that the script must be run by the superuser, so newly created
special files are owned by root. The permission bits default so that only root has
write access, while anyone can get read access. Normally, a device node requires a<br>
<br>
<A name="48"></a><font color="blue">PAGE 48</font><br>
<br>
different access policy, so in some way or another access rights must be changed.
The default in our script is to give access to a group of users, but your needs may
vary. In the section "Access Control on a Device File" in Chapter 6, the code for <i>sculluid
</i>demonstrates how the driver can enforce its own kind of authorization for device
access.<br>
<br>
A <i>scull_unload </i>script is also available to clean up the <i>/dev </i>directory and remove the
module.<br>
<br>
As an alternative to using a pair of scripts for loading and unloading, you could write
an init script, ready to be placed in the directory your distribution uses for these
scripts.* As part of the <i>scull </i>source, we offer a fairly complete and configurable example
of an init script, called <i>scull.init</i>; it accepts the conventional arguments--start,
stop, and restart--and performs the role of both <i>scull_load</i> and <i>scull_unload</i>.<br>
<br>
If repeatedly creating and destroying <i>/dev </i>nodes sounds like overkill, there is a useful
work-around. If you are loading and unloading only a single driver, you can just use
<i>rmmod </i>and <i>insmod </i>after the first time you create the special files with your script:
dynamic numbers are not randomized,&#134; and you can count on the same number
being chosen each time if you don't load any other (dynamic) modules. Avoiding
lengthy scripts is useful during development. But this trick, clearly, doesn't scale to
more than one driver at a time.<br>
<br>
The best way to assign major numbers, in our opinion, is by defaulting to dynamic
allocation while leaving yourself the option of specifying the major number at load
time, or even at compile time. The <i>scull </i>implementation works in this way; it uses a
global variable, <font class="fixd">scull_major</font>, to hold the chosen number (there is also a <font class="fixd">scull_minor</font>
for the minor number). The variable is initialized to <font class="fixd">SCULL_MAJOR</font>, defined in <i>scull.h</i>.
The default value of <font class="fixd">SCULL_MAJOR</font> in the distributed source is 0, which means "use
dynamic assignment." The user can accept the default or choose a particular major
number, either by modifying the macro before compiling or by specifying a value for
<font class="fixd">scull_major</font> on the <i>insmod </i>command line. Finally, by using the <i>scull_load </i>script, the
user can pass arguments to <i>insmod</i> on <i>scull_load</i>'s command line.&#135;<br>
<br>
Here's the code we use in <i>scull</i>'s source to get a major number:<br>
<pre>
if (scull_major) {
    dev = MKDEV(scull_major, scull_minor);
    result = register_chrdev_region(dev, scull_nr_devs, &quot;scull&quot;);
} else {
    result = alloc_chrdev_region(&amp;dev, scull_minor, scull_nr_devs,
</pre>
* The Linux Standard Base specifies that init scripts should be placed in <i>/etc/init.d</i>, but some distributions 
still place them elsewhere. In addition, if your script is to be run at boot time, you need to make a link to it from
the appropriate run-level directory (i.e., <i>.../rc3.d</i>).<br>
<br>
&#134; Though certain kernel developers have threatened to do exactly that in the future.<br>
<br>
&#135;The init script <i>scull.init </i>doesn't accept driver options on the command line, but it supports a configuration 
file, because it's designed for automatic use at boot and shutdown time.<br>
<br>
<A name="49"></a><font color="blue">PAGE 49</font><br>
<pre>
            &quot;scull&quot;);
    scull_major = MAJOR(dev);
}
if (result &lt; 0) {
    printk(KERN_WARNING &quot;scull: can't get major %d\n&quot;, scull_major);
    return result;
}
</pre>
Almost all of the sample drivers used in this book use similar code for their major
number assignment.<br>
<br>
<a name="SomeImportantDataStructures"></a><font color="red"><b>Some Important Data Structures</b></font><br>
<br>
As you can imagine, device number registration is just the first of many tasks that
driver code must carry out. We will soon look at other important driver components,
but one other digression is needed first. Most of the fundamental driver operations
involve three important kernel data structures, called <font class="fixd">file_operations, file,</font>
and <font class="fixd">inode.</font> A basic familiarity with these structures is required to be able to do much
of anything interesting, so we will now take a quick look at each of them before getting
into the details of how to implement the fundamental driver operations.<br>
<br>
<a name="FileOperations"></a><font color="red"><b>File Operations</b></font><br>
<br>
So far, we have reserved some device numbers for our use, but we have not yet connected
any of our driver's operations to those numbers. The <font class="fixd">file_operations</font> structure
is how a char driver sets up this connection. The structure, defined in <i>&lt;linux/fs.h&gt;</i>,
is a collection of function pointers. Each open file (represented internally by a file
structure, which we will examine shortly) is associated with its own set of functions
(by including a field called <font class="fixd">f_op</font> that points to a <font class="fixd">file_operations</font> structure). The
operations are mostly in charge of implementing the system calls and are therefore,
named <i>open</i>, <i>read</i>, and so on. We can consider the file to be an "object" and the
functions operating on it to be its "methods," using object-oriented programming
terminology to denote actions declared by an object to act on itself. This is the first
sign of object-oriented programming we see in the Linux kernel, and we'll see more
in later chapters.<br>
<br>
Conventionally, a <font class="fixd">file_operations</font> structure or a pointer to one is called <font class="fixd">fops</font> (or
some variation thereof). Each field in the structure must point to the function in the
driver that implements a specific operation, or be left <font class="fixd">NULL</font> for unsupported operations.
The exact behavior of the kernel when a <font class="fixd">NULL</font> pointer is specified is different
for each function, as the list later in this section shows.<br>
<br>
The following list introduces all the operations that an application can invoke on a
device. We've tried to keep the list brief so it can be used as a reference, merely summarizing
each operation and the default kernel behavior when a <font class="fixd">NULL</font> pointer is used.<br>
<br>
<A name="50"></a><font color="blue">PAGE 50</font><br>
<br>
As you read through the list of <font class="fixd">file_operations</font> methods, you will note that a number
of parameters include the <font class="fixd">string__user</font>. This annotation is a form of documentation,
noting that a pointer is a user-space address that cannot be directly
dereferenced. For normal compilation, <font class="fixd">__user</font> has no effect, but it can be used by
external checking software to find misuse of user-space addresses.<br>
<br>
The rest of the chapter, after describing some other important data structures,
explains the role of the most important operations and offers hints, caveats, and real
code examples. We defer discussion of the more complex operations to later chapters,
because we aren't ready to dig into topics such as memory management, blocking
operations, and asynchronous notification quite yet.<br>
<br>
<font class="fixd">struct module *owner</font><br>
<div class="bq">
The first <font class="fixd">file_operations</font> field is not an operation at all; it is a pointer to the
module that "owns" the structure. This field is used to prevent the module from
being unloaded while its operations are in use. Almost all the time, it is simply
initialized to <font class="fixd">THIS_MODULE,</font> a macro defined in <i>&lt;linux/module.h&gt;</i>.</div>
<br>
<font class="fixd">loff_t (*llseek) (struct file *, loff_t, int);</font><br>
<div class="bq">
The <i>llseek </i>method is used to change the current read/write position in a file, and
the new position is returned as a (positive) return value. The <font class="fixd">loff_t</font> parameter is
a "long offset" and is at least 64 bits wide even on 32-bit platforms. Errors are
signaled by a negative return value. If this function pointer is <font class="fixd">NULL</font>, seek calls will
modify the position counter in the file structure (described in the section "The
file Structure") in potentially unpredictable ways.</div>
<br>
<font class="fixd">ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);</font><br>
<div class="bq">
Used to retrieve data from the device. A null pointer in this position causes the
<i>read </i>system call to fail with <font class="fixd">-EINVAL</font> ("Invalid argument"). A nonnegative return
value represents the number of bytes successfully read (the return value is a
"signed size" type, usually the native integer type for the target platform).</div>
<br>
<font class="fixd">ssize_t (*aio_read)(struct kiocb *, char __user *, size_t, loff_t);<</font>br>
<div class="bq">
Initiates an asynchronous read--a read operation that might not complete
before the function returns. If this method is <font class="fixd">NULL</font>, all operations will be processed
(synchronously) by <i>read</i> instead.</div>
<br>
<font class="fixd">ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);</font><br>
<div class="bq">
Sends data to the device. If <font class="fixd">NULL, -EINVAL</font> is returned to the program calling the
<i>write </i>system call. The return value, if nonnegative, represents the number of
bytes successfully written.</div>
<br>
<font class="fixd">ssize_t (*aio_write)(struct kiocb *, const char __user *, size_t, loff_t *);</font><br>
<div class="bq">
Initiates an asynchronous write operation on the device.</div>
<br>
<font class="fixd">int (*readdir) (struct file *, void *, filldir_t);</font><br>
<div class="bq">
This field should be <font class="fixd">NULL</font> for device files; it is used for reading directories and is
useful only for filesystems.</div>
<br>
<A name="51"></a><font color="blue">PAGE 51</font><br>
<br>
<font class="fixd">unsigned int (*poll) (struct file *, struct poll_table_struct *);</font><br>
<div class="bq">
The <i>poll </i>method is the back end of three system calls: <i>poll, epoll, </i>and <i>select</i>, all of
which are used to query whether a read or write to one or more file descriptors
would block. The <i>poll </i>method should return a bit mask indicating whether nonblocking
reads or writes are possible, and, possibly, provide the kernel with
information that can be used to put the calling process to sleep until I/O
becomes possible. If a driver leaves its <i>poll </i>method <font class="fixd">NULL</font>, the device is assumed to
be both readable and writable without blocking.</div>
<br>
<font class="fixd">int (*ioctl) (struct inode *, struct file *, unsigned int, unsigned long);</font><br>
<div class="bq">
The <i>ioctl </i>system call offers a way to issue device-specific commands (such as formatting
a track of a floppy disk, which is neither reading nor writing). Additionally,
a few <i>ioctl </i>commands are recognized by the kernel without referring to the
fops table. If the device doesn't provide an <i>ioctl </i>method, the system call returns
an error for any request that isn't predefined (<font class="fixd">-ENOTTY,</font> "No such ioctl for
device").</div>
<br>
<font class="fixd">int (*mmap) (struct file *, struct vm_area_struct *);</font><br>
<div class="bq">
<i>mmap </i>is used to request a mapping of device memory to a process's address
space. If this method is <font class="fixd">NULL</font>, the <i>mmap</i> system call returns <font class="fixd">-ENODEV.</font></div>
<br>
<font class="fixd">int (*open) (struct inode *, struct file *);</font><br>
<div class="bq">
Though this is always the first operation performed on the device file, the driver
is not required to declare a corresponding method. If this entry is <font class="fixd">NULL</font>, opening
the device always succeeds, but your driver isn't notified.</div>
<br>
<font class="fixd">int (*flush) (struct file *);</font><br>
<div class="bq">
The <i>flush </i>operation is invoked when a process closes its copy of a file descriptor
for a device; it should execute (and wait for) any outstanding operations on the
device. This must not be confused with the <i>fsync </i>operation requested by user
programs. Currently, <i>flush </i>is used in very few drivers; the SCSI tape driver uses
it, for example, to ensure that all data written makes it to the tape before the
device is closed. If <i>flush </i>is <font class="fixd">NULL</font>, the kernel simply ignores the user application
request.</div>
<br>
<font class="fixd">int (*release) (struct inode *, struct file *);</font><br>
<div class="bq">
This operation is invoked when the file structure is being released. Like <i>open</i>,
<i>release</i> can be <font class="fixd">NULL</font>.*</div>
<br>
<font class="fixd">int (*fsync) (struct file *, struct dentry *, int);</font><br>
<div class="bq">
This method is the back end of the <i>fsync </i>system call, which a user calls to flush
any pending data. If this pointer is <font class="fixd">NULL</font>, the system call returns <font class="fixd">-EINVAL.</font></div>
<br>
* Note that <i>release </i>isn't invoked every time a process calls <i>close</i>. Whenever 
a file structure is shared (for example, after a <i>fork </i>or a <i>dup</i>), <i>release </i>won't 
be invoked until all copies are closed. If you need to flush pending
data when any copy is closed, you should implement the <i>flush</i> method.<br>
<br>
<A name="52"></a><font color="blue">PAGE 52</font><br>
<br>
<font class="fixd">int (*aio_fsync)(struct kiocb *, int);</font><br>
<div class="bq">
This is the asynchronous version of the <i>fsync</i> method.</div>
<br>
<font class="fixd">int (*fasync) (int, struct file *, int);</font><br>
<div class="bq">
This operation is used to notify the device of a change in its <font class="fixd">FASYNC</font> flag. Asynchronous
notification is an advanced topic and is described in Chapter 6. The
field can be <font class="fixd">NULL</font> if the driver doesn't support asynchronous notification.</div>
<br>
<font class="fixd">int (*lock) (struct file *, int, struct file_lock *);</font><br>
<div class="bq">
The <i>lock </i>method is used to implement file locking; locking is an indispensable
feature for regular files but is almost never implemented by device drivers.</div>
<br>
<font class="fixd">ssize_t (*readv) (struct file *, const struct iovec *, unsigned long, loff_t *);<br>
ssize_t (*writev) (struct file *, const struct iovec *, unsigned long, loff_t *);</font><br>
<div class="bq">
These methods implement scatter/gather read and write operations. Applications
occasionally need to do a single read or write operation involving multiple
memory areas; these system calls allow them to do so without forcing extra copy
operations on the data. If these function pointers are left <font class="fixd">NULL</font>, the <i>read </i>and <i>write
</i>methods are called (perhaps more than once) instead.</div>
<br>
<font class="fixd">ssize_t (*sendfile)(struct file *, loff_t *, size_t, read_actor_t, void *);</font><br>
<div class="bq">
This method implements the read side of the <i>sendfile </i>system call, which moves
the data from one file descriptor to another with a minimum of copying. It is
used, for example, by a web server that needs to send the contents of a file out a
network connection. Device drivers usually leave <i>sendfile </i><font class="fixd">NULL</font>.</div>
<br>
<font class="fixd">ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);</font><br>
<div class="bq">
<i>sendpage </i>is the other half of <i>sendfile</i>; it is called by the kernel to send data, one
page at a time, to the corresponding file. Device drivers do not usually implement
<i>sendpage</i>.</div>
<br>
<font class="fixd">unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned
  long, unsigned long, unsigned long);</font><br>
<div class="bq">
The purpose of this method is to find a suitable location in the process's address
space to map in a memory segment on the underlying device. This task is normally
performed by the memory management code; this method exists to allow
drivers to enforce any alignment requirements a particular device may have.
Most drivers can leave this method <font class="fixd">NULL</font>.</div>
<br>
<font class="fixd">int (*check_flags)(int)</font><br>
<div class="bq">
This method allows a module to check the flags passed to an <i>fcntl(F_SETFL...) </i>call.</div>
<br>
<font class="fixd">int (*dir_notify)(struct file *, unsigned long);</font><br>
<div class="bq">
This method is invoked when an application uses <i>fcntl </i>to request directory
change notifications. It is useful only to filesystems; drivers need not implement
<i>dir_notify</i>.</div>
<br>
<A name="53"></a><font color="blue">PAGE 53</font><br>
<br>
The <i>scull </i>device driver implements only the most important device methods. Its
<font class="fixd">file_operations</font> structure is initialized as follows:<br>
<pre>
struct file_operations scull_fops = {
    .owner =    THIS_MODULE,
    .llseek =   scull_llseek,
    .read =     scull_read,
    .write =    scull_write,
    .ioctl =    scull_ioctl,
    .open =     scull_open,
    .release =  scull_release,
};
</pre>
This declaration uses the standard C tagged structure initialization syntax. This syntax
is preferred because it makes drivers more portable across changes in the definitions
of the structures and, arguably, makes the code more compact and readable.
Tagged initialization allows the reordering of structure members; in some cases, substantial
performance improvements have been realized by placing pointers to frequently
accessed members in the same hardware cache line.<br>
<br>
<a name="TheFileStructure"></a><font color="red"><b>The file Structure</b></font><br>
<br>
<font class="fixd">struct file</font>, defined in <i>&lt;linux/fs.h&gt;</i>, is the second most important data structure
used in device drivers. Note that a file has nothing to do with the FILE pointers of
user-space programs. A FILE is defined in the C library and never appears in kernel
code. A <font class="fixd">struct file</font>, on the other hand, is a kernel structure that never appears in
user programs.<br>
<br>
The file structure represents an <i>open file</i>. (It is not specific to device drivers; every
open file in the system has an associated <font class="fixd">struct file</font> in kernel space.) It is created by
the kernel on <i>open </i>and is passed to any function that operates on the file, until
the last <i>close</i>. After all instances of the file are closed, the kernel releases the data
structure.<br>
<br>
In the kernel sources, a pointer to <font class="fixd">struct file</font> is usually called either file or <font class="fixd">filp</font>
("file pointer"). We'll consistently call the pointer <font class="fixd">filp</font> to prevent ambiguities with
the structure itself. Thus, <font class="fixd">file</font> refers to the structure and <font class="fixd">filp</font> to a pointer to the
structure.<br>
<br>
The most important fields of <font class="fixd">struct file</font> are shown here. As in the previous section,
the list can be skipped on a first reading. However, later in this chapter, when we
face some real C code, we'll discuss the fields in more detail.<br>
<br>
<font class="fixd">mode_t f_mode;</font><br>
<div class="bq">
The file mode identifies the file as either readable or writable (or both), by means
of the bits <font class="fixd">FMODE_READ</font> and <font class="fixd">FMODE_WRITE</font>. You might want to check this field for
read/write permission in your <i>open </i>or <i>ioctl </i>function, but you don't need to check
permissions for <i>read </i>and <i>write</i>, because the kernel checks before invoking your</div>
<br>
<A name="54"></a><font color="blue">PAGE 54</font><br>
<br>
<div class="bq">
method. An attempt to read or write when the file has not been opened for that
type of access is rejected without the driver even knowing about it.</div>
<br>
<font class="fixd">loff_t f_pos;</font><br>
<div class="bq">
The current reading or writing position. <font class="fixd">loff_t</font> is a 64-bit value on all platforms
(<font class="fixd">long long</font> in <i>gcc </i>terminology). The driver can read this value if it needs to know
the current position in the file but should not normally change it; <i>read </i>and <i>write
</i>should update a position using the pointer they receive as the last argument
instead of acting on <font class="fixd">filp-&gt;f_pos</font> directly. The one exception to this rule is in the
<i>llseek</i> method, the purpose of which is to change the file position.</div>
<br>
<font class="fixd">unsigned int f_flags;</font><br>
<div class="bq">
These are the file flags, such as <font class="fixd">O_RDONLY, O_NONBLOCK,</font> and <font class="fixd">O_SYNC</font>. A driver should
check the <font class="fixd">O_NONBLOCK</font> flag to see if nonblocking operation has been requested (we
discuss nonblocking I/O in the section "Blocking and Nonblocking Operations"
in Chapter 6); the other flags are seldom used. In particular, read/write permission
should be checked using <font class="fixd">f_mode</font> rather than <font class="fixd">f_flags</font>. All the flags are
defined in the header <i>&lt;linux/fcntl.h&gt;</i>.</div>
<br>
<font class="fixd">struct file_operations *f_op;</font><br>
<div class="bq">
The operations associated with the file. The kernel assigns the pointer as part of
its implementation of <i>open </i>and then reads it when it needs to dispatch any operations.
The value in <font class="fixd">filp-&gt;f_op</font> is never saved by the kernel for later reference;
this means that you can change the file operations associated with your file, and
the new methods will be effective after you return to the caller. For example, the
code for <i>open </i>associated with major number 1 (<i>/dev/null</i>, <i>/dev/zero</i>, and so on)
substitutes the operations in <font class="fixd">filp-&gt;f_op</font> depending on the minor number being
opened. This practice allows the implementation of several behaviors under the
same major number without introducing overhead at each system call. The ability
to replace the file operations is the kernel equivalent of "method overriding"
in object-oriented programming.</div>
<br>
<font class="fixd">void *private_data;</font><br>
<div class="bq">
The <i>open </i>system call sets this pointer to <font class="fixd">NULL</font> before calling the <i>open </i>method for
the driver. You are free to make its own use of the field or to ignore it; you can
use the field to point to allocated data, but then you must remember to free that
memory in the <i>release </i>method before the <font class="fixd">file</font> structure is destroyed by the kernel.
<font class="fixd">private_data</font> is a useful resource for preserving state information across system
calls and is used by most of our sample modules.</div>
<br>
<font class="fixd">struct dentry *f_dentry;</font><br>
<div class="bq">
The directory entry (<i>dentry</i>) structure associated with the file. Device driver writers
normally need not concern themselves with dentry structures, other than to
access the inode structure as <font class="fixd">filp-&gt;f_dentry-&gt;d_inode.</font></div>
<br>
<A name="55"></a><font color="blue">PAGE 55</font><br>
<br>
The real structure has a few more fields, but they aren't useful to device drivers. We
can safely ignore those fields, because drivers never create <font class="fixd">file</font> structures; they only
access structures created elsewhere.<br>
<br>
<a name="TheInodeStructure"></a><font color="red"><b>The inode Structure</b></font><br>
<br>
The <i>inode </i>structure is used by the kernel internally to represent files. Therefore, it is
different from the <font class="fixd">file</font> structure that represents an open file descriptor. There can be
numerous <font class="fixd">file</font> structures representing multiple open descriptors on a single file, but
they all point to a single <font class="fixd">inode</font> structure.<br>
<br>
The <font class="fixd">inode</font> structure contains a great deal of information about the file. As a general
rule, only two fields of this structure are of interest for writing driver code:<br>
<br>
<font class="fixd">dev_t i_rdev;</font><br>
<div class="bq">
For inodes that represent device files, this field contains the actual device number.</div>
<br>
<font class="fixd">struct cdev *i_cdev;</font><br>
<div class="bq">
<font class="fixd">struct cdev</font> is the kernel's internal structure that represents char devices; this
field contains a pointer to that structure when the inode refers to a char device
file.</div>
<br>
The type of <font class="fixd">i_rdev</font> changed over the course of the 2.5 development series, breaking a
lot of drivers. As a way of encouraging more portable programming, the kernel developers
have added two macros that can be used to obtain the major and minor number
from an inode:<br>
<pre>
unsigned int iminor(struct inode *inode);
unsigned int imajor(struct inode *inode);
</pre>
In the interest of not being caught by the next change, these macros should be used
instead of manipulating <font class="fixd">i_rdev</font> directly.<br>
<br>
<a name="CharDeviceRegistration"></a><font color="red"><b>Char Device Registration</b></font><br>
<br>
As we mentioned, the kernel uses structures of type struct cdev to represent char
devices internally. Before the kernel invokes your device's operations, you must allocate
and register one or more of these structures.* To do so, your code should include
<i>&lt;linux/cdev.h&gt;</i>, where the structure and its associated helper functions are defined.<br>
<br>
There are two ways of allocating and initializing one of these structures. If you wish
to obtain a stand alone cdev structure at runtime, you may do so with code such as:<br>
<pre>
struct cdev *my_cdev = cdev_alloc( );
my_cdev-&gt;ops = &amp;my_fops;
</pre>
* There is an older mechanism that avoids the use of cdev structures (which we discuss 
in the section "The Older Way"). New code should use the newer technique, however.<br>
<br>
<A name="56"></a><font color="blue">PAGE 56</font><br>
<br>
Chances are, however, that you will want to embed the <font class="fixd">cdev</font> structure within a
device-specific structure of your own; that is what <i>scull </i>does. In that case, you should
initialize the structure that you have already allocated with:<br>
<pre>
void cdev_init(struct cdev *cdev, struct file_operations *fops);
</pre>
Either way, there is one other struct <font class="fixd">cdev</font> field that you need to initialize. Like the
<font class="fixd">file_operations</font> structure, <font class="fixd">struct cdev</font> has an <font class="fixd">owner</font> field that should be set to
<font class="fixd">THIS_MODULE</font>.<br>
<br>
Once the <font class="fixd">cdev</font> structure is set up, the final step is to tell the kernel about it with a call to:<br>
<pre>
int cdev_add(struct cdev *dev, dev_t num, unsigned int count);
</pre>
Here, dev is the <font class="fixd">cdev</font> structure, <font class="fixd">num</font> is the first device number to which this device
responds, and <font class="fixd">count</font> is the number of device numbers that should be associated with
the device. Often <font class="fixd">count</font> is one, but there are situations where it makes sense to have
more than one device number correspond to a specific device. Consider, for example,
the SCSI tape driver, which allows user space to select operating modes (such as
density) by assigning multiple minor numbers to each physical device.<br>
<br>
There are a couple of important things to keep in mind when using <i>cdev_add</i>. The
first is that this call can fail. If it returns a negative error code, your device has not
been added to the system. It almost always succeeds, however, and that brings up
the other point: as soon as <i>cdev_add </i>returns, your device is "live" and its operations
can be called by the kernel. You should not call <i>cdev_add </i>until your driver is completely
ready to handle operations on the device.<br>
<br>
To remove a char device from the system, call:<br>
<pre>
void cdev_del(struct cdev *dev);
</pre>
Clearly, you should not access the <font class="fixd">cdev</font> structure after passing it to <i>cdev_del</i>.<br>
<br>
<a name="DeviceRegistrationInScull"></a><font color="red"><b>Device Registration in scull</b></font><br>
<br>
Internally, <i>scull </i>represents each device with a structure of type <font class="fixd">struct scull_dev</font>. This
structure is defined as:<br>
<pre>
struct scull_dev {
    struct scull_qset *data;  /* Pointer to first quantum set */
    int quantum;              /* the current quantum size */
    int qset;                 /* the current array size */
    unsigned long size;       /* amount of data stored here */
    unsigned int access_key;  /* used by sculluid and scullpriv */
    struct semaphore sem;     /* mutual exclusion semaphore     */
    struct cdev cdev;     /* Char device structure      */
};
</pre>
We discuss the various fields in this structure as we come to them, but for now, we
call attention to <font class="fixd">cdev</font>, the struct <font class="fixd">cdev</font> that interfaces our device to the kernel. This<br>
<br>
<A name="57"></a><font color="blue">PAGE 57</font><br>
<br>
structure must be initialized and added to the system as described above; the <i>scull
</i>code that handles this task is:<br>
<pre>
static void scull_setup_cdev(struct scull_dev *dev, int index)
{
    int err, devno = MKDEV(scull_major, scull_minor + index);

    cdev_init(&amp;dev-&gt;cdev, &amp;scull_fops);
    dev-&gt;cdev.owner = THIS_MODULE;
    dev-&gt;cdev.ops = &amp;scull_fops;
    err = cdev_add (&amp;dev-&gt;cdev, devno, 1);
    /* Fail gracefully if need be */
    if (err)
    printk(KERN_NOTICE &quot;Error %d adding scull%d&quot;, err, index);
}
</pre>
Since the <font class="fixd">cdev</font> structure is embedded within <font class="fixd">struct scull_dev,</font> <i>cdev_init </i>must be
called to perform the initialization of that structure.<br>
<br>
<a name="TheOlderWay"></a><font color="red"><b>The Older Way</b></font><br>
<br>
If you dig through much driver code in the 2.6 kernel, you may notice that quite a
few char drivers do not use the <font class="fixd">cdev</font> interface that we have just described. What you
are seeing is older code that has not yet been upgraded to the 2.6 interface. Since that
code works as it is, this upgrade may not happen for a long time. For completeness,
we describe the older char device registration interface, but new code should not use
it; this mechanism will likely go away in a future kernel.<br>
<br>
The classic way to register a char device driver is with:<br>
<pre>
int register_chrdev(unsigned int major, const char *name,
                    struct file_operations *fops);
</pre>
Here, <font class="fixd">major</font> is the major number of interest, <font class="fixd">name</font> is the name of the driver (it
appears in <i>/proc/devices</i>), and <font class="fixd">fops</font> is the default <font class="fixd">file_operations</font> structure. A call to
<i>register_chrdev </i>registers minor numbers 0-255 for the given major,</font> and sets up a
default <font class="fixd">cdev</font> structure for each. Drivers using this interface must be prepared to handle
<i>open </i>calls on all 256 minor numbers (whether they correspond to real devices or
not), and they cannot use major or minor numbers greater than 255.<br>
<br>
If you use <i>register_chrdev</i>, the proper function to remove your device(s) from the system
is:<br>
<pre>
int unregister_chrdev(unsigned int major, const char *name);
</pre>
<font class="fixd">major</font> and <font class="fixd">name</font> must be the same as those passed to <i>register_chrdev</i>, or the call will
fail.<br>
<br>
<A name="58"></a><font color="blue">PAGE 58</font><br>
<br>
<a name="OpenAndRelease"></a><font color="red"><b>open and release</b></font><br>
<br>
Now that we've taken a quick look at the fields, we start using them in real <i>scull
</i>functions.<br>
<br>
<a name="TheOpenMethod"></a><font color="red"><b>The open Method</b></font><br>
<br>
The <i>open </i>method is provided for a driver to do any initialization in preparation for
later operations. In most drivers, <i>open</i> should perform the following tasks:<br>
<ul>
<li> Check for device-specific errors (such as device-not-ready or similar hardware problems)
<li> Initialize the device if it is being opened for the first time 
<li> Update the <font class="fixd">f_op</font> pointer, if necessary
<li> Allocate and fill any data structure to be put in <font class="fixd">filp-&gt;private_data</font>
</ul>
The first order of business, however, is usually to identify which device is being
opened. Remember that the prototype for the <i>open</i> method is:<br>
<pre>
int (*open)(struct inode *inode, struct file *filp);
</pre>
The <i>inode </i>argument has the information we need in the form of its <font class="fixd">i_cdev</font> field,
which contains the <font class="fixd">cdev</font> structure we set up before. The only problem is that we do
not normally want the <font class="fixd">cdev</font> structure itself, we want the <font class="fixd">scull_dev</font> structure that contains
that <font class="fixd">cdev</font> structure. The C language lets programmers play all sorts of tricks to
make that kind of conversion; programming such tricks is error prone, however, and
leads to code that is difficult for others to read and understand. Fortunately, in this
case, the kernel hackers have done the tricky stuff for us, in the form of the
<i>container_of</i> macro, defined in <i>&lt;linux/kernel.h&gt;</i>:<br>
<pre>
container_of(pointer, container_type, container_field);
</pre>
This macro takes a pointer to a field named <font class="fixd">container_field,</font> within a structure of
type <font class="fixd">container_type,</font> and returns a pointer to the containing structure. In <i>scull_open</i>,
this macro is used to find the appropriate device structure:<br>
<pre>
struct scull_dev *dev; /* device information */

dev = container_of(inode-&gt;i_cdev, struct scull_dev, cdev);
filp-&gt;private_data = dev; /* for other methods */
</pre>
Once it has found the <font class="fixd">scull_dev</font> structure, <i>scull </i>stores a pointer to it in the <font class="fixd">private_data</font>
field of the <font class="fixd">file</font> structure for easier access in the future.<br>
<br>
The other way to identify the device being opened is to look at the minor number
stored in the <font class="fixd">inode</font> structure. If you register your device with <i>register_chrdev</i>, you
must use this technique. Be sure to use <i>iminor </i>to obtain the minor number from the
<font class="fixd">inode</font> structure, and make sure that it corresponds to a device that your driver is
actually prepared to handle.<br>
<br>
<A name="59"></a><font color="blue">PAGE 59</font><br>
<br>
The (slightly simplified) code for <i>scull_open</i> is:<br>
<pre>
int scull_open(struct inode *inode, struct file *filp)
{
    struct scull_dev *dev; /* device information */
    dev = container_of(inode-&gt;i_cdev, struct scull_dev, cdev);
    filp-&gt;private_data = dev; /* for other methods */

    /* now trim to 0 the length of the device if open was write-only */
    if ( (filp-&gt;f_flags &amp; O_ACCMODE) = = O_WRONLY) {
        scull_trim(dev); /* ignore errors */
    }
    return 0;          /* success */
}
</pre>
The code looks pretty sparse, because it doesn't do any particular device handling
when <i>open </i>is called. It doesn't need to, because the <i>scull </i>device is global and persistent
by design. Specifically, there's no action such as "initializing the device on first
open," because we don't keep an open count for <i>scull</i>s.<br>
<br>
The only real operation performed on the device is truncating it to a length of 0 when
the device is opened for writing. This is performed because, by design, overwriting a
<i>scull </i>device with a shorter file results in a shorter device data area. This is similar to
the way opening a regular file for writing truncates it to zero length. The operation
does nothing if the device is opened for reading.<br>
<br>
We'll see later how a real initialization works when we look at the code for the other
<i>scull</i> personalities.<br>
<br>
<a name="TheReleaseMethod"></a><font color="red"><b>The release Method</b></font><br>
<br>
The role of the <i>release </i>method is the reverse of <i>open</i>. Sometimes you'll find that the
method implementation is called <i>device_close</i> instead of <i>device_release.</i> Either
way, the device method should perform the following tasks:<br>
<ul>
<li> Deallocate anything that <i>open</i> allocated in <font class="fixd">filp-&gt;private_data</font>
<li> Shut down the device on last close
</ul>
The basic form of <i>scull </i>has no hardware to shut down, so the code required is
minimal:*<br>
<pre>
int scull_release(struct inode *inode, struct file *filp)
{
    return 0;
}
</pre>
* The other flavors of the device are closed by different functions because <i>scull_open </i>substituted a different 
<font class="fixd">filp-&gt;f_op</font> for each device. We'll discuss these as we introduce each flavor.<br>
<br>
<A name="60"></a><font color="blue">PAGE 60</font><br>
<br>
You may be wondering what happens when a device file is closed more times than it
is opened. After all, the <i>dup </i>and <i>fork </i>system calls create copies of open files without
calling <i>open</i>; each of those copies is then closed at program termination. For example,
most programs don't open their <i>stdin </i>file (or device), but all of them end up closing
it. How does a driver know when an open device file has <i>really</i> been closed?<br>
<br>
The answer is simple: not every <i>close </i>system call causes the <i>release </i>method to be
invoked. Only the calls that actually release the device data structure invoke the
method--hence its name. The kernel keeps a counter of how many times a file
structure is being used. Neither <i>fork </i>nor <i>dup </i>creates a new <font class="fixd">file</font> structure (only <i>open
</i>does that); they just increment the counter in the existing structure. The <i>close </i>system
call executes the <i>release </i>method only when the counter for the <font class="fixd">file</font> structure
drops to 0, which happens when the structure is destroyed. This relationship
between the <i>release </i>method and the <i>close </i>system call guarantees that your driver sees
only one <i>release</i> call for each <i>open</i>.<br>
<br>
Note that the <i>flush </i>method <i>is </i>called every time an application calls <i>close</i>. However,
very few drivers implement <i>flush</i>, because usually there's nothing to perform at close
time unless <i>release</i> is involved.<br>
<br>
As you may imagine, the previous discussion applies even when the application terminates
without explicitly closing its open files: the kernel automatically closes any
file at process exit time by internally using the <i>close</i> system call.<br>
<br>
<a name="ScullsMemoryUsage"></a><font color="red"><b>scull's Memory Usage</b></font><br>
<br>
Before introducing the <i>read </i>and <i>write </i>operations, we'd better look at how and why
<i>scull </i>performs memory allocation. "How" is needed to thoroughly understand the
code, and "why" demonstrates the kind of choices a driver writer needs to make,
although <i>scull</i> is definitely not typical as a device.<br>
<br>
This section deals only with the memory allocation policy in <i>scull </i>and doesn't show
the hardware management skills you need to write real drivers. These skills are introduced
in Chapters 9 and 10. Therefore, you can skip this section if you're not interested
in understanding the inner workings of the memory-oriented <i>scull</i> driver.<br>
<br>
The region of memory used by <i>scull</i>, also called a <i>device</i>, is variable in length. The
more you write, the more it grows; trimming is performed by overwriting the device
with a shorter file.<br>
<br>
The <i>scull </i>driver introduces two core functions used to manage memory in the Linux
kernel. These functions, defined in <i>&lt;linux/slab.h&gt;</i>, are:<br>
<pre>
void *kmalloc(size_t size, int flags);
void kfree(void *ptr);
</pre>
A call to <i>kmalloc </i>attempts to allocate <font class="fixd">size</font> bytes of memory; the return value is a
pointer to that memory or <font class="fixd">NULL</font> if the allocation fails. The flags argument is used to<br>
<br>
<A name="61"></a><font color="blue">PAGE 61</font><br>
<br>
describe how the memory should be allocated; we examine those flags in detail in
Chapter 8. For now, we always use <font class="fixd">GFP_KERNEL</font>. Allocated memory should be freed
with <i>kfree</i>. You should never pass anything to <i>kfree </i>that was not obtained from
<i>kmalloc</i>. It is, however, legal to pass a <font class="fixd">NULL</font> pointer to <i>kfree</i>.<br>
<br>
<i>kmalloc </i>is not the most efficient way to allocate large areas of memory (see
Chapter 8), so the implementation chosen for <i>scull </i>is not a particularly smart one.
The source code for a smart implementation would be more difficult to read, and the
aim of this section is to show <i>read </i>and <i>write</i>, not memory management. That's why
the code just uses <i>kmalloc </i>and <i>kfree </i>without resorting to allocation of whole pages,
although that approach would be more efficient.<br>
<br>
On the flip side, we didn't want to limit the size of the "device" area, for both a
philosophical reason and a practical one. Philosophically, it's always a bad idea to
put arbitrary limits on data items being managed. Practically, <i>scull </i>can be used to
temporarily eat up your system's memory in order to run tests under low-memory
conditions. Running such tests might help you understand the system's internals.
You can use the command <i>cp /dev/zero /dev/scull0 </i>to eat all the real RAM with <i>scull</i>,
and you can use the <i>dd</i> utility to choose how much data is copied to the <i>scull</i> device.<br>
<br>
In <i>scull</i>, each device is a linked list of pointers, each of which points to a <font class="fixd">scull_qset</font>
structure. Each such structure can refer, by default, to at most four million bytes,
through an array of intermediate pointers. The released source uses an array of 1000
pointers to areas of 4000 bytes. We call each memory area a <i>quantum </i>and the array
(or its length) a <i>quantum set</i>. A <i>scull </i>device and its memory areas are shown in
Figure 3-1.<br>
<br><br>
<center>
<img src="fig3-1.gif">
</center>
<br>
<i>Figure 3-1. The layout of a scull device</i><br>
<br>
<A name="62"></a><font color="blue">PAGE 62</font><br>
<br>
The chosen numbers are such that writing a single byte in <i>scull </i>consumes 8000 or
12,000 bytes of memory: 4000 for the quantum and 4000 or 8000 for the
quantum set (according to whether a pointer is represented in 32 bits or 64 bits on
the target platform). If, instead, you write a huge amount of data, the overhead of the
linked list is not too bad. There is only one list element for every four megabytes of
data, and the maximum size of the device is limited by the computer's memory size.<br>
<br>
Choosing the appropriate values for the quantum and the quantum set is a question
of policy, rather than mechanism, and the optimal sizes depend on how the device is
used. Thus, the <i>scull </i>driver should not force the use of any particular values for the
quantum and quantum set sizes. In <i>scull</i>, the user can change the values in
several ways: by changing the macros <font class="fixd">SCULL_QUANTUM</font> and <font class="fixd">SCULL_QSET</font> in <i>scull.h </i>at
compile time, by setting the integer values <font class="fixd">scull_quantum</font> and <font class="fixd">scull_qset</font> at module
load time, or by changing both the current and default values using <i>ioctl</i> at runtime.<br>
<br>
Using a macro and an integer value to allow both compile-time and load-time configuration
is reminiscent of how the major number is selected. We use this technique
for whatever value in the driver is arbitrary or related to policy.<br>
<br>
The only question left is how the default numbers have been chosen. In this particular
case, the problem is finding the best balance between the waste of memory resulting
from half-filled quanta and quantum sets and the overhead of allocation,
deallocation, and pointer chaining that occurs if quanta and sets are small. Additionally,
the internal design of <i>kmalloc </i>should be taken into account. (We won't pursue
the point now, though; the innards of <i>kmalloc </i>are explored in Chapter 8.) The choice
of default numbers comes from the assumption that massive amounts of data are
likely to be written to <i>scull </i>while testing it, although normal use of the device will
most likely transfer just a few kilobytes of data.<br>
<br>
We have already seen the <font class="fixd">scull_dev</font> structure that represents our device internally.
That structure's quantum and qset fields hold the device's quantum and quantum set
sizes, respectively. The actual data, however, is tracked by a different structure,
which we call <font class="fixd">struct scull_qset</font>:<br>
<pre>
struct scull_qset {
    void **data;
    struct scull_qset *next;
};
</pre>
The next code fragment shows in practice how <font class="fixd">struct scull_dev</font> and <font class="fixd">struct scull_qset</font>
are used to hold data. The function <i>scull_trim </i>is in charge of freeing the whole data
area and is invoked by <i>scull_open </i>when the file is opened for writing. It simply walks
through the list and frees any quantum and quantum set it finds.<br>
<pre>
int scull_trim(struct scull_dev *dev)
{
    struct scull_qset *next, *dptr;
    int qset = dev-&gt;qset;   /* &quot;dev&quot; is not-null */
    int i;
</pre>
<A name="63"></a><font color="blue">PAGE 63</font>
<pre>
    for (dptr = dev-&gt;data; dptr; dptr = next) { /* all the list items */
        if (dptr-&gt;data) {
            for (i = 0; i &lt; qset; i++)
                kfree(dptr-&gt;data[i]);
            kfree(dptr-&gt;data);
            dptr-&gt;data = NULL;
        }
        next = dptr-&gt;next;
        kfree(dptr);
    }
    dev-&gt;size = 0;
    dev-&gt;quantum = scull_quantum;
    dev-&gt;qset = scull_qset;
    dev-&gt;data = NULL;
    return 0;
}
</pre>
<i>scull_trim </i>is also used in the module cleanup function to return memory used by
<i>scull</i> to the system.<br>
<br>
<a name="ReadAndWrite"></a><font color="red"><b>read and write</b></font><br>
<br>
The <i>read </i>and <i>write </i>methods both perform a similar task, that is, copying data from
and to application code. Therefore, their prototypes are pretty similar, and it's worth
introducing them at the same time:<br>
<pre>
ssize_t read(struct file *filp, char __user *buff,
    size_t count, loff_t *offp);
ssize_t write(struct file *filp, const char __user *buff,
    size_t count, loff_t *offp);
</pre>
For both methods, <font class="fixd">filp</font> is the file pointer and <font class="fixd">count</font> is the size of the requested data
transfer. The <font class="fixd">buff</font> argument points to the user buffer holding the data to be written or
the empty buffer where the newly read data should be placed. Finally, <font class="fixd">offp</font> is a pointer
to a "long offset type" object that indicates the file position the user is accessing. The
return value is a "signed size type"; its use is discussed later.<br>
<br>
Let us repeat that the <font class="fixd">buff</font> argument to the <i>read </i>and <i>write </i>methods is a user-space
pointer. Therefore, it cannot be directly dereferenced by kernel code. There are a few
reasons for this restriction:<br>
<ul>
<li> Depending on which architecture your driver is running on, and how the kernel
was configured, the user-space pointer may not be valid while running in kernel
mode at all. There may be no mapping for that address, or it could point to some
other, random data.
<li> Even if the pointer does mean the same thing in kernel space, user-space memory 
is paged, and the memory in question might not be resident in RAM when
the system call is made. Attempting to reference the user-space memory directly
could generate a page fault, which is something that kernel code is not allowed
</ul>
<A name="64"></a><font color="blue">PAGE 64</font>
<ul>
to do. The result would be an "oops," which would result in the death of the
process that made the system call.
<li> The pointer in question has been supplied by a user program, which could be
buggy or malicious. If your driver ever blindly dereferences a user-supplied
pointer, it provides an open doorway allowing a user-space program to access or
overwrite memory anywhere in the system. If you do not wish to be responsible
for compromising the security of your users' systems, you cannot ever dereference
a user-space pointer directly.
</ul>
Obviously, your driver must be able to access the user-space buffer in order to get its
job done. This access must always be performed by special, kernel-supplied functions,
however, in order to be safe. We introduce some of those functions (which are
defined in <i>&lt;asm/uaccess.h&gt;</i>) here, and the rest in the section "Using the ioctl Argument"
in Chapter 6; they use some special, architecture-dependent magic to ensure
that data transfers between kernel and user space happen in a safe and correct way.<br>
<br>
The code for <i>read </i>and <i>write </i>in <i>scull </i>needs to copy a whole segment of data to or from
the user address space. This capability is offered by the following kernel functions,
which copy an arbitrary array of bytes and sit at the heart of most <i>read </i>and <i>write
</i>implementations:<br>
<pre>
unsigned long copy_to_user(void __user *to,
                           const void *from,
                           unsigned long count);
unsigned long copy_from_user(void *to,
                             const void __user *from,
                             unsigned long count);
</pre>
Although these functions behave like normal <i>memcpy </i>functions, a little extra care
must be used when accessing user space from kernel code. The user pages being
addressed might not be currently present in memory, and the virtual memory subsystem
can put the process to sleep while the page is being transferred into place.
This happens, for example, when the page must be retrieved from swap space. The
net result for the driver writer is that any function that accesses user space must be
reentrant, must be able to execute concurrently with other driver functions, and, in
particular, must be in a position where it can legally sleep. We return to this subject
in Chapter 5.<br>
<br>
The role of the two functions is not limited to copying data to and from user-space:
they also check whether the user space pointer is valid. If the pointer is invalid, no copy
is performed; if an invalid address is encountered during the copy, on the other hand,
only part of the data is copied. In both cases, the return value is the amount of memory
still to be copied. The <i>scull </i>code looks for this error return, and returns <font class="fixd">-EFAULT</font> to
the user if it's not 0.<br>
<br>
The topic of user-space access and invalid user space pointers is somewhat advanced
and is discussed in Chapter 6. However, it's worth noting that if you don't need to<br>
<br>
<A name="65"></a><font color="blue">PAGE 65</font><br>
<br>
check the user-space pointer you can invoke <i>__copy_to_user </i>and <i>__copy_from_user
</i>instead. This is useful, for example, if you know you already checked the argument.
Be careful, however; if, in fact, you do <i>not </i>check a user-space pointer that you pass to
these functions, then you can create kernel crashes and/or security holes.<br>
<br>
As far as the actual device methods are concerned, the task of the <i>read </i>method is to
copy data from the device to user space (using <i>copy_to_user</i>), while the <i>write </i>method
must copy data from user space to the device (using <i>copy_from_user</i>). Each <i>read </i>or
<i>write </i>system call requests transfer of a specific number of bytes, but the driver is free
to transfer less data--the exact rules are slightly different for reading and writing and
are described later in this chapter.<br>
<br>
Whatever the amount of data the methods transfer, they should generally update the
file position at *offp to represent the current file position after successful completion
of the system call. The kernel then propagates the file position change back into
the <font class="fixd">file</font> structure when appropriate. The <i>pread </i>and <i>pwrite </i>system calls have different
semantics, however; they operate from a given file offset and do not change the
file position as seen by any other system calls. These calls pass in a pointer to the
user-supplied position, and discard the changes that your driver makes.<br>
<br><br>
<center>
<img src="fig3-2.gif">
</center>
<br>
<i>Figure 3-2. The arguments to read</i><br>
<br>
Both the <i>read </i>and <i>write </i>methods return a negative value if an error occurs. A return
value greater than or equal to 0, instead, tells the calling program how many bytes
have been successfully transferred. If some data is transferred correctly and then an
error happens, the return value must be the count of bytes successfully transferred,<br>
<br>
<A name="66"></a><font color="blue">PAGE 66</font><br>
<br>
and the error does not get reported until the next time the function is called. Implementing
this convention requires, of course, that your driver remember that the error
has occurred so that it can return the error status in the future.<br>
<br>
Although kernel functions return a negative number to signal an error, and the value
of the number indicates the kind of error that occurred (as introduced in Chapter 2),
programs that run in user space always see -1 as the error return value. They need to
access the errno variable to find out what happened. The user-space behavior is dictated
by the POSIX standard, but that standard does not make requirements on how
the kernel operates internally.<br>
<br>
<a name="TheReadMethod"></a><font color="red"><b>The read Method</b></font><br>
<br>
The return value for <i>read</i> is interpreted by the calling application program:<br>
<ul>
<li> If the value equals the <font class="fixd">count</font> argument passed to the <i>read </i>system call, the
requested number of bytes has been transferred. This is the optimal case.
<li> If the value is positive, but smaller than <font class="fixd">count,</font> only part of the data has been
transferred. This may happen for a number of reasons, depending on the device.
Most often, the application program retries the read. For instance, if you read
using the <i>fread </i>function, the library function reissues the system call until completion
of the requested data transfer.
<li> If the value is 0, end-of-file was reached (and no data was read).
<li> A negative value means there was an error. The value specifies what the error
was, according to <i>&lt;linux/errno.h&gt;</i>. Typical values returned on error include <font class="fixd">-EINTR</font>
(interrupted system call) or <font class="fixd">-EFAULT</font> (bad address).
</ul>
What is missing from the preceding list is the case of "there is no data, but it may
arrive later." In this case, the <i>read </i>system call should block. We'll deal with blocking
input in Chapter 6.<br>
<br>
The <i>scull </i>code takes advantage of these rules. In particular, it takes advantage of the
partial-read rule. Each invocation of <i>scull_read </i>deals only with a single data quantum,
without implementing a loop to gather all the data; this makes the code shorter
and easier to read. If the reading program really wants more data, it reiterates the
call. If the standard I/O library (i.e., <i>fread</i>) is used to read the device, the application
won't even notice the quantization of the data transfer.<br>
<br>
If the current read position is greater than the device size, the <i>read </i>method of <i>scull
</i>returns 0 to signal that there's no data available (in other words, we're at end-of-file).
This situation can happen if process A is reading the device while process B opens it
for writing, thus truncating the device to a length of 0. Process A suddenly finds itself
past end-of-file, and the next <i>read</i> call returns 0.<br>
<br>
<A name="67"></a><font color="blue">PAGE 67</font><br>
<br>
Here is the code for <i>read </i>(ignore the calls to <i>down_interruptible </i>and <i>up </i>for now; we
will get to them in the next chapter):<br>
<pre>
ssize_t scull_read(struct file *filp, char __user *buf, size_t count,
                loff_t *f_pos)
{
    struct scull_dev *dev = filp-&gt;private_data;
    struct scull_qset *dptr;    /* the first listitem */
    int quantum = dev-&gt;quantum, qset = dev-&gt;qset;
    int itemsize = quantum * qset; /* how many bytes in the listitem */
    int item, s_pos, q_pos, rest;
    ssize_t retval = 0;

    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;
    if (*f_pos &gt;= dev-&gt;size)
        goto out;
    if (*f_pos + count &gt; dev-&gt;size)
        count = dev-&gt;size - *f_pos;

    /* find listitem, qset index, and offset in the quantum */
    item = (long)*f_pos / itemsize;
    rest = (long)*f_pos % itemsize;
    s_pos = rest / quantum; q_pos = rest % quantum;

    /* follow the list up to the right position (defined elsewhere) */
    dptr = scull_follow(dev, item);

    if (dptr = = NULL || !dptr-&gt;data || ! dptr-&gt;data[s_pos])
        goto out; /* don't fill holes */

    /* read only up to the end of this quantum */
    if (count &gt; quantum - q_pos)
        count = quantum - q_pos;

    if (copy_to_user(buf, dptr-&gt;data[s_pos] + q_pos, count)) {
        retval = -EFAULT;
        goto out;
    }
    *f_pos += count;
    retval = count;

  out:
    up(&amp;dev-&gt;sem);
    return retval;
}
</pre>
<A name="68"></a><font color="blue">PAGE 68</font><br>
<br>
<a name="TheWriteMethod"></a><font color="red"><b>The write Method</b></font><br>
<br>
<i>write</i>, like <i>read</i>, can transfer less data than was requested, according to the following
rules for the return value:<br>
<ul>
<li> If the value equals <font class="fixd">count,</font> the requested number of bytes has been transferred.
<li> If the value is positive, but smaller than count, only part of the data has been
transferred. The program will most likely retry writing the rest of the data.
<li> If the value is 0, nothing was written. This result is not an error, and there is no
reason to return an error code. Once again, the standard library retries the call to
<i>write</i>. We'll examine the exact meaning of this case in Chapter 6, where blocking
<i>write</i> is introduced.
<li> A negative value means an error occurred; as for <i>read</i>, valid error values are
those defined in <i>&lt;linux/errno.h&gt;</i>.<br>
</ul>
Unfortunately, there may still be misbehaving programs that issue an error message
and abort when a partial transfer is performed. This happens because some programmers
are accustomed to seeing <i>write </i>calls that either fail or succeed completely,
which is actually what happens most of the time and should be supported by devices
as well. This limitation in the <i>scull </i>implementation could be fixed, but we didn't
want to complicate the code more than necessary.<br>
<br>
The <i>scull </i>code for <i>write </i>deals with a single quantum at a time, as the <i>read </i>method
does:<br>
<pre>
ssize_t scull_write(struct file *filp, const char __user *buf, size_t count,
                loff_t *f_pos)
{
    struct scull_dev *dev = filp-&gt;private_data;
    struct scull_qset *dptr;
    int quantum = dev-&gt;quantum, qset = dev-&gt;qset;
    int itemsize = quantum * qset;
    int item, s_pos, q_pos, rest;
    ssize_t retval = -ENOMEM; /* value used in &quot;goto out&quot; statements */

    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;

    /* find listitem, qset index and offset in the quantum */
    item = (long)*f_pos / itemsize;
    rest = (long)*f_pos % itemsize;
    s_pos = rest / quantum; q_pos = rest % quantum;

    /* follow the list up to the right position */
    dptr = scull_follow(dev, item);
    if (dptr = = NULL)
        goto out;
    if (!dptr-&gt;data) {
        dptr-&gt;data = kmalloc(qset * sizeof(char *), GFP_KERNEL);
        if (!dptr-&gt;data)
</pre>
<A name="69"></a><font color="blue">PAGE 69</font><br>
<pre>
            goto out;
        memset(dptr-&gt;data, 0, qset * sizeof(char *));
    }
    if (!dptr-&gt;data[s_pos]) {
        dptr-&gt;data[s_pos] = kmalloc(quantum, GFP_KERNEL);
        if (!dptr-&gt;data[s_pos])
            goto out;
    }
    /* write only up to the end of this quantum */
    if (count &gt; quantum - q_pos)
        count = quantum - q_pos;

    if (copy_from_user(dptr-&gt;data[s_pos]+q_pos, buf, count)) {
        retval = -EFAULT;
        goto out;
    }
    *f_pos += count;
    retval = count;

        /* update the size */
    if (dev-&gt;size &lt; *f_pos)
        dev-&gt;size = *f_pos;

  out:
    up(&amp;dev-&gt;sem);
    return retval;
}
</pre>
<a name="ReadvAndWritev"></a><font color="red"><b>readv and writev</b></font><br>
<br>
Unix systems have long supported two system calls named <i>readv </i>and <i>writev</i>. These
"vector" versions of <i>read </i>and <i>write </i>take an array of structures, each of which contains
a pointer to a buffer and a length value. A <i>readv </i>call would then be expected to
read the indicated amount into each buffer in turn. <i>writev</i>, instead, would gather
together the contents of each buffer and put them out as a single write operation.<br>
<br>
If your driver does not supply methods to handle the vector operations, <i>readv </i>and
<i>writev </i>are implemented with multiple calls to your <i>read </i>and <i>write </i>methods. In many
situations, however, greater efficiency is achieved by implementing <i>readv </i>and <i>writev
</i>directly.<br>
<br>
The prototypes for the vector operations are:<br>
<pre>
ssize_t (*readv) (struct file *filp, const struct iovec *iov,
                  unsigned long count, loff_t *ppos);
ssize_t (*writev) (struct file *filp, const struct iovec *iov,
                  unsigned long count, loff_t *ppos);
</pre>
Here, the <font class="fixd">filp</font> and <font class="fixd">ppos</font> arguments are the same as for <i>read </i>and <i>write</i>. 
The <font class="fixd">iovec</font> structure, defined in <i>&lt;linux/uio.h&gt;</i>, looks like:<br>
<pre>
struct iovec
{
</pre>
<A name="70"></a><font color="blue">PAGE 70</font><br>
<pre>
    void __user *iov_base;
    __kernel_size_t iov_len;
};
</pre>
Each <font class="fixd">iovec</font> describes one chunk of data to be transferred; it starts at <font class="fixd">iov_base</font> (in user
space) and is <font class="fixd">iov_len</font> bytes long. The count parameter tells the method how many
<font class="fixd">iovec</font> structures there are. These structures are created by the application, but the
kernel copies them into kernel space before calling the driver.<br>
<br>
The simplest implementation of the vectored operations would be a straightforward
loop that just passes the address and length out of each <font class="fixd">iovec</font> to the driver's <i>read </i>or
<i>write </i>function. Often, however, efficient and correct behavior requires that the driver
do something smarter. For example, a <i>writev </i>on a tape drive should write the contents
of all the <font class="fixd">iovec</font> structures as a single record on the tape.<br>
<br>
Many drivers, however, gain no benefit from implementing these methods themselves.
Therefore, <i>scull </i>omits them. The kernel emulates them with <i>read </i>and <i>write</i>,
and the end result is the same.<br>
<br>
<a name="PlayingWithTheNewDevices"></a><font color="red"><b>Playing with the New Devices</b></font><br>
<br>
Once you are equipped with the four methods just described, the driver can be compiled
and tested; it retains any data you write to it until you overwrite it with new
data. The device acts like a data buffer whose length is limited only by the amount of
real RAM available. You can try using <i>cp</i>, <i>dd</i>, and input/output redirection to test out
the driver.<br>
<br>
The <i>free </i>command can be used to see how the amount of free memory shrinks and
expands according to how much data is written into <i>scull</i>.<br>
<br>
To get more confident with reading and writing one quantum at a time, you can add
a <i>printk </i>at an appropriate point in the driver and watch what happens while an application
reads or writes large chunks of data. Alternatively, use the <i>strace </i>utility to
monitor the system calls issued by a program, together with their return values. Tracing
a <i>cp </i>or an <i>ls -l &gt; /dev/scull0 </i>shows quantized reads and writes. Monitoring (and
debugging) techniques are presented in detail in Chapter 4<br>
<br>
<a name="QuickReference3"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter introduced the following symbols and header files. The list of the fields
in <font class="fixd">struct file_operations</font> and <font class="fixd">struct file</font> is not repeated here.<br>
<br>
<A name="71"></a><font color="blue">PAGE 71</font><br>
<br>
<font class="fixd">#include &lt;linux/types.h&gt;<br>
dev_t</font><br>
<div class="bq">
<font class="fixd">dev_t</font> is the type used to represent device numbers within the kernel.</div>
<br>
<font class="fixd">int MAJOR(dev_t dev);<br>
int MINOR(dev_t dev);</font><br>
<div class="bq">
Macros that extract the major and minor numbers from a device number.</div>
<br>
<font class="fixd">dev_t MKDEV(unsigned int major, unsigned int minor);</font><br>
<div class="bq">
Macro that builds a <font class="fixd">dev_t</font> data item from the major and minor numbers.</div>
<br>
<font class="fixd">#include &lt;linux/fs.h&gt;</font><br>
<div class="bq">
The "filesystem" header is the header required for writing device drivers. Many
important functions and data structures are declared in here.</div>
<br>
<font class="fixd">int register_chrdev_region(dev_t first, unsigned int count, char *name)<br>
int alloc_chrdev_region(dev_t *dev, unsigned int firstminor, unsigned int count, char *name)<br>
void unregister_chrdev_region(dev_t first, unsigned int count);</font><br>
<div class="bq">
Functions that allow a driver to allocate and free ranges of device numbers.
<i>register_chrdev_region </i>should be used when the desired major number is known
in advance; for dynamic allocation, use <i>alloc_chrdev_region</i> instead.</div>
<br>
<font class="fixd">int register_chrdev(unsigned int major, const char *name, struct file_operations *fops);</font><br>
<div class="bq">
The old (pre-2.6) char device registration routine. It is emulated in the 2.6 kernel
but should not be used for new code. If the major number is not 0, it is used
unchanged; otherwise a dynamic number is assigned for this device.</div>
<br>
<font class="fixd">int unregister_chrdev(unsigned int major, const char *name);</font><br>
<div class="bq">
Function that undoes a registration made with <i>register_chrdev</i>. Both <font class="fixd">major</font> and
the <font class="fixd">name</font> string must contain the same values that were used to register the driver.</div>
<br>
<font class="fixd">struct file_operations;<br>
struct file;<br>
struct inode;</font><br>
<div class="bq">
Three important data structures used by most device drivers. The <font class="fixd">file_operations</font>
structure holds a char driver's methods; <font class="fixd">struct file</font> represents an open file, and
<font class="fixd">struct inode</font> represents a file on disk.</div>
<br>
<font class="fixd">#include &lt;linux/cdev.h&gt;<br>
struct cdev *cdev_alloc(void);<br>
void cdev_init(struct cdev *dev, struct file_operations *fops);<br>
int cdev_add(struct cdev *dev, dev_t num, unsigned int count);<br>
void cdev_del(struct cdev *dev);</font><br>
<div class="bq">
Functions for the management of <font class="fixd">cdev</font> structures, which represent char devices
within the kernel.</div>
<br>
<A name="72"></a><font color="blue">PAGE 72</font><br>
<br>
<font class="fixd">#include &lt;linux/kernel.h&gt;<br>
container_of(pointer, type, field);</font> <br>
<div class="bq">
A convenience macro that may be used to obtain a pointer to a structure from a
pointer to some other structure contained within it.</div>
<br>
<font class="fixd">#include &lt;asm/uaccess.h&gt;</font> <br>
<div class="bq">
This include file declares functions used by kernel code to move data to and
from user space.</div>
<br>
<font class="fixd">unsigned long copy_from_user (void *to, const void *from, unsigned long count);<br>
unsigned long copy_to_user (void *to, const void *from, unsigned long count);</font> <br>
<div class="bq">
Copy data between user space and kernel space.</div>
<br>
<A name="73"></a><font color="blue">PAGE 73</font><br>
<br>
<a name="CHAPTER4"></a><font color="red"><b>CHAPTER 4</b></font><br>
<br>
<a name="DebuggingTechniques"></a><font color="#7519FF" size="+1"><b>Debugging Techniques</b></font><br>
<br>
Kernel programming brings its own, unique debugging challenges. Kernel code cannot
be easily executed under a debugger, nor can it be easily traced, because it is a set
of functionalities not related to a specific process. Kernel code errors can also be
exceedingly hard to reproduce and can bring down the entire system with them, thus
destroying much of the evidence that could be used to track them down.<br>
<br>
This chapter introduces techniques you can use to monitor kernel code and trace
errors under such trying circumstances.<br>
<br>
<a name="DebuggingSupportInTheKernel"></a><font color="red"><b>Debugging Support in the Kernel</b></font><br>
<br>
In Chapter 2, we recommended that you build and install your own kernel, rather
than running the stock kernel that comes with your distribution. One of the strongest
reasons for running your own kernel is that the kernel developers have built several
debugging features into the kernel itself. These features can create extra output
and slow performance, so they tend not to be enabled in production kernels from
distributors. As a kernel developer, however, you have different priorities and will
gladly accept the (minimal) overhead of the extra kernel debugging support.<br>
<br>
Here, we list the configuration options that should be enabled for kernels used for
development. Except where specified otherwise, all of these options are found under
the "kernel hacking" menu in whatever kernel configuration tool you prefer. Note
that some of these options are not supported by all architectures.<br>
<br>
<font class="fixd">CONFIG_DEBUG_KERNEL</font><br>
<div class="bq">
This option just makes other debugging options available; it should be turned on
but does not, by itself, enable any features.</div>
<br>
<font class="fixd">CONFIG_DEBUG_SLAB</font><br>
<div class="bq">
This crucial option turns on several types of checks in the kernel memory allocation
functions; with these checks enabled, it is possible to detect a number of
memory overrun and missing initialization errors. Each byte of allocated memory</div>
<br>
<A name="74"></a><font color="blue">PAGE 74</font><br>
<br>
<div class="bq">
is set to 0xa5 before being handed to the caller and then set to 0x6b when it is
freed. If you ever see either of those "poison" patterns repeating in output from
your driver (or often in an oops listing), you'll know exactly what sort of error to
look for. When debugging is enabled, the kernel also places special guard values
before and after every allocated memory object; if those values ever get changed,
the kernel knows that somebody has overrun a memory allocation, and it complains
loudly. Various checks for more obscure errors are enabled as well.</div>
<br>
<font class="fixd">CONFIG_DEBUG_PAGEALLOC</font><br>
<div class="bq">
Full pages are removed from the kernel address space when freed. This option
can slow things down significantly, but it can also quickly point out certain
kinds of memory corruption errors.</div>
<br>
<font class="fixd">CONFIG_DEBUG_SPINLOCK</font><br>
<div class="bq">
With this option enabled, the kernel catches operations on uninitialized spinlocks
and various other errors (such as unlocking a lock twice).</div>
<br>
<font class="fixd">CONFIG_DEBUG_SPINLOCK_SLEEP</font><br>
<div class="bq">
This option enables a check for attempts to sleep while holding a spinlock. In
fact, it complains if you call a function that could potentially sleep, even if the
call in question would not sleep.</div>
<br>
<font class="fixd">CONFIG_INIT_DEBUG</font><br>
<div class="bq">
Items marked with <font class="fixd">__init</font> (or <font class="fixd">__initdata</font>) are discarded after system initialization
or module load time. This option enables checks for code that attempts to
access initialization-time memory after initialization is complete.</div>
<br>
<font class="fixd">CONFIG_DEBUG_INFO</font><br>
<div class="bq">
This option causes the kernel to be built with full debugging information
included. You'll need that information if you want to debug the kernel with <i>gdb</i>.
You may also want to enable <font class="fixd">CONFIG_FRAME_POINTER</font> if you plan to use <i>gdb</i>.</div>
<br>
<font class="fixd">CONFIG_MAGIC_SYSRQ</font><br>
<div class="bq">
Enables the "magic SysRq" key. We look at this key in the section "System
Hangs," later in this chapter.</div>
<br>
<font class="fixd">CONFIG_DEBUG_STACKOVERFLOW</font>
<font class="fixd">CONFIG_DEBUG_STACK_USAGE</font><br>
<div class="bq">
These options can help track down kernel stack overflows. A sure sign of a stack
overflow is an oops listing without any sort of reasonable back trace. The first
option adds explicit overflow checks to the kernel; the second causes the kernel
to monitor stack usage and make some statistics available via the magic SysRq
key.</div>
<br>
<font class="fixd">CONFIG_KALLSYMS</font><br>
<div class="bq">
This option (under "General setup/Standard features") causes kernel symbol
information to be built into the kernel; it is enabled by default. The symbol
information is used in debugging contexts; without it, an oops listing can give
you a kernel traceback only in hexadecimal, which is not very useful.</div>
<br>
<A name="75"></a><font color="blue">PAGE 75</font><br>
<br>
<font class="fixd">CONFIG_IKCONFIG</font>
<font class="fixd">CONFIG_IKCONFIG_PROC</font><br>
<div class="bq">
These options (found in the "General setup" menu) cause the full kernel configuration
state to be built into the kernel and to be made available via <i>/proc</i>. Most
kernel developers know which configuration they used and do not need these
options (which make the kernel bigger). They can be useful, though, if you are
trying to debug a problem in a kernel built by somebody else.</div>
<br>
<font class="fixd">CONFIG_ACPI_DEBUG</font><br>
<div class="bq">
Under "Power management/ACPI." This option turns on verbose ACPI
(Advanced Configuration and Power Interface) debugging information, which
can be useful if you suspect a problem related to ACPI.</div>
<br>
<font class="fixd">CONFIG_DEBUG_DRIVER</font><br>
<div class="bq">
Under "Device drivers." Turns on debugging information in the driver core,
which can be useful for tracking down problems in the low-level support code.
We'll look at the driver core in Chapter 14.</div>
<br>
<font class="fixd">CONFIG_SCSI_CONSTANTS</font><br>
<div class="bq">
This option, found under "Device drivers/SCSI device support," builds in information
for verbose SCSI error messages. If you are working on a SCSI driver, you
probably want this option.</div>
<br>
<font class="fixd">CONFIG_INPUT_EVBUG</font><br>
<div class="bq">
This option (under "Device drivers/Input device support") turns on verbose logging
of input events. If you are working on a driver for an input device, this
option may be helpful. Be aware of the security implications of this option, however:
it logs everything you type, including your passwords.</div>
<br>
<font class="fixd">CONFIG_PROFILING</font><br>
<div class="bq">
This option is found under "Profiling support." Profiling is normally used for
system performance tuning, but it can also be useful for tracking down some
kernel hangs and related problems.</div>
<br>
We will revisit some of the above options as we look at various ways of tracking
down kernel problems. But first, we will look at the classic debugging technique:
print statements.<br>
<br>
<a name="DebuggingByPrinting"></a><font color="red"><b>Debugging by Printing</b></font><br>
<br>
The most common debugging technique is monitoring, which in applications programming
is done by calling <i>printf </i>at suitable points. When you are debugging kernel
code, you can accomplish the same goal with <i>printk</i>.<br>
<br>
<A name="76"></a><font color="blue">PAGE 76</font><br>
<br>
<a name="Printk"></a><font color="red"><b>printk</b></font><br>
<br>
We used the <i>printk </i>function in earlier chapters with the simplifying assumption that
it works like <i>printf</i>. Now it's time to introduce some of the differences.<br>
<br>
One of the differences is that <i>printk </i>lets you classify messages according to their
severity by associating different <i>loglevels</i>, or priorities, with the messages. You usually
indicate the loglevel with a macro. For example, <font class="fixd">KERN_INFO,</font> which we saw
prepended to some of the earlier print statements, is one of the possible loglevels of
the message. The loglevel macro expands to a string, which is concatenated to the
message text at compile time; that's why there is no comma between the priority and
the format string in the following examples. Here are two examples of <i>printk </i>commands,
a debug message and a critical message:<br>
<pre>
printk(KERN_DEBUG &quot;Here I am: %s:%i\n&quot;, __FILE__, __LINE__);
printk(KERN_CRIT &quot;I'm trashed; giving up on %p\n&quot;, ptr);
</pre>
There are eight possible loglevel strings, defined in the header <i>&lt;linux/kernel.h&gt;</i>; we
list them in order of decreasing severity:<br>
<br>
<font class="fixd">KERN_EMERG</font><br>
<div class="bq">
Used for emergency messages, usually those that precede a crash.</div>
<br>
<font class="fixd">KERN_ALERT</font><br>
<div class="bq">
A situation requiring immediate action.</div>
<br>
<font class="fixd">KERN_CRIT</font><br>
<div class="bq">
Critical conditions, often related to serious hardware or software failures.</div>
<br>
<font class="fixd">KERN_ERR</font><br>
<div class="bq">
Used to report error conditions; device drivers often use <font class="fixd">KERN_ERR</font> to report hardware
difficulties.</div>
<br>
<font class="fixd">KERN_WARNING</font><br>
<div class="bq">
Warnings about problematic situations that do not, in themselves, create serious
problems with the system.</div>
<br>
<font class="fixd">KERN_NOTICE</font><br>
<div class="bq">
Situations that are normal, but still worthy of note. A number of security-related
conditions are reported at this level.</div>
<br>
<font class="fixd">KERN_INFO</font><br>
<div class="bq">
Informational messages. Many drivers print information about the hardware
they find at startup time at this level.</div>
<br>
<font class="fixd">KERN_DEBUG</font><br>
<div class="bq">
Used for debugging messages.</div>
<br>
Each string (in the macro expansion) represents an integer in angle brackets. Integers
range from 0 to 7, with smaller values representing higher priorities.<br>
<br>
<A name="77"></a><font color="blue">PAGE 77</font><br>
<br>
A <i>printk </i>statement with no specified priority defaults to <font class="fixd">DEFAULT_MESSAGE_LOGLEVEL,</font>
specified in <i>kernel/printk.c </i>as an integer. In the 2.6.10 kernel, <font class="fixd">DEFAULT_MESSAGE_LOGLEVEL</font>
is <font class="fixd">KERN_WARNING,</font> but that has been known to change in the past.<br>
<br>
Based on the loglevel, the kernel may print the message to the current console, be it a
text-mode terminal, a serial port, or a parallel printer. If the priority is less than the
integer variable <font class="fixd">console_loglevel</font>, the message is delivered to the console one line at
a time (nothing is sent unless a trailing newline is provided). If both <i>klogd </i>and <i>syslogd
</i>are running on the system, kernel messages are appended to <i>/var/log/messages
</i>(or otherwise treated depending on your <i>syslogd </i>configuration), independent of
<font class="fixd">console_loglevel</font>. If <i>klogd </i>is not running, the message won't reach user space unless
you read <i>/proc/kmsg </i>(which is often most easily done with the <i>dmesg </i>command).
When using <i>klogd</i>, you should remember that it doesn't save consecutive identical
lines; it only saves the first such line and, at a later time, the number of repetitions it
received.<br>
<br>
The variable <font class="fixd">console_loglevel</font> is initialized to <font class="fixd">DEFAULT_CONSOLE_LOGLEVEL</font> and can be
modified through the <i>sys_syslog </i>system call. One way to change it is by specifying
the <i>-c </i>switch when invoking <i>klogd</i>, as specified in the <i>klogd </i>manpage. Note that to
change the current value, you must first kill <i>klogd </i>and then restart it with the <i>-c
</i>option. Alternatively, you can write a program to change the console loglevel. You'll
find a version of such a program in <i>misc-progs/setlevel.c </i>in the source files provided
on O'Reilly's FTP site. The new level is specified as an integer value between 1 and 8,
inclusive. If it is set to 1, only messages of level 0 (<font class="fixd">KERN_EMERG</font>) reach the console; if it
is set to 8, all messages, including debugging ones, are displayed.<br>
<br>
It is also possible to read and modify the console loglevel using the text file <i>/proc/sys/
kernel/printk</i>. The file hosts four integer values: the current loglevel, the default level
for messages that lack an explicit loglevel, the minimum allowed loglevel, and the
boot-time default loglevel. Writing a single value to this file changes the current
loglevel to that value; thus, for example, you can cause all kernel messages to appear
at the console by simply entering:<br>
<pre>
 # <b>echo 8 &gt; /proc/sys/kernel/printk</b>
</pre>
It should now be apparent why the <i>hello.c </i>sample had the <font class="fixd">KERN_ALERT</font>; markers; they
are there to make sure that the messages appear on the console.<br>
<br>
<a name="RedirectingConsoleMessages"></a><font color="red"><b>Redirecting Console Messages</b></font><br>
<br>
Linux allows for some flexibility in console logging policies by letting you send messages
to a specific virtual console (if your console lives on the text screen). By default,
the "console" is the current virtual terminal. To select a different virtual terminal to
receive messages, you can issue <font class="fixd">ioctl(TIOCLINUX)</font> on any console device. The following
program, <i>setconsole</i>, can be used to choose which console receives kernel messages;
it must be run by the superuser and is available in the <i>misc-progs</i> directory.<br>
<br>
<A name="78"></a><font color="blue">PAGE 78</font><br>
<br>
The following is the program in its entirety. You should invoke it with a single argument
specifying the number of the console that is to receive messages.<br>
<pre>
int main(int argc, char **argv)
{
    char bytes[2] = {11,0}; /* 11 is the TIOCLINUX cmd number */

    if (argc==2) bytes[1] = atoi(argv[1]); /* the chosen console */
    else {
        fprintf(stderr, &quot;%s: need a single arg\n&quot;,argv[0]); exit(1);
    }
    if (ioctl(STDIN_FILENO, TIOCLINUX, bytes)&lt;0) {    /* use stdin */
        fprintf(stderr,&quot;%s: ioctl(stdin, TIOCLINUX): %s\n&quot;,
                argv[0], strerror(errno));
        exit(1);
    }
    exit(0);
}
</pre>
<i>setconsole </i>uses the special <i>ioctl </i>command <font class="fixd">TIOCLINUX</font>, which implements Linux specific
functions. To use <font class="fixd">TIOCLINUX</font>, you pass it an argument that is a pointer to a
byte array. The first byte of the array is a number that specifies the requested subcommand,
and the following bytes are subcommand specific. In <i>setconsole</i>, subcommand
11 is used, and the next byte (stored in bytes[1]) identifies the virtual console.
The complete description of <font class="fixd">TIOCLINUX</font> can be found in <i>drivers/char/tty_io.c</i>, in the
kernel sources.<br>
<br>
<a name="HowMessagesGetLogged"></a><font color="red"><b>How Messages Get Logged</b></font><br>
<br>
The <i>printk </i>function writes messages into a circular buffer that is <font class="fixd">__LOG_BUF_LEN</font> bytes
long: a value from 4 KB to 1 MB chosen while configuring the kernel. The function
then wakes any process that is waiting for messages, that is, any process that is sleeping
in the <i>syslog </i>system call or that is reading <i>/proc/kmsg</i>. These two interfaces to the
logging engine are almost equivalent, but note that reading from <i>/proc/kmsg </i>consumes
the data from the log buffer, whereas the <i>syslog </i>system call can optionally
return log data while leaving it for other processes as well. In general, reading the
<i>/proc </i>file is easier and is the default behavior for <i>klogd</i>. The <i>dmesg </i>command can be
used to look at the content of the buffer without flushing it; actually, the command
returns to <i>stdout </i>the whole content of the buffer, whether or not it has already been
read.<br>
<br>
If you happen to read the kernel messages by hand, after stopping <i>klogd</i>, you'll find
that the <i>/proc </i>file looks like a FIFO, in that the reader blocks, waiting for more data.
Obviously, you can't read messages this way if <i>klogd </i>or another process is already
reading the same data, because you'll contend for it.<br>
<br>
If the circular buffer fills up, <i>printk </i>wraps around and starts adding new data to the
beginning of the buffer, overwriting the oldest data. Therefore, the logging process<br>
<br>
<A name="79"></a><font color="blue">PAGE 79</font><br>
<br>
loses the oldest data. This problem is negligible compared with the advantages of
using such a circular buffer. For example, a circular buffer allows the system to run
even without a logging process, while minimizing memory waste by overwriting old
data should nobody read it. Another feature of the Linux approach to messaging is
that <i>printk </i>can be invoked from anywhere, even from an interrupt handler, with no
limit on how much data can be printed. The only disadvantage is the possibility of
losing some data.<br>
<br>
If the <i>klogd </i>process is running, it retrieves kernel messages and dispatches them to
<i>syslogd</i>, which in turn checks <i>/etc/syslog.conf </i>to find out how to deal with them. <i>syslogd
</i>differentiates between messages according to a facility and a priority; allowable
values for both the facility and the priority are defined in <i>&lt;sys/syslog.h&gt;</i>. Kernel messages
are logged by the <font class="fixd">LOG_KERN</font> facility at a priority corresponding to the one used in
<i>printk </i>(for example, <font class="fixd">LOG_ERR</font> is used for <font class="fixd">KERN_ERR</font> messages). If <i>klogd </i>isn't running,
data remains in the circular buffer until someone reads it or the buffer overflows.<br>
<br>
If you want to avoid clobbering your system log with the monitoring messages from
your driver, you can either specify the <i>-f </i>(file) option to <i>klogd </i>to instruct it to save
messages to a specific file, or customize <i>/etc/syslog.conf </i>to suit your needs. Yet
another possibility is to take the brute-force approach: kill <i>klogd </i>and verbosely print
messages on an unused virtual terminal,* or issue the command <i>cat /proc/kmsg </i>from
an unused <i>xterm</i>.<br>
<br>
<a name="TurningTheMessagesOnAndOff"></a><font color="red"><b>Turning the Messages On and Off</b></font><br>
<br>
During the early stages of driver development, <i>printk </i>can help considerably in debugging
and testing new code. When you officially release the driver, on the other hand,
you should remove, or at least disable, such print statements. Unfortunately, you're
likely to find that as soon as you think you no longer need the messages and remove
them, you implement a new feature in the driver (or somebody finds a bug), and you
want to turn at least one of the messages back on. There are several ways to solve
both issues, to globally enable or disable your debug messages and to turn individual
messages on or off.<br>
<br>
Here we show one way to code <i>printk </i>calls so you can turn them on and off individually
or globally; the technique depends on defining a macro that resolves to a <i>printk
</i>(or <i>printf</i>) call when you want it to:<br>
<ul>
<li> Each print statement can be enabled or disabled by removing or adding a single letter to the macro's name.
<li> All the messages can be disabled at once by changing the value of the <font class="fixd">CFLAGS</font>
variable before compiling.
</ul>
* For example, use <i>setlevel 8; setconsole 10</i> to set up terminal 10 to display messages.<br>
<br>
<A name="80"></a><font color="blue">PAGE 80</font>
<ul>
<li> The same print statement can be used in kernel code and user-level code, so that
the driver and test programs can be managed in the same way with regard to
extra messages.
</ul>
The following code fragment implements these features and comes directly from the
header <i>scull.h</i>:<br>
<pre>
#undef PDEBUG             /* undef it, just in case */
#ifdef SCULL_DEBUG
#  ifdef __KERNEL__
     /* This one if debugging is on, and kernel space */
#    define PDEBUG(fmt, args...) printk( KERN_DEBUG &quot;scull: &quot; fmt, ## args)
#  else
     /* This one for user space */
#    define PDEBUG(fmt, args...) fprintf(stderr, fmt, ## args)
#  endif
#else
#  define PDEBUG(fmt, args...) /* not debugging: nothing */
#endif

#undef PDEBUGG
#define PDEBUGG(fmt, args...) /* nothing: it's a placeholder */
</pre>
The symbol <font class="fixd">PDEBUG</font> is defined or undefined, depending on whether <font class="fixd">SCULL_DEBUG</font> is
defined, and displays information in whatever manner is appropriate to the environment
where the code is running: it uses the kernel call <i>printk </i>when it's in the kernel
and the <i>libc </i>call <i>fprintf </i>to the standard error when run in user space. The <font class="fixd">PDEBUGG</font>
symbol, on the other hand, does nothing; it can be used to easily "comment" print
statements without removing them entirely.<br>
<br>
To simplify the process further, add the following lines to your makefile:<br>
<pre>
# Comment/uncomment the following line to disable/enable debugging
DEBUG = y

# Add your debugging flag (or not) to CFLAGS
ifeq ($(DEBUG),y)
  DEBFLAGS = -O -g -DSCULL_DEBUG # &quot;-O&quot; is needed to expand inlines
else
  DEBFLAGS = -O2
endif

CFLAGS += $(DEBFLAGS)
</pre>
The macros shown in this section depend on a <i>gcc </i>extension to the ANSI C preprocessor
that supports macros with a variable number of arguments. This <i>gcc </i>dependency
shouldn't be a problem, because the kernel proper depends heavily on <i>gcc
</i>features anyway. In addition, the makefile depends on GNU's version of <i>make</i>; once
again, the kernel already depends on GNU <i>make</i>, so this dependency is not a problem.<br>
<br>
<A name="81"></a><font color="blue">PAGE 81</font><br>
<br>
If you're familiar with the C preprocessor, you can expand on the given definitions to
implement the concept of a "debug level," defining different levels and assigning an
integer (or bit mask) value to each level to determine how verbose it should be.<br>
<br>
But every driver has its own features and monitoring needs. The art of good programming
is in choosing the best trade-off between flexibility and efficiency, and we
can't tell what is the best for you. Remember that preprocessor conditionals (as well
as constant expressions in the code) are executed at compile time, so you must
recompile to turn messages on or off. A possible alternative is to use C conditionals,
which are executed at runtime and, therefore, permit you to turn messaging on and
off during program execution. This is a nice feature, but it requires additional processing
every time the code is executed, which can affect performance even when the
messages are disabled. Sometimes this performance hit is unacceptable.<br>
<br>
The macros shown in this section have proven themselves useful in a number of situations,
with the only disadvantage being the requirement to recompile a module after
any changes to its messages.<br>
<br>
<a name="RateLimiting"></a><font color="red"><b>Rate Limiting</b></font><br>
<br>
If you are not careful, you can find yourself generating thousands of messages with
<i>printk</i>, overwhelming the console and, possibly, overflowing the system log file.
When using a slow console device (e.g., a serial port), an excessive message rate can
also slow down the system or just make it unresponsive. It can be very hard to get a
handle on what is wrong with a system when the console is spewing out data nonstop.
Therefore, you should be very careful about what you print, especially in production
versions of drivers and especially once initialization is complete. In general,
production code should never print anything during normal operation; printed output
should be an indication of an exceptional situation requiring attention.<br>
<br>
On the other hand, you may want to emit a log message if a device you are driving
stops working. But you should be careful not to overdo things. An unintelligent process
that continues forever in the face of failures can generate thousands of retries per
second; if your driver prints a "my device is broken" message every time, it could create
vast amounts of output and possibly hog the CPU if the console device is slow-no
interrupts can be used to driver the console, even if it is a serial port or a line
printer.<br>
<br>
In many cases, the best behavior is to set a flag saying, "I have already complained
about this," and not print any further messages once the flag gets set. In others,
though, there are reasons to emit an occasional "the device is still broken" notice.
The kernel has provided a function that can be helpful in such cases:<br>
<pre>
int printk_ratelimit(void);
</pre>
<A name="82"></a><font color="blue">PAGE 82</font><br>
<br>
This function should be called before you consider printing a message that could be
repeated often. If the function returns a nonzero value, go ahead and print your message,
otherwise skip it. Thus, typical calls look like this:<br>
<pre>
if (printk_ratelimit( ))
    printk(KERN_NOTICE &quot;The printer is still on fire\n&quot;);
</pre>
<i>printk_ratelimit </i>works by tracking how many messages are sent to the console.
When the level of output exceeds a threshold, <i>printk_ratelimit </i>starts returning 0 and
causing messages to be dropped.<br>
<br>
The behavior of <i>printk_ratelimit </i>can be customized by modifying <i>/proc/sys/kernel/
<font class="fixd">printk_ratelimit</font> </i>(the number of seconds to wait before re-enabling messages) and are
<i>/proc/sys/kernel/printk_ratelimit_burst </i>(the number of messages accepted before rate-limiting).<br>
<br>
<a name="PrintingDeviceNumbers"></a><font color="red"><b>Printing Device Numbers</b></font><br>
<br>
Occasionally, when printing a message from a driver, you will want to print the
device number associated with the hardware of interest. It is not particularly hard
to print the major and minor numbers, but, in the interest of consistency, the kernel
provides a couple of utility macros (defined in <i>&lt;linux/kdev_t.h&gt;</i>) for this purpose:<br>
<pre>
int print_dev_t(char *buffer, dev_t dev);
char *format_dev_t(char *buffer, dev_t dev);
</pre>
Both macros encode the device number into the given buffer; the only difference is
that <i>print_dev_t </i>returns the number of characters printed, while <i>format_dev_t </i>returns
buffer; therefore, it can be used as a parameter to a <i>printk </i>call directly, although one
must remember that <i>printk </i>doesn't flush until a trailing newline is provided. The
buffer should be large enough to hold a device number; given that 64-bit device
numbers are a distinct possibility in future kernel releases, the buffer should probably
be at least 20 bytes long.<br>
<br>
<a name="DebuggingByQuerying"></a><font color="red"><b>Debugging by Querying</b></font><br>
<br>
The previous section described how <i>printk </i>works and how it can be used. What it
didn't talk about are its disadvantages.<br>
<br>
A massive use of <i>printk </i>can slow down the system noticeably, even if you lower
<i>console_loglevel </i>to avoid loading the console device, because <i>syslogd </i>keeps syncing
its output files; thus, every line that is printed causes a disk operation. This is the
right implementation from <i>syslogd</i>'s perspective. It tries to write everything to disk in
case the system crashes right after printing the message; however, you don't want to
slow down your system just for the sake of debugging messages. This problem can be
solved by prefixing the name of your log file as it appears in <i>/etc/syslogd.conf </i>with a<br>
<br>
<A name="83"></a><font color="blue">PAGE 83</font><br>
<br>
hyphen.* The problem with changing the configuration file is that the modification
will likely remain there after you are done debugging, even though during normal
system operation you do want messages to be flushed to disk as soon as possible. An
alternative to such a permanent change is running a program other than <i>klogd </i>(such
as <i>cat /proc/kmsg</i>, as suggested earlier), but this may not provide a suitable environment
for normal system operation.<br>
<br>
More often than not, the best way to get relevant information is to query the system
when you need the information, instead of continually producing data. In fact, every
Unix system provides many tools for obtaining system information: <i>ps</i>, <i>netstat</i>,
<i>vmstat</i>, and so on.<br>
<br>
A few techniques are available to driver developers for querying the system: creating
a file in the <i>/proc </i>filesystem, using the <i>ioctl </i>driver method, and exporting attributes
via <i>sysfs</i>. The use of <i>sysfs </i>requires quite some background on the driver model. It is
discussed in Chapter 14.<br>
<br>
<a name="UsingTheProcFilesystem"></a><font color="red"><b>Using the /proc Filesystem</b></font><br>
<br>
The <i>/proc </i>filesystem is a special, software-created filesystem that is used by the kernel
to export information to the world. Each file under <i>/proc </i>is tied to a kernel function
that generates the file's "contents" on the fly when the file is read. We have
already seen some of these files in action; <i>/proc/modules</i>, for example, always returns
a list of the currently loaded modules.<br>
<br>
<i>/proc </i>is heavily used in the Linux system. Many utilities on a modern Linux distribution,
such as <i>ps</i>, <i>top</i>, and <i>uptime</i>, get their information from <i>/proc</i>. Some device drivers
also export information via <i>/proc</i>, and yours can do so as well. The <i>/proc
</i>filesystem is dynamic, so your module can add or remove entries at any time.<br>
<br>
Fully featured <i>/proc </i>entries can be complicated beasts; among other things, they can
be written to as well as read from. Most of the time, however, <i>/proc </i>entries are readonly
files. This section concerns itself with the simple read-only case. Those who are
interested in implementing something more complicated can look here for the basics;
the kernel source may then be consulted for the full picture.<br>
<br>
Before we continue, however, we should mention that adding files under <i>/proc </i>is discouraged.
The <i>/proc </i>filesystem is seen by the kernel developers as a bit of an uncontrolled
mess that has gone far beyond its original purpose (which was to provide
information about the processes running in the system). The recommended way of
making information available in new code is via sysfs. As suggested, working with
sysfs requires an understanding of the Linux device model, however, and we do not<br>
<br>
* The hyphen, or minus sign, is a "magic" marker to prevent <i>syslogd </i>from flushing the file to disk at every new 
message, documented in <i>syslog.conf(5)</i>, a manpage worth reading.<br>
<br>
<A name="84"></a><font color="blue">PAGE 84</font><br>
<br>
get to that until Chapter 14. Meanwhile, files under <i>/proc </i>are slightly easier to create,
and they are entirely suitable for debugging purposes, so we cover them here.<br>
<br>
<a name="ImplementingFilesInProc"></a><font color="red"><b>Implementing files in /proc</b></font><br>
<br>
All modules that work with <i>/proc </i>should include <i>&lt;linux/proc_fs.h&gt; </i>to define the
proper functions.<br>
<br>
To create a read-only <i>/proc </i>file, your driver must implement a function to produce
the data when the file is read. When some process reads the file (using the <i>read </i>system
call), the request reaches your module by means of this function. We'll look at
this function first and get to the registration interface later in this section.<br>
<br>
When a process reads from your <i>/proc </i>file, the kernel allocates a page of memory (i.e.,
<font class="fixd">PAGE_SIZE</font> bytes) where the driver can write data to be returned to user space. That
buffer is passed to your function, which is a method called <i>read_proc</i>:<br>
<pre>
int (*read_proc)(char *page, char **start, off_t offset, int count,
                 int *eof, void *data);
</pre>
The <font class="fixd">page</font> pointer is the buffer where you'll write your data; <font class="fixd">start</font> is used by the function
to say where the interesting data has been written in <font class="fixd">page</font> (more on this later);
<font class="fixd">offset</font> and <font class="fixd">count</font> have the same meaning as for the <i>read </i>method. The <font class="fixd">eof</font> argument
points to an integer that must be set by the driver to signal that it has no more
data to return, while <font class="fixd">data</font> is a driver-specific data pointer you can use for internal
bookkeeping.<br>
<br>
This function should return the number of bytes of data actually placed in the <font class="fixd">page</font>
buffer, just like the <i>read </i>method does for other files. Other output values are <font class="fixd">*eof</font>
and <font class="fixd">*start. eof</font> is a simple flag, but the use of the <font class="fixd">start</font> value is somewhat more
complicated; its purpose is to help with the implementation of large (greater than
one page) <i>/proc</i> files.<br>
<br>
The <font class="fixd">start</font> parameter has a somewhat unconventional use. Its purpose is to indicate
where (within <font class="fixd">page</font>) the data to be returned to the user is found. When your <i>proc_read
</i>method is called, <font class="fixd">*start</font> will be <font class="fixd">NULL</font>. If you leave it <font class="fixd">NULL</font>, the kernel assumes that the
data has been put into <font class="fixd">page</font> as if <font class="fixd">offset</font> were 0; in other words, it assumes a simpleminded
version of <i>proc_read</i>, which places the entire contents of the virtual file in <font class="fixd">page</font>
without paying attention to the <font class="fixd">offset</font> parameter. If, instead, you <font class="fixd">set *start</font> to a nonNULL
value, the kernel assumes that the data pointed to by <font class="fixd">*start</font> takes <font class="fixd">offset</font> into
account and is ready to be returned directly to the user. In general, simple <i>proc_read
</i>methods that return tiny amounts of data just ignore <font class="fixd">start</font>. More complex methods set
<font class="fixd">*start</font> to <font class="fixd">page</font> and only place data beginning at the requested <font class="fixd">offset</font> there.<br>
<br>
There has long been another major issue with <i>/proc </i>files, which <font class="fixd">start</font> is meant to
solve as well. Sometimes the ASCII representation of kernel data structures changes
between successive calls to <i>read</i>, so the reader process could find inconsistent data
from one call to the next. If <font class="fixd">*start</font> is set to a small integer value, the caller uses it to<br>
<br>
<A name="85"></a><font color="blue">PAGE 85</font><br>
<br>
increment <font class="fixd">filp-&gt;f_pos</font> independently of the amount of data you return, thus making
<font class="fixd">f_pos</font> an internal record number of your <i>read_proc </i>procedure. If, for example,
your <i>read_proc </i>function is returning information from a big array of structures, and
five of those structures were returned in the first call, <font class="fixd">*start</font> could be set to 5. The
next call provides that same value as the offset; the driver then knows to start returning
data from the sixth structure in the array. This is acknowledged as a "hack" by its
authors and can be seen in <i>fs/proc/generic.c</i>.<br>
<br>
Note that there is a better way to implement large <i>/proc </i>files; it's called <font class="fixd">seq_file,</font> and
we'll discuss it shortly. First, though, it is time for an example. Here is a simple (if
somewhat ugly) <i>read_proc</i> implementation for the <i>scull</i> device:<br>
<pre>
int scull_read_procmem(char *buf, char **start, off_t offset,
                   int count, int *eof, void *data)
{
    int i, j, len = 0;
    int limit = count - 80; /* Don't print more than this */

    for (i = 0; i &lt; scull_nr_devs &amp;&amp; len &lt;= limit; i++) {
        struct scull_dev *d = &amp;scull_devices[i];
        struct scull_qset *qs = d-&gt;data;
        if (down_interruptible(&amp;d-&gt;sem))
            return -ERESTARTSYS;
        len += sprintf(buf+len,&quot;\nDevice %i: qset %i, q %i, sz %li\n&quot;,
                i, d-&gt;qset, d-&gt;quantum, d-&gt;size);
        for (; qs &amp;&amp; len &lt;= limit; qs = qs-&gt;next) { /* scan the list */
            len += sprintf(buf + len, &quot;  item at %p, qset at %p\n&quot;,
                    qs, qs-&gt;data);
            if (qs-&gt;data &amp;&amp; !qs-&gt;next) /* dump only the last item */
                for (j = 0; j &lt; d-&gt;qset; j++) {
                    if (qs-&gt;data[j])
                        len += sprintf(buf + len,
                                &quot;    % 4i: %8p\n&quot;,
                                j, qs-&gt;data[j]);
                }
        }
        up(&amp;scull_devices[i].sem);
    }
    *eof = 1;
    return len;
}
</pre>
This is a fairly typical <i>read_proc </i>implementation. It assumes that there will never be a
need to generate more than one page of data and so ignores the <font class="fixd">start</font> and <font class="fixd">offset</font> values.
It is, however, careful not to overrun its buffer, just in case.<br>
<br>
<a name="AnOlderInterface"></a><font color="red"><b>An older interface</b></font><br>
<br>
If you read through the kernel source, you may encounter code implementing <i>/proc
</i>files with an older interface:<br>
<pre>
int (*get_info)(char *page, char **start, off_t offset, int count);
</pre>
<A name="86"></a><font color="blue">PAGE 86</font><br>
<br>
All of the arguments have the same meaning as they do for <i>read_proc</i>, but the <font class="fixd">eof</font>
and <font class="fixd">data</font> arguments are missing. This interface is still supported, but it could go
away in the future; new code should use the <i>read_proc</i> interface instead.<br>
<br>
<a name="CreatingYourProcFile"></a><font color="red"><b>Creating your /proc file</b></font><br>
<br>
Once you have a <i>read_proc </i>function defined, you need to connect it to an entry in
the <i>/proc</i> hierarchy. This is done with a call to <i>create_proc_read_entry</i>:<br>
<pre>
struct proc_dir_entry *create_proc_read_entry(const char *name,
                              mode_t mode, struct proc_dir_entry *base,
                              read_proc_t *read_proc, void *data);
</pre>
Here, <font class="fixd">name</font> is the name of the file to create, <font class="fixd">mode</font> is the protection mask for the file (it
can be passed as 0 for a system-wide default), base indicates the directory in which the
file should be created (if base is <font class="fixd">NULL</font>, the file is created in the <i>/proc </i>root), <font class="fixd">read_proc</font> is
the <i>read_proc </i>function that implements the file, and data is ignored by the kernel (but
passed to <i>read_proc</i>). Here is the call used by <i>scull </i>to make its <i>/proc </i>function available
as <i>/proc/scullmem</i>:<br>
<pre>
create_proc_read_entry(&quot;scullmem&quot;, 0 /* default mode */,
        NULL /* parent dir */, scull_read_procmem,
        NULL /* client data */);
</pre>
Here, we create a file called <i>scullmem </i>directly under <i>/proc</i>, with the default, world-readable
protections.<br>
<br>
The directory entry pointer can be used to create entire directory hierarchies under
<i>/proc</i>. Note, however, that an entry may be more easily placed in a subdirectory of
<i>/proc </i>simply by giving the directory name as part of the name of the entry--as long
as the directory itself already exists. For example, an (often ignored) convention says
that <i>/proc </i>entries associated with device drivers should go in the subdirectory <i>driver/</i>;
<i>scull</i> could place its entry there simply by giving its name as <i>driver/scullmem</i>.<br>
<br>
Entries in <i>/proc</i>, of course, should be removed when the module is unloaded.
<i>remove_proc_entry </i>is the function that undoes what <i>create_proc_read_entry </i>already
did:<br>
<pre>
remove_proc_entry(&quot;scullmem&quot;, NULL /* parent dir */);
</pre>
Failure to remove entries can result in calls at unwanted times, or, if your module has
been unloaded, kernel crashes.<br>
<br>
When using <i>/proc </i>files as shown, you must remember a few nuisances of the implementation--no
surprise its use is discouraged nowadays.<br>
<br>
The most important problem is with removal of <i>/proc </i>entries. Such removal may well
happen while the file is in use, as there is no owner associated to <i>/proc </i>entries, so
using them doesn't act on the module's reference count. This problem is simply triggered
by running <i>sleep 100 &lt; /proc/myfile</i> just before removing the module, for example.<br>
<br>
<A name="87"></a><font color="blue">PAGE 87</font><br>
<br>
Another issue is about registering two entries with the same name. The kernel trusts
the driver and doesn't check if the name is already registered, so if you are not careful
you might end up with two or more entries with the same name. This is a problem
known to happen in classrooms, and such entries are indistinguishable, both
when you access them and when you call <i>remove_proc_entry</i>.<br>
<br>
<a name="TheSeqfileInterface"></a><font color="red"><b>The <font class="fixd">seq_file</font> interface</b></font><br>
<br>
As we noted above, the implementation of large files under <i>/proc </i>is a little awkward.
Over time, <i>/proc </i>methods have become notorious for buggy implementations when
the amount of output grows large. As a way of cleaning up the <i>/proc </i>code and making
life easier for kernel programmers, the <font class="fixd">seq_file</font> interface was added. This interface
provides a simple set of functions for the implementation of large kernel virtual
files.<br>
<br>
The <font class="fixd">seq_file</font> interface assumes that you are creating a virtual file that steps through
a sequence of items that must be returned to user space. To use <font class="fixd">seq_file</font>, you must
create a simple "iterator" object that can establish a position within the sequence,
step forward, and output one item in the sequence. It may sound complicated, but,
in fact, the process is quite simple. We'll step through the creation of a <i>/proc </i>file in
the <i>scull</i> driver to show how it is done.<br>
<br>
The first step, inevitably, is the inclusion of <i>&lt;linux/seq_file.h&gt;</i>. Then you must create
four iterator methods, called <i>start</i>, <i>next</i>, <i>stop</i>, and <i>show</i>.<br>
<br>
The <i>start</i> method is always called first. The prototype for this function is:<br>
<pre>
void *start(struct seq_file *sfile, loff_t *pos);
</pre>
The <font class="fixd">sfile</font> argument can almost always be ignored. <font class="fixd">pos</font> is an integer position indicating
where the reading should start. The interpretation of the position is entirely up to
the implementation; it need not be a byte position in the resulting file. Since <font class="fixd">seq_file</font>
implementations typically step through a sequence of interesting items, the position
is often interpreted as a cursor pointing to the next item in the sequence. The <i>scull
</i>driver interprets each device as one item in the sequence, so the incoming <font class="fixd">pos</font> is simply
an index into the <font class="fixd">scull_devices</font> array. Thus, the <i>start</i> method used in <i>scull</i> is:<br>
<pre>
static void *scull_seq_start(struct seq_file *s, loff_t *pos)
{
    if (*pos &gt;= scull_nr_devs)
        return NULL;   /* No more to read */
    return scull_devices + *pos;
}
</pre>
The return value, if <font class="fixd">non-NULL</font>, is a private value that can be used by the iterator
implementation.<br>
<br>
The <i>next </i>function should move the iterator to the next position, returning <font class="fixd">NULL</font> if
there is nothing left in the sequence. This method's prototype is:<br>
<pre>
void *next(struct seq_file *sfile, void *v, loff_t *pos);
</pre>
<A name="88"></a><font color="blue">PAGE 88</font><br>
<br>
Here, v is the iterator as returned from the previous call to <i>start </i>or <i>next</i>, and <font class="fixd">pos</font> is
the current position in the file. <i>next </i>should increment the value pointed to by <font class="fixd">pos</font>;
depending on how your iterator works, you might (though probably won't) want to
increment <font class="fixd">pos</font> by more than one. Here's what <i>scull</i> does:<br>
<pre>
static void *scull_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
    (*pos)++;
    if (*pos &gt;= scull_nr_devs)
        return NULL;
    return scull_devices + *pos;
}
</pre>
When the kernel is done with the iterator, it calls <i>stop</i> to clean up:<br>
<pre>
void stop(struct seq_file *sfile, void *v);
</pre>
The <i>scull</i> implementation has no cleanup work to do, so its <i>stop</i> method is empty.<br>
<br>
It is worth noting that the <font class="fixd">seq_file</font> code, by design, does not sleep or perform other
nonatomic tasks between the calls to <i>start </i>and <i>stop</i>. You are also guaranteed to see
one <i>stop </i>call sometime shortly after a call to <i>start</i>. Therefore, it is safe for your <i>start
</i>method to acquire semaphores or spinlocks. As long as your other <font class="fixd">seq_file</font> methods
are atomic, the whole sequence of calls is atomic. (If this paragraph does not
make sense to you, come back to it after you've read the next chapter.)<br>
<br>
In between these calls, the kernel calls the <i>show </i>method to actually output something
interesting to the user space. This method's prototype is:<br>
<pre>
int show(struct seq_file *sfile, void *v);
</pre>
This method should create output for the item in the sequence indicated by the iterator
<font class="fixd">v.</font> It should not use <i>printk</i>, however; instead, there is a special set of functions for
<font class="fixd">seq_file</font> output:<br>
<br>
<font class="fixd">int seq_printf(struct seq_file *sfile, const char *fmt, ...);</font><br>
<div class="bq">
This is the <i>printf </i>equivalent for <font class="fixd">seq_file</font> implementations; it takes the usual format
string and additional value arguments. You must also pass it the <font class="fixd">seq_file</font>
structure given to the <i>show </i>function, however. If <i>seq_printf </i>returns a nonzero
value, it means that the buffer has filled, and output is being discarded. Most
implementations ignore the return value, however.</div>
<br>
<font class="fixd">int seq_putc(struct seq_file *sfile, char c);<br>
int seq_puts(struct seq_file *sfile, const char *s);</font><br>
<div class="bq">
These are the equivalents of the user-space <i>putc</i> and <i>puts</i> functions.</div>
<br>
<font class="fixd">int seq_escape(struct seq_file *m, const char *s, const char *esc);</font><br>
<div class="bq">
This function is equivalent to <i>seq_puts </i>with the exception that any character in
s that is also found in <font class="fixd">esc</font> is printed in octal format. A common value for <font class="fixd">esc</font> is
&quot; \t\n\\&quot;, which keeps embedded white space from messing up the output and
possibly confusing shell scripts.</div>
<br>
<A name="89"></a><font color="blue">PAGE 89</font><br>
<br>
<font class="fixd">int seq_path(struct seq_file *sfile, struct vfsmount *m, struct dentry
  *dentry, char *esc);</font><br>
<div class="bq">
This function can be used for outputting the file name associated with a given
directory entry. It is unlikely to be useful in device drivers; we have included it
here for completeness.</div>
<br>
Getting back to our example; the <i>show</i> method used in <i>scull</i> is:<br>
<pre>
static int scull_seq_show(struct seq_file *s, void *v)
{
    struct scull_dev *dev = (struct scull_dev *) v;
    struct scull_qset *d;
    int i;

    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;
    seq_printf(s, &quot;\nDevice %i: qset %i, q %i, sz %li\n&quot;,
            (int) (dev - scull_devices), dev-&gt;qset,
            dev-&gt;quantum, dev-&gt;size);
    for (d = dev-&gt;data; d; d = d-&gt;next) { /* scan the list */
        seq_printf(s, &quot;  item at %p, qset at %p\n&quot;, d, d-&gt;data);
        if (d-&gt;data &amp;&amp; !d-&gt;next) /* dump only the last item */
            for (i = 0; i &lt; dev-&gt;qset; i++) {
                if (d-&gt;data[i])
                    seq_printf(s, &quot;    % 4i: %8p\n&quot;,
                            i, d-&gt;data[i]);
            }
    }
    up(&amp;dev-&gt;sem);
    return 0;
}
</pre>
Here, we finally interpret our "iterator" value, which is simply a pointer to a <font class="fixd">scull_dev</font>
structure.<br>
<br>
Now that it has a full set of iterator operations, <i>scull </i>must package them up and
connect them to a file in <i>/proc</i>. The first step is done by filling in a <font class="fixd">seq_operations</font>
structure:<br>
<pre>
static struct seq_operations scull_seq_ops = {
    .start = scull_seq_start,
    .next  = scull_seq_next,
    .stop  = scull_seq_stop,
    .show  = scull_seq_show
};
</pre>
With that structure in place, we must create a file implementation that the kernel
understands. We do not use the <i>read_proc </i>method described previously; when using
<font class="fixd">seq_file</font>, it is best to connect in to <i>/proc </i>at a slightly lower level. That means creating
a <font class="fixd">file_operations</font> structure (yes, the same structure used for char drivers) implementing
all of the operations needed by the kernel to handle reads and seeks on the<br>
<br>
<A name="90"></a><font color="blue">PAGE 90</font><br>
<br>
file. Fortunately, this task is straightforward. The first step is to create an <i>open
</i>method that connects the file to the <font class="fixd">seq_file</font> operations:<br>
<pre>
static int scull_proc_open(struct inode *inode, struct file *file)
{
    return seq_open(file, &amp;scull_seq_ops);
}
</pre>
The call to <i>seq_open </i>connects the <font class="fixd">file</font> structure with our sequence operations
defined above. As it turns out, <i>open </i>is the only file operation we must implement
ourselves, so we can now set up our <font class="fixd">file_operations</font> structure:<br>
<pre>
static struct file_operations scull_proc_ops = {
    .owner   = THIS_MODULE,
    .open    = scull_proc_open,
    .read    = seq_read,
    .llseek  = seq_lseek,
    .release = seq_release
};
</pre>
Here we specify our own <i>open </i>method, but use the canned methods <i>seq_read</i>, <i>seq_
lseek</i>, and <i>seq_release</i> for everything else.<br>
<br>
The final step is to create the actual file in <i>/proc</i>:<br>
<pre>
entry = create_proc_entry(&quot;scullseq&quot;, 0, NULL);
if (entry)
    entry-&gt;proc_fops = &amp;scull_proc_ops;
</pre>
Rather than using <i>create_proc_read_entry</i>, we call the lower-level <i>create_proc_entry</i>,
which has this prototype:<br>
<pre>
struct proc_dir_entry *create_proc_entry(const char *name,
                              mode_t mode,
                              struct proc_dir_entry *parent);
</pre>
The arguments are the same as their equivalents in <i>create_proc_read_entry</i>: the name
of the file, its protections, and the parent directory.<br>
<br>
With the above code, <i>scull </i>has a new <i>/proc </i>entry that looks much like the previous
one. It is superior, however, because it works regardless of how large its output
becomes, it handles seeks properly, and it is generally easier to read and maintain.
We recommend the use of <font class="fixd">seq_file</font> for the implementation of files that contain more
than a very small number of lines of output.<br>
<br>
<a name="TheIoctlMethod"></a><font color="red"><b>The ioctl Method</b></font><br>
<br>
<i>ioctl</i>, which we show you how to use in Chapter 6, is a system call that acts on a file
descriptor; it receives a number that identifies a command to be performed and
(optionally) another argument, usually a pointer. As an alternative to using the <i>/proc
</i>filesystem, you can implement a few <i>ioctl </i>commands tailored for debugging. These<br>
<br>
<A name="91"></a><font color="blue">PAGE 91</font><br>
<br>
commands can copy relevant data structures from the driver to user space where you
can examine them.<br>
<br>
Using <i>ioctl </i>this way to get information is somewhat more difficult than using <i>/proc</i>,
because you need another program to issue the <i>ioctl </i>and display the results. This program
must be written, compiled, and kept in sync with the module you're testing.
On the other hand, the driver-side code can be easier than what is needed to implement
a <i>/proc</i> file.<br>
<br>
There are times when <i>ioctl </i>is the best way to get information, because it runs faster
than reading <i>/proc</i>. If some work must be performed on the data before it's written to
the screen, retrieving the data in binary form is more efficient than reading a text file.
In addition, <i>ioctl</i> doesn't require splitting data into fragments smaller than a page.<br>
<br>
Another interesting advantage of the <i>ioctl </i>approach is that information-retrieval commands
can be left in the driver even when debugging would otherwise be disabled.
Unlike a <i>/proc </i>file, which is visible to anyone who looks in the directory (and too
many people are likely to wonder "what that strange file is"), undocumented <i>ioctl
</i>commands are likely to remain unnoticed. In addition, they will still be there should
something weird happen to the driver. The only drawback is that the module will be
slightly bigger.<br>
<br>
<a name="DebuggingByWatching"></a><font color="red"><b>Debugging by Watching</b></font><br>
<br>
Sometimes minor problems can be tracked down by watching the behavior of an
application in user space. Watching programs can also help in building confidence
that a driver is working correctly. For example, we were able to feel confident about
<i>scull </i>after looking at how its <i>read </i>implementation reacted to read requests for different
amounts of data.<br>
<br>
There are various ways to watch a user-space program working. You can run a
debugger on it to step through its functions, add print statements, or run the program
under <i>strace</i>. Here we'll discuss just the last technique, which is most interesting
when the real goal is examining kernel code.<br>
<br>
The <i>strace </i>command is a powerful tool that shows all the system calls issued by a
user-space program. Not only does it show the calls, but it can also show the arguments
to the calls and their return values in symbolic form. When a system call fails,
both the symbolic value of the error (e.g., <font class="fixd">ENOMEM</font>) and the corresponding string (<font class="fixd">Out
of memory</font>) are displayed. <i>strace </i>has many command-line options; the most useful of
which are <i>-t </i>to display the time <i>when </i>each call is executed, <i>-T </i>to display the time
spent in the call, <i>-e </i>to limit the types of calls traced, and <i>-o </i>to redirect the output to a
file. By default, <i>strace</i> prints tracing information on stderr.<br>
<br>
<i>strace </i>receives information from the kernel itself. This means that a program can be
traced regardless of whether or not it was compiled with debugging support (the <i>-g</i><br>
<br>
<A name="92"></a><font color="blue">PAGE 92</font><br>
<br>
option to <i>gcc</i>) and whether or not it is stripped. You can also attach tracing to a running
process, similar to the way a debugger can connect to a running process and
control it.<br>
<br>
The trace information is often used to support bug reports sent to application developers,
but it's also invaluable to kernel programmers. We've seen how driver code
executes by reacting to system calls; <i>strace </i>allows us to check the consistency of
input and output data of each call.<br>
<br>
For example, the following screen dump shows (most of) the last lines of running the
command <i>strace ls /dev &gt; /dev/scull0</i>:<br>
<pre>
open(&quot;/dev&quot;, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=24576, ...}) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
getdents64(3, /* 141 entries */, 4096)  = 4088
[...]
getdents64(3, /* 0 entries */, 4096)    = 0
close(3)                                = 0
[...]
fstat64(1, {st_mode=S_IFCHR|0664, st_rdev=makedev(254, 0), ...}) = 0
write(1, &quot;MAKEDEV\nadmmidi0\nadmmidi1\nadmmid&quot;..., 4096) = 4000
write(1, &quot;b\nptywc\nptywd\nptywe\nptywf\nptyx0\n&quot;..., 96) = 96
write(1, &quot;b\nptyxc\nptyxd\nptyxe\nptyxf\nptyy0\n&quot;..., 4096) = 3904
write(1, &quot;s17\nvcs18\nvcs19\nvcs2\nvcs20\nvcs21&quot;..., 192) = 192
write(1, &quot;\nvcs47\nvcs48\nvcs49\nvcs5\nvcs50\nvc&quot;..., 673) = 673
close(1)                                = 0
exit_group(0)                           = ?
</pre>
It's apparent from the first <i>write </i>call that after <i>ls </i>finished looking in the target directory,
it tried to write 4 KB. Strangely (for <i>ls</i>), only 4000 bytes were written, and the
operation was retried. However, we know that the <i>write </i>implementation in <i>scull
</i>writes a single quantum at a time, so we could have expected the partial write. After
a few steps, everything sweeps through, and the program exits successfully.<br>
<br>
As another example, let's <i>read</i> the <i>scull</i> device (using the <i>wc</i> command):<br>
<pre>
[...]
open(&quot;/dev/scull0&quot;, O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFCHR|0664, st_rdev=makedev(254, 0), ...}) = 0
read(3, &quot;MAKEDEV\nadmmidi0\nadmmidi1\nadmmid&quot;..., 16384) = 4000
read(3, &quot;b\nptywc\nptywd\nptywe\nptywf\nptyx0\n&quot;..., 16384) = 4000
read(3, &quot;s17\nvcs18\nvcs19\nvcs2\nvcs20\nvcs21&quot;..., 16384) = 865
read(3, &quot;&quot;, 16384)                      = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
write(1, &quot;8865 /dev/scull0\n&quot;, 17)      = 17
close(3)                                = 0
exit_group(0)                           = ?
</pre>
As expected, <i>read </i>is able to retrieve only 4000 bytes at a time, but the total amount
of data is the same that was written in the previous example. It's interesting to note
how retries are organized in this example, as opposed to the previous trace. <i>wc </i>is<br>
<br>
<A name="93"></a><font color="blue">PAGE 93</font><br>
<br>
optimized for fast reading and, therefore, bypasses the standard library, trying to
read more data with a single system call. You can see from the <font class="fixd">read</font> lines in the trace
how <i>wc</i> tried to read 16 KB at a time.<br>
<br>
Linux experts can find much useful information in the output of <i>strace</i>. If you're put
off by all the symbols, you can limit yourself to watching how the file methods (<i>open</i>,
<i>read</i>, and so on) work with the efile flag.<br>
<br>
Personally, we find <i>strace </i>most useful for pinpointing runtime errors from system
calls. Often the <i>perror </i>call in the application or demo program isn't verbose enough
to be useful for debugging, and being able to tell exactly which arguments to which
system call triggered the error can be a great help.<br>
<br>
<a name="DebuggingSystemFaults"></a><font color="red"><b>Debugging System Faults</b></font><br>
<br>
Even if you've used all the monitoring and debugging techniques, sometimes bugs
remain in the driver, and the system faults when the driver is executed. When this
happens, it's important to be able to collect as much information as possible to solve
the problem.<br>
<br>
Note that "fault" doesn't mean "panic." The Linux code is robust enough to respond
gracefully to most errors: a fault usually results in the destruction of the current process
while the system goes on working. The system <i>can </i>panic, and it may if a fault
happens outside of a process's context or if some vital part of the system is compromised.
But when the problem is due to a driver error, it usually results only in the
sudden death of the process unlucky enough to be using the driver. The only unrecoverable
damage when a process is destroyed is that some memory allocated to the
process's context is lost; for instance, dynamic lists allocated by the driver through
<i>kmalloc </i>might be lost. However, since the kernel calls the <i>close </i>operation for any
open device when a process dies, your driver can release what was allocated by the
<i>open</i> method.<br>
<br>
Even though an oops usually does not bring down the entire system, you may well
find yourself needing to reboot after one happens. A buggy driver can leave hardware
in an unusable state, leave kernel resources in an inconsistent state, or, in the worst
case, corrupt kernel memory in random places. Often you can simply unload your
buggy driver and try again after an oops. If, however, you see anything that suggests
that the system as a whole is not well, your best bet is usually to reboot immediately.<br>
<br>
We've already said that when kernel code misbehaves, an informative message is
printed on the console. The next section explains how to decode and use such messages.
Even though they appear rather obscure to the novice, processor dumps are
full of interesting information, often sufficient to pinpoint a program bug without the
need for additional testing.<br>
<br>
<A name="94"></a><font color="blue">PAGE 94</font><br>
<br>
<a name="OopsMessages"></a><font color="red"><b>Oops Messages</b></font><br>
<br>
Most bugs show themselves in <font class="fixd">NULL</font> pointer dereferences or by the use of other incorrect
pointer values. The usual outcome of such bugs is an oops message.<br>
<br>
Almost any address used by the processor is a virtual address and is mapped to physical
addresses through a complex structure of page tables (the exceptions are physical
addresses used with the memory management subsystem itself). When an invalid
pointer is dereferenced, the paging mechanism fails to map the pointer to a physical
address, and the processor signals a <i>page fault </i>to the operating system. If the address
is not valid, the kernel is not able to "page in" the missing address; it (usually) generates
an oops if this happens while the processor is in supervisor mode.<br>
<br>
An oops displays the processor status at the time of the fault, including the contents
of the CPU registers and other seemingly incomprehensible information. The message
is generated by <i>printk </i>statements in the fault handler (<i>arch/*/kernel/traps.c</i>) and
is dispatched as described earlier in the section "printk."<br>
<br>
Let's look at one such message. Here's what results from dereferencing a <font class="fixd">NULL</font> pointer
on a PC running Version 2.6 of the kernel. The most relevant information here is the
instruction pointer (<font class="fixd">EIP</font>), the address of the faulty instruction.<br>
<pre>
Unable to handle kernel <font class="fixd">NULL</font> pointer dereference at virtual address 00000000
 printing eip:
d083a064
Oops: 0002 [#1]
SMP
CPU:    0
EIP:    0060:[&lt;d083a064&gt;]    Not tainted
EFLAGS: 00010246   (2.6.6)
EIP is at faulty_write+0x4/0x10 [faulty]
eax: 00000000   ebx: 00000000   ecx: 00000000   edx: 00000000
esi: cf8b2460   edi: cf8b2480   ebp: 00000005   esp: c31c5f74
ds: 007b   es: 007b   ss: 0068
Process bash (pid: 2086, threadinfo=c31c4000 task=cfa0a6c0)
Stack: c0150558 cf8b2460 080e9408 00000005 cf8b2480 00000000 cf8b2460 cf8b2460
       fffffff7 080e9408 c31c4000 c0150682 cf8b2460 080e9408 00000005 cf8b2480
       00000000 00000001 00000005 c0103f8f 00000001 080e9408 00000005 00000005
Call Trace:
 [&lt;c0150558&gt;] vfs_write+0xb8/0x130
 [&lt;c0150682&gt;] sys_write+0x42/0x70
 [&lt;c0103f8f&gt;] syscall_call+0x7/0xb

Code: 89 15 00 00 00 00 c3 90 8d 74 26 00 83 ec 0c b8 00 a6 83 d0
</pre>
This message was generated by writing to a device owned by the <i>faulty </i>module, a
module built deliberately to demonstrate failures. The implementation of the <i>write
</i>method of <i>faulty.c</i> is trivial:<br>
<pre>
ssize_t faulty_write (struct file *filp, const char __user *buf, size_t count,
        loff_t *pos)
{
</pre>
<A name="95"></a><font color="blue">PAGE 95</font><br>
<pre>
    /* make a simple fault by dereferencing a NULL pointer */
    *(int *)0 = 0;
    return 0;
}
</pre>
As you can see, what we do here is dereference a <font class="fixd">NULL</font> pointer. Since 0 is never a valid
pointer value, a fault occurs, which the kernel turns into the oops message shown
earlier. The calling process is then killed.<br>
<br>
The <i>faulty</i> module has a different fault condition in its <i>read</i> implementation:<br>
<pre>
ssize_t faulty_read(struct file *filp, char __user *buf,
            size_t count, loff_t *pos)
{
    int ret;
    char stack_buf[4];

    /* Let's try a buffer overflow  */
    memset(stack_buf, 0xff, 20);
    if (count &gt; 4)
        count = 4; /* copy 4 bytes to the user */
    ret = copy_to_user(buf, stack_buf, count);
    if (!ret)
        return count;
    return ret;
}
</pre>
This method copies a string into a local variable; unfortunately, the string is longer
than the destination array. The resulting buffer overflow causes an oops when the
function returns. Since the return instruction brings the instruction pointer to
nowhere land, this kind of fault is much harder to trace, and you can get something
such as the following:<br>
<pre>
EIP:    0010:[&lt;00000000&gt;]
Unable to handle kernel paging request at virtual address ffffffff
 printing eip:
ffffffff
Oops: 0000 [#5]
SMP
CPU:    0
EIP:    0060:[&lt;ffffffff&gt;]    Not tainted
EFLAGS: 00010296   (2.6.6)
EIP is at 0xffffffff
eax: 0000000c   ebx: ffffffff   ecx: 00000000   edx: bfffda7c
esi: cf434f00   edi: ffffffff   ebp: 00002000   esp: c27fff78
ds: 007b   es: 007b   ss: 0068
Process head (pid: 2331, threadinfo=c27fe000 task=c3226150)
Stack: ffffffff bfffda70 00002000 cf434f20 00000001 00000286 cf434f00 fffffff7
       bfffda70 c27fe000 c0150612 cf434f00 bfffda70 00002000 cf434f20 00000000
       00000003 00002000 c0103f8f 00000003 bfffda70 00002000 00002000 bfffda70
Call Trace:
 [&lt;c0150612&gt;] sys_read+0x42/0x70
 [&lt;c0103f8f&gt;] syscall_call+0x7/0xb

Code:  Bad EIP value.
</pre>
<A name="96"></a><font color="blue">PAGE 96</font><br>
<br>
In this case, we see only part of the call stack (<i>vfs_read </i>and <i>faulty_read </i>are missing),
and the kernel complains about a "bad <font class="fixd">EIP</font> value." That complaint, and the offending
address (<font class="fixd">ffffffff</font>) listed at the beginning are both hints that the kernel stack has
been corrupted.<br>
<br>
In general, when you are confronted with an oops, the first thing to do is to look at
the location where the problem happened, which is usually listed separately from the
call stack. In the first oops shown above, the relevant line is:<br>
<pre>
EIP is at faulty_write+0x4/0x10 [faulty]
</pre>
Here we see that we were in the function <i>faulty_write</i>, which is located in the <i>faulty
</i>module (which is listed in square brackets). The hex numbers indicate that the
instruction pointer was 4 bytes into the function, which appears to be 10 (hex) bytes
long. Often that is enough to figure out what the problem is.<br>
<br>
If you need more information, the call stack shows you how you got to where things
fell apart. The stack itself is printed in hex form; with a bit of work, you can often
determine the values of local variables and function parameters from the stack listing.
Experienced kernel developers can benefit from a certain amount of pattern recognition
here; for example, if we look at the stack listing from the <i>faulty_read</i> oops:<br>
<pre>
Stack: ffffffff bfffda70 00002000 cf434f20 00000001 00000286 cf434f00 fffffff7
       bfffda70 c27fe000 c0150612 cf434f00 bfffda70 00002000 cf434f20 00000000
       00000003 00002000 c0103f8f 00000003 bfffda70 00002000 00002000 bfffda70
</pre>
The <font class="fixd">ffffffff</font> at the top of the stack is part of our string that broke things. On the
x86 architecture, by default, the user-space stack starts just below <font class="fixd">0xc0000000;</font> thus,
the recurring value <font class="fixd">0xbfffda70</font> is probably a user-space stack address; it is, in fact,
the address of the buffer passed to the <i>read </i>system call, replicated each time it is
passed down the kernel call chain. On the x86 (again, by default), kernel space starts
at <font class="fixd">0xc0000000,</font> so values above that are almost certainly kernel-space addresses, and
so on.<br>
<br>
Finally, when looking at oops listings, always be on the lookout for the "slab poisoning"
values discussed at the beginning of this chapter. Thus, for example, if you get a
kernel oops where the offending address is <font class="fixd">0xa5a5a5a5,</font> you are almost certainly forgetting
to initialize dynamic memory somewhere.<br>
<br>
Please note that you see a symbolic call stack (as shown above) only if your kernel is
built with the <font class="fixd">CONFIG_KALLSYMS</font> option turned on. Otherwise, you see a bare, hexadecimal
listing, which is far less useful until you have decoded it in other ways.<br>
<br>
<a name="SystemHangs"></a><font color="red"><b>System Hangs</b></font><br>
<br>
Although most bugs in kernel code end up as oops messages, sometimes they can
completely hang the system. If the system hangs, no message is printed. For example,<br>
<br>
<A name="97"></a><font color="blue">PAGE 97</font><br>
<br>
if the code enters an endless loop, the kernel stops scheduling,* and the system doesn't
respond to any action, including the magic Ctrl-Alt-Del combination. You have two
choices for dealing with system hangs--either prevent them beforehand or be able to
debug them after the fact.<br>
<br>
You can prevent an endless loop by inserting <i>schedule </i>invocations at strategic points.
The <i>schedule </i>call (as you might guess) invokes the scheduler and, therefore, allows
other processes to steal CPU time from the current process. If a process is looping in
kernel space due to a bug in your driver, the <i>schedule </i>calls enable you to kill the process
after tracing what is happening.<br>
<br>
You should be aware, of course, that any call to <i>schedule </i>may create an additional
source of reentrant calls to your driver, since it allows other processes to run. This
reentrancy should not normally be a problem, assuming that you have used suitable
locking in your driver. Be sure, however, not to call <i>schedule </i>any time that your
driver is holding a spinlock.<br>
<br>
If your driver really hangs the system, and you don't know where to insert <i>schedule
</i>calls, the best way to go may be to add some print messages and write them to the
console (by changing the <font class="fixd">console_loglevel</font> value if need be).<br>
<br>
Sometimes the system may appear to be hung, but it isn't. This can happen, for
example, if the keyboard remains locked in some strange way. These false hangs can
be detected by looking at the output of a program you keep running for just this purpose.
A clock or system load meter on your display is a good status monitor; as long
as it continues to update, the scheduler is working.<br>
<br>
An indispensable tool for many lockups is the "magic SysRq key," which is available
on most architectures. Magic SysRq is invoked with the combination of the Alt and
SysRq keys on the PC keyboard, or with other special keys on other platforms (see
<i>Documentation/sysrq.txt </i>for details), and is available on the serial console as well. A
third key, pressed along with these two, performs one of a number of useful actions:<br>
<dl>
<dt>r<dd>Turns off keyboard raw mode; useful in situations where a crashed application
(such as the X server) may have left your keyboard in a strange state.
<dt>k<dd>Invokes the "secure attention key" (SAK) function. SAK kills all processes running
on the current console, leaving you with a clean terminal.
<dt>s
<dd>Performs an emergency synchronization of all disks.
<dt>u
<dd>Umount. Attempts to remount all disks in a read-only mode. This operation,
usually invoked immediately after <i>s</i>, can save a lot of filesystem checking time in
cases where the system is in serious trouble.
</dl>
* Actually, multiprocessor systems still schedule on the other processors, and even a uniprocessor machine 
might reschedule if kernel preemption is enabled. For the most common case (uniprocessor with preemption
disabled), however, the system stops scheduling altogether.<br>
<br>
<A name="98"></a><font color="blue">PAGE 98</font>
<dl>
<dt>b
<dd>Boot. Immediately reboots the system. Be sure to synchronize and remount the
disks first.
<dt>p
<dd>Prints processor registers information.
<dt>t
<dd>Prints the current task list.
<dt>m
<dd>Prints memory information.
</dl>
Other magic SysRq functions exist; see <i>sysrq.txt </i>in the <i>Documentation </i>directory of
the kernel source for the full list. Note that magic SysRq must be explicitly enabled in
the kernel configuration and that most distributions do not enable it, for obvious
security reasons. For a system used to develop drivers, however, enabling magic
SysRq is worth the trouble of building a new kernel in itself. Magic SysRq may be
disabled at runtime with a command such as the following:<br>
<pre>
echo 0 &gt; /proc/sys/kernel/sysrq
</pre>
You should consider disabling it if unprivileged users can reach your system keyboard,
to prevent accidental or willing damages. Some previous kernel versions had
<i>sysrq </i>disabled by default, so you needed to enable it at runtime by writing 1 to that
same <i>/proc/sys</i> file.<br>
<br>
The <i>sysrq </i>operations are exceedingly useful, so they have been made available to system
administrators who can't reach the console. The file <i>/proc/sysrq-trigger </i>is a write only
entry point, where you can trigger a specific <i>sysrq </i>action by writing the associated
command character; you can then collect any output data from the kernel logs.
This entry point to <i>sysrq</i> is always working, even if <i>sysrq</i> is disabled on the console.<br>
<br>
If you are experiencing a "live hang," in which your driver is stuck in a loop but the
system as a whole is still functioning, there are a couple of techniques worth knowing.
Often, the SysRq <i>p </i>function points the finger directly at the guilty routine. Failing
that, you can also use the kernel profiling function. Build a kernel with profiling
enabled, and boot it with <font class="fixd">profile=2</font> on the command line. Reset the profile counters
with the <i>readprofile </i>utility, then send your driver into its loop. After a little while, use
<i>readprofile </i>again to see where the kernel is spending its time. Another more
advanced alternative is <i>oprofile</i>, that you may consider as well. The file
<i>Documentation/basic_profiling.txt </i>tells you everything you need to know to get
started with the profilers.<br>
<br>
One precaution worth using when chasing system hangs is to mount all your disks as
read-only (or unmount them). If the disks are read-only or unmounted, there's no
risk of damaging the filesystem or leaving it in an inconsistent state. Another possibility
is using a computer that mounts all of its filesystems via NFS, the network file
system. The "NFS-Root" capability must be enabled in the kernel, and special
parameters must be passed at boot time. In this case, you'll avoid filesystem corruption
without even resorting to SysRq, because filesystem coherence is managed by
the NFS server, which is not brought down by your device driver.<br>
<br>
<A name="99"></a><font color="blue">PAGE 99</font><br>
<br>
<a name="DebuggersAndRelatedTools"></a><font color="red"><b>Debuggers and Related Tools</b></font><br>
<br>
The last resort in debugging modules is using a debugger to step through the code,
watching the value of variables and machine registers. This approach is time-consuming
and should be avoided whenever possible. Nonetheless, the fine-grained perspective
on the code that is achieved through a debugger is sometimes invaluable.<br>
<br>
Using an interactive debugger on the kernel is a challenge. The kernel runs in its own
address space on behalf of all the processes on the system. As a result, a number of
common capabilities provided by user-space debuggers, such as breakpoints and single-stepping,
are harder to come by in the kernel. In this section we look at several
ways of debugging the kernel; each of them has advantages and disadvantages.<br>
<br>
<a name="UsingGdb"></a><font color="red"><b>Using gdb</b></font><br>
<br>
<i>gdb </i>can be quite useful for looking at the system internals. Proficient use of the
debugger at this level requires some confidence with <i>gdb </i>commands, some understanding
of assembly code for the target platform, and the ability to match source
code and optimized assembly.<br>
<br>
The debugger must be invoked as though the kernel were an application. In addition
to specifying the filename for the ELF kernel image, you need to provide the name of
a core file on the command line. For a running kernel, that core file is the kernel core
image, <i>/proc/kcore</i>. A typical invocation of <i>gdb</i> looks like the following:<br>
<pre>
gdb /usr/src/linux/vmlinux /proc/kcore
</pre>
The first argument is the name of the uncompressed ELF kernel executable, not the
<i>zImage</i> or <i>bzImage</i> or anything built specifically for the boot environment.<br>
<br>
The second argument on the <i>gdb </i>command line is the name of the core file. Like any
file in <i>/proc</i>, <i>/proc/kcore </i>is generated when it is read. When the <i>read </i>system call executes
in the <i>/proc </i>filesystem, it maps to a data-generation function rather than a data retrieval
one; we've already exploited this feature in the section "Using the /proc
Filesystem" earlier in this chapter. <i>kcore </i>is used to represent the kernel "executable"
in the format of a core file; it is a huge file, because it represents the whole kernel
address space, which corresponds to all physical memory. From within <i>gdb</i>, you can
look at kernel variables by issuing the standard <i>gdb </i>commands. For example, <font class="fixd">p jiffies</font>
prints the number of clock ticks from system boot to the current time.<br>
<br>
When you print data from <i>gdb</i>, the kernel is still running, and the various data items
have different values at different times; <i>gdb</i>, however, optimizes access to the core
file by caching data that has already been read. If you try to look at the <font class="fixd">jiffies</font> variable
once again, you'll get the same answer as before. Caching values to avoid extra
disk access is a correct behavior for conventional core files but is inconvenient when
a "dynamic" core image is used. The solution is to issue the command <i>core-file /proc/
kcore </i>whenever you want to flush the <i>gdb </i>cache; the debugger gets ready to use a<br>
<br>
<A name="100"></a><font color="blue">PAGE 100</font><br>
<br>
new core file and discards any old information. You won't, however, always need to
issue <i>core-file </i>when reading a new datum; <i>gdb </i>reads the core in chunks of a few kilobytes
and caches only chunks it has already referenced.<br>
<br>
Numerous capabilities normally provided by <i>gdb </i>are not available when you are
working with the kernel. For example, <i>gdb </i>is not able to modify kernel data; it
expects to be running a program to be debugged under its own control before playing
with its memory image. It is also not possible to set breakpoints or watchpoints,
or to single-step through kernel functions.<br>
<br>
Note that, in order to have symbol information available for <i>gdb</i>, you must compile
your kernel with the <font class="fixd">CONFIG_DEBUG_INFO</font> option set. The result is a far larger kernel
image on disk, but, without that information, digging through kernel variables is
almost impossible.<br>
<br>
With the debugging information available, you can learn a lot about what is going on
inside the kernel. <i>gdb </i>happily prints out structures, follows pointers, etc. One thing
that is harder, however, is examining modules. Since modules are not part of the
<i>vmlinux </i>image passed to <i>gdb</i>, the debugger knows nothing about them. Fortunately,
as of kernel 2.6.7, it is possible to teach <i>gdb </i>what it needs to know to examine loadable
modules.<br>
<br>
Linux loadable modules are ELF-format executable images; as such, they have been
divided up into numerous sections. A typical module can contain a dozen or more
sections, but there are typically three that are relevant in a debugging session:<br>
<br>
<font class="fixd">.text</font><br>
<div class="bq">
This section contains the executable code for the module. The debugger must
know where this section is to be able to give trace-backs or set breakpoints. (Neither
of these operations is relevant when running the debugger on <i>/proc/kcore</i>,
but they can useful when working with <i>kgdb</i>, described below).</div>
<br>
<font class="fixd">.bss<br>
.data</font><br>
<div class="bq">
These two sections hold the module's variables. Any variable that is not initialized
at compile time ends up in <font class="fixd">.bss,</font> while those that are initialized go into <font class="fixd">.data.</font></div>
<br>
Making <i>gdb </i>work with loadable modules requires informing the debugger about
where a given module's sections have been loaded. That information is available in
sysfs, under <i>/sys/module</i>. For example, after loading the <i>scull </i>module, the directory
<i>/sys/module/scull/sections </i>contains files with names such as <i>.text</i>; the content of each
file is the base address for that section.<br>
<br>
We are now in a position to issue a <i>gdb </i>command telling it about our module. The
command we need is <font class="fixd">add-symbol-file;</font> this command takes as parameters the name
of the module object file, the <i>.text </i>base address, and a series of optional parameters<br>
<br>
<A name="101"></a><font color="blue">PAGE 101</font><br>
<br>
describing where any other sections of interest have been put. After digging through
the module section data in sysfs, we can construct a command such as:<br>
<pre>
(gdb) <b>add-symbol-file .../scull.ko 0xd0832000 \</b>
<b>        -s .bss 0xd0837100 \</b>
<b>        -s .data 0xd0836be0</b>
</pre>
We have included a small script in the sample source (<i>gdbline</i>) that can create this
command for a given module.<br>
<br>
We can now use <i>gdb </i>to examine variables in our loadable module. Here is a quick
example taken from a <i>scull</i> debugging session:<br>
<pre>
(gdb) <b>add-symbol-file scull.ko 0xd0832000 \</b>
<b>        -s .bss 0xd0837100 \</b>
<b>        -s .data 0xd0836be0</b>
add symbol table from file &quot;scull.ko&quot; at
        .text_addr = 0xd0832000
        .bss_addr = 0xd0837100
        .data_addr = 0xd0836be0
(y or n) <b>y</b>
Reading symbols from scull.ko...done.(gdb) 
<b>p scull_devices[0]</b>
$1 = {data = 0xcfd66c50,
      quantum = 4000,
      qset = 1000,
      size = 20881,
      access_key = 0,
      ...}
</pre>
Here we see that the first <i>scull </i>device currently holds 20,881 bytes. If we wanted, we
could follow the <font class="fixd">data chain</font>, or look at anything else of interest in the module.<br>
<br>
One other useful trick worth knowing about is this:<br>
<pre>
(gdb) <b>print *(address)</b>
</pre>
Here, fill in a hex address for <font class="fixd">address;</font> the output is a file and line number for the
code corresponding to that address. This technique may be useful, for example, to
find out where a function pointer really points.<br>
<br>
We still cannot perform typical debugging tasks like setting breakpoints or modifying
data; to perform those operations, we need to use a tool like <i>kdb </i>(described next)
or <i>kgdb</i> (which we get to shortly).<br>
<br>
<a name="TheKdbKernelDebugger"></a><font color="red"><b>The kdb Kernel Debugger</b></font><br>
<br>
Many readers may be wondering why the kernel does not have any more advanced
debugging features built into it. The answer, quite simply, is that Linus does not
believe in interactive debuggers. He fears that they lead to poor fixes, those which
patch up symptoms rather than addressing the real cause of problems. Thus, no
built-in debuggers.<br>
<br>
<A name="102"></a><font color="blue">PAGE 102</font><br>
<br>
Other kernel developers, however, see an occasional use for interactive debugging
tools. One such tool is the <i>kdb </i>built-in kernel debugger, available as a nonofficial
patch from <i>oss.sgi.com</i>. To use <i>kdb</i>, you must obtain the patch (be sure to get a version
that matches your kernel version), apply it, and rebuild and reinstall the kernel.
Note that, as of this writing, <i>kdb </i>works only on IA-32 (x86) systems (though a version
for the IA-64 existed for a while in the mainline kernel source before being
removed).<br>
<br>
Once you are running a <i>kdb</i>-enabled kernel, there are a couple of ways to enter the
debugger. Pressing the Pause (or Break) key on the console starts up the debugger.
<i>kdb </i>also starts up when a kernel oops happens or when a breakpoint is hit. In any
case, you see a message that looks something like this:<br>
<pre>
Entering kdb (0xc0347b80) on processor 0 due to Keyboard Entry
[0]kdb&gt;
</pre>
Note that just about everything the kernel does stops when <i>kdb </i>is running. Nothing
else should be running on a system where you invoke <i>kdb</i>; in particular, you should
not have networking turned on--unless, of course, you are debugging a network
driver. It is generally a good idea to boot the system in single-user mode if you will be
using <i>kdb</i>.<br>
<br>
As an example, consider a quick <i>scull </i>debugging session. Assuming that the driver is
already loaded, we can tell <i>kdb</i> to set a breakpoint in <i>scull_read</i> as follows:<br>
<pre>
[0]kdb&gt; <b>bp scull_read
</b>Instruction(i) BP #0 at 0xcd087c5dc (scull_read)
    is enabled globally adjust 1
[0]kdb&gt; <b>go</b>
</pre>
The <i>bp </i>command tells <i>kdb </i>to stop the next time the kernel enters <i>scull_read</i>. You
then type <font class="fixd"><b>go</b></font> to continue execution. After putting something into one of the <i>scull
</i>devices, we can attempt to read it by running <i>cat </i>under a shell on another terminal,
yielding the following:<br>
<pre>
Instruction(i) breakpoint #0 at 0xd087c5dc (adjusted)
0xd087c5dc scull_read:          int3

Entering kdb (current=0xcf09f890, pid 1575) on processor 0 due to
Breakpoint @ 0xd087c5dc
[0]kdb&gt;
</pre>
We are now positioned at the beginning of <i>scull_read</i>. To see how we got there, we
can get a stack trace:<br>
<pre>
[0]kdb&gt; <b>bt
</b>    ESP    EIP        Function (args)
0xcdbddf74 0xd087c5dc [scull]scull_read
0xcdbddf78 0xc0150718 vfs_read+0xb8
0xcdbddfa4 0xc01509c2 sys_read+0x42
0xcdbddfc4 0xc0103fcf syscall_call+0x7
[0]kdb&gt;
</pre>
<A name="103"></a><font color="blue">PAGE 103</font><br>
<br>
<i>kdb </i>attempts to print out the arguments to every function in the call trace. It gets
confused, however, by optimization tricks used by the compiler. Therefore, it fails to
print the arguments to <i>scull_read</i>.<br>
<br>
Time to look at some data. The <i>mds </i>command manipulates data; we can query the
value of the <font class="fixd">scull_devices</font> pointer with a command such as:<br>
<pre>
[0]kdb&gt; <b>mds <font class="fixd">scull_devices</font> 1
</b>0xd0880de8 cf36ac00    ....
</pre>
Here we asked for one (4-byte) word of data starting at the location of scull_devices;
the answer tells us that our device array is at the address <font class="fixd">0xd0880de8;</font> the first device
structure itself is at <font class="fixd">0xcf36ac00.</font> To look at that device structure, we need to use that
address:<br>
<pre>
[0]kdb&gt; <b>mds cf36ac00
</b>0xcf36ac00 ce137dbc ....
0xcf36ac04 00000fa0 ....
0xcf36ac08 000003e8 ....
0xcf36ac0c 0000009b ....
0xcf36ac10 00000000 ....
0xcf36ac14 00000001 ....
0xcf36ac18 00000000 ....
0xcf36ac1c 00000001 ....
</pre>
The eight lines here correspond to the beginning part of the <font class="fixd">scull_dev</font> structure.
Therefore, we see that the memory for the first device is allocated at <font class="fixd">0xce137dbc,</font> the
quantum is 4000 (hex <font class="fixd">fa0</font>), the quantum set size is 1000 (hex <font class="fixd">3e8</font>), and there are currently
155 (hex <font class="fixd">9b</font>) bytes stored in the device.<br>
<br>
<i>kdb </i>can change data as well. Suppose we wanted to trim some of the data from the
device:<br>
<pre>
[0]kdb&gt;<b> mm cf36ac0c 0x50
</b>0xcf26ac0c = 0x50
</pre>
A subsequent <i>cat</i> on the device will now return less data than before.<br>
<br>
<i>kdb </i>has a number of other capabilities, including single-stepping (by instructions, not
lines of C source code), setting breakpoints on data access, disassembling code, stepping
through linked lists, accessing register data, and more. After you have applied the
<i>kdb </i>patch, a full set of manual pages can be found in the <i>Documentation/kdb </i>directory
in your kernel source tree.<br>
<br>
<a name="TheKgdbPatches"></a><font color="red"><b>The kgdb Patches</b></font><br>
<br>
The two interactive debugging approaches we have looked at so far (using <i>gdb </i>on
<i>/proc/kcore </i>and <i>kdb</i>) both fall short of the sort of environment that user-space application
developers have become used to. Wouldn't it be nice if there were a true
debugger for the kernel that supported features like changing variables, breakpoints,
etc.?<br>
<br>
<A name="104"></a><font color="blue">PAGE 104</font><br>
<br>
As it turns out, such a solution does exist. There are, as of this writing, two separate
patches in circulation that allow <i>gdb</i>, with full capabilities, to be run against the kernel.
Confusingly, both of these patches are called <i>kgdb</i>. They work by separating the
system running the test kernel from the system running the debugger; the two are
typically connected via a serial cable. Therefore, the developer can run <i>gdb </i>on his or
her stable desktop system, while operating on a kernel running on a sacrificial test
box. Setting up <i>gdb </i>in this mode takes a little time at the outset, but that investment
can pay off quickly when a difficult bug shows up.<br>
<br>
These patches are in a strong state of flux, and may even be merged at some point, so
we avoid saying much about them beyond where they are and their basic features.
Interested readers are encouraged to look and see the current state of affairs.<br>
<br>
The first <i>kgdb </i>patch is currently found in the <font class="fixd">-mm</font> kernel tree--the staging area for
patches on their way into the 2.6 mainline. This version of the patch supports the
x86, SuperH, ia64, x86_64, SPARC, and 32-bit PPC architectures. In addition to the
usual mode of operation over a serial port, this version of <i>kgdb </i>can also communicate
over a local-area network. It is simply a matter of enabling the Ethernet mode
and booting with the <font class="fixd">kgdboe</font> parameter set to indicate the IP address from which
debugging commands can originate. The documentation under <i>Documentation/i386/
kgdb</i> describes how to set things up.*<br>
<br>
As an alternative, you can use the <i>kgdb </i>patch found on <a href="http://kgdb.sf.net/" target="_blank"><i>http://kgdb.sf.net/</i></a>. This version
of the debugger does not support the network communication mode (though
that is said to be under development), but it does have some built-in support for
working with loadable modules. It supports the x86, x86_64, PowerPC, and S/390
architectures.<br>
<br>
<a name="TheUserModeLinuxPort"></a><font color="red"><b>The User-Mode Linux Port</b></font><br>
<br>
User-Mode Linux (UML) is an interesting concept. It is structured as a separate port
of the Linux kernel with its own <i>arch/um </i>subdirectory. It does not run on a new type
of hardware, however; instead, it runs on a virtual machine implemented on the
Linux system call interface. Thus, UML allows the Linux kernel to run as a separate,
user-mode process on a Linux system.<br>
<br>
Having a copy of the kernel running as a user-mode process brings a number of
advantages. Because it is running on a constrained, virtual processor, a buggy kernel
cannot damage the "real" system. Different hardware and software configurations can
be tried easily on the same box. And, perhaps most significantly for kernel developers,
the user-mode kernel can be easily manipulated with <i>gdb </i>or another debugger.<br>
<br>
* It does neglect to point out that you should have your network adapter driver built into the kernel, however, 
or the debugger fails to find it at boot time and will shut itself down.<br>
<br>
<A name="105"></a><font color="blue">PAGE 105</font><br>
<br>
After all, it is just another process. UML clearly has the potential to accelerate kernel
development.<br>
<br>
However, UML has a big shortcoming from the point of view of driver writers: the
user-mode kernel has no access to the host system's hardware. Thus, while it can be
useful for debugging most of the sample drivers in this book, UML is not yet useful
for debugging drivers that have to deal with real hardware.<br>
<br>
See <a href="http://user-mode-linux.sf.net/" target="_blank"><i>http://user-mode-linux.sf.net/</i></a> for more information on UML.<br>
<br>
<a name="TheLinuxTraceToolkit"></a><font color="red"><b>The Linux Trace Toolkit</b></font><br>
<br>
The Linux Trace Toolkit (LTT) is a kernel patch and a set of related utilities that
allow the tracing of events in the kernel. The trace includes timing information and
can create a reasonably complete picture of what happened over a given period of
time. Thus, it can be used not only for debugging but also for tracking down performance
problems.<br>
<br>
LTT, along with extensive documentation, can be found at <a href="http://www.opersys.com/LTT" target="_blank"><i>http://www.opersys.com/LTT</i></a>.<br>
<br>
<a name="DynamicProbes"></a><font color="red"><b>Dynamic Probes</b></font><br>
<br>
Dynamic Probes (or DProbes) is a debugging tool released (under the GPL) by IBM
for Linux on the IA-32 architecture. It allows the placement of a "probe" at almost
any place in the system, in both user and kernel space. The probe consists of some
code (written in a specialized, stack-oriented language) that is executed when control
hits the given point. This code can report information back to user space, change
registers, or do a number of other things. The useful feature of DProbes is that once
the capability has been built into the kernel, probes can be inserted anywhere within
a running system without kernel builds or reboots. DProbes can also work with the
LTT to insert new tracing events at arbitrary locations.<br>
<br>
The DProbes tool can be downloaded from IBM's open source site: <a href="http://oss.software.ibm.com" target="_blank"><i>http://oss.software.ibm.com</i></a>.<br>
<br>
<A name="106"></a><font color="blue">PAGE 106</font><br>
<br>
<a name="CHAPTER5"></a><font color="red"><b>CHAPTER 5</b></font><br>
<br>
<a name="ConcurrencyAndRacebrConditions"></a><font color="#7519FF" size="+1"><b>Concurrency and Race Conditions</b></font><br>
<br>
Thus far, we have paid little attention to the problem of concurrency--i.e., what
happens when the system tries to do more than one thing at once. The management
of concurrency is, however, one of the core problems in operating systems programming.
Concurrency-related bugs are some of the easiest to create and some of the
hardest to find. Even expert Linux kernel programmers end up creating concurrency-related
bugs on occasion.<br>
<br>
In early Linux kernels, there were relatively few sources of concurrency. Symmetric
multiprocessing (SMP) systems were not supported by the kernel, and the only cause
of concurrent execution was the servicing of hardware interrupts. That approach
offers simplicity, but it no longer works in a world that prizes performance on systems
with more and more processors, and that insists that the system respond to
events quickly. In response to the demands of modern hardware and applications,
the Linux kernel has evolved to a point where many more things are going on simultaneously.
This evolution has resulted in far greater performance and scalability. It
has also, however, significantly complicated the task of kernel programming. Device
driver programmers must now factor concurrency into their designs from the beginning,
and they must have a strong understanding of the facilities provided by the kernel
for concurrency management.<br>
<br>
The purpose of this chapter is to begin the process of creating that understanding.
To that end, we introduce facilities that are immediately applied to the <i>scull </i>driver
from Chapter 3. Other facilities presented here are not put to use for some time yet.
But first, we take a look at what could go wrong with our simple <i>scull </i>driver and how
to avoid these potential problems.<br>
<br>
<A name="107"></a><font color="blue">PAGE 107</font><br>
<br>
<a name="PitfallsInScull"></a><font color="red"><b>Pitfalls in scull</b></font><br>
<br>
Let us take a quick look at a fragment of the <i>scull </i>memory management code. Deep
down inside the <i>write </i>logic, <i>scull </i>must decide whether the memory it requires has
been allocated yet or not. One piece of the code that handles this task is:<br>
<pre>
    if (!dptr-&gt;data[s_pos]) {
        dptr-&gt;data[s_pos] = kmalloc(quantum, GFP_KERNEL);
        if (!dptr-&gt;data[s_pos])
            goto out;
    }
</pre>
Suppose for a moment that two processes (we'll call them "A" and "B") are independently
attempting to write to the same offset within the same <i>scull </i>device. Each process
reaches the if test in the first line of the fragment above at the same time. If the
pointer in question is <font class="fixd">NULL,</font> each process will decide to allocate memory, and each
will assign the resulting pointer to <font class="fixd">dptr-&gt;data[s_pos].</font> Since both processes are
assigning to the same location, clearly only one of the assignments will prevail.<br>
<br>
What will happen, of course, is that the process that completes the assignment second
will "win." If process A assigns first, its assignment will be overwritten by process
B. At that point, <i>scull </i>will forget entirely about the memory that A allocated; it
only has a pointer to B's memory. The memory allocated by A, thus, will be dropped
and never returned to the system.<br>
<br>
This sequence of events is a demonstration of a <i>race condition</i>. Race conditions are a
result of uncontrolled access to shared data. When the wrong access pattern happens,
something unexpected results. For the race condition discussed here, the result
is a memory leak. That is bad enough, but race conditions can often lead to system
crashes, corrupted data, or security problems as well. Programmers can be tempted
to disregard race conditions as extremely low probability events. But, in the computing
world, one-in-a-million events can happen every few seconds, and the consequences
can be grave.<br>
<br>
We will eliminate race conditions from <i>scull </i>shortly, but first we need to take a more
general view of concurrency.<br>
<br>
<a name="ConcurrencyAndItsManagement"></a><font color="red"><b>Concurrency and Its Management</b></font><br>
<br>
In a modern Linux system, there are numerous sources of concurrency and, therefore,
possible race conditions. Multiple user-space processes are running, and they
can access your code in surprising combinations of ways. SMP systems can be executing
your code simultaneously on different processors. Kernel code is preemptible;
your driver's code can lose the processor at any time, and the process that replaces it
could also be running in your driver. Device interrupts are asynchronous events that
can cause concurrent execution of your code. The kernel also provides various mechanisms
for delayed code execution, such as workqueues, tasklets, and timers, which<br>
<br>
<A name="108"></a><font color="blue">PAGE 108</font><br>
<br>
can cause your code to run at any time in ways unrelated to what the current process
is doing. In the modern, hot-pluggable world, your device could simply disappear
while you are in the middle of working with it.<br>
<br>
Avoidance of race conditions can be an intimidating task. In a world where anything
can happen at any time, how does a driver programmer avoid the creation of absolute
chaos? As it turns out, most race conditions can be avoided through some
thought, the kernel's concurrency control primitives, and the application of a few
basic principles. We'll start with the principles first, then get into the specifics of
how to apply them.<br>
<br>
Race conditions come about as a result of shared access to resources. When two
threads of execution* have a reason to work with the same data structures (or hardware
resources), the potential for mixups always exists. So the first rule of thumb to
keep in mind as you design your driver is to avoid shared resources whenever possible.
If there is no concurrent access, there can be no race conditions. So carefully written
kernel code should have a minimum of sharing. The most obvious application
of this idea is to avoid the use of global variables. If you put a resource in a place
where more than one thread of execution can find it, there should be a strong reason
for doing so.<br>
<br>
The fact of the matter is, however, that such sharing is often required. Hardware
resources are, by their nature, shared, and software resources also must often be
available to more than one thread. Bear in mind as well that global variables are far
from the only way to share data; any time your code passes a pointer to some other
part of the kernel, it is potentially creating a new sharing situation. Sharing is a fact
of life.<br>
<br>
Here is the hard rule of resource sharing: any time that a hardware or software
resource is shared beyond a single thread of execution, and the possibility exists that
one thread could encounter an inconsistent view of that resource, you must explicitly
manage access to that resource. In the <i>scull </i>example above, process B's view of
the situation is inconsistent; unaware that process A has already allocated memory
for the (shared) device, it performs its own allocation and overwrites A's work. In
this case, we must control access to the <i>scull </i>data structure. We need to arrange
things so that the code either sees memory that has been allocated or knows that no
memory has been <i>or will be </i>allocated by anybody else. The usual technique for
access management is called <i>locking </i>or <i>mutual exclusion</i>--making sure that only one
thread of execution can manipulate a shared resource at any time. Much of the rest
of this chapter will be devoted to locking.<br>
<br>
* For the purposes of this chapter, a "thread" of execution is any context that is running code. Each process is
clearly a thread of execution, but so is an interrupt handler or other code running in response to an asynchronous
kernel event.<br>
<br>
<A name="109"></a><font color="blue">PAGE 109</font><br>
<br>
First, however, we must briefly consider one other important rule. When kernel code
creates an object that will be shared with any other part of the kernel, that object
must continue to exist (and function properly) until it is known that no outside references
to it exist. The instant that <i>scull </i>makes its devices available, it must be prepared
to handle requests on those devices. And <i>scull </i>must continue to be able to
handle requests on its devices until it knows that no reference (such as open userspace
files) to those devices exists. Two requirements come out of this rule: no object
can be made available to the kernel until it is in a state where it can function properly,
and references to such objects must be tracked. In most cases, you'll find that
the kernel handles reference counting for you, but there are always exceptions.<br>
<br>
Following the above rules requires planning and careful attention to detail. It is easy
to be surprised by concurrent access to resources you hadn't realized were shared.
With some effort, however, most race conditions can be headed off before they bite
you--or your users.<br>
<br>
<a name="SemaphoresAndMutexes"></a><font color="red"><b>Semaphores and Mutexes</b></font><br>
<br>
So let us look at how we can add locking to <i>scull</i>. Our goal is to make our operations
on the <i>scull </i>data structure <i>atomic</i>, meaning that the entire operation happens at once
as far as other threads of execution are concerned. For our memory leak example, we
need to ensure that if one thread finds that a particular chunk of memory must be
allocated, it has the opportunity to perform that allocation before any other thread
can make that test. To this end, we must set up <i>critical sections</i>: code that can be executed
by only one thread at any given time.<br>
<br>
Not all critical sections are the same, so the kernel provides different primitives for
different needs. In this case, every access to the <i>scull </i>data structure happens in process
context as a result of a direct user request; no accesses will be made from interrupt
handlers or other asynchronous contexts. There are no particular latency
(response time) requirements; application programmers understand that I/O
requests are not usually satisfied immediately. Furthermore, the <i>scull </i>is not holding
any other critical system resource while it is accessing its own data structures. What
all this means is that if the <i>scull </i>driver goes to sleep while waiting for its turn to
access the data structure, nobody is going to mind.<br>
<br>
"Go to sleep" is a well-defined term in this context. When a Linux process reaches a
point where it cannot make any further processes, it goes to sleep (or "blocks"),
yielding the processor to somebody else until some future time when it can get work
done again. Processes often sleep when waiting for I/O to complete. As we get
deeper into the kernel, we will encounter a number of situations where we cannot
sleep. The <i>write </i>method in <i>scull </i>is not one of those situations, however. So we can
use a locking mechanism that might cause the process to sleep while waiting for
access to the critical section.<br>
<br>
<A name="110"></a><font color="blue">PAGE 110</font><br>
<br>
Just as importantly, we will be performing an operation (memory allocation with
<i>kmalloc</i>) that could sleep--so sleeps are a possibility in any case. If our critical sections
are to work properly, we must use a locking primitive that works when a thread
that owns the locksleeps. Not all locking mechanisms can be used where sleeping is
a possibility (we'll see some that don't later in this chapter). For our present needs,
however, the mechanism that fits best is a <i>semaphore</i>.<br>
<br>
Semaphores are a well-understood concept in computer science. At its core, a semaphore
is a single integer value combined with a pair of functions that are typically
called <i>P </i>and <i>V</i>. A process wishing to enter a critical section will call <i>P </i>on the relevant
semaphore; if the semaphore's value is greater than zero, that value is decremented
by one and the process continues. If, instead, the semaphore's value is 0 (or less), the
process must wait until somebody else releases the semaphore. Unlocking a semaphore
is accomplished by calling <i>V</i>; this function increments the value of the semaphore
and, if necessary, wakes up processes that are waiting.<br>
<br>
When semaphores are used for <i>mutual exclusion</i>--keeping multiple processes from
running within a critical section simultaneously--their value will be initially set to 1.
Such a semaphore can be held only by a single process or thread at any given time. A
semaphore used in this mode is sometimes called a <i>mutex</i>, which is, of course, an
abbreviation for "mutual exclusion." Almost all semaphores found in the Linux kernel
are used for mutual exclusion.<br>
<br>
<a name="TheLinuxSemaphoreImplementation"></a><font color="red"><b>The Linux Semaphore Implementation</b></font><br>
<br>
The Linux kernel provides an implementation of semaphores that conforms to the
above semantics, although the terminology is a little different. To use semaphores,
kernel code must include <i>&lt;asm/semaphore.h&gt;</i>. The relevant type is <font class="fixd">struct semaphore;</font>
actual semaphores can be declared and initialized in a few ways. One is to create a
semaphore directly, then set it up with <i>sema_init</i>:<br>
<pre>
void sema_init(struct semaphore *sem, int val);
</pre>
where <font class="fixd">val</font> is the initial value to assign to a semaphore.<br>
<br>
Usually, however, semaphores are used in a mutex mode. To make this common
case a little easier, the kernel has provided a set of helper functions and macros.
Thus, a mutex can be declared and initialized with one of the following:<br>
<pre>
DECLARE_MUTEX(name);
DECLARE_MUTEX_LOCKED(name);
</pre>
Here, the result is a semaphore variable (called <font class="fixd">name</font>) that is initialized to 1 (with
<font class="fixd">DECLARE_MUTEX</font>) or 0 (with <font class="fixd">DECLARE_MUTEX_LOCKED</font>). In the latter case, the mutex starts
out in a locked state; it will have to be explicitly unlocked before any thread will be
allowed access.<br>
<br>
<A name="111"></a><font color="blue">PAGE 111</font><br>
<br>
If the mutex must be initialized at runtime (which is the case if it is allocated dynamically,
for example), use one of the following:<br>
<pre>
void init_MUTEX(struct semaphore *sem);
void init_MUTEX_LOCKED(struct semaphore *sem);
</pre>
In the Linux world, the <i>P </i>function is called <i>down</i>--or some variation of that name.
Here, "down" refers to the fact that the function decrements the value of the semaphore
and, perhaps after putting the caller to sleep for a while to wait for the semaphore
to become available, grants access to the protected resources. There are three
versions of <i>down</i>:<br>
<pre>
void down(struct semaphore *sem);
int down_interruptible(struct semaphore *sem);
int down_trylock(struct semaphore *sem);
</pre>
<i>down </i>decrements the value of the semaphore and waits as long as need 
be. <i>down_interruptible </i>does the same, but the operation is interruptible. The interruptible version
is almost always the one you will want; it allows a user-space process that is
waiting on a semaphore to be interrupted by the user. You do not, as a general rule,
want to use noninterruptible operations unless there truly is no alternative. Noninterruptible
operations are a good way to create unkillable processes (the dreaded
"D state" seen in <i>ps</i>), and annoy your users. Using <i>down_interruptible </i>requires some
extra care, however, if the operation is interrupted, the function returns a nonzero
value, and the caller does <i>not </i>hold the semaphore. Proper use of <i>down_interruptible
</i>requires always checking the return value and responding accordingly.<br>
<br>
The final version (<i>down_trylock</i>) never sleeps; if the semaphore is not available at the
time of the call, <i>down_trylock</i> returns immediately with a nonzero return value.<br>
<br>
Once a thread has successfully called one of the versions of <i>down</i>, it is said to be
"holding" the semaphore (or to have "taken out" or "acquired" the semaphore).
That thread is now entitled to access the critical section protected by the semaphore.
When the operations requiring mutual exclusion are complete, the semaphore must
be returned. The Linux equivalent to <i>V</i> is <i>up</i>:<br>
<pre>
void up(struct semaphore *sem);
</pre>
Once <i>up</i> has been called, the caller no longer holds the semaphore.<br>
<br>
As you would expect, any thread that takes out a semaphore is required to release it
with one (and only one) call to <i>up</i>. Special care is often required in error paths; if an
error is encountered while a semaphore is held, that semaphore must be released
before returning the error status to the caller. Failure to free a semaphore is an easy
error to make; the result (processes hanging in seemingly unrelated places) can be
hard to reproduce and track down.<br>
<br>
<A name="112"></a><font color="blue">PAGE 112</font><br>
<br>
<a name="UsingSemaphoresInScull"></a><font color="red"><b>Using Semaphores in scull</b></font><br>
<br>
The semaphore mechanism gives <i>scull </i>a tool that can be used to avoid race conditions
while accessing the <font class="fixd">scull_dev</font> data structure. But it is up to us to use that tool
correctly. The keys to proper use of locking primitives are to specify exactly which
resources are to be protected and to make sure that every access to those resources
uses the proper locking. In our example driver, everything of interest is contained
within the <font class="fixd">scull_dev</font> structure, so that is the logical scope for our locking regime.<br>
<br>
Let's look again at that structure:<br>
<pre>
struct scull_dev {
    struct scull_qset *data;  /* Pointer to first quantum set */
    int quantum;              /* the current quantum size */
    int qset;                 /* the current array size */
    unsigned long size;       /* amount of data stored here */
    unsigned int access_key;  /* used by sculluid and scullpriv */
    struct semaphore sem;     /* mutual exclusion semaphore     */
    struct cdev cdev;     /* Char device structure      */
};
</pre>
Toward the bottom of the structure is a member called <font class="fixd">sem</font> which is, of course, our
semaphore. We have chosen to use a separate semaphore for each virtual <i>scull
</i>device. It would have been equally correct to use a single, global semaphore. The various
<i>scull </i>devices share no resources in common, however, and there is no reason to
make one process wait while another process is working with a different <i>scull </i>device.
Using a separate semaphore for each device allows operations on different devices to
proceed in parallel and, therefore, improves performance.<br>
<br>
Semaphores must be initialized before use. <i>scull </i>performs this initialization at load
time in this loop:<br>
<pre>
    for (i = 0; i &lt; scull_nr_devs; i++) {
        scull_devices[i].quantum = scull_quantum;
        scull_devices[i].qset = scull_qset;
        init_MUTEX(&amp;scull_devices[i].sem);
        scull_setup_cdev(&amp;scull_devices[i], i);
    }
</pre>
Note that the semaphore must be initialized <i>before </i>the <i>scull </i>device is made available
to the rest of the system. Therefore, <i>init_MUTEX </i>is called before <i>scull_setup_cdev</i>.
Performing these operations in the opposite order would create a race condition
where the semaphore could be accessed before it is ready.<br>
<br>
Next, we must go through the code and make sure that no accesses to the <font class="fixd">scull_dev</font>
data structure are made without holding the semaphore. Thus, for example, <i>scull_write
</i>begins with this code:<br>
<pre>
    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;
</pre>
<A name="113"></a><font color="blue">PAGE 113</font><br>
<br>
Note the check on the return value of <i>down_interruptible</i>; if it returns nonzero, the operation
was interrupted. The usual thing to do in this situation is to return <font class="fixd">-ERESTARTSYS</font>.
Upon seeing this return code, the higher layers of the kernel will either restart the call
from the beginning or return the error to the user. If you return <font class="fixd">-ERESTARTSYS</font>, you must
first undo any user-visible changes that might have been made, so that the right thing
happens when the system call is retried. If you cannot undo things in this manner, you
should return <font class="fixd">-EINTR</font> instead.<br>
<br>
<i>scull_write </i>must release the semaphore whether or not it was able to carry out its
other tasks successfully. If all goes well, execution falls into the final few lines of the
function:<br>
<pre>
out:
  up(&amp;dev-&gt;sem);
  return retval;
</pre>
This code frees the semaphore and returns whatever status is called for. There are
several places in <i>scull_write </i>where things can go wrong; these include memory allocation
failures or a fault while trying to copy data from user space. In those cases, the
code performs a <font class="fixd">goto out,</font> ensuring that the proper cleanup is done.<br>
<br>
<a name="ReaderWriterSemaphores"></a><font color="red"><b>Reader/Writer Semaphores</b></font><br>
<br>
Semaphores perform mutual exclusion for all callers, regardless of what each thread
may want to do. Many tasks break down into two distinct types of work, however:
tasks that only need to read the protected data structures and those that must make
changes. It is often possible to allow multiple concurrent readers, as long as nobody
is trying to make any changes. Doing so can optimize performance significantly;
read-only tasks can get their work done in parallel without having to wait for other
readers to exit the critical section.<br>
<br>
The Linux kernel provides a special type of semaphore called a <i>rwsem </i>(or "reader/writer
semaphore") for this situation. The use of rwsems in drivers is relatively rare, but they
are occasionally useful.<br>
<br>
Code using rwsems must include <i>&lt;linux/rwsem.h&gt;</i>. The relevant data type for
reader/writer semaphores is struct rw_semaphore; an rwsem must be explicitly initialized
at runtime with:<br>
<pre>
void init_rwsem(struct rw_semaphore *sem);
</pre>
A newly initialized rwsem is available for the next task(reader or writer) that comes
along. The interface for code needing read-only access is:<br>
<pre>
void down_read(struct rw_semaphore *sem);
int down_read_trylock(struct rw_semaphore *sem);
void up_read(struct rw_semaphore *sem);
</pre>
A call to <i>down_read </i>provides read-only access to the protected resources, possibly
concurrently with other readers. Note that <i>down_read </i>may put the calling process<br>
<br>
<A name="114"></a><font color="blue">PAGE 114</font><br>
<br>
into an uninterruptible sleep. <i>down_read_trylock </i>will not wait if read access is
unavailable; it returns nonzero if access was granted, 0 otherwise. Note that the convention
for <i>down_read_trylock </i>differs from that of most kernel functions, where success
is indicated by a return value of 0. A rwsem obtained with <i>down_read </i>must
eventually be freed with <i>up_read</i>.<br>
<br>
The interface for writers is similar:<br>
<pre>
void down_write(struct rw_semaphore *sem);
int down_write_trylock(struct rw_semaphore *sem);
void up_write(struct rw_semaphore *sem);
void downgrade_write(struct rw_semaphore *sem);
</pre>
<i>down_write</i>, <i>down_write_trylock</i>, and <i>up_write </i>all behave just like their reader counterparts,
except, of course, that they provide write access. If you have a situation
where a writer lockis needed for a quick change, followed by a longer period of readonly
access, you can use <i>downgrade_write </i>to allow other readers in once you have
finished making changes.<br>
<br>
An rwsem allows either one writer or an unlimited number of readers to hold the
semaphore. Writers get priority; as soon as a writer tries to enter the critical section,
no readers will be allowed in until all writers have completed their work. This implementation
can lead to reader <i>starvation</i>--where readers are denied access for a long
time--if you have a large number of writers contending for the semaphore. For this
reason, rwsems are best used when write access is required only rarely, and writer
access is held for short periods of time.<br>
<br>
<a name="Completions"></a><font color="red"><b>Completions</b></font><br>
<br>
A common pattern in kernel programming involves initiating some activity outside of
the current thread, then waiting for that activity to complete. This activity can be the
creation of a new kernel thread or user-space process, a request to an existing process,
or some sort of hardware-based action. It such cases, it can be tempting to use a
semaphore for synchronization of the two tasks, with code such as:<br>
<br>
struct semaphore sem;<br>
<pre>
init_MUTEX_LOCKED(&amp;sem);
start_external_task(&amp;sem);
down(&amp;sem);
</pre>
The external task can then call <font class="fixd">up(&amp;sem)</font> when its work is done.<br>
<br>
As is turns out, semaphores are not the best tool to use in this situation. In normal use,
code attempting to locka semaphore finds that semaphore available almost all the
time; if there is significant contention for the semaphore, performance suffers and the
locking scheme needs to be reviewed. So semaphores have been heavily optimized for
the "available" case. When used to communicate task completion in the way shown
above, however, the thread calling <i>down </i>will almost always have to wait; performance<br>
<br>
<A name="115"></a><font color="blue">PAGE 115</font><br>
<br>
will suffer accordingly. Semaphores can also be subject to a (difficult) race condition
when used in this way if they are declared as automatic variables. In some cases, the
semaphore could vanish before the process calling <i>up</i> is finished with it.<br>
<br>
These concerns inspired the addition of the "completion" interface in the 2.4.7 kernel.
Completions are a lightweight mechanism with one task: allowing one thread to
tell another that the job is done. To use completions, your code must include <i>&lt;linux/
completion.h&gt;</i>. A completion can be created with:<br>
<pre>
DECLARE_COMPLETION(my_completion);
</pre>
Or, if the completion must be created and initialized dynamically:<br>
<pre>
struct completion my_completion;
/* ... */
init_completion(&amp;my_completion);
</pre>
Waiting for the completion is a simple matter of calling:<br>
<pre>
void wait_for_completion(struct completion *c);
</pre>
Note that this function performs an uninterruptible wait. If your code calls <i>wait_for_
completion </i>and nobody ever completes the task, the result will be an unkillable
process.*<br>
<br>
On the other side, the actual completion event may be signalled by calling one of the
following:<br>
<pre>
void complete(struct completion *c);
void complete_all(struct completion *c);
</pre>
The two functions behave differently if more than one thread is waiting for the same
completion event. <i>complete </i>wakes up only one of the waiting threads while
<i>complete_all </i>allows all of them to proceed. In most cases, there is only one waiter,
and the two functions will produce an identical result.<br>
<br>
A completion is normally a one-shot device; it is used once then discarded. It is possible,
however, to reuse completion structures if proper care is taken. If <i>complete_all
</i>is not used, a completion structure can be reused without any problems as long as
there is no ambiguity about what event is being signalled. If you use <i>complete_all</i>,
however, you must reinitialize the completion structure before reusing it. The macro:<br>
<pre>
INIT_COMPLETION(struct completion c);
</pre>
can be used to quickly perform this reinitialization.<br>
<br>
As an example of how completions may be used, consider the <i>complete </i>module, which
is included in the example source. This module defines a device with simple semantics:
any process trying to read from the device will wait (using <i>wait_for_completion</i>)<br>
<br>
* As of this writing, patches adding interruptible versions were in circulation but had not been merged into the mainline.<br>
<br>
<A name="116"></a><font color="blue">PAGE 116</font><br>
<br>
until some other process writes to the device. The code which implements this behavior
is:<br>
<pre>
DECLARE_COMPLETION(comp);

ssize_t complete_read (struct file *filp, char __user *buf, size_t count, loff_t
*pos)
{
    printk(KERN_DEBUG &quot;process %i (%s) going to sleep\n&quot;,
            current-&gt;pid, current-&gt;comm);
    wait_for_completion(&amp;comp);
    printk(KERN_DEBUG &quot;awoken %i (%s)\n&quot;, current-&gt;pid, current-&gt;comm);
    return 0; /* EOF */
}

ssize_t complete_write (struct file *filp, const char __user *buf, size_t count,
        loff_t *pos)
{
    printk(KERN_DEBUG &quot;process %i (%s) awakening the readers...\n&quot;,
            current-&gt;pid, current-&gt;comm);
    complete(&amp;comp);
    return count; /* succeed, to avoid retrial */
}
</pre>
It is possible to have multiple processes "reading" from this device at the same time.
Each write to the device will cause exactly one read operation to complete, but there
is no way to know which one it will be.<br>
<br>
A typical use of the completion mechanism is with kernel thread termination at module
exit time. In the prototypical case, some of the driver internal workings is performed
by a kernel thread in a <font class="fixd">while (1)</font> loop. When the module is ready to be
cleaned up, the exit function tells the thread to exit and then waits for completion.
To this aim, the kernel includes a specific function to be used by the thread:<br>
<pre>
void complete_and_exit(struct completion *c, long retval);
</pre>
<a name="Spinlocks"></a><font color="red"><b>Spinlocks</b></font><br>
<br>
Semaphores are a useful tool for mutual exclusion, but they are not the only such
tool provided by the kernel. Instead, most locking is implemented with a mechanism
called a <i>spinlock</i>. Unlike semaphores, spinlocks may be used in code that cannot
sleep, such as interrupt handlers. When properly used, spinlocks offer higher
performance than semaphores in general. They do, however, bring a different set of
constraints on their use.<br>
<br>
Spinlocks are simple in concept. A spinlock is a mutual exclusion device that can
have only two values: "locked" and "unlocked." It is usually implemented as a single
bit in an integer value. Code wishing to take out a particular lock tests the relevant
bit. If the lockis available, the "locked" bit is set and the code continues into the critical
section. If, instead, the lockhas been taken by somebody else, the code goes into<br>
<br>
<A name="117"></a><font color="blue">PAGE 117</font><br>
<br>
a tight loop where it repeatedly checks the lock until it becomes available. This loop
is the "spin" part of a spinlock.<br>
<br>
Of course, the real implementation of a spinlock is a bit more complex than the
description above. The "test and set" operation must be done in an atomic manner
so that only one thread can obtain the lock, even if several are spinning at any given
time. Care must also be taken to avoid deadlocks on <i>hyperthreaded </i>processors-chips
that implement multiple, virtual CPUs sharing a single processor core and
cache. So the actual spinlock implementation is different for every architecture that
Linux supports. The core concept is the same on all systems, however, when there is
contention for a spinlock, the processors that are waiting execute a tight loop and
accomplish no useful work.<br>
<br>
Spinlocks are, by their nature, intended for use on multiprocessor systems, although
a uniprocessor workstation running a preemptive kernel behaves like SMP, as far as
concurrency is concerned. If a nonpreemptive uniprocessor system ever went into a
spin on a lock, it would spin forever; no other thread would ever be able to obtain
the CPU to release the lock. For this reason, spinlock operations on uniprocessor systems
without preemption enabled are optimized to do nothing, with the exception of
the ones that change the IRQ masking status. Because of preemption, even if you
never expect your code to run on an SMP system, you still need to implement proper
locking.<br>
<br>
<a name="IntroductionToTheSpinlockAPI"></a><font color="red"><b>Introduction to the Spinlock API</b></font><br>
<br>
The required include file for the spinlock primitives is <i>&lt;linux/spinlock.h&gt;</i>. An actual
lockhas the type <font class="fixd">spinlock_t</font>. Like any other data structure, a spinlock must be initialized.
This initialization may be done at compile time as follows:<br>
<pre>
spinlock_t my_lock = SPIN_LOCK_UNLOCKED;
</pre>
or at runtime with:<br>
<pre>
void spin_lock_init(spinlock_t *lock);
</pre>
Before entering a critical section, your code must obtain the requisite lock with:<br>
<pre>
void spin_lock(spinlock_t *lock);
</pre>
Note that all spinlock waits are, by their nature, uninterruptible. Once you call
<i>spin_lock</i>, you will spin until the lock becomes available.<br>
<br>
To release a lock that you have obtained, pass it to:<br>
<pre>
void spin_unlock(spinlock_t *lock);
</pre>
There are many other spinlock-functions, and we will look at them all shortly. But
none of them depart from the core idea shown by the functions listed above. There is
very little that one can do with a lock, other than lock and release it. However, there<br>
<br>
<A name="118"></a><font color="blue">PAGE 118</font><br>
<br>
are a few rules about how you must work with spinlocks. We will take a moment to
look at those before getting into the full spinlock interface.<br>
<br>
<a name="SpinlocksAndAtomicContext"></a><font color="red"><b>Spinlocks and Atomic Context</b></font><br>
<br>
Imagine for a moment that your driver acquires a spinlock and goes about its business
within its critical section. Somewhere in the middle, your driver loses the processor.
Perhaps it has called a function (<i>copy_from_user</i>, say) that puts the process to
sleep. Or, perhaps, kernel preemption kicks in, and a higher-priority process pushes
your code aside. Your code is now holding a lockthat it will not release any time in
the foreseeable future. If some other thread tries to obtain the same lock, it will, in
the best case, wait (spinning in the processor) for a very long time. In the worst case,
the system could deadlock entirely.<br>
<br>
Most readers would agree that this scenario is best avoided. Therefore, the core rule
that applies to spinlocks is that any code must, while holding a spinlock, be atomic.
It cannot sleep; in fact, it cannot relinquish the processor for any reason except to
service interrupts (and sometimes not even then).<br>
<br>
The kernel preemption case is handled by the spinlock code itself. Any time kernel
code holds a spinlock, preemption is disabled on the relevant processor. Even uniprocessor
systems must disable preemption in this way to avoid race conditions.
That is why proper locking is required even if you never expect your code to run on a
multiprocessor machine.<br>
<br>
Avoiding sleep while holding a lockcan be more difficult; many kernel functions can
sleep, and this behavior is not always well documented. Copying data to or from user
space is an obvious example: the required user-space page may need to be swapped
in from the disk before the copy can proceed, and that operation clearly requires a
sleep. Just about any operation that must allocate memory can sleep; <i>kmalloc </i>can
decide to give up the processor, and wait for more memory to become available
unless it is explicitly told not to. Sleeps can happen in surprising places; writing code
that will execute under a spinlock requires paying attention to every function that
you call.<br>
<br>
Here's another scenario: your driver is executing and has just taken out a lock that
controls access to its device. While the lockis held, the device issues an interrupt,
which causes your interrupt handler to run. The interrupt handler, before accessing
the device, must also obtain the lock. Taking out a spinlock in an interrupt handler is
a legitimate thing to do; that is one of the reasons that spinlock operations do not
sleep. But what happens if the interrupt routine executes in the same processor as the
code that took out the lock originally? While the interrupt handler is spinning, the
noninterrupt code will not be able to run to release the lock. That processor will spin
forever.<br>
<br>
<A name="119"></a><font color="blue">PAGE 119</font><br>
<br>
Avoiding this trap requires disabling interrupts (on the local CPU only) while the
spinlock is held. There are variants of the spinlock functions that will disable interrupts
for you (we'll see them in the next section). However, a complete discussion of
interrupts must wait until Chapter 10.<br>
<br>
The last important rule for spinlock usage is that spinlocks must always be held for
the minimum time possible. The longer you hold a lock, the longer another processor
may have to spin waiting for you to release it, and the chance of it having to spin
at all is greater. Long lockhold times also keep the current processor from scheduling,
meaning that a higher priority process--which really should be able to get the
CPU--may have to wait. The kernel developers put a great deal of effort into reducing
kernel latency (the time a process may have to wait to be scheduled) in the 2.5
development series. A poorly written driver can wipe out all that progress just by
holding a lockfor too long. To avoid creating this sort of problem, make a point of
keeping your lock-hold times short.<br>
<br>
<a name="TheSpinlockFunctions"></a><font color="red"><b>The Spinlock Functions</b></font><br>
<br>
We have already seen two functions, <i>spin_lock </i>and <i>spin_unlock</i>, that manipulate spinlocks.
There are several other functions, however, with similar names and purposes.
We will now present the full set. This discussion will take us into ground we will not
be able to cover properly for a few chapters yet; a complete understanding of the spinlock
API requires an understanding of interrupt handling and related concepts.<br>
<br>
There are actually four functions that can lock a spinlock:<br>
<pre>
void spin_lock(spinlock_t *lock);
void spin_lock_irqsave(spinlock_t *lock, unsigned long flags);
void spin_lock_irq(spinlock_t *lock);
void spin_lock_bh(spinlock_t *lock)
</pre>
We have already seen how <i>spin_lock </i>works. <i>spin_lock_irqsave </i>disables interrupts (on
the local processor only) before taking the spinlock; the previous interrupt state is
stored in <font class="fixd">flags</font>. If you are absolutely sure nothing else might have already disabled
interrupts on your processor (or, in other words, you are sure that you should enable
interrupts when you release your spinlock), you can use <i>spin_lock_irq </i>instead and
not have to keep track of the flags. Finally, <i>spin_lock_bh </i>disables software interrupts
before taking the lock, but leaves hardware interrupts enabled.<br>
<br>
If you have a spinlock that can be taken by code that runs in (hardware or software)
interrupt context, you must use one of the forms of <i>spin_lock </i>that disables interrupts.
Doing otherwise can deadlock the system, sooner or later. If you do not access
your lockin a hardware interrupt handler, but you do via software interrupts (in
code that runs out of a tasklet, for example, a topic covered in Chapter 7), you can
use <i>spin_lock_bh </i>to safely avoid deadlocks while still allowing hardware interrupts to
be serviced.<br>
<br>
<A name="120"></a><font color="blue">PAGE 120</font><br>
<br>
There are also four ways to release a spinlock; the one you use must correspond to
the function you used to take the lock:<br>
<pre>
void spin_unlock(spinlock_t *lock);
void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags);
void spin_unlock_irq(spinlock_t *lock);
void spin_unlock_bh(spinlock_t *lock);
</pre>
Each <i>spin_unlock </i>variant undoes the work performed by the corresponding <i>spin_lock
</i>function. The <font class="fixd">flags</font> argument passed to <i>spin_unlock_irqrestore </i>must be the same
variable passed to <i>spin_lock_irqsave</i>. You must also call <i>spin_lock_irqsave </i>and <i>spin_
<font class="fixd">unlock_irqrestore</font> </i>in the same function; otherwise, your code may break on some
architectures.<br>
<br>
There is also a set of nonblocking spinlock operations:<br>
<pre>
int spin_trylock(spinlock_t *lock);
int spin_trylock_bh(spinlock_t *lock);
</pre>
These functions return nonzero on success (the lock was obtained), 0 otherwise.
There is no "try" version that disables interrupts.<br>
<br>
<a name="ReaderWriterSpinlocks"></a><font color="red"><b>Reader/Writer Spinlocks</b></font><br>
<br>
The kernel provides a reader/writer form of spinlocks that is directly analogous to
the reader/writer semaphores we saw earlier in this chapter. These locks allow any
number of readers into a critical section simultaneously, but writers must have exclusive
access. Reader/writer locks have a type of <font class="fixd">rwlock_t</font>, defined in <i>&lt;linux/spinlock.h&gt;</i>.
They can be declared and initialized in two ways:<br>
<pre>
rwlock_t my_rwlock = RW_LOCK_UNLOCKED; /* Static way */

rwlock_t my_rwlock;
rwlock_init(&amp;my_rwlock);  /* Dynamic way */
</pre>
The list of functions available should look reasonably familiar by now. For readers,
the following functions are available:<br>
<pre>
void read_lock(rwlock_t *lock);
void read_lock_irqsave(rwlock_t *lock, unsigned long flags);
void read_lock_irq(rwlock_t *lock);
void read_lock_bh(rwlock_t *lock);

void read_unlock(rwlock_t *lock);
void read_unlock_irqrestore(rwlock_t *lock, unsigned long flags);
void read_unlock_irq(rwlock_t *lock);
void read_unlock_bh(rwlock_t *lock);
</pre>
Interestingly, there is no <i>read_trylock</i>.<br>
<br>
The functions for write access are similar:<br>
<pre>
void write_lock(rwlock_t *lock);
void write_lock_irqsave(rwlock_t *lock, unsigned long flags);
</pre>
<A name="121"></a><font color="blue">PAGE 121</font><br>
<pre>
void write_lock_irq(rwlock_t *lock);
void write_lock_bh(rwlock_t *lock);
int write_trylock(rwlock_t *lock);

void write_unlock(rwlock_t *lock);
void write_unlock_irqrestore(rwlock_t *lock, unsigned long flags);
void write_unlock_irq(rwlock_t *lock);
void write_unlock_bh(rwlock_t *lock);
</pre>
Reader/writer locks can starve readers just as rwsems can. This behavior is rarely a
problem; however, if there is enough lockcontention to bring about starvation, performance
is poor anyway.<br>
<br>
<a name="LockingTraps"></a><font color="red"><b>Locking Traps</b></font><br>
<br>
Many years of experience with locks--experience that predates Linux--have shown
that locking can be very hard to get right. Managing concurrency is an inherently
tricky undertaking, and there are many ways of making mistakes. In this section, we
take a quick look at things that can go wrong.<br>
<br>
<a name="AmbiguousRules"></a><font color="red"><b>Ambiguous Rules</b></font><br>
<br>
As has already been said above, a proper locking scheme requires clear and explicit
rules. When you create a resource that can be accessed concurrently, you should
define which lockwill control that access. Locking should really be laid out at the
beginning; it can be a hard thing to retrofit in afterward. Time taken at the outset
usually is paid back generously at debugging time.<br>
<br>
As you write your code, you will doubtless encounter several functions that all
require access to structures protected by a specific lock. At this point, you must be
careful: if one function acquires a lockand then calls another function that also
attempts to acquire the lock, your code deadlocks. Neither semaphores nor spinlocks
allow a lockholder to acquire the locka second time; should you attempt to do
so, things simply hang.<br>
<br>
To make your locking work properly, you have to write some functions with the
assumption that their caller has already acquired the relevant lock(s). Usually, only
your internal, static functions can be written in this way; functions called from outside
must handle locking explicitly. When you write internal functions that make
assumptions about locking, do yourself (and anybody else who works with your
code) a favor and document those assumptions explicitly. It can be very hard to
come back months later and figure out whether you need to hold a lockto call a particular
function or not.<br>
<br>
In the case of <i>scull</i>, the design decision taken was to require all functions invoked
directly from system calls to acquire the semaphore applying to the device structure<br>
<br>
<A name="122"></a><font color="blue">PAGE 122</font><br>
<br>
that is accessed. All internal functions, which are only called from other <i>scull </i>functions,
can then assume that the semaphore has been properly acquired.<br>
<br>
<a name="LockOrderingRules"></a><font color="red"><b>Lock Ordering Rules</b></font><br>
<br>
In systems with a large number of locks (and the kernel is becoming such a system),
it is not unusual for code to need to hold more than one lockat once. If some sort of
computation must be performed using two different resources, each of which has its
own lock, there is often no alternative to acquiring both locks.<br>
<br>
Taking multiple locks can be dangerous, however. If you have two locks, called
<i>Lock1 </i>and <i>Lock2</i>, and code needs to acquire both at the same time, you have a
potential deadlock. Just imagine one thread locking <i>Lock1 </i>while another simultaneously
takes <i>Lock2</i>. Then each thread tries to get the one it doesn't have. Both
threads will deadlock.<br>
<br>
The solution to this problem is usually simple: when multiple locks must be
acquired, they should always be acquired in the same order. As long as this convention
is followed, simple deadlocks like the one described above can be avoided.
However, following lockordering rules can be easier said than done. It is very rare
that such rules are actually written down anywhere. Often the best you can do is to
see what other code does.<br>
<br>
A couple of rules of thumb can help. If you must obtain a lockthat is local to your
code (a device lock, say) along with a lock belonging to a more central part of the
kernel, take your lock first. If you have a combination of semaphores and spinlocks,
you must, of course, obtain the semaphore(s) first; calling <i>down </i>(which can sleep)
while holding a spinlock is a serious error. But most of all, try to avoid situations
where you need more than one lock.<br>
<br>
<a name="FineVersusCoarseGrainedLocking"></a><font color="red"><b>Fine- Versus Coarse-Grained Locking</b></font><br>
<br>
The first Linux kernel that supported multiprocessor systems was 2.0; it contained
exactly one spinlock. The <i>big kernel lock </i>turned the entire kernel into one large critical
section; only one CPU could be executing kernel code at any given time. This
locksolved the concurrency problem well enough to allow the kernel developers to
address all of the other issues involved in supporting SMP. But it did not scale very
well. Even a two-processor system could spend a significant amount of time simply
waiting for the big kernel lock. The performance of a four-processor system was not
even close to that of four independent machines.<br>
<br>
So, subsequent kernel releases have included finer-grained locking. In 2.2, one spinlock
controlled access to the block I/O subsystem; another worked for networking,
and so on. A modern kernel can contain thousands of locks, each protecting one
small resource. This sort of fine-grained locking can be good for scalability; it allows<br>
<br>
<A name="123"></a><font color="blue">PAGE 123</font><br>
<br>
each processor to work on its specific task without contending for locks used by
other processors. Very few people miss the big kernel lock.*<br>
<br>
Fine-grained locking comes at a cost, however. In a kernel with thousands of locks, it
can be very hard to know which locks you need--and in which order you should
acquire them--to perform a specific operation. Remember that locking bugs can be
very difficult to find; more locks provide more opportunities for truly nasty locking
bugs to creep into the kernel. Fine-grained locking can bring a level of complexity
that, over the long term, can have a large, adverse effect on the maintainability of the
kernel.<br>
<br>
Locking in a device driver is usually relatively straightforward; you can have a single
lockthat covers everything you do, or you can create one lockfor every device you
manage. As a general rule, you should start with relatively coarse locking unless you
have a real reason to believe that contention could be a problem. Resist the urge to
optimize prematurely; the real performance constraints often show up in unexpected
places.<br>
<br>
If you do suspect that lockcontention is hurting performance, you may find the <i>lockmeter
</i>tool useful. This patch (available at <a href="http://oss.sgi.com/projects/lockmeter/" target="_blank"><i>http://oss.sgi.com/projects/lockmeter/</i></a>)
instruments the kernel to measure time spent waiting in locks. By looking at the
report, you are able to determine quickly whether lock contention is truly the problem
or not.<br>
<br>
<a name="AlternativesToLocking"></a><font color="red"><b>Alternatives to Locking</b></font><br>
<br>
The Linux kernel provides a number of powerful locking primitives that can be used
to keep the kernel from tripping over its own feet. But, as we have seen, the design
and implementation of a locking scheme is not without its pitfalls. Often there is no
alternative to semaphores and spinlocks; they may be the only way to get the job
done properly. There are situations, however, where atomic access can be set up
without the need for full locking. This section looks at other ways of doing things.<br>
<br>
<a name="LockFreeAlgorithms"></a><font color="red"><b>Lock-Free Algorithms</b></font><br>
<br>
Sometimes, you can recast your algorithms to avoid the need for locking altogether.
A number of reader/writer situations--if there is only one writer--can often workin
this manner. If the writer takes care that the view of the data structure, as seen by the
reader, is always consistent, it may be possible to create a lock-free data structure.<br>
<br>
A data structure that can often be useful for lockless producer/consumer tasks is the
<i>circular buffer</i>. This algorithm involves a producer placing data into one end of an<br>
<br>
* This lockstill exists in 2.6, though it covers very little of the kernel now. If you stumble 
across a <i>lock_kernel</i> call, you have found the big kernel lock. Do not even think about 
using it in any new code, however.<br>
<br>
<A name="124"></a><font color="blue">PAGE 124</font><br>
<br>
array, while the consumer removes data from the other. When the end of the array is
reached, the producer wraps back around to the beginning. So a circular buffer
requires an array and two index values to track where the next new value goes and
which value should be removed from the buffer next.<br>
<br>
When carefully implemented, a circular buffer requires no locking in the absence of
multiple producers or consumers. The producer is the only thread that is allowed to
modify the write index and the array location it points to. As long as the writer stores
a new value into the buffer before updating the write index, the reader will always
see a consistent view. The reader, in turn, is the only thread that can access the read
index and the value it points to. With a bit of care to ensure that the two pointers do
not overrun each other, the producer and the consumer can access the buffer concurrently
with no race conditions.<br>
<br>
Figure 5-1 shows circular buffer in several states of fill. This buffer has been defined
such that an empty condition is indicated by the read and write pointers being equal,
while a full condition happens whenever the write pointer is immediately behind the
read pointer (being careful to account for a wrap!). When carefully programmed, this
buffer can be used without locks.<br>
<br><br>
<center>
<img src="fig5-1.gif">
</center>
<br>
<i>Figure 5-1. A circular buffer</i><br>
<br>
Circular buffers show up reasonably often in device drivers. Networking adaptors, in
particular, often use circular buffers to exchange data (packets) with the processor.
Note that, as of 2.6.10, there is a generic circular buffer implementation available in
the kernel; see <i>&lt;linux/kfifo.h&gt;</i> for information on how to use it.<br>
<br>
<a name="AtomicVariables"></a><font color="red"><b>Atomic Variables</b></font><br>
<br>
Sometimes, a shared resource is a simple integer value. Suppose your driver maintains
a shared variable <font class="fixd">n_op</font> that tells how many device operations are currently outstanding.
Normally, even a simple operation such as:<br>
<pre>
n_op++;
</pre>
<A name="125"></a><font color="blue">PAGE 125</font><br>
<br>
would require locking. Some processors might perform that sort of increment in an
atomic manner, but you can't count on it. But a full locking regime seems like overhead
for a simple integer value. For cases like this, the kernel provides an atomic
integer type called <font class="fixd">atomic_t</font>, defined in <i>&lt;asm/atomic.h&gt;</i>.<br>
<br>
An <font class="fixd">atomic_t</font> holds an <font class="fixd">int</font> value on all supported architectures. Because of the way
this type works on some processors, however, the full integer range may not be available;
thus, you should not count on an <font class="fixd">atomic_t</font> holding more than 24 bits. The following
operations are defined for the type and are guaranteed to be atomic with
respect to all processors of an SMP computer. The operations are very fast, because
they compile to a single machine instruction whenever possible.<br>
<br>
<font class="fixd">void atomic_set(atomic_t *v, int i);<br>
atomic_t v = ATOMIC_INIT(0);</font><br>
<div class="bq">
Set the atomic variable <font class="fixd">v</font> to the integer value <font class="fixd">i.</font> You can also initialize atomic values
at compile time with the <font class="fixd">ATOMIC_INIT</font> macro.</div>
<br>
<font class="fixd">int atomic_read(atomic_t *v);</font><br>
<div class="bq">
Return the current value of <font class="fixd">v.</font></div>
<br>
<font class="fixd">void atomic_add(int i, atomic_t *v);</font><br>
<div class="bq">
Add <font class="fixd">i</font> to the atomic variable pointed to by <font class="fixd">v.</font> The return value is <font class="fixd">void,</font> because
there is an extra cost to returning the new value, and most of the time there's no
need to know it.</div>
<br>
<font class="fixd">void atomic_sub(int i, atomic_t *v);</font><br>
<div class="bq">
Subtract <font class="fixd">i</font> from <font class="fixd">*v.</font></div>
<br>
<font class="fixd">void atomic_inc(atomic_t *v);<br>
void atomic_dec(atomic_t *v);</font><br>
<div class="bq">
Increment or decrement an atomic variable.</div>
<br>
<font class="fixd">int atomic_inc_and_test(atomic_t *v);<br>
int atomic_dec_and_test(atomic_t *v);<br>
int atomic_sub_and_test(int i, atomic_t *v);</font><br>
<div class="bq">
Perform the specified operation and test the result; if, after the operation, the
atomic value is <font class="fixd">0,</font> then the return value is true; otherwise, it is false. Note that
there is no <i>atomic_add_and_test</i>.</div>
<br>
<font class="fixd">int atomic_add_negative(int i, atomic_t *v);</font><br>
<div class="bq">
Add the integer variable <font class="fixd">i</font> to <font class="fixd">v.</font> The return value is true if the result is negative,
false otherwise.</div>
<br>
<font class="fixd">int atomic_add_return(int i, atomic_t *v);<br>
int atomic_sub_return(int i, atomic_t *v);<br>
int atomic_inc_return(atomic_t *v);<br>
int atomic_dec_return(atomic_t *v);</font><br>
<div class="bq">
Behave just like <i>atomic_add </i>and friends, with the exception that they return the
new value of the atomic variable to the caller.</div>
<br>
<A name="126"></a><font color="blue">PAGE 126</font><br>
<br>
As stated earlier, <font class="fixd">atomic_t</font> data items must be accessed only through these functions.
If you pass an atomic item to a function that expects an integer argument, you'll get
a compiler error.<br>
<br>
You should also bear in mind that <font class="fixd">atomic_t</font> values work only when the quantity in
question is truly atomic. Operations requiring multiple <font class="fixd">atomic_t</font> variables still
require some other sort of locking. Consider the following code:<br>
<pre>
atomic_sub(amount, &amp;first_atomic);
atomic_add(amount, &amp;second_atomic);
</pre>
There is a period of time where the amount has been subtracted from the first atomic
value but not yet added to the second. If that state of affairs could create trouble for
code that might run between the two operations, some form of locking must be
employed.<br>
<br>
<a name="BitOperations"></a><font color="red"><b>Bit Operations</b></font><br>
<br>
The <font class="fixd">atomic_t</font> type is good for performing integer arithmetic. It doesn't work as well,
however, when you need to manipulate individual bits in an atomic manner. For that
purpose, instead, the kernel offers a set of functions that modify or test single bits
atomically. Because the whole operation happens in a single step, no interrupt (or
other processor) can interfere.<br>
<br>
Atomic bit operations are very fast, since they perform the operation using a single
machine instruction without disabling interrupts whenever the underlying platform
can do that. The functions are architecture dependent and are declared in <i>&lt;asm/
bitops.h&gt;</i>. They are guaranteed to be atomic even on SMP computers and are useful
to keep coherence across processors.<br>
<br>
Unfortunately, data typing in these functions is architecture dependent as well. The
nr argument (describing which bit to manipulate) is usually defined as <font class="fixd">int</font> but is
<font class="fixd">unsigned long</font> for a few architectures. The address to be modified is usually a pointer
to <font class="fixd">unsigned long</font>, but a few architectures use <font class="fixd">void *</font> instead.<br>
<br>
The available bit operations are:<br>
<br>
<font class="fixd">void set_bit(nr, void *addr);</font><br>
<div class="bq">
Sets bit number <font class="fixd">nr</font> in the data item pointed to by <font class="fixd">addr.</font></div>
<br>
<font class="fixd">void clear_bit(nr, void *addr);</font><br>
<div class="bq">
Clears the specified bit in the <font class="fixd">unsigned long</font> datum that lives at <font class="fixd">addr.</font> Its semantics
are otherwise the same as <i>set_bit</i>.</div>
<br>
<font class="fixd">void change_bit(nr, void *addr);</font><br>
<div class="bq">
Toggles the bit.</div>
<br>
<A name="127"></a><font color="blue">PAGE 127</font><br>
<br>
<font class="fixd">test_bit(nr, void *addr);</font><br>
<div class="bq">
This function is the only bit operation that doesn't need to be atomic; it simply
returns the current value of the bit.</div>
<br>
<font class="fixd">int test_and_set_bit(nr, void *addr);<br>
int test_and_clear_bit(nr, void *addr);<br>
int test_and_change_bit(nr, void *addr);</font><br>
<div class="bq">
Behave atomically like those listed previously, except that they also return the
previous value of the bit.</div>
<br>
When these functions are used to access and modify a shared flag, you don't have to
do anything except call them; they perform their operations in an atomic manner.
Using bit operations to manage a lockvariable that controls access to a shared variable,
on the other hand, is a little more complicated and deserves an example. Most
modern code does not use bit operations in this way, but code like the following still
exists in the kernel.<br>
<br>
A code segment that needs to access a shared data item tries to atomically acquire a
lockusing either <i>test_and_set_bit </i>or <i>test_and_clear_bit</i>. The usual implementation is
shown here; it assumes that the locklives at bit <font class="fixd">nr</font> of address <font class="fixd">addr</font>. It also assumes
that the bit is 0 when the lock is free or nonzero when the lock is busy.<br>
<pre>
/* try to set lock */
while (test_and_set_bit(nr, addr) != 0)
    wait_for_a_while( );

/* do your work */

/* release lock, and check... */
if (test_and_clear_bit(nr, addr) = = 0)
    something_went_wrong( ); /* already released: error */
</pre>
If you read through the kernel source, you find code that works like this example. It
is, however, far better to use spinlocks in new code; spinlocks are well debugged,
they handle issues like interrupts and kernel preemption, and others reading your
code do not have to work to understand what you are doing.<br>
<br>
<a name="Seqlocks"></a><font color="red"><b>seqlocks</b></font><br>
<br>
The 2.6 kernel contains a couple of new mechanisms that are intended to provide
fast, lockless access to a shared resource. Seqlocks work in situations where the
resource to be protected is small, simple, and frequently accessed, and where write
access is rare but must be fast. Essentially, they work by allowing readers free access
to the resource but requiring those readers to check for collisions with writers and,
when such a collision happens, retry their access. Seqlocks generally cannot be used
to protect data structures involving pointers, because the reader may be following a
pointer that is invalid while the writer is changing the data structure.<br>
<br>
<A name="128"></a><font color="blue">PAGE 128</font><br>
<br>
Seqlocks are defined in <i>&lt;linux/seqlock.h&gt;</i>. There are the two usual methods for initializing
a seqlock (which has type <font class="fixd">seqlock_t</font>):<br>
<pre>
seqlock_t lock1 = SEQLOCK_UNLOCKED;

seqlock_t lock2;
seqlock_init(&amp;lock2);
</pre>
Read access works by obtaining an (unsigned) integer sequence value on entry into
the critical section. On exit, that sequence value is compared with the current value;
if there is a mismatch, the read access must be retried. As a result, reader code has a
form like the following:<br>
<pre>
unsigned int seq;

do {
    seq = read_seqbegin(&amp;the_lock);
    /* Do what you need to do */
} while read_seqretry(&amp;the_lock, seq);
</pre>
This sort of lockis usually used to protect some sort of simple computation that
requires multiple, consistent values. If the test at the end of the computation shows
that a concurrent write occurred, the results can be simply discarded and recomputed.<br>
<br>
If your seqlock might be accessed from an interrupt handler, you should use the
IRQ-safe versions instead:<br>
<pre>
unsigned int read_seqbegin_irqsave(seqlock_t *lock,
                                   unsigned long flags);
int read_seqretry_irqrestore(seqlock_t *lock, unsigned int seq,
                             unsigned long flags);
</pre>
Writers must obtain an exclusive lockto enter the critical section protected by a
seqlock. To do so, call:<br>
<pre>
void write_seqlock(seqlock_t *lock);
</pre>
The write lockis implemented with a spinlock, so all the usual constraints apply.
Make a call to:<br>
<pre>
void write_sequnlock(seqlock_t *lock);
</pre>
to release the lock. Since spinlocks are used to control write access, all of the usual
variants are available:<br>
<pre>
void write_seqlock_irqsave(seqlock_t *lock, unsigned long flags);
void write_seqlock_irq(seqlock_t *lock);
void write_seqlock_bh(seqlock_t *lock);

void write_sequnlock_irqrestore(seqlock_t *lock, unsigned long flags);
void write_sequnlock_irq(seqlock_t *lock);
void write_sequnlock_bh(seqlock_t *lock);
</pre>
There is also a <i>write_tryseqlock</i> that returns nonzero if it was able to obtain the lock.<br>
<br>
<A name="129"></a><font color="blue">PAGE 129</font><br>
<br>
<a name="ReadCopyUpdate"></a><font color="red"><b>Read-Copy-Update</b></font><br>
<br>
Read-copy-update (RCU) is an advanced mutual exclusion scheme that can yield
high performance in the right conditions. Its use in drivers is rare but not unknown,
so it is worth a quick overview here. Those who are interested in the full details of
the RCU algorithm can find them in the white paper published by its creator <br>
<br>
(<a href="http://www.rdrop.com/users/paulmck/rclock/intro/rclock_intro.html" target="_blank"><i>http://www.rdrop.com/users/paulmck/rclock/intro/rclock_intro.html</i></a>).<br>
<br>
RCU places a number of constraints on the sort of data structure that it can protect.
It is optimized for situations where reads are common and writes are rare. The
resources being protected should be accessed via pointers, and all references to those
resources must be held only by atomic code. When the data structure needs to be
changed, the writing thread makes a copy, changes the copy, then aims the relevant
pointer at the new version--thus, the name of the algorithm. When the kernel is sure
that no references to the old version remain, it can be freed.<br>
<br>
As an example of real-world use of RCU, consider the network routing tables. Every
outgoing packet requires a check of the routing tables to determine which interface
should be used. The check is fast, and, once the kernel has found the target interface,
it no longer needs the routing table entry. RCU allows route lookups to be performed
without locking, with significant performance benefits. The Starmode radio
IP driver in the kernel also uses RCU to keep track of its list of devices.<br>
<br>
Code using RCU should include <i>&lt;linux/rcupdate.h&gt;</i>.<br>
<br>
On the read side, code using an RCU-protected data structure should bracket its references
with calls to <i>rcu_read_lock </i>and <i>rcu_read_unlock</i>. As a result, RCU code
tends to look like:<br>
<pre>
struct my_stuff *stuff;

rcu_read_lock( );
stuff = find_the_stuff(args...);
do_something_with(stuff);
rcu_read_unlock( );
</pre>
The <i>rcu_read_lock </i>call is fast; it disables kernel preemption but does not wait for
anything. The code that executes while the read "lock" is held must be atomic. No
reference to the protected resource may be used after the call to <i>rcu_read_unlock</i>.<br>
<br>
Code that needs to change the protected structure has to carry out a few steps. The
first part is easy; it allocates a new structure, copies data from the old one if need be,
then replaces the pointer that is seen by the read code. At this point, for the purposes
of the read side, the change is complete; any code entering the critical section
sees the new version of the data.<br>
<br>
All that remains is to free the old version. The problem, of course, is that code running
on other processors may still have a reference to the older data, so it cannot be freed
immediately. Instead, the write code must wait until it knows that no such reference<br>
<br>
<A name="130"></a><font color="blue">PAGE 130</font><br>
<br>
can exist. Since all code holding references to this data structure must (by the rules) be
atomic, we know that once every processor on the system has been scheduled at least
once, all references must be gone. So that is what RCU does; it sets aside a callback
that waits until all processors have scheduled; that callback is then run to perform the
cleanup work.<br>
<br>
Code that changes an RCU-protected data structure must get its cleanup callback by
allocating a <font class="fixd">struct rcu_head,</font> although it doesn't need to initialize that structure in
any way. Often, that structure is simply embedded within the larger resource that is
protected by RCU. After the change to that resource is complete, a call should be
made to:<br>
<pre>
void call_rcu(struct rcu_head *head, void (*func)(void *arg), void *arg);
</pre>
The given <font class="fixd">func</font> is called when it is safe to free the resource; it is passed to the same
<font class="fixd">arg</font> that was passed to <i>call_rcu</i>. Usually, the only thing <font class="fixd">func</font> needs to do is to call
<i>kfree</i>.<br>
<br>
The full RCU interface is more complex than we have seen here; it includes, for
example, utility functions for working with protected linked lists. See the relevant
header files for the full story.<br>
<br>
<a name="QuickReference5"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter has introduced a substantial set of symbols for the management of concurrency.
The most important of these are summarized here:<br>
<br>
<font class="fixd">#include &lt;asm/semaphore.h&gt;</font><br>
<div class="bq">
The include file that defines semaphores and the operations on them.</div>
<br>
<font class="fixd">DECLARE_MUTEX(name);<br>
DECLARE_MUTEX_LOCKED(name);</font></div>
<div class="bq">
Two macros for declaring and initializing a semaphore used in mutual exclusion
mode.</div>
<br>
<font class="fixd">void init_MUTEX(struct semaphore *sem);<br>
void init_MUTEX_LOCKED(struct semaphore *sem);</font><br>
<div class="bq">
These two functions can be used to initialize a semaphore at runtime.</div>
<br>
<font class="fixd">void down(struct semaphore *sem);<br>
int down_interruptible(struct semaphore *sem);<br>
int down_trylock(struct semaphore *sem);<br>
void up(struct semaphore *sem);</font><br>
<div class="bq">
Lock and unlock a semaphore. <i>down </i>puts the calling process into an uninterruptible
sleep if need be; <i>down_interruptible</i>, instead, can be interrupted by a signal.
<i>down_trylock </i>does not sleep; instead, it returns immediately if the
semaphore is unavailable. Code that locks a semaphore must eventually unlock
it with <i>up</i>.</div>
<br>
<A name="131"></a><font color="blue">PAGE 131</font><br>
<br>
<font class="fixd">struct rw_semaphore;<br>
init_rwsem(struct rw_semaphore *sem);</font><br>
<div class="bq">
The reader/writer version of semaphores and the function that initializes it.</div>
<br>
<font class="fixd">void down_read(struct rw_semaphore *sem);<br>
int down_read_trylock(struct rw_semaphore *sem);<br>
void up_read(struct rw_semaphore *sem);</font><br>
<div class="bq">
Functions for obtaining and releasing read access to a reader/writer semaphore.</div>
<br>
<font class="fixd">void down_write(struct rw_semaphore *sem)<br>
int down_write_trylock(struct rw_semaphore *sem)<br>
void up_write(struct rw_semaphore *sem)<br>
void downgrade_write(struct rw_semaphore *sem)</font><br>
<div class="bq">
Functions for managing write access to a reader/writer semaphore.</div>
<br>
<font class="fixd">#include &lt;linux/completion.h&gt;<br>
DECLARE_COMPLETION(name);<br>
init_completion(struct completion *c);<br>
INIT_COMPLETION(struct completion c);</font><br>
<div class="bq">
The include file describing the Linux completion mechanism, and the normal
methods for initializing completions. <font class="fixd">INIT_COMPLETION</font> should be used only to
reinitialize a completion that has been previously used.</div>
<br>
<font class="fixd">void wait_for_completion(struct completion *c);</font><br>
<div class="bq">
Wait for a completion event to be signalled.</div>
<br>
<font class="fixd">void complete(struct completion *c);<br>
void complete_all(struct completion *c);</font><br>
<div class="bq">
Signal a completion event. <i>complete </i>wakes, at most, one waiting thread, while
<i>complete_all</i> wakes all waiters.</div>
<br>
<font class="fixd">void complete_and_exit(struct completion *c, long retval);</font><br>
<div class="bq">
Signals a completion event by calling <i>complete </i>and calls <i>exit </i>for the current
thread.</div>
<br>
<font class="fixd">#include &lt;linux/spinlock.h&gt;<br>
spinlock_t lock = SPIN_LOCK_UNLOCKED;<br>
spin_lock_init(spinlock_t *lock);</font><br>
<div class="bq">
The include file defining the spinlock interface and the two ways of initializing
locks.</div>
<br>
<font class="fixd">void spin_lock(spinlock_t *lock);<br>
void spin_lock_irqsave(spinlock_t *lock, unsigned long flags);<br>
void spin_lock_irq(spinlock_t *lock);<br>
void spin_lock_bh(spinlock_t *lock);</font><br>
<div class="bq">
The various ways of locking a spinlock and, possibly, disabling interrupts.</div>
<br>
<A name="132"></a><font color="blue">PAGE 132</font><br>
<br>
<font class="fixd">int spin_trylock(spinlock_t *lock);<br>
int spin_trylock_bh(spinlock_t *lock);</font><br>
<div class="bq">
Nonspinning versions of the above functions; these return 0 in case of failure to
obtain the lock, nonzero otherwise.</div>
<br>
<font class="fixd">void spin_unlock(spinlock_t *lock);<br>
void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags);<br>
void spin_unlock_irq(spinlock_t *lock);<br>
void spin_unlock_bh(spinlock_t *lock);</font><br>
<div class="bq">
The corresponding ways of releasing a spinlock.</div>
<br>
<font class="fixd">rwlock_t lock = RW_LOCK_UNLOCKED
rwlock_init(rwlock_t *lock);</font><br>
<div class="bq">
The two ways of initializing reader/writer locks.</div>
<br>
<font class="fixd">void read_lock(rwlock_t *lock);<br>
void read_lock_irqsave(rwlock_t *lock, unsigned long flags);<br>
void read_lock_irq(rwlock_t *lock);<br>
void read_lock_bh(rwlock_t *lock);</font><br>
<div class="bq">
Functions for obtaining read access to a reader/writer lock.</div>
<br>
<font class="fixd">void read_unlock(rwlock_t *lock);<br>
void read_unlock_irqrestore(rwlock_t *lock, unsigned long flags);<br>
void read_unlock_irq(rwlock_t *lock);<br>
void read_unlock_bh(rwlock_t *lock);</font><br>
<div class="bq">
Functions for releasing read access to a reader/writer spinlock.</div>
<br>
<font class="fixd">void write_lock(rwlock_t *lock);<br>
void write_lock_irqsave(rwlock_t *lock, unsigned long flags);<br>
void write_lock_irq(rwlock_t *lock);<br>
void write_lock_bh(rwlock_t *lock);</font><br>
<div class="bq">
Functions for obtaining write access to a reader/writer lock.</div>
<br>
<font class="fixd">void write_unlock(rwlock_t *lock);<br>
void write_unlock_irqrestore(rwlock_t *lock, unsigned long flags);<br>
void write_unlock_irq(rwlock_t *lock);<br>
void write_unlock_bh(rwlock_t *lock);</font><br>
<div class="bq">
Functions for releasing write access to a reader/writer spinlock.</div>
<br>
<A name="133"></a><font color="blue">PAGE 133</font><br>
<br>
<font class="fixd">#include &lt;asm/atomic.h&gt;<br>
atomic_t v = ATOMIC_INIT(value);<br>
void atomic_set(atomic_t *v, int i);<br>
int atomic_read(atomic_t *v);<br>
void atomic_add(int i, atomic_t *v);<br>
void atomic_sub(int i, atomic_t *v);<br>
void atomic_inc(atomic_t *v);<br>
void atomic_dec(atomic_t *v);<br>
int atomic_inc_and_test(atomic_t *v);<br>
int atomic_dec_and_test(atomic_t *v);<br>
int atomic_sub_and_test(int i, atomic_t *v);<br>
int atomic_add_negative(int i, atomic_t *v);<br>
int atomic_add_return(int i, atomic_t *v);<br>
int atomic_sub_return(int i, atomic_t *v);<br>
int atomic_inc_return(atomic_t *v);<br>
int atomic_dec_return(atomic_t *v);</font><br>
<div class="bq">
Atomically access integer variables. The <font class="fixd">atomic_t</font> variables must be accessed
only through these functions.</div>
<br>
<font class="fixd">#include &lt;asm/bitops.h&gt;<br>
void set_bit(nr, void *addr);<br>
void clear_bit(nr, void *addr);<br>
void change_bit(nr, void *addr);<br>
test_bit(nr, void *addr);<br>
int test_and_set_bit(nr, void *addr);<br>
int test_and_clear_bit(nr, void *addr);<br>
int test_and_change_bit(nr, void *addr);</font><br>
<div class="bq">
Atomically access bit values; they can be used for <font class="fixd">flags</font> or lockvariables. Using
these functions prevents any race condition related to concurrent access to the
bit.</div>
<br>
<font class="fixd">#include &lt;linux/seqlock.h&gt;<br>
seqlock_t lock = SEQLOCK_UNLOCKED;<br>
seqlock_init(seqlock_t *lock);</font><br>
<div class="bq">
The include file defining seqlocks and the two ways of initializing them.</div>
<br>
<font class="fixd">unsigned int read_seqbegin(seqlock_t *lock);<br>
unsigned int read_seqbegin_irqsave(seqlock_t *lock, unsigned long flags);<br>
int read_seqretry(seqlock_t *lock, unsigned int seq);<br>
int read_seqretry_irqrestore(seqlock_t *lock, unsigned int seq, unsigned long flags);</font><br>
<div class="bq">
Functions for obtaining read access to a seqlock-protected resources.</div>
<br>
<A name="134"></a><font color="blue">PAGE 134</font><br>
<br>
<font class="fixd">void write_seqlock(seqlock_t *lock);<br>
void write_seqlock_irqsave(seqlock_t *lock, unsigned long flags);<br>
void write_seqlock_irq(seqlock_t *lock);<br>
void write_seqlock_bh(seqlock_t *lock);<br>
int write_tryseqlock(seqlock_t *lock);</font><br>
<div class="bq">
Functions for obtaining write access to a seqlock-protected resource.</div>
<br>
<font class="fixd">void write_sequnlock(seqlock_t *lock);<br>
void write_sequnlock_irqrestore(seqlock_t *lock, unsigned long flags);<br>
void write_sequnlock_irq(seqlock_t *lock);<br>
void write_sequnlock_bh(seqlock_t *lock);</font><br>
<div class="bq">
Functions for releasing write access to a seqlock-protected resource.</div>
<br>
<font class="fixd">#include &lt;linux/rcupdate.h&gt;</font><br>
<div class="bq">
The include file required to use the read-copy-update (RCU) mechanism.</div>
<br>
<font class="fixd">void rcu_read_lock;<br>
void rcu_read_unlock;</font><br>
<div class="bq">
Macros for obtaining atomic read access to a resource protected by RCU.</div>
<br>
<font class="fixd">void call_rcu(struct rcu_head *head, void (*func)(void *arg), void *arg);</font><br>
<div class="bq">
Arranges for a callback to run after all processors have been scheduled and an
RCU-protected resource can be safely freed.</div>
<br>
<A name="135"></a><font color="blue">PAGE 135</font><br>
<br>
<a name="CHAPTER6"></a><font color="red"><b>CHAPTER 6</b></font><br>
<br>
<a name="AdvancedCharDriverOperations"></a><font color="#7519FF" size="+1"><b>Advanced Char Driver Operations</b></font><br>
<br>
In Chapter 3, we built a complete device driver that the user can write to and read
from. But a real device usually offers more functionality than synchronous <i>read </i>and
<i>write</i>. Now that we're equipped with debugging tools should something go awry-and
a firm understanding of concurrency issues to help keep things from going
awry--we can safely go ahead and create a more advanced driver.<br>
<br>
This chapter examines a few concepts that you need to understand to write fully featured
char device drivers. We start with implementing the <i>ioctl </i>system call, which is
a common interface used for device control. Then we proceed to various ways of synchronizing
with user space; by the end of this chapter you have a good idea of how to
put processes to sleep (and wake them up), implement nonblocking I/O, and inform
user space when your devices are available for reading or writing. We finish with a
look at how to implement a few different device access policies within drivers.<br>
<br>
The ideas discussed here are demonstrated by way of a couple of modified versions
of the <i>scull </i>driver. Once again, everything is implemented using in-memory virtual
devices, so you can try out the code yourself without needing to have any particular
hardware. By now, you may be wanting to get your hands dirty with real hardware,
but that will have to wait until Chapter 9.<br>
<br>
<a name="Ioctl"></a><font color="red"><b>ioctl</b></font><br>
<br>
Most drivers need--in addition to the ability to read and write the device--the ability
to perform various types of hardware control via the device driver. Most devices
can perform operations beyond simple data transfers; user space must often be able
to request, for example, that the device lock its door, eject its media, report error
information, change a baud rate, or self destruct. These operations are usually supported
via the <i>ioctl</i> method, which implements the system call by the same name.<br>
<br>
In user space, the <i>ioctl</i> system call has the following prototype:<br>
<pre>
int ioctl(int fd, unsigned long cmd, ...);
</pre>
<A name="136"></a><font color="blue">PAGE 136</font><br>
<br>
The prototype stands out in the list of Unix system calls because of the dots, which
usually mark the function as having a variable number of arguments. In a real system,
however, a system call can't actually have a variable number of arguments. System
calls must have a well-defined prototype, because user programs can access
them only through hardware "gates." Therefore, the dots in the prototype represent
not a variable number of arguments but a single optional argument, traditionally
identified as <font class="fixd">char *argp.</font> The dots are simply there to prevent type checking during
compilation. The actual nature of the third argument depends on the specific control
command being issued (the second argument). Some commands take no arguments,
some take an integer value, and some take a pointer to other data. Using a
pointer is the way to pass arbitrary data to the <i>ioctl </i>call; the device is then able to
exchange any amount of data with user space.<br>
<br>
The unstructured nature of the <i>ioctl </i>call has caused it to fall out of favor among kernel
developers. Each <i>ioctl </i>command is, essentially, a separate, usually undocumented
system call, and there is no way to audit these calls in any sort of
comprehensive manner. It is also difficult to make the unstructured <i>ioctl </i>arguments
work identically on all systems; for example, consider 64-bit systems with a userspace
process running in 32-bit mode. As a result, there is strong pressure to implement
miscellaneous control operations by just about any other means. Possible alternatives
include embedding commands into the data stream (we will discuss this
approach later in this chapter) or using virtual filesystems, either sysfs or driver-specific
filesystems. (We will look at sysfs in Chapter 14.) However, the fact remains
that <i>ioctl</i> is often the easiest and most straightforward choice for true device operations.<br>
<br>
The <i>ioctl </i>driver method has a prototype that differs somewhat from the user-space
version:<br>
<pre>
int (*ioctl) (struct inode *inode, struct file *filp,
              unsigned int cmd, unsigned long arg);
</pre>
The <font class="fixd">inode</font> and <font class="fixd">filp</font> pointers are the values corresponding to the file 
descriptor <font class="fixd">fd</font> passed on by the application and are the same parameters passed to the <i>open
</i>method. The <font class="fixd">cmd</font> argument is passed from the user unchanged, and the optional arg
argument is passed in the form of an <font class="fixd">unsigned long</font>, regardless of whether it was
given by the user as an integer or a pointer. If the invoking program doesn't pass a
third argument, the <font class="fixd">arg</font> value received by the driver operation is undefined. Because
type checking is disabled on the extra argument, the compiler can't warn you if an
invalid argument is passed to <i>ioctl</i>, and any associated bug would be difficult to spot.<br>
<br>
As you might imagine, most <i>ioctl </i>implementations consist of a <font class="fixd">big switch</font> statement
that selects the correct behavior according to the <font class="fixd">cmd</font> argument. Different commands
have different numeric values, which are usually given symbolic names to simplify
coding. The symbolic name is assigned by a preprocessor definition. Custom drivers
usually declare such symbols in their header files; <i>scull.h </i>declares them for <i>scull</i>. User<br>
<br>
<A name="137"></a><font color="blue">PAGE 137</font><br>
<br>
programs must, of course, include that header file as well to have access to those
symbols.<br>
<br>
<a name="ChoosingTheIoctlCommands"></a><font color="red"><b>Choosing the ioctl Commands</b></font><br>
<br>
Before writing the code for <i>ioctl</i>, you need to choose the numbers that correspond to
commands. The first instinct of many programmers is to choose a set of small numbers
starting with 0 or 1 and going up from there. There are, however, good reasons
for not doing things that way. The <i>ioctl </i>command numbers should be unique across
the system in order to prevent errors caused by issuing the right command to the
wrong device. Such a mismatch is not unlikely to happen, and a program might find
itself trying to change the baud rate of a non-serial-port input stream, such as a FIFO
or an audio device. If each <i>ioctl </i>number is unique, the application gets an <font class="fixd">EINVAL</font>
error rather than succeeding in doing something unintended.<br>
<br>
To help programmers create unique <i>ioctl </i>command codes, these codes have been
split up into several bitfields. The first versions of Linux used 16-bit numbers: the
top eight were the "magic" numbers associated with the device, and the bottom eight
were a sequential number, unique within the device. This happened because Linus
was "clueless" (his own word); a better division of bitfields was conceived only later.
Unfortunately, quite a few drivers still use the old convention. They have to: changing
the command codes would break no end of binary programs, and that is not
something the kernel developers are willing to do.<br>
<br>
To choose <i>ioctl </i>numbers for your driver according to the Linux kernel convention,
you should first check <i>include/asm/ioctl.h </i>and <i>Documentation/ioctl-number.txt</i>. The
header defines the bitfields you will be using: type (magic number), ordinal number,
direction of transfer, and size of argument. The <i>ioctl-number.txt </i>file lists the magic
numbers used throughout the kernel,* so you'll be able to choose your own magic
number and avoid overlaps. The text file also lists the reasons why the convention
should be used.<br>
<br>
The approved way to define <i>ioctl </i>command numbers uses four bitfields, which have
the following meanings. New symbols introduced in this list are defined in <i>&lt;linux/
ioctl.h&gt;</i>.<br>
<br>
<font class="fixd">type</font><br>
<div class="bq">
The magic number. Just choose one number (after consulting <i>ioctl-number.txt</i>)
and use it throughout the driver. This field is eight bits wide (<font class="fixd">_IOC_TYPEBITS</font>).</div>
<br>
<font class="fixd">number</font><br>
<div class="bq">
The ordinal (sequential) number. It's eight bits (<font class="fixd">_IOC_NRBITS</font>) wide.</div>
<br>
* Maintenance of this file has been somewhat scarce as of late, however.<br>
<br>
<A name="138"></a><font color="blue">PAGE 138</font><br>
<br>
<font class="fixd">direction</font><br>
<div class="bq">
The direction of data transfer, if the particular command involves a data transfer.
The possible values are <font class="fixd">_IOC_NONE</font> (no data transfer), <font class="fixd">_IOC_READ, _IOC_WRITE,</font>
and <font class="fixd">_IOC_READ|_IOC_WRITE</font> (data is transferred both ways). Data transfer is seen
from the application's point of view; <font class="fixd">_IOC_READ</font> means reading <i>from </i>the device,
so the driver must write to user space. Note that the field is a bit mask, so <font class="fixd">_IOC_READ</font>
and <font class="fixd">_IOC_WRITE</font> can be extracted using a logical AND operation.</div>
<br>
<font class="fixd">size</font><br>
<div class="bq">
The size of user data involved. The width of this field is architecture dependent,
but is usually 13 or 14 bits. You can find its value for your specific architecture
in the macro <font class="fixd">_IOC_SIZEBITS</font>. It's not mandatory that you use the <font class="fixd">size</font> field--the
kernel does not check it--but it is a good idea. Proper use of this field can help
detect user-space programming errors and enable you to implement backward
compatibility if you ever need to change the size of the relevant data item. If you
need larger data structures, however, you can just ignore the <font class="fixd">size</font> field. We'll see
how this field is used soon.</div>
<br>
The header file <i>&lt;asm/ioctl.h&gt;</i>, which is included by <i>&lt;linux/ioctl.h&gt;</i>, defines macros
that help set up the command numbers as follows: <font class="fixd">_IO(type,nr)</font> (for a command
that has no argument), <font class="fixd">_IOR(type,nr,datatype)</font> (for reading data from the
driver), <font class="fixd">_IOW(type,nr,datatype)</font> (for writing data), and <font class="fixd">_IOWR(type,nr,datatype)</font> (for
bidirectional transfers). The type and number fields are passed as arguments, and the
<font class="fixd">size</font> field is derived by applying <i>sizeof</i> to the datatype argument.<br>
<br>
The header also defines macros that may be used in your driver to decode the numbers:
<font class="fixd">_IOC_DIR(nr), _IOC_TYPE(nr), _IOC_NR(nr)</font>, and <font class="fixd">_IOC_SIZE(nr).</font> We won't go
into any more detail about these macros because the header file is clear, and sample
code is shown later in this section.<br>
<br>
Here is how some <i>ioctl </i>commands are defined in <i>scull</i>. In particular, these commands
set and get the driver's configurable parameters.<br>
<pre>
/* Use 'k' as magic number */
#define SCULL_IOC_MAGIC  'k'
/* Please use a different 8-bit number in your code */

#define SCULL_IOCRESET    _IO(SCULL_IOC_MAGIC, 0)

/*
 * S means &quot;Set&quot; through a ptr,
 * T means &quot;Tell&quot; directly with the argument value
 * G means &quot;Get&quot;: reply by setting through a pointer
 * Q means &quot;Query&quot;: response is on the return value
 * X means &quot;eXchange&quot;: switch G and S atomically
 * H means &quot;sHift&quot;: switch T and Q atomically
 */
#define SCULL_IOCSQUANTUM _IOW(SCULL_IOC_MAGIC,  1, int)
#define SCULL_IOCSQSET    _IOW(SCULL_IOC_MAGIC,  2, int)
</pre>
<A name="139"></a><font color="blue">PAGE 139</font><br>
<pre>
#define SCULL_IOCTQUANTUM _IO(SCULL_IOC_MAGIC,   3)
#define SCULL_IOCTQSET    _IO(SCULL_IOC_MAGIC,   4)
#define SCULL_IOCGQUANTUM _IOR(SCULL_IOC_MAGIC,  5, int)
#define SCULL_IOCGQSET    _IOR(SCULL_IOC_MAGIC,  6, int)
#define SCULL_IOCQQUANTUM _IO(SCULL_IOC_MAGIC,   7)
#define SCULL_IOCQQSET    _IO(SCULL_IOC_MAGIC,   8)
#define SCULL_IOCXQUANTUM _IOWR(SCULL_IOC_MAGIC, 9, int)
#define SCULL_IOCXQSET    _IOWR(SCULL_IOC_MAGIC,10, int)
#define SCULL_IOCHQUANTUM _IO(SCULL_IOC_MAGIC,  11)
#define SCULL_IOCHQSET    _IO(SCULL_IOC_MAGIC,  12)

#define SCULL_IOC_MAXNR 14
</pre>
The actual source file defines a few extra commands that have not been shown here.<br>
<br>
We chose to implement both ways of passing integer arguments: by pointer and by
explicit value (although, by an established convention, <i>ioctl </i>should exchange values
by pointer). Similarly, both ways are used to return an integer number: by pointer or
by setting the return value. This works as long as the return value is a positive integer;
as you know by now, on return from any system call, a positive value is preserved
(as we saw for <i>read </i>and <i>write</i>), while a negative value is considered an error
and is used to set <font class="fixd">errno</font> in user space.*<br>
<br>
The "exchange" and "shift" operations are not particularly useful for <i>scull</i>. We
implemented "exchange" to show how the driver can combine separate operations
into a single atomic one, and "shift" to pair "tell" and "query." There are times when
atomic test-and-set operations like these are needed, in particular, when applications
need to set or release locks.<br>
<br>
The explicit ordinal number of the command has no specific meaning. It is used only
to tell the commands apart. Actually, you could even use the same ordinal number
for a read command and a write command, since the actual <i>ioctl </i>number is different
in the "direction" bits, but there is no reason why you would want to do so. We
chose not to use the ordinal number of the command anywhere but in the declaration,
so we didn't assign a symbolic value to it. That's why explicit numbers appear
in the definition given previously. The example shows one way to use the command
numbers, but you are free to do it differently.<br>
<br>
With the exception of a small number of predefined commands (to be discussed
shortly), the value of the <i>ioctl </i><font class="fixd">cmd</font> argument is not currently used by the kernel, and
it's quite unlikely it will be in the future. Therefore, you could, if you were feeling
lazy, avoid the complex declarations shown earlier and explicitly declare a set of scalar
numbers. On the other hand, if you did, you wouldn't benefit from using the bitfields,
and you would encounter difficulties if you ever submitted your code for<br>
<br>
* Actually, all <i>libc </i>implementations currently in use (including uClibc) consider as 
error codes only values in the range -4095 to -1. Unfortunately, being able to return large 
negative numbers but not small ones is not very useful.<br>
<br>
<A name="140"></a><font color="blue">PAGE 140</font><br>
<br>
inclusion in the mainline kernel. The header <i>&lt;linux/kd.h&gt; </i>is an example of this old-fashioned
approach, using 16-bit scalar values to define the <i>ioctl </i>commands. That
source file relied on scalar numbers because it used the conventions obeyed at that
time, not out of laziness. Changing it now would cause gratuitous incompatibility.<br>
<br>
<a name="TheReturnValue"></a><font color="red"><b>The Return Value</b></font><br>
<br>
The implementation of <i>ioctl </i>is usually a <font class="fixd">switch</font> statement based on the command
number. But what should the <font class="fixd">default</font> selection be when the command number
doesn't match a valid operation? The question is controversial. Several kernel functions
return <font class="fixd">-EINVAL</font> ("Invalid argument"), which makes sense because the command
argument is indeed not a valid one. The POSIX standard, however, states that
if an inappropriate <i>ioctl </i>command has been issued, then <font class="fixd">-ENOTTY</font> should be returned.
This error code is interpreted by the C library as "inappropriate ioctl for device,"
which is usually exactly what the programmer needs to hear. It's still pretty common,
though, to return <font class="fixd">-EINVAL</font> in response to an invalid <i>ioctl</i> command.<br>
<br>
<a name="ThePredefinedCommands"></a><font color="red"><b>The Predefined Commands</b></font><br>
<br>
Although the <i>ioctl </i>system call is most often used to act on devices, a few commands
are recognized by the kernel. Note that these commands, when applied to your
device, are decoded <i>before </i>your own file operations are called. Thus, if you choose
the same number for one of your <i>ioctl </i>commands, you won't ever see any request for
that command, and the application gets something unexpected because of the conflict
between the <i>ioctl</i> numbers.<br>
<br>
The predefined commands are divided into three groups:<br>
<ul>
<li> Those that can be issued on any file (regular, device, FIFO, or socket)
<li> Those that are issued only on regular files
<li> Those specific to the filesystem type
</ul>
Commands in the last group are executed by the implementation of the hosting filesystem
(this is how the <i>chattr </i>command works). Device driver writers are interested
only in the first group of commands, whose magic number is "T." Looking at the
workings of the other groups is left to the reader as an exercise; <i>ext2_ioctl </i>is a most
interesting function (and easier to understand than one might expect), because it
implements the append-only flag and the immutable flag.<br>
<br>
<A name="141"></a><font color="blue">PAGE 141</font><br>
<br>
The following <i>ioctl </i>commands are predefined for any file, including device-special
files:<br>
<br>
<font class="fixd">FIOCLEX</font><br>
<div class="bq">
Set the close-on-exec flag (File IOctl CLose on EXec). Setting this flag causes the
file descriptor to be closed when the calling process executes a new program.</div>
<br>
<font class="fixd">FIONCLEX</font><br>
<div class="bq">
Clear the close-on-exec flag (File IOctl Not CLos on EXec). The command
restores the common file behavior, undoing what <font class="fixd">FIOCLEX</font> above does.</div>
<br>
<font class="fixd">FIOASYNC</font><br>
<div class="bq">
Set or reset asynchronous notification for the file (as discussed in the section
"Asynchronous Notification," later in this chapter). Note that kernel versions up
to Linux 2.2.4 incorrectly used this command to modify the <font class="fixd">O_SYNC</font> flag. Since
both actions can be accomplished through <i>fcntl</i>, nobody actually uses the
<font class="fixd">FIOASYNC</font> command, which is reported here only for completeness.</div>
<br>
<font class="fixd">FIOQSIZE</font><br>
<div class="bq">
This command returns the size of a file or directory; when applied to a device
file, however, it yields an <font class="fixd">ENOTTY</font> error return.</div>
<br>
<font class="fixd">FIONBIO</font><br>
<div class="bq">
"File IOctl Non-Blocking I/O" (described in the section "Blocking and Nonblocking
Operations"). This call modifies the <font class="fixd">O_NONBLOCK</font> flag in <font class="fixd">filp-&gt;f_flags</font>.
The third argument to the system call is used to indicate whether the flag is to be
set or cleared. (We'll look at the role of the flag later in this chapter.) Note that
the usual way to change this flag is with the <i>fcntl </i>system call, using the <i><font class="fixd">F_SETFL</font>
</i>command.</div>
<br>
The last item in the list introduced a new system call, <i>fcntl</i>, which looks like <i>ioctl</i>. In
fact, the <i>fcntl </i>call is very similar to <i>ioctl </i>in that it gets a command argument and an
extra (optional) argument. It is kept separate from <i>ioctl </i>mainly for historical reasons:
when Unix developers faced the problem of controlling I/O operations, they decided
that files and devices were different. At the time, the only devices with <i>ioctl </i>implementations
were ttys, which explains why <font class="fixd">-ENOTTY</font> is the standard reply for an incorrect
<i>ioctl</i> command. Things have changed, but <i>fcntl</i> remains a separate system call.<br>
<br>
<a name="UsingTheIoctlArgument"></a><font color="red"><b>Using the ioctl Argument</b></font><br>
<br>
Another point we need to cover before looking at the <i>ioctl </i>code for the <i>scull </i>driver is
how to use the extra argument. If it is an integer, it's easy: it can be used directly. If it
is a pointer, however, some care must be taken.<br>
<br>
<A name="142"></a><font color="blue">PAGE 142</font><br>
<br>
When a pointer is used to refer to user space, we must ensure that the user address is
valid. An attempt to access an unverified user-supplied pointer can lead to incorrect
behavior, a kernel oops, system corruption, or security problems. It is the driver's
responsibility to make proper checks on every user-space address it uses and to
return an error if it is invalid.<br>
<br>
In Chapter 3, we looked at the <i>copy_from_user </i>and <i>copy_to_user </i>functions, which
can be used to safely move data to and from user space. Those functions can be used
in <i>ioctl </i>methods as well, but <i>ioctl </i>calls often involve small data items that can be
more efficiently manipulated through other means. To start, address verification
(without transferring data) is implemented by the function <i>access_ok</i>, which is
declared in <i>&lt;asm/uaccess.h&gt;</i>:<br>
<pre>
int access_ok(int type, const void *addr, unsigned long size);
</pre>
The first argument should be either <font class="fixd">VERIFY_READ</font> or <font class="fixd">VERIFY_WRITE</font>, depending on
whether the action to be performed is reading the user-space memory area or writing
it. The <font class="fixd">addr</font> argument holds a user-space address, and <font class="fixd">size</font> is a byte count. If <i>ioctl</i>,
for instance, needs to read an integer value from user space, <font class="fixd">size</font> is <font class="fixd">sizeof(int).</font> If
you need to both read and write at the given address, use <font class="fixd">VERIFY_WRITE</font>, since it is a
superset of <font class="fixd">VERIFY_READ</font>.<br>
<br>
Unlike most kernel functions, <i>access_ok </i>returns a boolean value: <font class="fixd">1</font> for success (access
is OK) and <font class="fixd">0</font> for failure (access is not OK). If it returns false, the driver should usually
return <font class="fixd">-EFAULT</font> to the caller.<br>
<br>
There are a couple of interesting things to note about <i>access_ok</i>. First, it does not do
the complete job of verifying memory access; it only checks to see that the memory
reference is in a region of memory that the process might reasonably have access to.
In particular, <i>access_ok </i>ensures that the address does not point to kernel-space memory.
Second, most driver code need not actually call <i>access_ok</i>. The memory-access
routines described later take care of that for you. Nonetheless, we demonstrate its
use so that you can see how it is done.<br>
<br>
The <i>scull </i>source exploits the bitfields in the <i>ioctl </i>number to check the arguments
before the <font class="fixd">switch:</font><br>
<pre>
int err = 0, tmp;
int retval = 0;

/*
 * extract the type and number bitfields, and don't decode
 * wrong cmds: return ENOTTY (inappropriate ioctl) before access_ok( )
 */
 if (_IOC_TYPE(cmd) != SCULL_IOC_MAGIC) return -ENOTTY;
 if (_IOC_NR(cmd) &gt; SCULL_IOC_MAXNR) return -ENOTTY;

/*
 * the direction is a bitmask, and VERIFY_WRITE catches R/W
 * transfers. `Type' is user-oriented, while
</pre>
<A name="143"></a><font color="blue">PAGE 143</font>
<pre>
 * access_ok is kernel-oriented, so the concept of &quot;read&quot; and
 * &quot;write&quot; is reversed
 */
if (_IOC_DIR(cmd) &amp; _IOC_READ)
    err = !access_ok(VERIFY_WRITE, (void __user *)arg, _IOC_SIZE(cmd));
else if (_IOC_DIR(cmd) &amp; _IOC_WRITE)
    err =  !access_ok(VERIFY_READ, (void __user *)arg, _IOC_SIZE(cmd));
if (err) return -EFAULT;
</pre>
After calling <i>access_ok</i>, the driver can safely perform the actual transfer. In addition
to the <i>copy_from_user </i>and <i>copy_to_user </i>functions, the programmer can exploit a set
of functions that are optimized for the most used data sizes (one, two, four, and eight
bytes). These functions are described in the following list and are defined in <i>&lt;asm/uaccess.h&gt;</i>:<br>
<br>
<font class="fixd">put_user(datum, ptr)<br>
__put_user(datum, ptr)</font><br>
<div class="bq">
These macros write the datum to user space; they are relatively fast and should be
called instead of <i>copy_to_user </i>whenever single values are being transferred. The
macros have been written to allow the passing of any type of pointer to <i>put_user</i>,
as long as it is a user-space address. The size of the data transfer depends on the
type of the <font class="fixd">ptr</font> argument and is determined at compile time using the <font class="fixd">sizeof</font> and
<font class="fixd">typeof</font> compiler builtins. As a result, if <font class="fixd">ptr</font> is a char pointer, one byte is transferred,
and so on for two, four, and possibly eight bytes.<br>
<br>
<i>put_user </i>checks to ensure that the process is able to write to the given memory
address. It returns <font class="fixd">0</font> on success, and <font class="fixd">-EFAULT</font> on error. <i>__put_user </i>performs less
checking (it does not call <i>access_ok</i>), but can still fail if the memory pointed to is
not writable by the user. Thus, <i>__put_user </i>should only be used if the memory
region has already been verified with <i>access_ok</i>.<br>
<br>
As a general rule, you call <i>__put_user </i>to save a few cycles when you are implementing
a <i>read </i>method, or when you copy several items and, thus, call <i>access_ok
</i>just once before the first data transfer, as shown above for <i>ioctl</i>.</div>
<br>
<font class="fixd">get_user(local, ptr)<br>
__get_user(local, ptr)</font><br>
<div class="bq">
These macros are used to retrieve a single datum from user space. They behave
like <i>put_user </i>and <i>__put_user</i>, but transfer data in the opposite direction. The
value retrieved is stored in the local variable <font class="fixd">local;</font> the return value indicates
whether the operation succeeded. Again, <i>__get_user </i>should only be used if the
address has already been verified with <i>access_ok</i>.</div>
<br>
If an attempt is made to use one of the listed functions to transfer a value that does
not fit one of the specific sizes, the result is usually a strange message from the compiler,
such as "conversion to non-scalar type requested." In such cases, <i>copy_to_user
</i>or <i>copy_from_user</i> must be used.<br>
<br>
<A name="144"></a><font color="blue">PAGE 144</font><br>
<br>
<a name="CapabilitiesAndRestrictedOperations"></a><font color="red"><b>Capabilities and Restricted Operations</b></font><br>
<br>
Access to a device is controlled by the permissions on the device file(s), and the driver
is not normally involved in permissions checking. There are situations, however,
where any user is granted read/write permission on the device, but some control operations
should still be denied. For example, not all users of a tape drive should be able
to set its default block size, and a user who has been granted read/write access to a
disk device should probably still be denied the ability to format it. In cases like these,
the driver must perform additional checks to be sure that the user is capable of performing
the requested operation.<br>
<br>
Unix systems have traditionally restricted privileged operations to the superuser
account. This meant that privilege was an all-or-nothing thing--the superuser can do
absolutely anything, but all other users are highly restricted. The Linux kernel provides
a more flexible system called <i>capabilities</i>. A capability-based system leaves the
all-or-nothing mode behind and breaks down privileged operations into separate
subgroups. In this way, a particular user (or program) can be empowered to perform
a specific privileged operation without giving away the ability to perform other, unrelated
operations. The kernel uses capabilities exclusively for permissions management
and exports two system calls <i>capget </i>and <i>capset</i>, to allow them to be managed
from user space.<br>
<br>
The full set of capabilities can be found in <i>&lt;linux/capability.h&gt;</i>. These are the only
capabilities known to the system; it is not possible for driver authors or system administrators
to define new ones without modifying the kernel source. A subset of those
capabilities that might be of interest to device driver writers includes the following:<br>
<br>
<font class="fixd">CAP_DAC_OVERRIDE</font><br>
<div class="bq">
The ability to override access restrictions (data access control, or DAC) on files
and directories.</div>
<br>
<font class="fixd">CAP_NET_ADMIN</font></div>
<div class="bq">
The ability to perform network administration tasks, including those that affect
network interfaces.</div>
<br>
<font class="fixd">CAP_SYS_MODULE</font></div>
<div class="bq">
The ability to load or remove kernel modules.</div>
<br>
<font class="fixd">CAP_SYS_RAWIO</font></div>
<div class="bq">
The ability to perform "raw" I/O operations. Examples include accessing device
ports or communicating directly with USB devices.</div>
<br>
<font class="fixd">CAP_SYS_ADMIN</font></div>
<div class="bq">
A catch-all capability that provides access to many system administration operations.</div>
<br>
<font class="fixd">CAP_SYS_TTY_CONFIG</font><br>
<div class="bq">
The ability to perform tty configuration tasks.</div>
<br>
<A name="145"></a><font color="blue">PAGE 145</font><br>
<br>
Before performing a privileged operation, a device driver should check that the calling
process has the appropriate capability; failure to do so could result user processes
performing unauthorized operations with bad results on system stability or
security. Capability checks are performed with the <i>capable </i>function (defined in
<i>&lt;linux/sched.h&gt;</i>):<br>
<pre>
 int capable(int capability);
</pre>
In the <i>scull </i>sample driver, any user is allowed to query the quantum and quantum set
sizes. Only privileged users, however, may change those values, since inappropriate
values could badly affect system performance. When needed, the <i>scull </i>implementation
of <i>ioctl</i> checks a user's privilege level as follows:<br>
<pre>
 if (! capable (CAP_SYS_ADMIN))
        return -EPERM;
</pre>
In the absence of a more specific capability for this task, <font class="fixd">CAP_SYS_ADMIN</font> was chosen
for this test.<br>
<br>
<a name="TheImplementationOfTheIoctlCommands"></a><font color="red"><b>The Implementation of the ioctl Commands</b></font><br>
<br>
The <i>scull </i>implementation of <i>ioctl </i>only transfers the configurable parameters of the
device and turns out to be as easy as the following:<br>
<pre>
switch(cmd) {

  case SCULL_IOCRESET:
    <font class="fixd">scull_quantum</font> = SCULL_QUANTUM;
    <font class="fixd">scull_qset</font> = SCULL_QSET;
    break;

  case SCULL_IOCSQUANTUM: /* Set: arg points to the value */
    if (! capable (CAP_SYS_ADMIN))
        return -EPERM;
    retval = __get_user(scull_quantum, (int __user *)arg);
    break;

  case SCULL_IOCTQUANTUM: /* Tell: arg is the value */
    if (! capable (CAP_SYS_ADMIN))
        return -EPERM;
    scull_quantum = arg;
    break;

  case SCULL_IOCGQUANTUM: /* Get: arg is pointer to result */
    retval = __put_user(scull_quantum, (int __user *)arg);
    break;

  case SCULL_IOCQQUANTUM: /* Query: return it (it's positive) */
    return scull_quantum;

  case SCULL_IOCXQUANTUM: /* eXchange: use arg as pointer */
    if (! capable (CAP_SYS_ADMIN))
</pre>
<A name="146"></a><font color="blue">PAGE 146</font>
<pre>
        return -EPERM;
    tmp = scull_quantum;
    retval = __get_user(scull_quantum, (int __user *)arg);
    if (retval = = 0)
        retval = __put_user(tmp, (int __user *)arg);
    break;

  case SCULL_IOCHQUANTUM: /* sHift: like Tell + Query */
    if (! capable (CAP_SYS_ADMIN))
        return -EPERM;
    tmp = scull_quantum;
    scull_quantum = arg;
    return tmp;

  default:  /* redundant, as cmd was checked against MAXNR */
    return -ENOTTY;
}
return retval;
</pre>
<i>scull </i>also includes six entries that act on <font class="fixd">scull_qset</font>. These entries are identical to the
ones for <font class="fixd">scull_quantum</font> and are not worth showing in print.<br>
<br>
The six ways to pass and receive arguments look like the following from the caller's
point of view (i.e., from user space):<br>
<pre>
int quantum;

ioctl(fd,SCULL_IOCSQUANTUM, &amp;quantum);          /* Set by pointer */
ioctl(fd,SCULL_IOCTQUANTUM, quantum);           /* Set by value */

ioctl(fd,SCULL_IOCGQUANTUM, &amp;quantum);          /* Get by pointer */
quantum = ioctl(fd,SCULL_IOCQQUANTUM);          /* Get by return value */

ioctl(fd,SCULL_IOCXQUANTUM, &amp;quantum);          /* Exchange by pointer */
quantum = ioctl(fd,SCULL_IOCHQUANTUM, quantum); /* Exchange by value */
</pre>
Of course, a normal driver would not implement such a mix of calling modes. We
have done so here only to demonstrate the different ways in which things could be
done. Normally, however, data exchanges would be consistently performed, either
through pointers or by value, and mixing of the two techniques would be avoided.<br>
<br>
<a name="DeviceControlWithoutIoctl"></a><font color="red"><b>Device Control Without ioctl</b></font><br>
<br>
Sometimes controlling the device is better accomplished by writing control
sequences to the device itself. For example, this technique is used in the console
driver, where so-called escape sequences are used to move the cursor, change the
default color, or perform other configuration tasks. The benefit of implementing
device control this way is that the user can control the device just by writing data,
without needing to use (or sometimes write) programs built just for configuring the
device. When devices can be controlled in this manner, the program issuing commands
often need not even be running on the same system as the device it is controlling.<br>
<br>
<A name="147"></a><font color="blue">PAGE 147</font><br>
<br>
For example, the <i>setterm </i>program acts on the console (or another terminal) configuration
by printing escape sequences. The controlling program can live on a different
computer from the controlled device, because a simple redirection of the data stream
does the configuration job. This is what happens every time you run a remote tty session:
escape sequences are printed remotely but affect the local tty; the technique is
not restricted to ttys, though.<br>
<br>
The drawback of controlling by printing is that it adds policy constraints to the
device; for example, it is viable only if you are sure that the control sequence can't
appear in the data being written to the device during normal operation. This is only
partly true for ttys. Although a text display is meant to display only ASCII characters,
sometimes control characters can slip through in the data being written and
can, therefore, affect the console setup. This can happen, for example, when you <i>cat
</i>a binary file to the screen; the resulting mess can contain anything, and you often
end up with the wrong font on your console.<br>
<br>
Controlling by write <i>is </i>definitely the way to go for those devices that don't transfer
data but just respond to commands, such as robotic devices.<br>
<br>
For instance, a driver written for fun by one of your authors moves a camera on two
axes. In this driver, the "device" is simply a pair of old stepper motors, which can't
really be read from or written to. The concept of "sending a data stream" to a stepper
motor makes little or no sense. In this case, the driver interprets what is being
written as ASCII commands and converts the requests to sequences of impulses that
manipulate the stepper motors. The idea is similar, somewhat, to the AT commands
you send to the modem in order to set up communication, the main difference being
that the serial port used to communicate with the modem must transfer real data as
well. The advantage of direct device control is that you can use <i>cat </i>to move the camera
without writing and compiling special code to issue the <i>ioctl</i> calls.<br>
<br>
When writing command-oriented drivers, there's no reason to implement the <i>ioctl
</i>method. An additional command in the interpreter is easier to implement and use.<br>
<br>
Sometimes, though, you might choose to act the other way around: instead of turning
the <i>write </i>method into an interpreter and avoiding <i>ioctl</i>, you might choose to
avoid <i>write </i>altogether and use <i>ioctl </i>commands exclusively, while accompanying the
driver with a specific command-line tool to send those commands to the driver. This
approach moves the complexity from kernel space to user space, where it may be
easier to deal with, and helps keep the driver small while denying use of simple <i>cat </i>or
<i>echo</i> commands.<br>
<br>
<a name="BlockingIO"></a><font color="red"><b>Blocking I/O</b></font><br>
<br>
Back in Chapter 3, we looked at how to implement the <i>read </i>and <i>write </i>driver methods.
At that point, however, we skipped over one important issue: how does a driver
respond if it cannot immediately satisfy the request? A call to <i>read </i>may come when<br>
<br>
<A name="148"></a><font color="blue">PAGE 148</font><br>
<br>
no data is available, but more is expected in the future. Or a process could attempt to
<i>write</i>, but your device is not ready to accept the data, because your output buffer is
full. The calling process usually does not care about such issues; the programmer
simply expects to call <i>read </i>or <i>write </i>and have the call return after the necessary work
has been done. So, in such cases, your driver should (by default) <i>block </i>the process,
putting it to sleep until the request can proceed.<br>
<br>
This section shows how to put a process to sleep and wake it up again later on. As
usual, however, we have to explain a few concepts first.<br>
<br>
<a name="IntroductionToSleeping"></a><font color="red"><b>Introduction to Sleeping</b></font><br>
<br>
What does it mean for a process to "sleep"? When a process is put to sleep, it is
marked as being in a special state and removed from the scheduler's run queue. Until
something comes along to change that state, the process will not be scheduled on
any CPU and, therefore, will not run. A sleeping process has been shunted off to the
side of the system, waiting for some future event to happen.<br>
<br>
Causing a process to sleep is an easy thing for a Linux device driver to do. There are,
however, a couple of rules that you must keep in mind to be able to code sleeps in a
safe manner.<br>
<br>
The first of these rules is: never sleep when you are running in an atomic context.
We got an introduction to atomic operation in Chapter 5; an atomic context is simply
a state where multiple steps must be performed without any sort of concurrent
access. What that means, with regard to sleeping, is that your driver cannot sleep
while holding a spinlock, seqlock, or RCU lock. You also cannot sleep if you have
disabled interrupts. It <i>is </i>legal to sleep while holding a semaphore, but you should
look very carefully at any code that does so. If code sleeps while holding a semaphore,
any other thread waiting for that semaphore also sleeps. So any sleeps that
happen while holding semaphores should be short, and you should convince yourself
that, by holding the semaphore, you are not blocking the process that will eventually
wake you up.<br>
<br>
Another thing to remember with sleeping is that, when you wake up, you never
know how long your process may have been out of the CPU or what may have
changed in the mean time. You also do not usually know if another process may
have been sleeping for the same event; that process may wake before you and grab
whatever resource you were waiting for. The end result is that you can make no
assumptions about the state of the system after you wake up, and you must check to
ensure that the condition you were waiting for is, indeed, true.<br>
<br>
One other relevant point, of course, is that your process cannot sleep unless it is
assured that somebody else, somewhere, will wake it up. The code doing the awakening
must also be able to find your process to be able to do its job. Making sure that
a wakeup happens is a matter of thinking through your code and knowing, for each<br>
<br>
<A name="149"></a><font color="blue">PAGE 149</font><br>
<br>
sleep, exactly what series of events will bring that sleep to an end. Making it possible
for your sleeping process to be found is, instead, accomplished through a data structure
called a <i>wait queue</i>. A wait queue is just what it sounds like: a list of processes,
all waiting for a specific event.<br>
<br>
In Linux, a wait queue is managed by means of a "wait queue head," a structure of
type <font class="fixd">wait_queue_head_t,</font> which is defined in <i>&lt;linux/wait.h&gt;</i>. A wait queue head can
be defined and initialized statically with:<br>
<pre>
DECLARE_WAIT_QUEUE_HEAD(name);
</pre>
or dynamically as follows:<br>
<pre>
wait_queue_head_t my_queue;
init_waitqueue_head(&amp;my_queue);
</pre>
We will return to the structure of wait queues shortly, but we know enough now to
take a first look at sleeping and waking up.<br>
<br>
<a name="SimpleSleeping"></a><font color="red"><b>Simple Sleeping</b></font><br>
<br>
When a process sleeps, it does so in expectation that some condition will become
true in the future. As we noted before, any process that sleeps must check to be sure
that the condition it was waiting for is really true when it wakes up again. The simplest
way of sleeping in the Linux kernel is a macro called <i>wait_event </i>(with a few
variants); it combines handling the details of sleeping with a check on the condition
a process is waiting for. The forms of <i>wait_event</i> are:<br>
<pre>
wait_event(queue, condition)
wait_event_interruptible(queue, condition)
wait_event_timeout(queue, condition, timeout)
wait_event_interruptible_timeout(queue, condition, timeout)
</pre>
In all of the above forms, queue is the wait queue head to use. Notice that it is passed
"by value." The <font class="fixd">condition</font> is an arbitrary boolean expression that is evaluated by the
macro before and after sleeping; until <font class="fixd">condition</font> evaluates to a true value, the process
continues to sleep. Note that <font class="fixd">condition</font> may be evaluated an arbitrary number of
times, so it should not have any side effects.<br>
<br>
If you use <i>wait_event</i>, your process is put into an uninterruptible sleep which, as we
have mentioned before, is usually not what you want. The preferred alternative is
<i>wait_event_interruptible</i>, which can be interrupted by signals. This version returns an
integer value that you should check; a nonzero value means your sleep was interrupted
by some sort of signal, and your driver should probably return <font class="fixd">-ERESTARTSYS</font>.
The final versions (<i>wait_event_timeout </i>and <i>wait_event_interruptible_timeout</i>) wait for
a limited time; after that time period (expressed in jiffies, which we will discuss in
Chapter 7) expires, the macros return with a value of 0 regardless of how <font class="fixd">condition</font>
evaluates.<br>
<br>
<A name="150"></a><font color="blue">PAGE 150</font><br>
<br>
The other half of the picture, of course, is waking up. Some other thread of execution
(a different process, or an interrupt handler, perhaps) has to perform the
wakeup for you, since your process is, of course, asleep. The basic function that
wakes up sleeping processes is called <i>wake_up</i>. It comes in several forms (but we
look at only two of them now):<br>
<pre>
void wake_up(wait_queue_head_t *queue);
void wake_up_interruptible(wait_queue_head_t *queue);
</pre>
<i>wake_up </i>wakes up all processes waiting on the given queue (though the situation is a
little more complicated than that, as we will see later). The other form (<i>wake_up_
interruptible</i>) restricts itself to processes performing an interruptible sleep. In general,
the two are indistinguishable (if you are using interruptible sleeps); in practice,
the convention is to use <i>wake_up </i>if you are using <i>wait_event </i>and <i>wake_up_interruptible</i>
if you use <i>wait_event_interruptible</i>.<br>
<br>
We now know enough to look at a simple example of sleeping and waking up. In the
sample source, you can find a module called <i>sleepy</i>. It implements a device with simple
behavior: any process that attempts to read from the device is put to sleep.
Whenever a process writes to the device, all sleeping processes are awakened. This
behavior is implemented with the following <i>read</i> and <i>write</i> methods:<br>
<pre>
static DECLARE_WAIT_QUEUE_HEAD(wq);
static int flag = 0;

ssize_t sleepy_read (struct file *filp, char __user *buf, size_t count, loff_t *pos)
{
    printk(KERN_DEBUG &quot;process %i (%s) going to sleep\n&quot;,
            current-&gt;pid, current-&gt;comm);
    wait_event_interruptible(wq, flag != 0);
    flag = 0;
    printk(KERN_DEBUG &quot;awoken %i (%s)\n&quot;, current-&gt;pid, current-&gt;comm);
    return 0; /* EOF */
}

ssize_t sleepy_write (struct file *filp, const char __user *buf, size_t count,
        loff_t *pos)
{
    printk(KERN_DEBUG &quot;process %i (%s) awakening the readers...\n&quot;,
            current-&gt;pid, current-&gt;comm);
    flag = 1;
    wake_up_interruptible(&amp;wq);
    return count; /* succeed, to avoid retrial */
}
</pre>
Note the use of the <font class="fixd">flag</font> variable in this example. Since <i>wait_event_interruptible
</i>checks for a condition that must become true, we use <font class="fixd">flag</font> to create that condition.<br>
<br>
It is interesting to consider what happens if <i>two </i>processes are waiting when <i>sleepy_write
</i>is called. Since <i>sleepy_read </i>resets <font class="fixd">flag</font> to 0 once it wakes up, you might think that the
second process to wake up would immediately go back to sleep. On a single-processor<br>
<br>
<A name="151"></a><font color="blue">PAGE 151</font><br>
<br>
system, that is almost always what happens. But it is important to understand why you
cannot count on that behavior. The <i>wake_up_interruptible </i>call <i>will </i>cause both sleeping
processes to wake up. It is entirely possible that they will both note that <font class="fixd">flag</font> is nonzero
before either has the opportunity to reset it. For this trivial module, this race condition is
unimportant. In a real driver, this kind of race can create rare crashes that are difficult to
diagnose. If correct operation required that exactly one process see the nonzero value, it
would have to be tested in an atomic manner. We will see how a real driver handles
such situations shortly. But first we have to cover one other topic.<br>
<br>
<a name="BlockingAndNonblockingOperations"></a><font color="red"><b>Blocking and Nonblocking Operations</b></font><br>
<br>
One last point we need to touch on before we look at the implementation of full-featured
<i>read </i>and <i>write </i>methods is deciding when to put a process to sleep. There are
times when implementing proper Unix semantics requires that an operation not
block, even if it cannot be completely carried out.<br>
<br>
There are also times when the calling process informs you that it does not <i>want </i>to
block, whether or not its I/O can make any progress at all. Explicitly nonblocking I/O
is indicated by the <font class="fixd">O_NONBLOCK</font> flag in <font class="fixd">filp-&gt;f_flags</font>. The flag is defined in <i>&lt;linux/
fcntl.h&gt;</i>, which is automatically included by <i>&lt;linux/fs.h&gt;</i>. The flag gets its name from
"open-nonblock," because it can be specified at open time (and originally could be
specified only there). If you browse the source code, you find some references to an
<font class="fixd">O_NDELAY</font> flag; this is an alternate name for <font class="fixd">O_NONBLOCK,</font> accepted for compatibility
with System V code. The flag is cleared by default, because the normal behavior of a
process waiting for data is just to sleep. In the case of a blocking operation, which is
the default, the following behavior should be implemented in order to adhere to the
standard semantics:<br>
<ul>
<li> If a process calls <i>read </i>but no data is (yet) available, the process must block. The
process is awakened as soon as some data arrives, and that data is returned to
the caller, even if there is less than the amount requested in the count argument
to the method.
<li> If a process calls <i>write </i>and there is no space in the buffer, the process must
block, and it must be on a different wait queue from the one used for reading.
When some data has been written to the hardware device, and space becomes
free in the output buffer, the process is awakened and the <i>write </i>call succeeds,
although the data may be only partially written if there isn't room in the buffer
for the count bytes that were requested.
</ul>
Both these statements assume that there are both input and output buffers; in practice,
almost every device driver has them. The input buffer is required to avoid losing
data that arrives when nobody is reading. In contrast, data can't be lost on <i>write</i>,
because if the system call doesn't accept data bytes, they remain in the user-space
buffer. Even so, the output buffer is almost always useful for squeezing more performance
out of the hardware.<br>
<br>
<A name="152"></a><font color="blue">PAGE 152</font><br>
<br>
The performance gain of implementing an output buffer in the driver results from
the reduced number of context switches and user-level/kernel-level transitions.
Without an output buffer (assuming a slow device), only one or a few characters are
accepted by each system call, and while one process sleeps in <i>write</i>, another process
runs (that's one context switch). When the first process is awakened, it resumes
(another context switch), <i>write </i>returns (kernel/user transition), and the process reiterates
the system call to write more data (user/kernel transition); the call blocks and
the loop continues. The addition of an output buffer allows the driver to accept
larger chunks of data with each <i>write </i>call, with a corresponding increase in performance.
If that buffer is big enough, the <i>write </i>call succeeds on the first attempt--the
buffered data will be pushed out to the device later--without control needing to go
back to user space for a second or third <i>write </i>call. The choice of a suitable size for
the output buffer is clearly device-specific.<br>
<br>
We don't use an input buffer in <i>scull</i>, because data is already available when <i>read </i>is
issued. Similarly, no output buffer is used, because data is simply copied to the memory
area associated with the device. Essentially, the device <i>is </i>a buffer, so the implementation
of additional buffers would be superfluous. We'll see the use of buffers in
Chapter 10.<br>
<br>
The behavior of <i>read </i>and <i>write </i>is different if <font class="fixd">O_NONBLOCK</font> is specified. In this case, the
calls simply return <font class="fixd">-EAGAIN</font> ("try it again") if a process calls <i>read </i>when no data is
available or if it calls <i>write</i> when there's no space in the buffer.<br>
<br>
As you might expect, nonblocking operations return immediately, allowing the
application to poll for data. Applications must be careful when using the <i>stdio </i>functions
while dealing with nonblocking files, because they can easily mistake a nonblocking
return for <font class="fixd">EOF</font>. They always have to check <font class="fixd">errno</font>.<br>
<br>
Naturally, <font class="fixd">O_NONBLOCK</font> is meaningful in the <i>open </i>method also. This happens when the
call can actually block for a long time; for example, when opening (for read access) a
FIFO that has no writers (yet), or accessing a disk file with a pending lock. Usually,
opening a device either succeeds or fails, without the need to wait for external
events. Sometimes, however, opening the device requires a long initialization, and
you may choose to support <font class="fixd">O_NONBLOCK</font> in your <i>open </i>method by returning immediately
with <font class="fixd">-EAGAIN</font> if the flag is set, after starting the device initialization process. The
driver may also implement a blocking <i>open </i>to support access policies in a way similar
to file locks. We'll see one such implementation in the section "Blocking open as
an Alternative to EBUSY" later in this chapter.<br>
<br>
Some drivers may also implement special semantics for <font class="fixd">O_NONBLOCK</font>; for example, an
open of a tape device usually blocks until a tape has been inserted. If the tape drive is
opened with <font class="fixd">O_NONBLOCK</font>, the open succeeds immediately regardless of whether the
media is present or not.<br>
<br>
Only the <i>read</i>, <i>write</i>, and <i>open</i> file operations are affected by the nonblocking flag.<br>
<br>
<A name="153"></a><font color="blue">PAGE 153</font><br>
<br>
<a name="ABlockingIOExample"></a><font color="red"><b>A Blocking I/O Example</b></font><br>
<br>
Finally, we get to an example of a real driver method that implements blocking I/O.
This example is taken from the <i>scullpipe </i>driver; it is a special form of <i>scull </i>that implements
a pipe-like device.<br>
<br>
Within a driver, a process blocked in a <i>read </i>call is awakened when data arrives; usually
the hardware issues an interrupt to signal such an event, and the driver awakens
waiting processes as part of handling the interrupt. The <i>scullpipe </i>driver works differently,
so that it can be run without requiring any particular hardware or an interrupt
handler. We chose to use another process to generate the data and wake the reading
process; similarly, reading processes are used to wake writer processes that are waiting
for buffer space to become available.<br>
<br>
The device driver uses a device structure that contains two wait queues and a buffer.
The size of the buffer is configurable in the usual ways (at compile time, load time, or
runtime).<br>
<pre>
struct scull_pipe {
        wait_queue_head_t inq, outq;       /* read and write queues */
        char *buffer, *end;                /* begin of buf, end of buf */
        int buffersize;                    /* used in pointer arithmetic */
        char *rp, *wp;                     /* where to read, where to write */
        int nreaders, nwriters;            /* number of openings for r/w */
        struct fasync_struct *async_queue; /* asynchronous readers */
        struct semaphore sem;              /* mutual exclusion semaphore */
        struct cdev cdev;                  /* Char device structure */
};
</pre>
The <i>read </i>implementation manages both blocking and nonblocking input and looks
like this:<br>
<pre>
static ssize_t scull_p_read (struct file *filp, char __user *buf, size_t count,
                loff_t *f_pos)
{
    struct scull_pipe *dev = filp-&gt;private_data;

    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;

    while (dev-&gt;rp = = dev-&gt;wp) { /* nothing to read */
        up(&amp;dev-&gt;sem); /* release the lock */
        if (filp-&gt;f_flags &amp; O_NONBLOCK)
            return -EAGAIN;
        PDEBUG(&quot;\&quot;%s\&quot; reading: going to sleep\n&quot;, current-&gt;comm);
        if (wait_event_interruptible(dev-&gt;inq, (dev-&gt;rp != dev-&gt;wp)))
            return -ERESTARTSYS; /* signal: tell the fs layer to handle it */
        /* otherwise loop, but first reacquire the lock */
        if (down_interruptible(&amp;dev-&gt;sem))
            return -ERESTARTSYS;
    }
    /* ok, data is there, return something */
</pre>
<A name="154"></a><font color="blue">PAGE 154</font><br>
<pre>
    if (dev-&gt;wp &gt; dev-&gt;rp)
        count = min(count, (size_t)(dev-&gt;wp - dev-&gt;rp));
    else /* the write pointer has wrapped, return data up to dev-&gt;end */
        count = min(count, (size_t)(dev-&gt;end - dev-&gt;rp));
    if (copy_to_user(buf, dev-&gt;rp, count)) {
        up (&amp;dev-&gt;sem);
        return -EFAULT;
    }
    dev-&gt;rp += count;
    if (dev-&gt;rp = = dev-&gt;end)
        dev-&gt;rp = dev-&gt;buffer; /* wrapped */
    up (&amp;dev-&gt;sem);

    /* finally, awake any writers and return */
    wake_up_interruptible(&amp;dev-&gt;outq);
    PDEBUG(&quot;\&quot;%s\&quot; did read %li bytes\n&quot;,current-&gt;comm, (long)count);
    return count;
}
</pre>
As you can see, we left some <font class="fixd">PDEBUG</font> statements in the code. When you compile the
driver, you can enable messaging to make it easier to follow the interaction of different
processes.<br>
<br>
Let us look carefully at how <i>scull_p_read </i>handles waiting for data. The <font class="fixd">while</font> loop
tests the buffer with the device semaphore held. If there is data there, we know we
can return it to the user immediately without sleeping, so the entire body of the loop
is skipped. If, instead, the buffer is empty, we must sleep. Before we can do that,
however, we must drop the device semaphore; if we were to sleep holding it, no
writer would ever have the opportunity to wake us up. Once the semaphore has been
dropped, we make a quick check to see if the user has requested non-blocking I/O,
and return if so. Otherwise, it is time to call <i>wait_event_interruptible</i>.<br>
<br>
Once we get past that call, something has woken us up, but we do not know what.
One possibility is that the process received a signal. The if statement that contains
the <i>wait_event_interruptible </i>call checks for this case. This statement ensures the
proper and expected reaction to signals, which could have been responsible for waking
up the process (since we were in an interruptible sleep). If a signal has arrived
and it has not been blocked by the process, the proper behavior is to let upper layers
of the kernel handle the event. To this end, the driver returns <font class="fixd">-ERESTARTSYS</font> to the
caller; this value is used internally by the virtual filesystem (VFS) layer, which either
restarts the system call or returns <font class="fixd">-EINTR</font> to user space. We use the same type of
check to deal with signal handling for every <i>read</i> and <i>write</i> implementation.<br>
<br>
However, even in the absence of a signal, we do not yet know for sure that there is
data there for the taking. Somebody else could have been waiting for data as well,
and they might win the race and get the data first. So we must acquire the device
semaphore again; only then can we test the read buffer again (in the <font class="fixd">while</font> loop) and
truly know that we can return the data in the buffer to the user. The end result of all<br>
<br>
<A name="155"></a><font color="blue">PAGE 155</font><br>
<br>
this code is that, when we exit from the <font class="fixd">while</font> loop, we know that the semaphore is
held and the buffer contains data that we can use.<br>
<br>
Just for completeness, let us note that <i>scull_p_read </i>can sleep in another spot after we
take the device semaphore: the call to <i>copy_to_user</i>. If <i>scull </i>sleeps while copying data
between kernel and user space, it sleeps with the device semaphore held. Holding the
semaphore in this case is justified since it does not deadlock the system (we know
that the kernel will perform the copy to user space and wakes us up without trying to
lock the same semaphore in the process), and since it is important that the device
memory array not change while the driver sleeps.<br>
<br>
<a name="AdvancedSleeping"></a><font color="red"><b>Advanced Sleeping</b></font><br>
<br>
Many drivers are able to meet their sleeping requirements with the functions we have
covered so far. There are situations, however, that call for a deeper understanding of
how the Linux wait queue mechanism works. Complex locking or performance
requirements can force a driver to use lower-level functions to effect a sleep. In this
section, we look at the lower level to get an understanding of what is really going on
when a process sleeps.<br>
<br>
<a name="HowAProcessSleeps"></a><font color="red"><b>How a process sleeps</b></font><br>
<br>
If you look inside <i>&lt;linux/wait.h&gt;</i>, you see that the data structure behind 
the <font class="fixd">wait_queue_head_t</font> type is quite simple; it consists of a spinlock and a linked list. What goes
on to that list is a wait queue entry, which is declared with the type <font class="fixd">wait_queue_t</font>. This
structure contains information about the sleeping process and exactly how it would
like to be woken up.<br>
<br>
The first step in putting a process to sleep is usually the allocation and initialization
of a <font class="fixd">wait_queue_t</font> structure, followed by its addition to the proper wait queue. When
everything is in place, whoever is charged with doing the wakeup will be able to find
the right processes.<br>
<br>
The next step is to set the state of the process to mark it as being asleep. There are several
task states defined in <i>&lt;linux/sched.h&gt;</i>. <font class="fixd">TASK_RUNNING</font> means that the process is able
to run, although it is not necessarily executing in the processor at any specific moment.
There are two states that indicate that a process is asleep: <font class="fixd">TASK_INTERRUPTIBLE</font> and
<font class="fixd">TASK_UNINTERRUPTIBLE;</font> they correspond, of course, to the two types of sleep. The other
states are not normally of concern to driver writers.<br>
<br>
In the 2.6 kernel, it is not normally necessary for driver code to manipulate the process
state directly. However, should you need to do so, the call to use is:<br>
<pre>
void set_current_state(int new_state);
</pre>
In older code, you often see something like this instead:<br>
<pre>
current-&gt;state = TASK_INTERRUPTIBLE;
</pre>
<A name="156"></a><font color="blue">PAGE 156</font><br>
<br>
But changing current directly in that manner is discouraged; such code breaks easily
when data structures change. The above code does show, however, that changing the
current state of a process does not, by itself, put it to sleep. By changing the current
state, you have changed the way the scheduler treats a process, but you have not yet
yielded the processor.<br>
<br>
Giving up the processor is the final step, but there is one thing to do first: you must
check the condition you are sleeping for first. Failure to do this check invites a race
condition; what happens if the condition came true while you were engaged in the
above process, and some other thread has just tried to wake you up? You could miss
the wakeup altogether and sleep longer than you had intended. Consequently, down
inside code that sleeps, you typically see something such as:<br>
<pre>
if (!condition)
    schedule( );
</pre>
By checking our condition <i>after </i>setting the process state, we are covered against all
possible sequences of events. If the condition we are waiting for had come about
before setting the process state, we notice in this check and not actually sleep. If the
wakeup happens thereafter, the process is made runnable whether or not we have
actually gone to sleep yet.<br>
<br>
The call to <i>schedule </i>is, of course, the way to invoke the scheduler and yield the CPU.
Whenever you call this function, you are telling the kernel to consider which process
should be running and to switch control to that process if necessary. So you never
know how long it will be before <i>schedule</i> returns to your code.<br>
<br>
After the <font class="fixd">if test</font> and possible call to (and return from) <i>schedule</i>, there is some
cleanup to be done. Since the code no longer intends to sleep, it must ensure that the
task state is reset to <font class="fixd">TASK_RUNNING</font>. If the code just returned from <i>schedule</i>, this step is
unnecessary; that function does not return until the process is in a runnable state.
But if the call to <i>schedule </i>was skipped because it was no longer necessary to sleep,
the process state will be incorrect. It is also necessary to remove the process from the
wait queue, or it may be awakened more than once.<br>
<br>
<a name="ManualSleeps"></a><font color="red"><b>Manual sleeps</b></font><br>
<br>
In previous versions of the Linux kernel, nontrivial sleeps required the programmer
to handle all of the above steps manually. It was a tedious process involving a fair
amount of error-prone boilerplate code. Programmers can still code a manual sleep
in that manner if they want to; <i>&lt;linux/sched.h&gt; </i>contains all the requisite definitions,
and the kernel source abounds with examples. There is an easier way, however.<br>
<br>
The first step is the creation and initialization of a wait queue entry. That is usually
done with this macro:<br>
<pre>
DEFINE_WAIT(my_wait);
</pre>
<A name="157"></a><font color="blue">PAGE 157</font><br>
<br>
in which name is the name of the wait queue entry variable. You can also do things in
two steps:<br>
<pre>
wait_queue_t my_wait;
init_wait(&amp;my_wait);
</pre>
But it is usually easier to put a <font class="fixd">DEFINE_WAIT</font> line at the top of the loop that implements
your sleep.<br>
<br>
The next step is to add your wait queue entry to the queue, and set the process state.
Both of those tasks are handled by this function:<br>
<pre>
void prepare_to_wait(wait_queue_head_t *queue,
                     wait_queue_t *wait,
                     int state);
</pre>
Here, <font class="fixd">queue</font> and <font class="fixd">wait</font> are the wait queue head and the process entry, respectively.
<font class="fixd">state</font> is the new state for the process; it should be either <font class="fixd">TASK_INTERRUPTIBLE</font> (for
interruptible sleeps, which is usually what you want) or <font class="fixd">TASK_UNINTERRUPTIBLE</font> (for
uninterruptible sleeps).<br>
<br>
After calling <i>prepare_to_wait</i>, the process can call <i>schedule</i>--after it has checked to
be sure it still needs to wait. Once <i>schedule </i>returns, it is cleanup time. That task, too,
is handled by a special function:<br>
<pre>
void finish_wait(wait_queue_head_t *queue, wait_queue_t *wait);
</pre>
Thereafter, your code can test its state and see if it needs to wait again.<br>
<br>
We are far past due for an example. Previously we looked at the <i>read </i>method for
<i>scullpipe</i>, which uses <i>wait_event</i>. The <i>write </i>method in the same driver does its waiting
with <i>prepare_to_wait </i>and <i>finish_wait</i>, instead. Normally you would not mix
methods within a single driver in this way, but we did so in order to be able to show
both ways of handling sleeps.<br>
<br>
First, for completeness, let's look at the <i>write</i> method itself:<br>
<pre>
/* How much space is free? */
static int spacefree(struct scull_pipe *dev)
{
    if (dev-&gt;rp = = dev-&gt;wp)
        return dev-&gt;buffersize - 1;
    return ((dev-&gt;rp + dev-&gt;buffersize - dev-&gt;wp) % dev-&gt;buffersize) - 1;
}

static ssize_t scull_p_write(struct file *filp, const char __user *buf, size_t count,
                loff_t *f_pos)
{
    struct scull_pipe *dev = filp-&gt;private_data;
    int result;

    if (down_interruptible(&amp;dev-&gt;sem))
        return -ERESTARTSYS;
</pre>
<A name="158"></a><font color="blue">PAGE 158</font><br>
<pre>
    /* Make sure there's space to write */
    result = scull_getwritespace(dev, filp);
    if (result)
        return result; /* scull_getwritespace called up(&amp;dev-&gt;sem) */

    /* ok, space is there, accept something */
    count = min(count, (size_t)spacefree(dev));
    if (dev-&gt;wp &gt;= dev-&gt;rp)
        count = min(count, (size_t)(dev-&gt;end - dev-&gt;wp)); /* to end-of-buf */
    else /* the write pointer has wrapped, fill up to rp-1 */
        count = min(count, (size_t)(dev-&gt;rp - dev-&gt;wp - 1));
    PDEBUG(&quot;Going to accept %li bytes to %p from %p\n&quot;, (long)count, dev-&gt;wp, buf);
    if (copy_from_user(dev-&gt;wp, buf, count)) {
        up (&amp;dev-&gt;sem);
        return -EFAULT;
    }
    dev-&gt;wp += count;
    if (dev-&gt;wp = = dev-&gt;end)
        dev-&gt;wp = dev-&gt;buffer; /* wrapped */
    up(&amp;dev-&gt;sem);

    /* finally, awake any reader */
    wake_up_interruptible(&amp;dev-&gt;inq);  /* blocked in read( ) and select( ) */

    /* and signal asynchronous readers, explained late in chapter 5 */
    if (dev-&gt;async_queue)
        kill_fasync(&amp;dev-&gt;async_queue, SIGIO, POLL_IN);
    PDEBUG(&quot;\&quot;%s\&quot; did write %li bytes\n&quot;,current-&gt;comm, (long)count);
    return count;
}
</pre>
This code looks similar to the <i>read </i>method, except that we have pushed the code
that sleeps into a separate function called <i>scull_getwritespace</i>. Its job is to ensure that
there is space in the buffer for new data, sleeping if need be until that space comes
available. Once the space is there, <i>scull_p_write </i>can simply copy the user's data
there, adjust the pointers, and wake up any processes that may have been waiting to
read data.<br>
<br>
The code that handles the actual sleep is:<br>
<pre>
/* Wait for space for writing; caller must hold device semaphore.  On
 * error the semaphore will be released before returning. */
static int scull_getwritespace(struct scull_pipe *dev, struct file *filp)
{
    while (spacefree(dev) = = 0) { /* full */
        DEFINE_WAIT(wait);

        up(&amp;dev-&gt;sem);
        if (filp-&gt;f_flags &amp; O_NONBLOCK)
            return -EAGAIN;
</pre>
<A name="159"></a><font color="blue">PAGE 159</font><br>
<pre>
        PDEBUG(&quot;\&quot;%s\&quot; writing: going to sleep\n&quot;,current-&gt;comm);
        prepare_to_wait(&amp;dev-&gt;outq, &amp;wait, TASK_INTERRUPTIBLE);
        if (spacefree(dev) = = 0)
            schedule( );
        finish_wait(&amp;dev-&gt;outq, &amp;wait);
        if (signal_pending(current))
            return -ERESTARTSYS; /* signal: tell the fs layer to handle it */
        if (down_interruptible(&amp;dev-&gt;sem))
            return -ERESTARTSYS;
    }
    return 0;
}
</pre>
Note once again the containing <font class="fixd">while</font> loop. If space is available without sleeping, this
function simply returns. Otherwise, it must drop the device semaphore and wait.
The code uses <i><font class="fixd">DEFINE_WAIT</font> </i>to set up a wait queue entry and <i>prepare_to_wait </i>to
get ready for the actual sleep. Then comes the obligatory check on the buffer; we
must handle the case in which space becomes available in the buffer after we have
entered the <font class="fixd">while</font> loop (and dropped the semaphore) but before we put ourselves
onto the wait queue. Without that check, if the reader processes were able to completely
empty the buffer in that time, we could miss the only wakeup we would ever
get and sleep forever. Having satisfied ourselves that we must sleep, we can call
<i>schedule</i>.<br>
<br>
It is worth looking again at this case: what happens if the wakeup happens between
the test in the <font class="fixd">if</font> statement and the call to <i>schedule</i>? In that case, all is well. The
wakeup resets the process state to <font class="fixd">TASK_RUNNING</font> and <i>schedule </i>returns--although not
necessarily right away. As long as the test happens after the process has put itself on
the wait queue and changed its state, things will work.<br>
<br>
To finish up, we call <i>finish_wait</i>. The call to <i>signal_pending </i>tells us whether we were
awakened by a signal; if so, we need to return to the user and let them try again later.
Otherwise, we reacquire the semaphore, and test again for free space as usual.<br>
<br>
<a name="ExclusiveWaits"></a><font color="red"><b>Exclusive waits</b></font><br>
<br>
We have seen that when a process calls <i>wake_up </i>on a wait queue, all processes waiting
on that queue are made runnable. In many cases, that is the correct behavior. In
others, however, it is possible to know ahead of time that only one of the processes
being awakened will succeed in obtaining the desired resource, and the rest will simply
have to sleep again. Each one of those processes, however, has to obtain the processor,
contend for the resource (and any governing locks), and explicitly go back to
sleep. If the number of processes in the wait queue is large, this "thundering herd"
behavior can seriously degrade the performance of the system.<br>
<br>
<A name="160"></a><font color="blue">PAGE 160</font><br>
<br>
In response to real-world thundering herd problems, the kernel developers added an
"exclusive wait" option to the kernel. An exclusive wait acts very much like a normal
sleep, with two important differences:<br>
<ul>
<li> When a wait queue entry has the <font class="fixd">WQ_FLAG_EXCLUSIVE</font> flag set, it is added to the end 
of the wait queue. Entries without that flag are, instead, added to the beginning.
<li> When <i>wake_up </i>is called on a wait queue, it stops after waking the first process 
that has the <font class="fixd">WQ_FLAG_EXCLUSIVE</font> flag set.
</ul>
The end result is that processes performing exclusive waits are awakened one at a
time, in an orderly manner, and do not create thundering herds. The kernel still
wakes up all nonexclusive waiters every time, however.<br>
<br>
Employing exclusive waits within a driver is worth considering if two conditions are
met: you expect significant contention for a resource, and waking a single process is
sufficient to completely consume the resource when it becomes available. Exclusive
waits work well for the Apache web server, for example; when a new connection
comes in, exactly one of the (often many) Apache processes on the system should
wake up to deal with it. We did not use exclusive waits in the <i>scullpipe </i>driver, however;
it is rare to see readers contending for data (or writers for buffer space), and we
cannot know that one reader, once awakened, will consume all of the available data.<br>
<br>
Putting a process into an interruptible wait is a simple matter of calling <i>prepare_to_
wait_exclusive</i>:<br>
<pre>
void prepare_to_wait_exclusive(wait_queue_head_t *queue,
                               wait_queue_t *wait,
                               int state);
</pre>
This call, when used in place of <i>prepare_to_wait</i>, sets the "exclusive" flag in the wait
queue entry and adds the process to the end of the wait queue. Note that there is no
way to perform exclusive waits with <i>wait_event</i> and its variants.<br>
<br>
<a name="TheDetailsOfWakingUp"></a><font color="red"><b>The details of waking up</b></font><br>
<br>
The view we have presented of the wakeup process is simpler than what really happens
inside the kernel. The actual behavior that results when a process is awakened
is controlled by a function in the wait queue entry. The default wakeup function* sets
the process into a runnable state and, possibly, performs a context switch to that
process if it has a higher priority. Device drivers should never need to supply a different
wake function; should yours prove to be the exception, see <i>&lt;linux/wait.h&gt; </i>for
information on how to do it.<br>
<br>
* It has the imaginative name <i>default_wake_function</i>.<br>
<br>
<A name="161"></a><font color="blue">PAGE 161</font><br>
<br>
We have not yet seen all the variations of <i>wake_up</i>. Most driver writers never need
the others, but, for completeness, here is the full set:<br>
<br>
<font class="fixd">wake_up(wait_queue_head_t *queue);<br>
wake_up_interruptible(wait_queue_head_t *queue);</font><br>
<div class="bq">
<i>wake_up </i>awakens every process on the queue that is not in an exclusive wait,
and exactly one exclusive waiter, if it exists. <i>wake_up_interruptible </i>does the
same, with the exception that it skips over processes in an uninterruptible sleep.
These functions can, before returning, cause one or more of the processes awakened
to be scheduled (although this does not happen if they are called from an
atomic context).</div>
<br>
<font class="fixd">wake_up_nr(wait_queue_head_t *queue, int nr);<br>
wake_up_interruptible_nr(wait_queue_head_t *queue, int nr);</font><br>
<div class="bq">
These functions perform similarly to <i>wake_up</i>, except they can awaken up to <font class="fixd">nr</font>
exclusive waiters, instead of just one. Note that passing 0 is interpreted as asking
for <i>all</i> of the exclusive waiters to be awakened, rather than none of them.</div>
<br>
<font class="fixd">wake_up_all(wait_queue_head_t *queue);<br>
wake_up_interruptible_all(wait_queue_head_t *queue);</font><br>
<div class="bq">
This form of <i>wake_up </i>awakens all processes whether they are performing an
exclusive wait or not (though the interruptible form still skips processes doing
uninterruptible waits).</div>
<br>
<font class="fixd">wake_up_interruptible_sync(wait_queue_head_t *queue);</font><br>
<div class="bq">
Normally, a process that is awakened may preempt the current process and be
scheduled into the processor before <i>wake_up </i>returns. In other words, a call to
<i>wake_up </i>may not be atomic. If the process calling <i>wake_up </i>is running in an
atomic context (it holds a spinlock, for example, or is an interrupt handler), this
rescheduling does not happen. Normally, that protection is adequate. If, however,
you need to explicitly ask to not be scheduled out of the processor at this
time, you can use the "sync" variant of <i>wake_up_interruptible</i>. This function is
most often used when the caller is about to reschedule anyway, and it is more
efficient to simply finish what little work remains first.</div>
<br>
If all of the above is not entirely clear on a first reading, don't worry. Very few drivers
ever need to call anything except <i>wake_up_interruptible</i>.<br>
<br>
<a name="AncientHistorySleepon"></a><font color="red"><b>Ancient history: sleep_on</b></font><br>
<br>
If you spend any time digging through the kernel source, you will likely encounter
two functions that we have neglected to discuss so far:<br>
<pre>
void sleep_on(wait_queue_head_t *queue);
void interruptible_sleep_on(wait_queue_head_t *queue);
</pre>
As you might expect, these functions unconditionally put the current process to
sleep on the given <font class="fixd">queue</font>. These functions are strongly deprecated, however, and you<br>
<br>
<A name="162"></a><font color="blue">PAGE 162</font><br>
<br>
should never use them. The problem is obvious if you think about it: <i>sleep_on </i>offers
no way to protect against race conditions. There is always a window between when
your code decides it must sleep and when <i>sleep_on </i>actually effects that sleep. A
wakeup that arrives during that window is missed. For this reason, code that calls
<i>sleep_on</i> is never entirely safe.<br>
<br>
Current plans call for <i>sleep_on </i>and its variants (there are a couple of time-out forms
we haven't shown) to be removed from the kernel in the not-too-distant future.<br>
<br>
<a name="TestingTheScullpipeDriver"></a><font color="red"><b>Testing the Scullpipe Driver</b></font><br>
<br>
We have seen how the <i>scullpipe </i>driver implements blocking I/O. If you wish to try it
out, the source to this driver can be found with the rest of the book examples. Blocking
I/O in action can be seen by opening two windows. The first can run a command such
as <font class="fixd">cat /dev/scullpipe.</font> If you then, in another window, copy a file to <i>/dev/scullpipe</i>, you
should see that file's contents appear in the first window.<br>
<br>
Testing nonblocking activity is trickier, because the conventional programs available
to a shell don't perform nonblocking operations. The <i>misc-progs </i>source directory
contains the following simple program, called <i>nbtest</i>, for testing nonblocking operations.
All it does is copy its input to its output, using nonblocking I/O and delaying
between retries. The delay time is passed on the command line and is one second by
default.<br>
<pre>
int main(int argc, char **argv)
{
    int delay = 1, n, m = 0;

    if (argc &gt; 1)
        delay=atoi(argv[1]);
    fcntl(0, F_SETFL, fcntl(0,F_GETFL) | O_NONBLOCK); /* stdin */
    fcntl(1, F_SETFL, fcntl(1,F_GETFL) | O_NONBLOCK); /* stdout */

    while (1) {
        n = read(0, buffer, 4096);
        if (n &gt;= 0)
            m = write(1, buffer, n);
        if ((n &lt; 0 || m &lt; 0) &amp;&amp; (errno != EAGAIN))
            break;
        sleep(delay);
    }
    perror(n &lt; 0 ? &quot;stdin&quot; : &quot;stdout&quot;);
    exit(1);
}
</pre>
If you run this program under a process tracing utility such as <i>strace</i>, you can see the
success or failure of each operation, depending on whether data is available when the
operation is tried.<br>
<br>
<A name="163"></a><font color="blue">PAGE 163</font><br>
<br>
<a name="PollAndSelect"></a><font color="red"><b>poll and select</b></font><br>
<br>
Applications that use nonblocking I/O often use the <i>poll</i>, <i>select</i>, and <i>epoll </i>system
calls as well. <i>poll</i>, <i>select</i>, and <i>epoll </i>have essentially the same functionality: each allow
a process to determine whether it can read from or write to one or more open files
without blocking. These calls can also block a process until any of a given set of file
descriptors becomes available for reading or writing. Therefore, they are often used
in applications that must use multiple input or output streams without getting stuck
on any one of them. The same functionality is offered by multiple functions, because
two were implemented in Unix almost at the same time by two different groups:
<i>select </i>was introduced in BSD Unix, whereas <i>poll </i>was the System V solution. The <i>epoll
</i>call* was added in 2.5.45 as a way of making the polling function scale to thousands
of file descriptors.<br>
<br>
Support for any of these calls requires support from the device driver. This support
(for all three calls) is provided through the driver's <i>poll </i>method. This method has the
following prototype:<br>
<pre>
unsigned int (*poll) (struct file *filp, poll_table *wait);
</pre>
The driver method is called whenever the user-space program performs a <i>poll</i>, <i>select</i>,
or <i>epoll </i>system call involving a file descriptor associated with the driver. The device
method is in charge of these two steps:<br>
<ol>
<li>Call <i>poll_wait </i>on one or more wait queues that could indicate a change in the
poll status. If no file descriptors are currently available for I/O, the kernel causes
the process to wait on the wait queues for all file descriptors passed to the system call.
<li>Return a bit mask describing the operations (if any) that could be immediately
performed without blocking.
</ol>
Both of these operations are usually straightforward and tend to look very similar
from one driver to the next. They rely, however, on information that only the driver
can provide and, therefore, must be implemented individually by each driver.<br>
<br>
The <font class="fixd">poll_table</font> structure, the second argument to the <i>poll </i>method, is used within the
kernel to implement the <i>poll</i>, <i>select</i>, and <i>epoll </i>calls; it is declared in <i>&lt;linux/poll.h&gt;</i>,
which must be included by the driver source. Driver writers do not need to know
anything about its internals and must use it as an opaque object; it is passed to the
driver method so that the driver can load it with every wait queue that could wake
up the process and change the status of the <i>poll </i>operation. The driver adds a wait
queue to the <font class="fixd">poll_table</font> structure by calling the function <i>poll_wait</i>:<br>
<pre>
 void poll_wait (struct file *, wait_queue_head_t *, poll_table *);
</pre>
* Actually, <i>epoll </i>is a set of three calls that together can be used to achieve the polling functionality. For our
purposes, though, we can think of it as a single call.<br>
<br>
<A name="164"></a><font color="blue">PAGE 164</font><br>
<br>
The second task performed by the <i>poll </i>method is returning the bit mask describing
which operations could be completed immediately; this is also straightforward. For
example, if the device has data available, a <i>read </i>would complete without sleeping;
the <i>poll </i>method should indicate this state of affairs. Several flags (defined via <i>&lt;linux/
poll.h&gt;</i>) are used to indicate the possible operations:<br>
<br>
<font class="fixd">POLLIN</font><br>
<div class="bq">
This bit must be set if the device can be read without blocking.</div>
<br>
<font class="fixd">POLLRDNORM</font><br>
<div class="bq">
This bit must be set if "normal" data is available for reading. A readable device
returns (<font class="fixd">POLLIN</font> | <font class="fixd">POLLRDNORM</font>).</div>
<br>
<font class="fixd">POLLRDBAND</font><br>
<div class="bq">
This bit indicates that out-of-band data is available for reading from the device.
It is currently used only in one place in the Linux kernel (the DECnet code) and
is not generally applicable to device drivers.</div>
<br>
<font class="fixd">POLLPRI</font><br>
<div class="bq">
High-priority data (out-of-band) can be read without blocking. This bit causes
<i>select </i>to report that an exception condition occurred on the file, because <i>select
</i>reports out-of-band data as an exception condition.</div>
<br>
<font class="fixd">POLLHUP</font><br>
<div class="bq">
When a process reading this device sees end-of-file, the driver must set <font class="fixd">POLLHUP</font>
(hang-up). A process calling <i>select </i>is told that the device is readable, as dictated
by the <i>select</i> functionality.</div>
<br>
<font class="fixd">POLLERR</font><br>
<div class="bq">
An error condition has occurred on the device. When <i>poll </i>is invoked, the device
is reported as both readable and writable, since both <i>read </i>and <i>write </i>return an
error code without blocking.</div>
<br>
<font class="fixd">POLLOUT</font><br>
<div class="bq">
This bit is set in the return value if the device can be written to without blocking.</div>
<br>
<font class="fixd">POLLWRNORM</font><br>
<div class="bq">
This bit has the same meaning as <font class="fixd">POLLOUT,</font> and sometimes it actually is the same number. A writable device returns (<font class="fixd">POLLOUT</font> | <font class="fixd">POLLWRNORM</font>).</div>
<br>
<font class="fixd">POLLWRBAND</font><br>
<div class="bq">
Like <font class="fixd">POLLRDBAND,</font> this bit means that data with nonzero priority can be written to
the device. Only the datagram implementation of <i>poll </i>uses this bit, since a datagram
can transmit out-of-band data.</div>
<br>
It's worth repeating that <font class="fixd">POLLRDBAND</font> and <font class="fixd">POLLWRBAND</font> are meaningful only with file
descriptors associated with sockets: device drivers won't normally use these flags.<br>
<br>
<A name="165"></a><font color="blue">PAGE 165</font><br>
<br>
The description of <i>poll </i>takes up a lot of space for something that is relatively simple
to use in practice. Consider the <i>scullpipe</i> implementation of the <i>poll</i> method:<br>
<pre>
static unsigned int scull_p_poll(struct file *filp, poll_table *wait)
{
    struct scull_pipe *dev = filp-&gt;private_data;
    unsigned int mask = 0;

    /*
     * The buffer is circular; it is considered full
     * if &quot;wp&quot; is right behind &quot;rp&quot; and empty if the
     * two are equal.
     */
    down(&amp;dev-&gt;sem);
    poll_wait(filp, &amp;dev-&gt;inq,  wait);
    poll_wait(filp, &amp;dev-&gt;outq, wait);
    if (dev-&gt;rp != dev-&gt;wp)
        mask |= POLLIN | POLLRDNORM;    /* readable */
    if (spacefree(dev))
        mask |= POLLOUT | POLLWRNORM;   /* writable */
    up(&amp;dev-&gt;sem);
    return mask;
}
</pre>
This code simply adds the two <i>scullpipe </i>wait queues to the <font class="fixd">poll_table,</font> then sets the
appropriate mask bits depending on whether data can be read or written.<br>
<br>
The <i>poll </i>code as shown is missing end-of-file support, because <i>scullpipe </i>does not
support an end-of-file condition. For most real devices, the <i>poll </i>method should
return <font class="fixd">POLLHUP</font> if no more data is (or will become) available. If the caller used the
<i>select </i>system call, the file is reported as readable. Regardless of whether <i>poll </i>or <i>select
</i>is used, the application knows that it can call <i>read </i>without waiting forever, and the
<i>read</i> method returns, 0 to signal end-of-file.<br>
<br>
With real FIFOs, for example, the reader sees an end-of-file when all the writers close
the file, whereas in <i>scullpipe </i>the reader never sees end-of-file. The behavior is different
because a FIFO is intended to be a communication channel between two processes,
while <i>scullpipe </i>is a trash can where everyone can put data as long as there's at
least one reader. Moreover, it makes no sense to reimplement what is already available
in the kernel, so we chose to implement a different behavior in our example.<br>
<br>
Implementing end-of-file in the same way as FIFOs do would mean checking 
<font class="fixd">dev-&gt;nwriters,</font> both in <i>read </i>and in <i>poll</i>, and reporting end-of-file (as just described) if no
process has the device opened for writing. Unfortunately, though, with this implementation,
if a reader opened the <i>scullpipe </i>device before the writer, it would see endof-file
without having a chance to wait for data. The best way to fix this problem
would be to implement blocking within <i>open </i>like real FIFOs do; this task is left as an
exercise for the reader.<br>
<br>
<A name="166"></a><font color="blue">PAGE 166</font><br>
<br>
<a name="InteractionWithReadAndWrite"></a><font color="red"><b>Interaction with read and write</b></font><br>
<br>
The purpose of the <i>poll </i>and <i>select </i>calls is to determine in advance if an I/O operation
will block. In that respect, they complement <i>read </i>and <i>write</i>. More important, <i>poll
</i>and <i>select </i>are useful, because they let the application wait simultaneously for several
data streams, although we are not exploiting this feature in the <i>scull</i> examples.<br>
<br>
A correct implementation of the three calls is essential to make applications work
correctly: although the following rules have more or less already been stated, we
summarize them here.<br>
<br>
<a name="ReadingDataFromTheDevice"></a><font color="red"><b>Reading data from the device</b></font><br>
<ul>
<li> If there is data in the input buffer, the <i>read </i>call should return immediately, with
no noticeable delay, even if less data is available than the application requested,
and the driver is sure the remaining data will arrive soon. You can always return
less data than you're asked for if this is convenient for any reason (we did it in
<i>scull</i>), provided you return at least one byte. In this case, <i>poll </i>should return
<font class="fixd">POLLIN|POLLRDNORM.</font>
<li> If there is no data in the input buffer, by default <i>read </i>must block until at least
one byte is there. If <font class="fixd">O_NONBLOCK</font> is set, on the other hand, <i>read </i>returns immediately
with a return value of <font class="fixd">-EAGAIN</font> (although some old versions of System V
return 0 in this case). In these cases, <i>poll </i>must report that the device is unreadable
until at least one byte arrives. As soon as there is some data in the buffer, we
fall back to the previous case.
<li> If we are at end-of-file, <i>read </i>should return immediately with a return value of 0,
independent of <font class="fixd">O_NONBLOCK</font>. <i>poll</i> should report <font class="fixd">POLLHUP</font> in this case.
</ul>
<a name="WritingToTheDevice"></a><font color="red"><b>Writing to the device</b></font>
<ul>
<li> If there is space in the output buffer, <i>write </i>should return without delay. It can
accept less data than the call requested, but it must accept at least one byte. In
this case, <i>poll</i> reports that the device is writable by returning <font class="fixd">POLLOUT|POLLWRNORM.</font>
<li> If the output buffer is full, by default <i>write </i>blocks until some space is freed. If
<font class="fixd">O_NONBLOCK</font> is set, <i>write </i>returns immediately with a return value of <font class="fixd">-EAGAIN</font> (older
System V Unices returned 0). In these cases, <i>poll </i>should report that the file is not
writable. If, on the other hand, the device is not able to accept any more data,
<i>write </i>returns <font class="fixd">-ENOSPC</font> ("No space left on device"), independently of the setting of
<font class="fixd">O_NONBLOCK</font>.
<li> Never make a <i>write </i>call wait for data transmission before returning, even if
<font class="fixd">O_NONBLOCK</font> is clear. This is because many applications use <i>select </i>to find out
whether a <i>write </i>will block. If the device is reported as writable, the call must not
block. If the program using the device wants to ensure that the data it enqueues
</ul>
<A name="167"></a><font color="blue">PAGE 167</font><br>
<ul>
in the output buffer is actually transmitted, the driver must provide an <i>fsync
</i>method. For instance, a removable device should have an <i>fsync</i> entry point.
</ul>
Although this is a good set of general rules, one should also recognize that each
device is unique and that sometimes the rules must be bent slightly. For example,
record-oriented devices (such as tape drives) cannot execute partial writes.<br>
<br>
<a name="FlushingPendingOutput"></a><font color="red"><b>Flushing pending output</b></font><br>
<br>
We've seen how the <i>write </i>method by itself doesn't account for all data output needs.
The <i>fsync </i>function, invoked by the system call of the same name, fills the gap. This
method's prototype is<br>
<pre>
 int (*fsync) (struct file *file, struct dentry *dentry, int datasync);
</pre>
If some application ever needs to be assured that data has been sent to the device, the
<i>fsync </i>method must be implemented regardless of whether <font class="fixd">O_NONBLOCK</font> is set. A call to
<i>fsync </i>should return only when the device has been completely flushed (i.e., the output
buffer is empty), even if that takes some time. The datasync argument is used to
distinguish between the <i>fsync </i>and <i>fdatasync </i>system calls; as such, it is only of interest
to filesystem code and can be ignored by drivers.<br>
<br>
The <i>fsync </i>method has no unusual features. The call isn't time critical, so every device
driver can implement it to the author's taste. Most of the time, char drivers just have
a <font class="fixd">NULL</font> pointer in their <font class="fixd">fops</font>. Block devices, on the other hand, always implement the
method with the general-purpose <i>block_fsync</i>, which, in turn, flushes all the blocks
of the device, waiting for I/O to complete.<br>
<br>
<a name="TheUnderlyingDataStructure"></a><font color="red"><b>The Underlying Data Structure</b></font><br>
<br>
The actual implementation of the <i>poll </i>and <i>select </i>system calls is reasonably simple, for
those who are interested in how it works; <i>epoll </i>is a bit more complex but is built on the
same mechanism. Whenever a user application calls <i>poll</i>, <i>select</i>, or <i>epoll_ctl</i>,* the kernel
invokes the <i>poll </i>method of all files referenced by the system call, passing the same
<font class="fixd">poll_table</font> to each of them. The <font class="fixd">poll_table</font> structure is just a wrapper around a function
that builds the actual data structure. That structure, for <i>poll </i>and <i>select</i>, is a linked
list of memory pages containing <font class="fixd">poll_table_entry</font> structures. Each <font class="fixd">poll_table_entry</font>
holds the <font class="fixd">struct file</font> and <font class="fixd">wait_queue_head_t</font> pointers passed to <i>poll_wait</i>, along with
an associated wait queue entry. The call to <i>poll_wait </i>sometimes also adds the process
to the given wait queue. The whole structure must be maintained by the kernel so that
the process can be removed from all of those queues before <i>poll</i> or <i>select</i> returns.<br>
<br>
If none of the drivers being polled indicates that I/O can occur without blocking, the
<i>poll</i> call simply sleeps until one of the (perhaps many) wait queues it is on wakes it up.<br>
<br>
* This is the function that sets up the internal data structure for future calls to <i>epoll_wait</i>.<br>
<br>
<A name="168"></a><font color="blue">PAGE 168</font><br>
<br>
What's interesting in the implementation of <i>poll </i>is that the driver's <i>poll </i>method may
be called with a <font class="fixd">NULL</font> pointer as a <font class="fixd">poll_table</font> argument. This situation can come
about for a couple of reasons. If the application calling <i>poll </i>has provided a timeout
value of 0 (indicating that no wait should be done), there is no reason to accumulate
wait queues, and the system simply does not do it. The <font class="fixd">poll_table</font> pointer is also set
to <font class="fixd">NULL</font> immediately after any driver being <i>poll</i>ed indicates that I/O is possible. Since
the kernel knows at that point that no wait will occur, it does not build up a list of
wait queues.<br>
<br>
When the <i>poll </i>call completes, the <font class="fixd">poll_table</font> structure is deallocated, and all wait
queue entries previously added to the poll table (if any) are removed from the table
and their wait queues.<br>
<br>
We tried to show the data structures involved in polling in Figure 6-1; the figure is
a simplified representation of the real data structures, because it ignores the multipage
nature of a poll table and disregards the file pointer that is part of each
<font class="fixd">poll_table_entry</font>. The reader interested in the actual implementation is urged to
look in <i>&lt;linux/poll.h&gt;</i> and <i>fs/select.c</i>.<br>
<br><br>
<center>
<img src="fig6-1.gif">
</center>
<br>
<i>Figure 6-1. The data structures behind poll</i><br>
<br>
<A name="169"></a><font color="blue">PAGE 169</font><br>
<br>
At this point, it is possible to understand the motivation behind the new <i>epoll </i>system
call. In a typical case, a call to <i>poll </i>or <i>select </i>involves only a handful of file
descriptors, so the cost of setting up the data structure is small. There are applications
out there, however, that work with thousands of file descriptors. At that point,
setting up and tearing down this data structure between every I/O operation
becomes prohibitively expensive. The <i>epoll </i>system call family allows this sort of
application to set up the internal kernel data structure exactly once and to use it
many times.<br>
<br>
<a name="AsynchronousNotification"></a><font color="red"><b>Asynchronous Notification</b></font><br>
<br>
Although the combination of blocking and nonblocking operations and the <i>select
</i>method are sufficient for querying the device most of the time, some situations aren't
efficiently managed by the techniques we've seen so far.<br>
<br>
Let's imagine a process that executes a long computational loop at low priority but
needs to process incoming data as soon as possible. If this process is responding to
new observations available from some sort of data acquisition peripheral, it would
like to know immediately when new data is available. This application could be written
to call <i>poll </i>regularly to check for data, but, for many situations, there is a better
way. By enabling asynchronous notification, this application can receive a signal
whenever data becomes available and need not concern itself with polling.<br>
<br>
User programs have to execute two steps to enable asynchronous notification from
an input file. First, they specify a process as the "owner" of the file. When a process
invokes the <font class="fixd">F_SETOWN</font> command using the <i>fcntl </i>system call, the process ID of the
owner process is saved in <font class="fixd">filp-&gt;f_owner</font> for later use. This step is necessary for the
kernel to know just whom to notify. In order to actually enable asynchronous notification,
the user programs must set the <font class="fixd">FASYNC</font> flag in the device by means of the
<font class="fixd">F_SETFL</font> <i>fcntl</i> command.<br>
<br>
After these two calls have been executed, the input file can request delivery of a <font class="fixd">SIGIO</font>
signal whenever new data arrives. The signal is sent to the process (or process group,
if the value is negative) stored in <font class="fixd">filp-&gt;f_owner</font>.<br>
<br>
For example, the following lines of code in a user program enable asynchronous
notification to the current process for the stdin input file:<br>
<pre>
signal(SIGIO, &amp;input_handler); /* dummy sample; sigaction( ) is better */
fcntl(STDIN_FILENO, F_SETOWN, getpid( ));
oflags = fcntl(STDIN_FILENO, F_GETFL);
fcntl(STDIN_FILENO, F_SETFL, oflags | FASYNC);
</pre>
The program named <i>asynctest </i>in the sources is a simple program that reads stdin as
shown. It can be used to test the asynchronous capabilities of <i>scullpipe</i>. The program
is similar to <i>cat </i>but doesn't terminate on end-of-file; it responds only to input, not to
the absence of input.<br>
<br>
<A name="170"></a><font color="blue">PAGE 170</font><br>
<br>
Note, however, that not all the devices support asynchronous notification, and you
can choose not to offer it. Applications usually assume that the asynchronous capability
is available only for sockets and ttys.<br>
<br>
There is one remaining problem with input notification. When a process receives a
<font class="fixd">SIGIO</font>, it doesn't know which input file has new input to offer. If more than one file is
enabled to asynchronously notify the process of pending input, the application must
still resort to <i>poll</i> or <i>select</i> to find out what happened.<br>
<br>
<a name="TheDriversPointOfView"></a><font color="red"><b>The Driver's Point of View</b></font><br>
<br>
A more relevant topic for us is how the device driver can implement asynchronous
signaling. The following list details the sequence of operations from the kernel's
point of view:<br>
<ol>
<li>When <font class="fixd">F_SETOWN</font> is invoked, nothing happens, except that a value is assigned to
<font class="fixd">filp-&gt;f_owner</font>.
<li>When <font class="fixd">F_SETFL</font> is executed to turn on <font class="fixd">FASYNC</font>, the driver's <i>fasync </i>method is called.
This method is called whenever the value of <font class="fixd">FASYNC</font> is changed in <font class="fixd">filp-&gt;f_flags</font>
to notify the driver of the change, so it can respond properly. The flag is cleared
by default when the file is opened. We'll look at the standard implementation of
the driver method later in this section.
<li>When data arrives, all the processes registered for asynchronous notification
must be sent a <font class="fixd">SIGIO</font> signal.
</ol>
While implementing the first step is trivial--there's nothing to do on the driver's
part--the other steps involve maintaining a dynamic data structure to keep track of
the different asynchronous readers; there might be several. This dynamic data structure,
however, doesn't depend on the particular device involved, and the kernel
offers a suitable general-purpose implementation so that you don't have to rewrite
the same code in every driver.<br>
<br>
The general implementation offered by Linux is based on one data structure and two
functions (which are called in the second and third steps described earlier). The
header that declares related material is <i>&lt;linux/fs.h&gt; </i>(nothing new here), and the data
structure is called <font class="fixd">struct fasync_struct</font>. As with wait queues, we need to insert a
pointer to the structure in the device-specific data structure.<br>
<br>
The two functions that the driver calls correspond to the following prototypes:<br>
<pre>
int fasync_helper(int fd, struct file *filp,
       int mode, struct fasync_struct **fa);
void kill_fasync(struct fasync_struct **fa, int sig, int band);
</pre>
<font class="fixd">fasync_helper</font> is invoked to add or remove entries from the list of interested processes
when the <font class="fixd">FASYNC</font> flag changes for an open file. All of its arguments except the last are
provided to the <i>fasync </i>method and can be passed through directly. <font class="fixd">kill_fasync</font> is used<br>
<br>
<A name="171"></a><font color="blue">PAGE 171</font><br>
<br>
to signal the interested processes when data arrives. Its arguments are the signal to
send (usually <font class="fixd">SIGIO</font>) and the band, which is almost always <font class="fixd">POLL_IN*</font> (but that may be
used to send "urgent" or out-of-band data in the networking code).<br>
<br>
Here's how <i>scullpipe</i> implements the <i>fasync</i> method:<br>
<pre>
static int scull_p_fasync(int fd, struct file *filp, int mode)
{
    struct scull_pipe *dev = filp-&gt;private_data;

    return fasync_helper(fd, filp, mode, &amp;dev-&gt;async_queue);
}
</pre>
It's clear that all the work is performed by <i>fasync_helper</i>. It wouldn't be possible,
however, to implement the functionality without a method in the driver, because the
helper function needs to access the correct pointer to <font class="fixd">struct fasync_struct *</font> (here
<font class="fixd">&amp;dev-&gt;async_queue</font>), and only the driver can provide the information.<br>
<br>
When data arrives, then, the following statement must be executed to signal asynchronous
readers. Since new data for the <i>scullpipe </i>reader is generated by a process
issuing a <i>write</i>, the statement appears in the <i>write</i> method of <i>scullpipe</i>.<br>
<pre>
if (dev-&gt;async_queue)
    kill_fasync(&amp;dev-&gt;async_queue, SIGIO, POLL_IN);
</pre>
Note that some devices also implement asynchronous notification to indicate when
the device can be written; in this case, of course, <i>kill_fasync </i>must be called with a
mode of <font class="fixd">POLL_OUT</font>.<br>
<br>
It might appear that we're done, but there's still one thing missing. We must invoke
our <i>fasync </i>method when the file is closed to remove the file from the list of active
asynchronous readers. Although this call is required only if <font class="fixd">filp-&gt;f_flags</font> has <font class="fixd">FASYNC</font>
set, calling the function anyway doesn't hurt and is the usual implementation. The
following lines, for example, are part of the <i>release</i> method for <i>scullpipe</i>:<br>
<pre>
/* remove this filp from the asynchronously notified filp's */
scull_p_fasync(-1, filp, 0);
</pre>
The data structure underlying asynchronous notification is almost identical to the
structure <font class="fixd">struct wait_queue,</font> because both situations involve waiting on an event.
The difference is that <font class="fixd">struct file</font> is used in place of <font class="fixd">struct task_struct</font>. 
The <font class="fixd">struct file</font> in the queue is then used to retrieve <font class="fixd">f_owner,</font> in order to signal the process.<br>
<br>
<a name="SeekingADevice"></a><font color="red"><b>Seeking a Device</b></font><br>
<br>
One of the last things we need to cover in this chapter is the <i>llseek </i>method, which is
useful (for some devices) and easy to implement.<br>
<br>
<font class="fixd">* POLL_IN</font> is a symbol used in the asynchronous notification code; it is equivalent to <font class="fixd">POLLIN|POLLRDNORM.</font><br>
<br>
<A name="172"></a><font color="blue">PAGE 172</font><br>
<br>
<a name="TheLlseekImplementation"></a><font color="red"><b>The llseek Implementation</b></font><br>
<br>
The <i>llseek </i>method implements the <i>lseek </i>and <i>llseek </i>system calls. We have already
stated that if the <i>llseek </i>method is missing from the device's operations, the default
implementation in the kernel performs seeks by modifying <font class="fixd">filp-&gt;f_pos</font>, the current
reading/writing position within the file. Please note that for the <i>lseek </i>system call to
work correctly, the <i>read </i>and <i>write </i>methods must cooperate by using and updating
the offset item they receive as an argument.<br>
<br>
You may need to provide your own <i>llseek </i>method if the seek operation corresponds
to a physical operation on the device. A simple example can be seen in the <i>scull
</i>driver:<br>
<pre>
loff_t scull_llseek(struct file *filp, loff_t off, int whence)
{
    struct scull_dev *dev = filp-&gt;private_data;
    loff_t newpos;

    switch(whence) {
      case 0: /* SEEK_SET */
        newpos = off;
        break;

      case 1: /* SEEK_CUR */
        newpos = filp-&gt;f_pos + off;
        break;

      case 2: /* SEEK_END */
        newpos = dev-&gt;size + off;
        break;

      default: /* can't happen */
        return -EINVAL;
    }
    if (newpos &lt; 0) return -EINVAL;
    filp-&gt;f_pos = newpos;
    return newpos;
}
</pre>
The only device-specific operation here is retrieving the file length from the device. In
<i>scull</i> the <i>read</i> and <i>write</i> methods cooperate as needed, as shown in Chapter 3.<br>
<br>
Although the implementation just shown makes sense for <i>scull</i>, which handles a well-defined
data area, most devices offer a data flow rather than a data area (just think
about the serial ports or the keyboard), and seeking those devices does not make
sense. If this is the case for your device, you can't just refrain from declaring the <i>llseek
</i>operation, because the default method allows seeking. Instead, you should inform the
kernel that your device does not support <i>llseek </i>by calling <i>nonseekable_open </i>in your
<i>open</i> method:<br>
<pre>
int nonseekable_open(struct inode *inode; struct file *filp);
</pre>
<A name="173"></a><font color="blue">PAGE 173</font><br>
<br>
This call marks the given <font class="fixd">filp</font> as being nonseekable; the kernel never allows an <i>lseek
</i>call on such a file to succeed. By marking the file in this way, you can also be assured
that no attempts will be made to seek the file by way of the <i>pread </i>and <i>pwrite </i>system
calls.<br>
<br>
For completeness, you should also set the <i>llseek </i>method in your <font class="fixd">file_operations</font>
structure to the special helper function <i>no_llseek</i>, which is defined in <i>&lt;linux/fs.h&gt;</i>.<br>
<br>
<a name="AccessControlOnADeviceFile"></a><font color="red"><b>Access Control on a Device File</b></font><br>
<br>
Offering access control is sometimes vital for the reliability of a device node. Not
only should unauthorized users not be permitted to use the device (a restriction is
enforced by the filesystem permission bits), but sometimes only one authorized user
should be allowed to open the device at a time.<br>
<br>
The problem is similar to that of using ttys. In that case, the <i>login </i>process changes
the ownership of the device node whenever a user logs into the system, in order to
prevent other users from interfering with or sniffing the tty data flow. However, it's
impractical to use a privileged program to change the ownership of a device every
time it is opened just to grant unique access to it.<br>
<br>
None of the code shown up to now implements any access control beyond the filesystem
permission bits. If the <i>open </i>system call forwards the request to the driver,
<i>open </i>succeeds. We now introduce a few techniques for implementing some additional
checks.<br>
<br>
Every device shown in this section has the same behavior as the bare <i>scull </i>device
(that is, it implements a persistent memory area) but differs from <i>scull </i>in access control,
which is implemented in the <i>open</i> and <i>release</i> operations.<br>
<br>
<a name="SingleOpenDevices"></a><font color="red"><b>Single-Open Devices</b></font><br>
<br>
The brute-force way to provide access control is to permit a device to be opened by
only one process at a time (single openness). This technique is best avoided because it
inhibits user ingenuity. A user might want to run different processes on the same
device, one reading status information while the other is writing data. In some cases,
users can get a lot done by running a few simple programs through a shell script, as
long as they can access the device concurrently. In other words, implementing a singleopen
behavior amounts to creating policy, which may get in the way of what your
users want to do.<br>
<br>
Allowing only a single process to open a device has undesirable properties, but it is
also the easiest access control to implement for a device driver, so it's shown here.
The source code is extracted from a device called <i>scullsingle</i>.<br>
<br>
<A name="174"></a><font color="blue">PAGE 174</font><br>
<br>
The <i>scullsingle </i>device maintains an <font class="fixd">atomic_t</font> variable called <font class="fixd">scull_s_available;</font> that
variable is initialized to a value of one, indicating that the device is indeed available.
The <i>open </i>call decrements and tests <font class="fixd">scull_s_available</font> and refuses access if somebody
else already has the device open:<br>
<pre>
static atomic_t scull_s_available = ATOMIC_INIT(1);

static int scull_s_open(struct inode *inode, struct file *filp)
{
    struct scull_dev *dev = &amp;scull_s_device; /* device information */

    if (! atomic_dec_and_test (&amp;scull_s_available)) {
        atomic_inc(&amp;scull_s_available);
        return -EBUSY; /* already open */
    }

    /* then, everything else is copied from the bare scull device */
    if ( (filp-&gt;f_flags &amp; O_ACCMODE) = = O_WRONLY)
        scull_trim(dev);
    filp-&gt;private_data = dev;
    return 0;          /* success */
}
</pre>
The <i>release</i> call, on the other hand, marks the device as no longer busy:<br>
<pre>
static int scull_s_release(struct inode *inode, struct file *filp)
{
    atomic_inc(&amp;scull_s_available); /* release the device */
    return 0;
}
</pre>
Normally, we recommend that you put the open flag <font class="fixd">scull_s_available</font> within the
device structure (<font class="fixd">Scull_Dev</font> here) because, conceptually, it belongs to the device. The
<i>scull </i>driver, however, uses stand alone variables to hold the flag so it can use the same
device structure and methods as the bare <i>scull</i> device and minimize code duplication.<br>
<br>
<a name="RestrictingAccessToASingleUserAtATime"></a><font color="red"><b>Restricting Access to a Single User at a Time</b></font><br>
<br>
The next step beyond a single-open device is to let a single user open a device in multiple
processes but allow only one user to have the device open at a time. This solution
makes it easy to test the device, since the user can read and write from several
processes at once, but assumes that the user takes some responsibility for maintaining
the integrity of the data during multiple accesses. This is accomplished by adding
checks in the <i>open </i>method; such checks are performed <i>after </i>the normal
permission checking and can only make access more restrictive than that specified by
the owner and group permission bits. This is the same access policy as that used for
ttys, but it doesn't resort to an external privileged program.<br>
<br>
Those access policies are a little trickier to implement than single-open policies. In
this case, two items are needed: an open count and the uid of the "owner" of the<br>
<br>
<A name="175"></a><font color="blue">PAGE 175</font><br>
<br>
device. Once again, the best place for such items is within the device structure; our
example uses global variables instead, for the reason explained earlier for <i>scullsingle</i>.
The name of the device is <i>sculluid</i>.<br>
<br>
The <i>open </i>call grants access on first open but remembers the owner of the device.
This means that a user can open the device multiple times, thus allowing cooperating
processes to work concurrently on the device. At the same time, no other user
can open it, thus avoiding external interference. Since this version of the function is
almost identical to the preceding one, only the relevant part is reproduced here:<br>
<pre>
    spin_lock(&amp;scull_u_lock);
    if (scull_u_count &amp;&amp;
            (scull_u_owner != current-&gt;uid) &amp;&amp;  /* allow user */
            (scull_u_owner != current-&gt;euid) &amp;&amp; /* allow whoever did su */
            !capable(CAP_DAC_OVERRIDE)) { /* still allow root */
        spin_unlock(&amp;scull_u_lock);
        return -EBUSY;   /* -EPERM would confuse the user */
    }

    if (scull_u_count = = 0)
        scull_u_owner = current-&gt;uid; /* grab it */

    scull_u_count++;
    spin_unlock(&amp;scull_u_lock);
</pre>
Note that the <i>sculluid </i>code has two variables (<font class="fixd">scull_u_owner</font> and <font class="fixd">scull_u_count</font>)
that control access to the device and that could be accessed concurrently by multiple
processes. To make these variables safe, we control access to them with a spinlock
(<font class="fixd">scull_u_lock</font>). Without that locking, two (or more) processes could test
<font class="fixd">scull_u_count</font> at the same time, and both could conclude that they were entitled to
take ownership of the device. A spinlock is indicated here, because the lock is held
for a very short time, and the driver does nothing that could sleep while holding the
lock.<br>
<br>
We chose to return <font class="fixd">-EBUSY</font> and not <font class="fixd">-EPERM,</font> even though the code is performing a permission
check, in order to point a user who is denied access in the right direction.
The reaction to "Permission denied" is usually to check the mode and owner of the
<i>/dev </i>file, while "Device busy" correctly suggests that the user should look for a process
already using the device.<br>
<br>
This code also checks to see if the process attempting the open has the ability to
override file access permissions; if so, the open is allowed even if the opening process
is not the owner of the device. The <font class="fixd">CAP_DAC_OVERRIDE</font> capability fits the task well
in this case.<br>
<br>
The <i>release</i> method looks like the following:<br>
<pre>
static int scull_u_release(struct inode *inode, struct file *filp)
{
    spin_lock(&amp;scull_u_lock);
    scull_u_count--; /* nothing else */
</pre>
<A name="176"></a><font color="blue">PAGE 176</font><br>
<pre>
    spin_unlock(&amp;scull_u_lock);
    return 0;
}
</pre>
Once again, we must obtain the lock prior to modifying the count to ensure that we
do not race with another process.<br>
<br>
<a name="BlockingOpenAsAnAlternativeToEBUSY"></a><font color="red"><b>Blocking open as an Alternative to EBUSY</b></font><br>
<br>
When the device isn't accessible, returning an error is usually the most sensible
approach, but there are situations in which the user would prefer to wait for the
device.<br>
<br>
For example, if a data communication channel is used both to transmit reports on a
regular, scheduled basis (using <i>crontab</i>) and for casual usage according to people's
needs, it's much better for the scheduled operation to be slightly delayed rather than
fail just because the channel is currently busy.<br>
<br>
This is one of the choices that the programmer must make when designing a device
driver, and the right answer depends on the particular problem being solved.<br>
<br>
The alternative to <font class="fixd">EBUSY,</font> as you may have guessed, is to implement blocking <i>open</i>.
The <i>scullwuid </i>device is a version of <i>sculluid </i>that waits for the device on <i>open </i>instead
of returning <font class="fixd">-EBUSY.</font> It differs from <i>sculluid </i>only in the following part of the <i>open
</i>operation:<br>
<pre>
spin_lock(&amp;scull_w_lock);
while (! scull_w_available( )) {
    spin_unlock(&amp;scull_w_lock);
    if (filp-&gt;f_flags &amp; O_NONBLOCK) return -EAGAIN;
    if (wait_event_interruptible (scull_w_wait, scull_w_available( )))
        return -ERESTARTSYS; /* tell the fs layer to handle it */
    spin_lock(&amp;scull_w_lock);
}
if (scull_w_count = = 0)
    scull_w_owner = current-&gt;uid; /* grab it */
scull_w_count++;
spin_unlock(&amp;scull_w_lock);
</pre>
The implementation is based once again on a wait queue. If the device is not currently
available, the process attempting to open it is placed on the wait queue until
the owning process closes the device.<br>
<br>
The <i>release</i> method, then, is in charge of awakening any pending process:<br>
<pre>
static int scull_w_release(struct inode *inode, struct file *filp)
{
    int temp;

    spin_lock(&amp;scull_w_lock);
    scull_w_count--;
    temp = scull_w_count;
    spin_unlock(&amp;scull_w_lock);
</pre>
<A name="177"></a><font color="blue">PAGE 177</font><br>
<pre>
    if (temp = = 0)
        wake_up_interruptible_sync(&amp;scull_w_wait); /* awake other uid's */
    return 0;
}
</pre>
Here is an example of where calling <i>wake_up_interruptible_sync </i>makes sense. When
we do the wakeup, we are just about to return to user space, which is a natural
scheduling point for the system. Rather than potentially reschedule when we do the
wakeup, it is better to just call the "sync" version and finish our job.<br>
<br>
The problem with a blocking-open implementation is that it is really unpleasant for the
interactive user, who has to keep guessing what is going wrong. The interactive user
usually invokes standard commands, such as <i>cp </i>and <i>tar</i>, and can't just add <font class="fixd">O_NONBLOCK</font>
to the <i>open </i>call. Someone who's making a backup using the tape drive in the next
room would prefer to get a plain "device or resource busy" message instead of being
left to guess why the hard drive is so silent today, while <i>tar</i> should be scanning it.<br>
<br>
This kind of problem (a need for different, incompatible policies for the same device)
is often best solved by implementing one device node for each access policy. An
example of this practice can be found in the Linux tape driver, which provides multiple
device files for the same device. Different device files will, for example, cause the
drive to record with or without compression, or to automatically rewind the tape
when the device is closed.<br>
<br>
<a name="CloningTheDeviceOnOpen"></a><font color="red"><b>Cloning the Device on open</b></font><br>
<br>
Another technique to manage access control is to create different private copies of
the device, depending on the process opening it.<br>
<br>
Clearly, this is possible only if the device is not bound to a hardware object; <i>scull </i>is
an example of such a "software" device. The internals of <i>/dev/tty </i>use a similar technique
in order to give its process a different "view" of what the <i>/dev </i>entry point represents.
When copies of the device are created by the software driver, we call them
<i>virtual devices</i>--just as virtual consoles use a single physical tty device.<br>
<br>
Although this kind of access control is rarely needed, the implementation can be
enlightening in showing how easily kernel code can change the application's perspective
of the surrounding world (i.e., the computer).<br>
<br>
The <i>/dev/scullpriv </i>device node implements virtual devices within the <i>scull </i>package.
The <i>scullpriv </i>implementation uses the device number of the process's controlling tty
as a key to access the virtual device. Nonetheless, you can easily modify the sources to
use any integer value for the key; each choice leads to a different policy. For example,
using the uid leads to a different virtual device for each user, while using a pid key creates
a new device for each process accessing it.<br>
<br>
The decision to use the controlling terminal is meant to enable easy testing of the
device using I/O redirection: the device is shared by all commands run on the same<br>
<br>
<A name="178"></a><font color="blue">PAGE 178</font><br>
<br>
virtual terminal and is kept separate from the one seen by commands run on another
terminal.<br>
<br>
The <i>open </i>method looks like the following code. It must look for the right virtual
device and possibly create one. The final part of the function is not shown because it
is copied from the bare <i>scull</i>, which we've already seen.<br>
<pre>
/* The clone-specific data structure includes a key field */

struct scull_listitem {
    struct scull_dev device;
    dev_t key;
    struct list_head list;

};

/* The list of devices, and a lock to protect it */
static LIST_HEAD(scull_c_list);
static spinlock_t scull_c_lock = SPIN_LOCK_UNLOCKED;

/* Look for a device or create one if missing */
static struct scull_dev *scull_c_lookfor_device(dev_t key)
{
    struct scull_listitem *lptr;

    list_for_each_entry(lptr, &amp;scull_c_list, list) {
        if (lptr-&gt;key = = key)
            return &amp;(lptr-&gt;device);
    }

    /* not found */
    lptr = kmalloc(sizeof(struct scull_listitem), GFP_KERNEL);
    if (!lptr)
        return NULL;

    /* initialize the device */
    memset(lptr, 0, sizeof(struct scull_listitem));
    lptr-&gt;key = key;
    scull_trim(&amp;(lptr-&gt;device)); /* initialize it */
    init_MUTEX(&amp;(lptr-&gt;device.sem));

    /* place it in the list */
    list_add(&amp;lptr-&gt;list, &amp;scull_c_list);

    return &amp;(lptr-&gt;device);
}

static int scull_c_open(struct inode *inode, struct file *filp)
{
    struct scull_dev *dev;
</pre>
<A name="179"></a><font color="blue">PAGE 179</font><br>
<pre>
    <font class="fixd">dev_t</font> key;

    if (!current-&gt;signal-&gt;tty) {
        PDEBUG(&quot;Process \&quot;%s\&quot; has no ctl tty\n&quot;, current-&gt;comm);
        return -EINVAL;
    }
    key = tty_devnum(current-&gt;signal-&gt;tty);

    /* look for a scullc device in the list */
    spin_lock(&amp;scull_c_lock);
    dev = scull_c_lookfor_device(key);
    spin_unlock(&amp;scull_c_lock);

    if (!dev)
        return -ENOMEM;

    /* then, everything else is copied from the bare scull device */
</pre>
The <i>release </i>method does nothing special. It would normally release the device on last
close, but we chose not to maintain an open count in order to simplify the testing of
the driver. If the device were released on last close, you wouldn't be able to read the
same data after writing to the device, unless a background process were to keep it
open. The sample driver takes the easier approach of keeping the data, so that at the
next <i>open</i>, you'll find it there. The devices are released when <i>scull_cleanup</i> is called.<br>
<br>
This code uses the generic Linux linked list mechanism in preference to reimplementing
the same capability from scratch. Linux lists are discussed in Chapter 11.<br>
<br>
Here's the <i>release </i>implementation for <i>/dev/scullpriv</i>, which closes the discussion of
device methods.<br>
<pre>
static int scull_c_release(struct inode *inode, struct file *filp)
{
    /*
     * Nothing to do, because the device is persistent.
     * A `real' cloned device should be freed on last close
     */
    return 0;
}
</pre>
<a name="QuickReference6"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter introduced the following symbols and header files:<br>
<br>
<font class="fixd">#include &lt;linux/ioctl.h&gt;</font><br>
<div class="bq">
Declares all the macros used to define <i>ioctl </i>commands. It is currently included
by <i>&lt;linux/fs.h&gt;</i>.</div>
<br>
<A name="180"></a><font color="blue">PAGE 180</font><br>
<br>
<font class="fixd">_IOC_NRBITS<br>
_IOC_TYPEBITS<br>
_IOC_SIZEBITS<br>
_IOC_DIRBITS</font><br>
<div class="bq">
The number of bits available for the different bitfields of <i>ioctl </i>commands. There
are also four macros that specify the <font class="fixd">MASKs</font> and four that specify the <font class="fixd">SHIFTs,</font> but
they're mainly for internal use. <font class="fixd">_IOC_SIZEBITS</font> is an important value to check,
because it changes across architectures.</div>
<br>
<font class="fixd">_IOC_NONE<br>
_IOC_READ<br>
_IOC_WRITE</font><br>
<div class="bq">
The possible values for the "direction" bitfield. "Read" and "write" are different
bits and can be ORed to specify read/write. The values are 0-based.</div>
<br>
<font class="fixd">_IOC(dir,type,nr,size)<br>
_IO(type,nr)<br>
_IOR(type,nr,size)<br>
_IOW(type,nr,size)<br>
_IOWR(type,nr,size)</font><br>
<div class="bq">
Macros used to create an <i>ioctl</i> command.</div>
<br>
<font class="fixd">_IOC_DIR(nr)<br>
_IOC_TYPE(nr)<br>
_IOC_NR(nr)<br>
_IOC_SIZE(nr)</font><br>
<div class="bq">
Macros used to decode a command. In particular, <font class="fixd">_IOC_TYPE(nr)</font> is an OR combination
of <font class="fixd">_IOC_READ</font> and <font class="fixd">_IOC_WRITE</font>.</div>
<br>
<font class="fixd">#include &lt;asm/uaccess.h&gt;<br>
int access_ok(int type, const void *addr, unsigned long size);</font><br>
<div class="bq">
Checks that a pointer to user space is actually usable. <i>access_ok </i>returns a nonzero
value if the access should be allowed.</div>
<br>
<font class="fixd">VERIFY_READ<br>
VERIFY_WRITE</font><br>
<div class="bq">
The possible values for the type argument in <i>access_ok</i>. <font class="fixd">VERIFY_WRITE</font> is a superset
of <font class="fixd">VERIFY_READ</font>.</div>
<br>
<font class="fixd">#include &lt;asm/uaccess.h&gt;<br>
int put_user(datum,ptr);<br>
int get_user(local,ptr);<br>
int __put_user(datum,ptr);<br>
int __get_user(local,ptr);</font><br>
<div class="bq">
Macros used to store or retrieve a datum to or from user space. The number of
bytes being transferred depends on <font class="fixd">sizeof(*ptr).</font> The regular versions call</div>
<br>
<A name="181"></a><font color="blue">PAGE 181</font><br>
<br>
<div class="bq">
<i>access_ok </i>first, while the qualified versions (<i>__put_user </i>and <i>__get_user</i>) assume
that <i>access_ok</i> has already been called.</div>
<br>
<font class="fixd">#include &lt;linux/capability.h&gt;</font><br>
<div class="bq">
Defines the various <font class="fixd">CAP_</font> symbols describing the capabilities a user-space process
may have.</div>
<br>
<font class="fixd">int capable(int capability);</font><br>
<div class="bq">
Returns nonzero if the process has the given capability.</div>
<br>
<font class="fixd">#include &lt;linux/wait.h&gt;<br>
typedef struct { /* ... */ } wait_queue_head_t;<br>
void init_waitqueue_head(wait_queue_head_t *queue);<br>
DECLARE_WAIT_QUEUE_HEAD(queue);</font><br>
<div class="bq">
The defined type for Linux wait queues. A <font class="fixd">wait_queue_head_t</font> must be explicitly
initialized with either <i>init_waitqueue_head </i>at runtime or <i><font class="fixd">DECLARE_WAIT_</font>
<font class="fixd">QUEUE_HEAD</font></i> at compile time.</div>
<br>
<font class="fixd">void wait_event(wait_queue_head_t q, int condition);<br>
int wait_event_interruptible(wait_queue_head_t q, int condition);<br>
int wait_event_timeout(wait_queue_head_t q, int condition, int time);<br>
int wait_event_interruptible_timeout(wait_queue_head_t q, int condition, int time);</font><br>
<div class="bq">
Cause the process to sleep on the given queue until the given condition evaluates
to a true value.</div>
<br>
<font class="fixd">void wake_up(struct wait_queue **q);<br>
void wake_up_interruptible(struct wait_queue **q);<br>
void wake_up_nr(struct wait_queue **q, int nr);<br>
void wake_up_interruptible_nr(struct wait_queue **q, int nr);<br>
void wake_up_all(struct wait_queue **q);<br>
void wake_up_interruptible_all(struct wait_queue **q);<br>
void wake_up_interruptible_sync(struct wait_queue **q);</font><br>
<div class="bq">
Wake processes that are sleeping on the queue q. The <i>_interruptible </i>form wakes
only interruptible processes. Normally, only one exclusive waiter is awakened,
but that behavior can be changed with the <i>_nr </i>or <i>_all </i>forms. The <i>_sync </i>version
does not reschedule the CPU before returning.</div>
<br>
<font class="fixd">#include &lt;linux/sched.h&gt;<br>
set_current_state(int state);</font><br>
<div class="bq">
Sets the execution state of the current process. <font class="fixd">TASK_RUNNING</font> means it is ready to
run, while the sleep states are <font class="fixd">TASK_INTERRUPTIBLE</font> and <font class="fixd">TASK_UNINTERRUPTIBLE</font>.</div>
<br>
<font class="fixd">void schedule(void);</font><br>
<div class="bq">
Selects a runnable process from the run queue. The chosen process can be
current or a different one.</div>
<br>
<A name="182"></a><font color="blue">PAGE 182</font><br>
<br>
<font class="fixd">typedef struct { /* ... */ } wait_queue_t;<br>
init_waitqueue_entry(wait_queue_t *entry, struct task_struct *task);</font><br>
<div class="bq">
The <font class="fixd">wait_queue_t</font> type is used to place a process onto a wait queue.</div>
<br>
<font class="fixd">void prepare_to_wait(wait_queue_head_t *queue, wait_queue_t *wait, int state);<br>
void prepare_to_wait_exclusive(wait_queue_head_t *queue, wait_queue_t *wait, int state);<br>
void finish_wait(wait_queue_head_t *queue, wait_queue_t *wait);</font><br>
<div class="bq">
Helper functions that can be used to code a manual sleep.</div>
<br>
<font class="fixd">void sleep_on(wiat_queue_head_t *queue);<br>
void interruptible_sleep_on(wiat_queue_head_t *queue);</font><br>
<div class="bq">
Obsolete and deprecated functions that unconditionally put the current process
to sleep.</div>
<br>
<font class="fixd">#include &lt;linux/poll.h&gt;<br>
void poll_wait(struct file *filp, wait_queue_head_t *q, poll_table *p)</font><br>
<div class="bq">
Places the current process into a wait queue without scheduling immediately. It
is designed to be used by the <i>poll</i> method of device drivers.</div>
<br>
<font class="fixd">int fasync_helper(struct inode *inode, struct file *filp, int mode, struct
  fasync_struct **fa);</font><br>
<div class="bq">
A "helper" for implementing the <i>fasync </i>device method. The mode argument is the
same value that is passed to the method, while fa points to a device-specific
<font class="fixd">fasync_struct *.</font></div>
<br>
<font class="fixd">void kill_fasync(struct fasync_struct *fa, int sig, int band);</font><br>
<div class="bq">
If the driver supports asynchronous notification, this function can be used to
send a signal to processes registered in fa.</div>
<br>
<font class="fixd">int nonseekable_open(struct inode *inode, struct file *filp);<br>
loff_t no_llseek(struct file *file, loff_t offset, int whence);</font><br>
<div class="bq">
<i>nonseekable_open </i>should be called in the <i>open </i>method of any device that does
not support seeking. Such devices should also use <i>no_llseek </i>as their <i>llseek
</i>method.</div>
<br>
<A name="183"></a><font color="blue">PAGE 183</font><br>
<br>
<a name="CHAPTER7"></a><font color="red"><b>CHAPTER 7</b></font><br>
<br>
<a name="TimeDelaysAndDeferredWork"></a><font color="#7519FF" size="+1"><b>Time, Delays, and Deferred Work</b></font><br>
<br>
At this point, we know the basics of how to write a full-featured char module. Real World
drivers, however, need to do more than implement the operations that control
a device; they have to deal with issues such as timing, memory management, hardware
access, and more. Fortunately, the kernel exports a number of facilities to ease
the task of the driver writer. In the next few chapters, we'll describe some of the kernel
resources you can use. This chapter leads the way by describing how timing
issues are addressed. Dealing with time involves the following tasks, in order of
increasing complexity:<br>
<ul>
<li> Measuring time lapses and comparing times
<li> Knowing the current time
<li> Delaying operation for a specified amount of time
<li> Scheduling asynchronous functions to happen at a later time
</ul>
<a name="MeasuringTimeLapses"></a><font color="red"><b>Measuring Time Lapses</b></font><br>
<br>
The kernel keeps track of the flow of time by means of timer interrupts. Interrupts
are covered in detail in Chapter 10.<br>
<br>
Timer interrupts are generated by the system's timing hardware at regular intervals;
this interval is programmed at boot time by the kernel according to the value of <font class="fixd">HZ</font>,
which is an architecture-dependent value defined in <i>&lt;linux/param.h&gt; </i>or a subplatform
file included by it. Default values in the distributed kernel source range from 50
to 1200 ticks per second on real hardware, down to 24 for software simulators. Most
platforms run at 100 or 1000 interrupts per second; the popular x86 PC defaults to
1000, although it used to be 100 in previous versions (up to and including 2.4). As a
general rule, even if you know the value of <font class="fixd">HZ</font>, you should never count on that specific
value when programming.<br>
<br>
It is possible to change the value of <font class="fixd">HZ</font> for those who want systems with a different
clock interrupt frequency. If you change <font class="fixd">HZ</font> in the header file, you need to recompile<br>
<br>
<A name="184"></a><font color="blue">PAGE 184</font><br>
<br>
the kernel and all modules with the new value. You might want to raise <font class="fixd">HZ</font> to get a
more fine-grained resolution in your asynchronous tasks, if you are willing to pay the
overhead of the extra timer interrupts to achieve your goals. Actually, raising <font class="fixd">HZ</font> to
1000 was pretty common with x86 industrial systems using Version 2.4 or 2.2 of the
kernel. With current versions, however, the best approach to the timer interrupt is to
keep the default value for <font class="fixd">HZ</font>, by virtue of our complete trust in the kernel developers,
who have certainly chosen the best value. Besides, some internal calculations are
currently implemented only for <font class="fixd">HZ</font> in the range from 12 to 1535 (see <i>&lt;linux/timex.h&gt;
</i>and RFC-1589).<br>
<br>
Every time a timer interrupt occurs, the value of an internal kernel counter is incremented.
The counter is initialized to 0 at system boot, so it represents the number of
clock ticks since last boot. The counter is a 64-bit variable (even on 32-bit architectures)
and is called <font class="fixd">jiffies_64</font>. However, driver writers normally access the <font class="fixd">jiffies</font>
variable, an <font class="fixd">unsigned long</font> that is the same as either <font class="fixd">jiffies_64</font> or its least significant
bits. Using <font class="fixd">jiffies</font> is usually preferred because it is faster, and accesses to the 64-bit
<font class="fixd">jiffies_64</font> value are not necessarily atomic on all architectures.<br>
<br>
In addition to the low-resolution kernel-managed jiffy mechanism, some CPU platforms
feature a high-resolution counter that software can read. Although its actual
use varies somewhat across platforms, it's sometimes a very powerful tool.<br>
<br>
<a name="UsingTheJiffiesCounter"></a><font color="red"><b>Using the jiffies Counter</b></font><br>
<br>
The counter and the utility functions to read it live in <i>&lt;linux/jiffies.h&gt;</i>, although
you'll usually just include <i>&lt;linux/sched.h&gt;</i>, that automatically pulls <i>jiffies.h </i>in. Needless
to say, both <font class="fixd">jiffies</font> and <font class="fixd">jiffies_64</font> must be considered read-only.<br>
<br>
Whenever your code needs to remember the current value of <font class="fixd">jiffies</font>, it can simply
access the <font class="fixd">unsigned long</font> variable, which is declared as volatile to tell the compiler
not to optimize memory reads. You need to read the current counter whenever your
code needs to calculate a future time stamp, as shown in the following example:<br>
<pre>
#include &lt;linux/jiffies.h&gt;
unsigned long j, stamp_1, stamp_half, stamp_n;

j = jiffies;                      /* read the current value */
stamp_1    = j + HZ;              /* 1 second in the future */
stamp_half = j + HZ/2;            /* half a second */
stamp_n    = j + n * HZ / 1000;   /* n milliseconds */
</pre>
This code has no problem with <font class="fixd">jiffies</font> wrapping around, as long as different values
are compared in the right way. Even though on 32-bit platforms the counter wraps
around only once every 50 days when <font class="fixd">HZ</font> is 1000, your code should be prepared to
face that event. To compare your cached value (like <font class="fixd">stamp_1</font> above) and the current
value, you should use one of the following macros:<br>
<pre>
#include &lt;linux/jiffies.h&gt;
int time_after(unsigned long a, unsigned long b);
</pre>
<A name="185"></a><font color="blue">PAGE 185</font><br>
<pre>
int time_before(unsigned long a, unsigned long b);
int time_after_eq(unsigned long a, unsigned long b);
int time_before_eq(unsigned long a, unsigned long b);
</pre>
The first evaluates true when <i>a</i>, as a snapshot of <font class="fixd">jiffies</font>, represents a time after <i>b</i>,
the second evaluates true when time <i>a </i>is before time <i>b</i>, and the last two compare for
"after or equal" and "before or equal." The code works by converting the values to
signed long, subtracting them, and comparing the result. If you need to know the difference
between two instances of <font class="fixd">jiffies</font> in a safe way, you can use the same trick:<br>
<pre>
<font class="fixd">diff = (long)t2 - (long)t1;</font>
</pre>
You can convert a jiffies difference to milliseconds trivially through:<br>
<pre>
msec = diff * 1000 / HZ;
</pre>
Sometimes, however, you need to exchange time representations with user space
programs that tend to represent time values with <font class="fixd">struct timeval</font> and <font class="fixd">struct timespec.</font> 
The two structures represent a precise time quantity with two numbers:
seconds and microseconds are used in the older and popular <font class="fixd">struct timeval,</font> and seconds
and nanoseconds are used in the newer <font class="fixd">struct timespec.</font> The kernel exports
four helper functions to convert time values expressed as jiffies to and from those structures:<br>
<pre>
#include &lt;linux/time.h&gt;

unsigned long timespec_to_jiffies(struct timespec *value);
void jiffies_to_timespec(unsigned long jiffies, struct timespec *value);
unsigned long timeval_to_jiffies(struct timeval *value);
void jiffies_to_timeval(unsigned long jiffies, struct timeval *value);
</pre>
Accessing the 64-bit jiffy count is not as straightforward as accessing <font class="fixd">jiffies</font>. While
on 64-bit computer architectures the two variables are actually one, access to the
value is not atomic for 32-bit processors. This means you might read the wrong value
if both halves of the variable get updated while you are reading them. It's extremely
unlikely you'll ever need to read the 64-bit counter, but in case you do, you'll be glad
to know that the kernel exports a specific helper function that does the proper locking
for you:<br>
<pre>
#include &lt;linux/jiffies.h&gt;
u64 get_jiffies_64(void);
</pre>
In the above prototype, the <font class="fixd">u64</font> type is used. This is one of the types defined by
<i>&lt;linux/types.h&gt;</i>, discussed in Chapter 11, and represents an unsigned 64-bit type.<br>
<br>
If you're wondering how 32-bit platforms update both the 32-bit and 64-bit counters
at the same time, read the linker script for your platform (look for a file whose name
matches <i>vmlinux*.lds*</i>). There, the <font class="fixd">jiffies</font> symbol is defined to access the least significant
word of the 64-bit value, according to whether the platform is little-endian
or big-endian. Actually, the same trick is used for 64-bit platforms, so that the
<font class="fixd">unsigned long</font> and <font class="fixd">u64</font> variables are accessed at the same address.<br>
<br>
<A name="186"></a><font color="blue">PAGE 186</font><br>
<br>
Finally, note that the actual clock frequency is almost completely hidden from user
space. The macro <font class="fixd">HZ</font> always expands to 100 when user-space programs include
<i>param.h</i>, and every counter reported to user space is converted accordingly. This
applies to <i>clock(3)</i>, <i>times(2)</i>, and any related function. The only evidence available to
users of the <font class="fixd">HZ</font> value is how fast timer interrupts happen, as shown in <i>/proc/
interrupts</i>. For example, you can obtain <font class="fixd">HZ</font> by dividing this count by the system
uptime reported in <i>/proc/uptime</i>.<br>
<br>
<a name="ProcessorSpecificRegisters"></a><font color="red"><b>Processor-Specific Registers</b></font><br>
<br>
If you need to measure very short time intervals or you need extremely high precision
in your figures, you can resort to platform-dependent resources, a choice of precision
over portability.<br>
<br>
In modern processors, the pressing demand for empirical performance figures is
thwarted by the intrinsic unpredictability of instruction timing in most CPU designs
due to cache memories, instruction scheduling, and branch prediction. As a
response, CPU manufacturers introduced a way to count clock cycles as an easy and
reliable way to measure time lapses. Therefore, most modern processors include a
counter register that is steadily incremented once at each clock cycle. Nowadays, this
clock counter is the only reliable way to carry out high-resolution timekeeping tasks.<br>
<br>
The details differ from platform to platform: the register may or may not be readable
from user space, it may or may not be writable, and it may be 64 or 32 bits wide. In
the last case, you must be prepared to handle overflows just like we did with the jiffy
counter. The register may even not exist for your platform, or it can be implemented
in an external device by the hardware designer, if the CPU lacks the feature and you
are dealing with a special-purpose computer.<br>
<br>
Whether or not the register can be zeroed, we strongly discourage resetting it, even
when hardware permits. You might not, after all, be the only user of the counter at
any given time; on some platforms supporting SMP, for example, the kernel depends
on such a counter to be synchronized across processors. Since you can always measure
differences between values, as long as that difference doesn't exceed the overflow
time, you can get the work done without claiming exclusive ownership of the
register by modifying its current value.<br>
<br>
The most renowned counter register is the TSC (timestamp counter), introduced in
x86 processors with the Pentium and present in all CPU designs ever since--including
the x86_64 platform. It is a 64-bit register that counts CPU clock cycles; it can be
read from both kernel space and user space.<br>
<br>
After including <i>&lt;asm/msr.h&gt; </i>(an x86-specific header whose name stands for
"machine-specific registers"), you can use one of these macros:<br>
<pre>
rdtsc(low32,high32);
rdtscl(low32);
rdtscll(var64);
</pre>
<A name="187"></a><font color="blue">PAGE 187</font><br>
<br>
The first macro atomically reads the 64-bit value into two 32-bit variables; the next
one ("read low half") reads the low half of the register into a 32-bit variable, discarding
the high half; the last reads the 64-bit value into a <font class="fixd">long long</font> variable, hence, the
name. All of these macros store values into their arguments.<br>
<br>
Reading the low half of the counter is enough for most common uses of the TSC. A
1-GHz CPU overflows it only once every 4.2 seconds, so you won't need to deal with
multiregister variables if the time lapse you are benchmarking reliably takes less time.
However, as CPU frequencies rise over time and as timing requirements increase,
you'll most likely need to read the 64-bit counter more often in the future.<br>
<br>
As an example using only the low half of the register, the following lines measure the
execution of the instruction itself:<br>
<pre>
unsigned long ini, end;
rdtscl(ini); rdtscl(end);
printk(&quot;time lapse: %li\n&quot;, end - ini);
</pre>
Some of the other platforms offer similar functionality, and kernel headers offer an
architecture-independent function that you can use instead of <i>rdtsc</i>. It is called <i>get_cycles</i>, 
defined in <i>&lt;asm/timex.h&gt;</i> (included by <i>&lt;linux/timex.h&gt;</i>). Its prototype is:<br>
<pre>
 #include &lt;linux/timex.h&gt;
 cycles_t get_cycles(void);
</pre>
This function is defined for every platform, and it always returns 0 on the platforms
that have no cycle-counter register. The <font class="fixd">cycles_t</font> type is an appropriate unsigned
type to hold the value read.<br>
<br>
Despite the availability of an architecture-independent function, we'd like to take the
opportunity to show an example of inline assembly code. To this aim, we implement
a <i>rdtscl </i>function for MIPS processors that works in the same way as the x86
one.<br>
<br>
We base the example on MIPS because most MIPS processors feature a 32-bit
counter as register 9 of their internal "coprocessor 0." To access the register, readable
only from kernel space, you can define the following macro that executes a
"move from coprocessor 0" assembly instruction:*<br>
<pre>
#define rdtscl(dest) \
   <font class="fixd">__asm__</font> __volatile__(&quot;mfc0 %0,$9; nop&quot; : &quot;=r&quot; (dest))
</pre>
With this macro in place, the MIPS processor can execute the same code shown earlier
for the x86.<br>
<br>
* The trailing <i>nop </i>instruction is required to prevent the compiler from accessing the target register in the 
instruction immediately following <i>mfc0</i>. This kind of interlock is typical of RISC processors, and the compiler
can still schedule useful instructions in the delay slots. In this case, we use <i>nop </i>because inline assembly
is a black box for the compiler and no optimization can be performed.<br>
<br>
<A name="188"></a><font color="blue">PAGE 188</font><br>
<br>
With <i>gcc </i>inline assembly, the allocation of general-purpose registers is left to the
compiler. The macro just shown uses %0 as a placeholder for "argument 0," which is
later specified as "any register (<font class="fixd">r</font>) used as output (<font class="fixd">=</font>)." The macro also states that the
output register must correspond to the C expression <font class="fixd">dest</font>. The syntax for inline
assembly is very powerful but somewhat complex, especially for architectures that
have constraints on what each register can do (namely, the x86 family). The syntax is
described in the <i>gcc</i> documentation, usually available in the <i>info</i> documentation tree.<br>
<br>
The short C-code fragment shown in this section has been run on a K7-class x86 processor
and a MIPS VR4181 (using the macro just described). The former reported a
time lapse of 11 clock ticks and the latter just 2 clock ticks. The small figure was
expected, since RISC processors usually execute one instruction per clock cycle.<br>
<br>
There is one other thing worth knowing about timestamp counters: they are not necessarily
synchronized across processors in an SMP system. To be sure of getting a
coherent value, you should disable preemption for code that is querying the counter.<br>
<br>
<a name="KnowingTheCurrentTime"></a><font color="red"><b>Knowing the Current Time</b></font><br>
<br>
Kernel code can always retrieve a representation of the current time by looking at the
value of <font class="fixd">jiffies</font>. Usually, the fact that the value represents only the time since the
last boot is not relevant to the driver, because its life is limited to the system uptime.
As shown, drivers can use the current value of <font class="fixd">jiffies</font> to calculate time intervals
across events (for example, to tell double-clicks from single-clicks in input device
drivers or calculate timeouts). In short, looking at <font class="fixd">jiffies</font> is almost always sufficient
when you need to measure time intervals. If you need very precise measurements for
short time lapses, processor-specific registers come to the rescue (although they bring
in serious portability issues).<br>
<br>
It's quite unlikely that a driver will ever need to know the wall-clock time, expressed
in months, days, and hours; the information is usually needed only by user programs
such as <i>cron </i>and <i>syslogd</i>. Dealing with real-world time is usually best left to
user space, where the C library offers better support; besides, such code is often too
policy-related to belong in the kernel. There <i>is </i>a kernel function that turns a wallclock
time into a <font class="fixd">jiffies</font> value, however:<br>
<pre>
#include &lt;linux/time.h&gt;
unsigned long mktime (unsigned int year, unsigned int mon,
                      unsigned int day, unsigned int hour,
                      unsigned int min, unsigned int sec);
</pre>
To repeat: dealing directly with wall-clock time in a driver is often a sign that policy
is being implemented and should therefore be questioned.<br>
<br>
While you won't have to deal with human-readable representations of the time,
sometimes you need to deal with absolute timestamp even in kernel space. To this
aim, &lt;<i>linux/time.h&gt; </i>exports the <i>do_gettimeofday </i>function. When called, it fills a<br>
<br>
<A name="189"></a><font color="blue">PAGE 189</font><br>
<br>
<font class="fixd">struct timeval</font> pointer--the same one used in the <i>gettimeofday </i>system call--with the
familiar seconds and microseconds values. The prototype for <i>do_gettimeofday</i> is:<br>
<pre>
 #include &lt;linux/time.h&gt;
 void do_gettimeofday(struct timeval *tv);
</pre>
The source states that <i>do_gettimeofday </i>has "near microsecond resolution," because it
asks the timing hardware what fraction of the current jiffy has already elapsed. The
precision varies from one architecture to another, however, since it depends on the
actual hardware mechanisms in use. For example, some <i>m68knommu </i>processors,
Sun3 systems, and other <i>m68k </i>systems cannot offer more than jiffy resolution. Pentium
systems, on the other hand, offer very fast and precise subtick measures by
reading the timestamp counter described earlier in this chapter.<br>
<br>
The current time is also available (though with jiffy granularity) from the  <font class="fixd">xtime</font> variable,
a  <font class="fixd">struct timespec</font> value. Direct use of this variable is discouraged because it is
difficult to atomically access both the fields. Therefore, the kernel offers the utility
function <i>current_kernel_time</i>:<br>
<pre>
#include &lt;linux/time.h&gt;
struct timespec current_kernel_time(void);
</pre>
Code for retrieving the current time in the various ways it is available within the <i>jit
</i>("just in time") module in the source files provided on O'Reilly's FTP site. <i>jit </i>creates
a file called <i>/proc/currentime</i>, which returns the following items in ASCII when read:<br>
<ul>
<li> The current <font class="fixd">jiffies</font> and <font class="fixd">jiffies_64</font> values as hex numbers
<li> The current time as returned by <i>do_gettimeofday</i>
<li> The  <font class="fixd">timespec</font> returned by <i>current_kernel_time</i>
</ul>
We chose to use a dynamic <i>/proc </i>file to keep the boilerplate code to a minimum--it's
not worth creating a whole device just to return a little textual information.<br>
<br>
The file returns text lines continuously as long as the module is loaded; each <i>read
</i>system call collects and returns one set of data, organized in two lines for better readability.
Whenever you read multiple data sets in less than a timer tick, you'll see the
difference between <i>do_gettimeofday</i>, which queries the hardware, and the other values
that are updated only when the timer ticks.<br>
<pre>
phon% <b>head -8 /proc/currentime
</b>0x00bdbc1f 0x0000000100bdbc1f 1062370899.630126
                              1062370899.629161488
0x00bdbc1f 0x0000000100bdbc1f 1062370899.630150
                              1062370899.629161488
0x00bdbc20 0x0000000100bdbc20 1062370899.630208
                              1062370899.630161336
0x00bdbc20 0x0000000100bdbc20 1062370899.630233
                              1062370899.630161336
</pre>
In the screenshot above, there are two interesting things to note. First, the <i>current_kernel_time</i> value, 
though expressed in nanoseconds, has only clock-tick granularity;<br>
<br>
<A name="190"></a><font color="blue">PAGE 190</font><br>
<br>
<i>do_gettimeofday </i>consistently reports a later time but not later than the next timer
tick. Second, the 64-bit jiffies counter has the least-significant bit of the upper 32-bit
word set. This happens because the default value for <font class="fixd">INITIAL_JIFFIES,</font> used at boot
time to initialize the counter, forces a low-word overflow a few minutes after boot
time to help detect problems related to that very overflow. This initial bias in the
counter has no effect, because <font class="fixd">jiffies</font> is unrelated to wall-clock time. In <i>/proc/
uptime</i>, where the kernel extracts the uptime from the counter, the initial bias is
removed before conversion.<br>
<br>
<a name="DelayingExecution"></a><font color="red"><b>Delaying Execution</b></font><br>
<br>
Device drivers often need to delay the execution of a particular piece of code for a
period of time, usually to allow the hardware to accomplish some task. In this section
we cover a number of different techniques for achieving delays. The circumstances
of each situation determine which technique is best to use; we go over them
all, and point out the advantages and disadvantages of each.<br>
<br>
One important thing to consider is how the delay you need compares with the clock
tick, considering the range of <font class="fixd">HZ</font> across the various platforms. Delays that are reliably
longer than the clock tick, and don't suffer from its coarse granularity, can make use
of the system clock. Very short delays typically must be implemented with software
loops. In between these two cases lies a gray area. In this chapter, we use the phrase
"long" delay to refer to a multiple-jiffy delay, which can be as low as a few milliseconds
on some platforms, but is still long as seen by the CPU and the kernel.<br>
<br>
The following sections talk about the different delays by taking a somewhat long
path from various intuitive but inappropriate solutions to the right solution. We
chose this path because it allows a more in-depth discussion of kernel issues related
to timing. If you are eager to find the right code, just skim through the section.<br>
<br>
<a name="LongDelays"></a><font color="red"><b>Long Delays</b></font><br>
<br>
Occasionally a driver needs to delay execution for relatively long periods--more than
one clock tick. There are a few ways of accomplishing this sort of delay; we start with
the simplest technique, then proceed to the more advanced techniques.<br>
<br>
<a name="BusyWaiting"></a><font color="red"><b>Busy waiting</b></font><br>
<br>
If you want to delay execution by a multiple of the clock tick, allowing some slack in
the value, the easiest (though not recommended) implementation is a loop that monitors
the jiffy counter. The <i>busy-waiting </i>implementation usually looks like the following
code, where <font class="fixd">j1</font> is the value of <font class="fixd">jiffies</font> at the expiration of the delay:<br>
<pre>
while (time_before(jiffies, j1))
    cpu_relax( );
</pre>
<A name="191"></a><font color="blue">PAGE 191</font><br>
<br>
The call to <i>cpu_relax </i>invokes an architecture-specific way of saying that you're not
doing much with the processor at the moment. On many systems it does nothing at
all; on symmetric multithreaded ("hyperthreaded") systems, it may yield the core to
the other thread. In any case, this approach should definitely be avoided whenever
possible. We show it here because on occasion you might want to run this code to
better understand the internals of other code.<br>
<br>
So let's look at how this code works. The loop is guaranteed to work because <font class="fixd">jiffies</font>
is declared as <font class="fixd">volatile</font> by the kernel headers and, therefore, is fetched from memory
any time some C code accesses it. Although technically correct (in that it works as
designed), this busy loop severely degrades system performance. If you didn't configure
your kernel for preemptive operation, the loop completely locks the processor for
the duration of the delay; the scheduler never preempts a process that is running in
kernel space, and the computer looks completely dead until time <font class="fixd">j1</font> is reached. The
problem is less serious if you are running a preemptive kernel, because, unless the
code is holding a lock, some of the processor's time can be recovered for other uses.
Busy waits are still expensive on preemptive systems, however.<br>
<br>
Still worse, if interrupts happen to be disabled when you enter the loop, <font class="fixd">jiffies</font>
won't be updated, and the <font class="fixd">while</font> condition remains true forever. Running a preemptive
kernel won't help either, and you'll be forced to hit the big red button.<br>
<br>
This implementation of delaying code is available, like the following ones, in the <i>jit
</i>module. The <i>/proc/jit* </i>files created by the module delay a whole second each time
you read a line of text, and lines are guaranteed to be 20 bytes each. If you want to
test the busy-wait code, you can read <i>/proc/jitbusy</i>, which busy-loops for one second
for each line it returns.<br>
<br>
<div class="warn">Be sure to read, at most, one line (or a few lines) at a time from <i>/proc/
jitbusy</i>. The simplified kernel mechanism to register <i>/proc </i>files invokes
the <i>read </i>method over and over to fill the data buffer the user
requested. Therefore, a command such as <i>cat /proc/jitbusy</i>, if it reads 4
KB at a time, freezes the computer for 205 seconds.</div>
<br>
The suggested command to read <i>/proc/jitbusy </i>is <i>dd bs=20 &lt; /proc/jitbusy</i>, optionally
specifying the number of blocks as well. Each 20-byte line returned by the file represents
the value the jiffy counter had before and after the delay. This is a sample run
on an otherwise unloaded computer:<br>
<pre>
phon% <b>dd bs=20 count=5 &lt; /proc/jitbusy</b>
  1686518   1687518
  1687519   1688519
  1688520   1689520
  1689520   1690520
  1690521   1691521
</pre>
<A name="192"></a><font color="blue">PAGE 192</font><br>
<br>
All looks good: delays are exactly one second (1000 jiffies), and the next <i>read </i>system
call starts immediately after the previous one is over. But let's see what happens on a
system with a large number of CPU-intensive processes running (and nonpreemptive
kernel):<br>
<pre>
phon% <b>dd bs=20 count=5 &lt; /proc/jitbusy</b>
  1911226   1912226
  1913323   1914323
  1919529   1920529
  1925632   1926632
  1931835   1932835
</pre>
Here, each <i>read </i>system call delays exactly one second, but the kernel can take more
than 5 seconds before scheduling the <i>dd </i>process so it can issue the next system call.
That's expected in a multitasking system; CPU time is shared between all running
processes, and a CPU-intensive process has its dynamic priority reduced. (A discussion
of scheduling policies is outside the scope of this book.)<br>
<br>
The test under load shown above has been performed while running the <i>load50 </i>sample
program. This program forks a number of processes that do nothing, but do it in
a CPU-intensive way. The program is part of the sample files accompanying this
book, and forks 50 processes by default, although the number can be specified on
the command line. In this chapter, and elsewhere in the book, the tests with a loaded
system have been performed with <i>load50</i> running in an otherwise idle computer.<br>
<br>
If you repeat the command while running a preemptible kernel, you'll find no noticeable
difference on an otherwise idle CPU and the following behavior under load:<br>
<pre>
phon% <b>dd bs=20 count=5 &lt; /proc/jitbusy</b>
 14940680  14942777
 14942778  14945430
 14945431  14948491
 14948492  14951960
 14951961  14955840
</pre>
Here, there is no significant delay between the end of a system call and the beginning
of the next one, but the individual delays are far longer than one second: up to
3.8 seconds in the example shown and increasing over time. These values demonstrate
that the process has been interrupted during its delay, scheduling other processes.
The gap between system calls is not the only scheduling option for this
process, so no special delay can be seen there.<br>
<br>
<a name="YieldingTheProcessor"></a><font color="red"><b>Yielding the processor</b></font><br>
<br>
As we have seen, busy waiting imposes a heavy load on the system as a whole; we
would like to find a better technique. The first change that comes to mind is to<br>
<br>
<A name="193"></a><font color="blue">PAGE 193</font><br>
<br>
explicitly release the CPU when we're not interested in it. This is accomplished by
calling the <i>schedule</i> function, declared in <i>&lt;linux/sched.h&gt;</i>:<br>
<pre>
while (time_before(jiffies, j1)) {
    schedule( );
}
</pre>
This loop can be tested by reading <i>/proc/jitsched </i>as we read <i>/proc/jitbusy </i>above. However,
is still isn't optimal. The current process does nothing but release the CPU, but
it remains in the run queue. If it is the only runnable process, it actually runs (it calls
the scheduler, which selects the same process, which calls the scheduler, which...).
In other words, the load of the machine (the average number of running processes) is
at least one, and the idle task (process number 0, also called <i>swapper </i>for historical
reasons) never runs. Though this issue may seem irrelevant, running the idle task
when the computer is idle relieves the processor's workload, decreasing its temperature
and increasing its lifetime, as well as the duration of the batteries if the computer
happens to be your laptop. Moreover, since the process is actually executing
during the delay, it is accountable for all the time it consumes.<br>
<br>
The behavior of <i>/proc/jitsched </i>is actually similar to running <i>/proc/jitbusy </i>under a preemptive
kernel. This is a sample run, on an unloaded system:<br>
<pre>
phon% <b>dd bs=20 count=5 &lt; /proc/jitsched</b>
  1760205   1761207
  1761209   1762211
  1762212   1763212
  1763213   1764213
  1764214   1765217
</pre>
It's interesting to note that each <i>read </i>sometimes ends up waiting a few clock ticks
more than requested. This problem gets worse and worse as the system gets busy,
and the driver could end up waiting longer than expected. Once a process releases
the processor with <i>schedule</i>, there are no guarantees that the process will get the processor
back anytime soon. Therefore, calling <i>schedule </i>in this manner is not a safe
solution to the driver's needs, in addition to being bad for the computing system as a
whole. If you test <i>jitsched </i>while running <i>load50</i>, you can see that the delay associated
to each line is extended by a few seconds, because other processes are using the
CPU when the timeout expires.<br>
<br>
<a name="Timeouts"></a><font color="red"><b>Timeouts</b></font><br>
<br>
The suboptimal delay loops shown up to now work by watching the jiffy counter
without telling anyone. But the best way to implement a delay, as you may imagine,
is usually to ask the kernel to do it for you. There are two ways of setting up jiffy-based
timeouts, depending on whether your driver is waiting for other events or not.<br>
<br>
<A name="194"></a><font color="blue">PAGE 194</font><br>
<br>
If your driver uses a wait queue to wait for some other event, but you also want to be
sure that it runs within a certain period of time, it can use <i>wait_event_timeout </i>or
<i>wait_event_interruptible_timeout</i>:<br>
<pre>
#include &lt;linux/wait.h&gt;
long wait_event_timeout(wait_queue_head_t q, condition, long timeout);
long wait_event_interruptible_timeout(wait_queue_head_t q,
                      condition, long timeout);
</pre>
These functions sleep on the given wait queue, but they return after the timeout
(expressed in <font class="fixd">jiffies</font>) expires. Thus, they implement a bounded sleep that does not go
on forever. Note that the timeout value represents the number of <font class="fixd">jiffies</font> to wait, not
an absolute time value. The value is represented by a signed number, because it
sometimes is the result of a subtraction, although the functions complain through a
<i>printk </i>statement if the provided timeout is negative. If the timeout expires, the functions
return 0; if the process is awakened by another event, it returns the remaining
delay expressed in <font class="fixd">jiffies</font>. The return value is never negative, even if the delay is
greater than expected because of system load.<br>
<br>
The <i>/proc/jitqueue </i>file shows a delay based on <i>wait_event_interruptible_timeout</i>,
although the module has no event to wait for, and uses 0 as a condition:<br>
<pre>
wait_queue_head_t wait;
init_waitqueue_head (&amp;wait);
wait_event_interruptible_timeout(wait, 0, delay);
</pre>
The observed behaviour, when reading <i>/proc/jitqueue</i>, is nearly optimal, even under
load:<br>
<pre>
phon% <b>dd bs=20 count=5 &lt; /proc/jitqueue</b>
  2027024   2028024
  2028025   2029025
  2029026   2030026
  2030027   2031027
  2031028   2032028
</pre>
Since the reading process (<i>dd </i>above) is not in the run queue while waiting for the
timeout, you see no difference in behavior whether the code is run in a preemptive
kernel or not.<br>
<br>
<i>wait_event_timeout </i>and <i>wait_event_interruptible_timeout </i>were designed with a hardware
driver in mind, where execution could be resumed in either of two ways: either
somebody calls <i>wake_up </i>on the wait queue, or the timeout expires. This doesn't
apply to <i>jitqueue</i>, as nobody ever calls <i>wake_up </i>on the wait queue (after all, no other
code even knows about it), so the process always wakes up when the timeout
expires. To accommodate for this very situation, where you want to delay execution
waiting for no specific event, the kernel offers the <i>schedule_timeout </i>function so you
can avoid declaring and using a superfluous wait queue head:<br>
<pre>
#include &lt;linux/sched.h&gt;
signed long schedule_timeout(signed long timeout);
</pre>
<A name="195"></a><font color="blue">PAGE 195</font><br>
<br>
Here, <font class="fixd">timeout</font> is the number of jiffies to delay. The return value is 0 unless the function
returns before the given timeout has elapsed (in response to a signal). <i>schedule_timeout
</i>requires that the caller first set the current process state, so a typical call looks like:<br>
<pre>
set_current_state(TASK_INTERRUPTIBLE);
schedule_timeout (delay);
</pre>
The previous lines (from <i>/proc/jitschedto</i>) cause the process to sleep until the given
time has passed. Since <i>wait_event_interruptible_timeout </i>relies on <i>schedule_timeout
</i>internally, we won't bother showing the numbers <i>jitschedto </i>returns, because they are
the same as those of <i>jitqueue</i>. Once again, it is worth noting that an extra time interval
could pass between the expiration of the timeout and when your process is actually
scheduled to execute.<br>
<br>
In the example just shown, the first line calls <i>set_current_state </i>to set things up so that
the scheduler won't run the current process again until the timeout places it back in
<font class="fixd">TASK_RUNNING</font> state. To achieve an uninterruptible delay, use <font class="fixd">TASK_UNINTERRUPTIBLE</font>
instead. If you forget to change the state of the current process, a call to <i>schedule_
timeout </i>behaves like a call to <i>schedule </i>(i.e., the <i>jitsched </i>behavior), setting up a timer
that is not used.<br>
<br>
If you want to play with the four <i>jit </i>files under different system situations or different
kernels, or try other ways to delay execution, you may want to configure the
amount of the delay when loading the module by setting the <i>delay</i> module parameter.<br>
<br>
<a name="ShortDelays"></a><font color="red"><b>Short Delays</b></font><br>
<br>
When a device driver needs to deal with latencies in its hardware, the delays involved
are usually a few dozen microseconds at most. In this case, relying on the clock tick
is definitely not the way to go.<br>
<br>
The kernel functions <i>ndelay</i>, <i>udelay</i>, and <i>mdelay </i>serve well for short delays, delaying
execution for the specified number of nanoseconds, microseconds, or milliseconds
respectively.* Their prototypes are:<br>
<pre>
#include &lt;linux/delay.h&gt;
void ndelay(unsigned long nsecs);
void udelay(unsigned long usecs);
void mdelay(unsigned long msecs);
</pre>
The actual implementations of the functions are in <i>&lt;asm/delay.h&gt;</i>, being architecture-specific,
and sometimes build on an external function. Every architecture implements
<i>udelay</i>, but the other functions may or may not be defined; if they are not,
<i>&lt;linux/delay.h&gt; </i>offers a default version based on <i>udelay</i>. In all cases, the delay
achieved is at least the requested value but could be more; actually, no platform currently
achieves nanosecond precision, although several ones offer submicrosecond<br>
<br>
* The u in <i>udelay</i> represents the Greek letter mu and stands for <i>micro</i>.<br>
<br>
<A name="196"></a><font color="blue">PAGE 196</font><br>
<br>
precision. Delaying more than the requested value is usually not a problem, as short
delays in a driver are usually needed to wait for the hardware, and the requirements
are to wait for <i>at least</i> a given time lapse.<br>
<br>
The implementation of <i>udelay </i>(and possibly <i>ndelay </i>too) uses a software loop based on
the processor speed calculated at boot time, using the integer variable <font class="fixd">loops_per_jiffy</font>.
If you want to look at the actual code, however, be aware that the <i>x86 </i>implementation
is quite a complex one because of the different timing sources it uses, based on what
CPU type is running the code.<br>
<br>
To avoid integer overflows in loop calculations, <i>udelay </i>and <i>ndelay </i>impose an upper
bound in the value passed to them. If your module fails to load and displays an unresolved
symbol, <i>__bad_udelay</i>, it means you called <i>udelay </i>with too large an argument.
Note, however, that the compile-time check can be performed only on
constant values and that not all platforms implement it. As a general rule, if you are
trying to delay for thousands of nanoseconds, you should be using <i>udelay </i>rather than
<i>ndelay</i>; similarly, millisecond-scale delays should be done with <i>mdelay </i>and not one
of the finer-grained functions.<br>
<br>
It's important to remember that the three delay functions are busy-waiting; other
tasks can't be run during the time lapse. Thus, they replicate, though on a different
scale, the behavior of <i>jitbusy</i>. Thus, these functions should only be used when there
is no practical alternative.<br>
<br>
There is another way of achieving millisecond (and longer) delays that does not
involve busy waiting. The file <i>&lt;linux/delay.h&gt;</i> declares these functions:<br>
<pre>
void msleep(unsigned int millisecs);
unsigned long msleep_interruptible(unsigned int millisecs);
void ssleep(unsigned int seconds)
</pre>
The first two functions puts the calling process to sleep for the given number of
<font class="fixd">millisecs.</font> A call to <i>msleep </i>is uninterruptible; you can be sure that the process sleeps
for at least the given number of milliseconds. If your driver is sitting on a wait queue
and you want a wakeup to break the sleep, use <i>msleep_interruptible</i>. The return value
from <i>msleep_interruptible </i>is normally 0; if, however, the process is awakened early,
the return value is the number of milliseconds remaining in the originally requested
sleep period. A call to <i>ssleep </i>puts the process into an uninterruptible sleep for the
given number of seconds.<br>
<br>
In general, if you can tolerate longer delays than requested, you should use
<i>schedule_timeout</i>, <i>msleep</i>, or <i>ssleep</i>.<br>
<br>
<a name="KernelTimers"></a><font color="red"><b>Kernel Timers</b></font><br>
<br>
Whenever you need to schedule an action to happen later, without blocking the current
process until that time arrives, kernel timers are the tool for you. These timers<br>
<br>
<A name="197"></a><font color="blue">PAGE 197</font><br>
<br>
are used to schedule execution of a function at a particular time in the future, based
on the clock tick, and can be used for a variety of tasks; for example, polling a device
by checking its state at regular intervals when the hardware can't fire interrupts.
Other typical uses of kernel timers are turning off the floppy motor or finishing
another lengthy shut down operation. In such cases, delaying the return from <i>close
</i>would impose an unnecessary (and surprising) cost on the application program.
Finally, the kernel itself uses the timers in several situations, including the implementation
of <i>schedule_timeout</i>.<br>
<br>
A kernel timer is a data structure that instructs the kernel to execute a user-defined
function with a user-defined argument at a user-defined time. The implementation
resides in <i>&lt;linux/timer.h&gt; </i>and <i>kernel/timer.c </i>and is described in detail in the section
"The Implementation of Kernel Timers."<br>
<br>
The functions scheduled to run almost certainly do <i>not </i>run while the process that
registered them is executing. They are, instead, run asynchronously. Until now,
everything we have done in our sample drivers has run in the context of a process
executing system calls. When a timer runs, however, the process that scheduled it
could be asleep, executing on a different processor, or quite possibly has exited
altogether.<br>
<br>
This asynchronous execution resembles what happens when a hardware interrupt
happens (which is discussed in detail in Chapter 10). In fact, kernel timers are run as
the result of a "software interrupt." When running in this sort of atomic context,
your code is subject to a number of constraints. Timer functions must be atomic in
all the ways we discussed in the section "Spinlocks and Atomic Context" in
Chapter 1, but there are some additional issues brought about by the lack of a process
context. We will introduce these constraints now; they will be seen again in several
places in later chapters. Repetition is called for because the rules for atomic
contexts must be followed assiduously, or the system will find itself in deep trouble.<br>
<br>
A number of actions require the context of a process in order to be executed. When
you are outside of process context (i.e., in interrupt context), you must observe the
following rules:<br>
<ul>
<li> No access to user space is allowed. Because there is no process context, there is
no path to the user space associated with any particular process.
<li> The <font class="fixd">current</font> pointer is not meaningful in atomic mode and cannot be used since
the relevant code has no connection with the process that has been interrupted.
<li> No sleeping or scheduling may be performed. Atomic code may not call <i>schedule </i>or 
a form of <i>wait_event</i>, nor may it call any other function that could sleep.
For example, calling <i>kmalloc(..., GFP_KERNEL) </i>is against the rules. Semaphores
also must not be used since they can sleep.
</ul>
<A name="198"></a><font color="blue">PAGE 198</font><br>
<br>
Kernel code can tell if it is running in interrupt context by calling the function <i>in_interrupt( )</i>, 
which takes no parameters and returns nonzero if the processor is currently
running in interrupt context, either hardware interrupt or software interrupt.<br>
<br>
A function related to <i>in_interrupt( ) </i>is <i>in_atomic( )</i>. Its return value is nonzero whenever
scheduling is not allowed; this includes hardware and software interrupt contexts
as well as any time when a spinlock is held. In the latter case, current may be valid, but
access to user space is forbidden, since it can cause scheduling to happen. Whenever
you are using <i>in_interrupt( )</i>, you should really consider whether <i>in_atomic( ) </i>is what
you actually mean. Both functions are declared in <i>&lt;asm/hardirq.h&gt;</i><br>
<br>
One other important feature of kernel timers is that a task can reregister itself to run
again at a later time. This is possible because each <font class="fixd">timer_list</font> structure is unlinked
from the list of active timers before being run and can, therefore, be immediately relinked
elsewhere. Although rescheduling the same task over and over might appear
to be a pointless operation, it is sometimes useful. For example, it can be used to
implement the polling of devices.<br>
<br>
It's also worth knowing that in an SMP system, the timer function is executed by the
same CPU that registered it, to achieve better cache locality whenever possible.
Therefore, a timer that reregisters itself always runs on the same CPU.<br>
<br>
An important feature of timers that should not be forgotten, though, is that they are
a potential source of race conditions, even on uniprocessor systems. This is a direct
result of their being asynchronous with other code. Therefore, any data structures
accessed by the timer function should be protected from concurrent access, either by
being atomic types (discussed in the section "Atomic Variables" in Chapter 1) or by
using spinlocks (discussed in Chapter 5).<br>
<br>
<a name="TheTimerAPI"></a><font color="red"><b>The Timer API</b></font><br>
<br>
The kernel provides drivers with a number of functions to declare, register, and
remove kernel timers. The following excerpt shows the basic building blocks:<br>
<pre>
#include &lt;linux/timer.h&gt;
struct timer_list {
        /* ... */
        unsigned long expires;
        void (*function)(unsigned long);
        unsigned long data;
};

void init_timer(struct timer_list *timer);
struct timer_list TIMER_INITIALIZER(_function, _expires, _data);

void add_timer(struct timer_list * timer);
int del_timer(struct timer_list * timer);
</pre>
<A name="199"></a><font color="blue">PAGE 199</font><br>
<br>
The data structure includes more fields than the ones shown, but those three are the
ones that are meant to be accessed from outside the timer code iteslf. The <font class="fixd">expires</font>
field represents the <font class="fixd">jiffies</font> value when the timer is expected to run; at that time, the
function <i>function </i>is called with <font class="fixd">data</font> as an argument. If you need to pass multiple
items in the argument, you can bundle them as a single data structure and pass a
pointer cast to <font class="fixd">unsigned long</font>, a safe practice on all supported architectures and
pretty common in memory management (as discussed in Chapter 15). The <font class="fixd">expires</font>
value is not a <font class="fixd">jiffies_64</font> item because timers are not expected to expire very far in
the future, and 64-bit operations are slow on 32-bit platforms.<br>
<br>
The structure must be initialized before use. This step ensures that all the fields are
properly set up, including the ones that are opaque to the caller. Initialization can be
performed by calling <i>init_timer </i>or assigning <font class="fixd">TIMER_INITIALIZER</font> to a static structure,
according to your needs. After initialization, you can change the three public fields
before calling <i>add_timer</i>. To disable a registered timer before it expires, call <i>del_timer</i>.<br>
<br>
The <i>jit </i>module includes a sample file, <i>/proc/jitimer </i>(for "just in timer"), that returns
one header line and six data lines. The data lines represent the current environment
where the code is running; the first one is generated by the <i>read </i>file operation and
the others by a timer. The following output was recorded while compiling a kernel:<br>
<pre>
phon% <b>cat /proc/jitimer
</b>   time   delta  inirq    pid   cpu command
 33565837    0     0      1269   0   cat
 33565847   10     1      1271   0   sh
 33565857   10     1      1273   0   cpp0
 33565867   10     1      1273   0   cpp0
 33565877   10     1      1274   0   cc1
 33565887   10     1      1274   0   cc1
</pre>
In this output, the time field is the value of <font class="fixd">jiffies</font> when the code runs, delta is the
change in <font class="fixd">jiffies</font> since the previous line, <font class="fixd">inirq</font> is the Boolean value returned by <i>in_interrupt</i>, 
<font class="fixd">pid</font> and <font class="fixd">command</font> refer to the current process, and <font class="fixd">cpu</font> is the number of the
CPU being used (always 0 on uniprocessor systems).<br>
<br>
If you read <i>/proc/jitimer </i>while the system is unloaded, you'll find that the context of
the timer is process 0, the idle task, which is called "swapper" mainly for historical
reasons.<br>
<br>
The timer used to generate <i>/proc/jitimer </i>data is run every 10 <font class="fixd">jiffies</font> by default, but you
can change the value by setting the tdelay (timer delay) parameter when loading the
module.<br>
<br>
The following code excerpt shows the part of <i>jit </i>related to the <i>jitimer </i>timer. When a
process attempts to read our file, we set up the timer as follows:<br>
<pre>
unsigned long j = jiffies;

/* fill the data for our timer function */
data-&gt;prevjiffies = j;
</pre>
<A name="200"></a><font color="blue">PAGE 200</font><br>
<pre>
data-&gt;buf = buf2;
data-&gt;loops = JIT_ASYNC_LOOPS;

/* register the timer */
data-&gt;timer.data = (unsigned long)data;
data-&gt;timer.function = jit_timer_fn;
data-&gt;timer.expires = j + tdelay; /* parameter */
add_timer(&amp;data-&gt;timer);

/* wait for the buffer to fill */
wait_event_interruptible(data-&gt;wait, !data-&gt;loops);
</pre>
The actual timer function looks like this:<br>
<pre>
void jit_timer_fn(unsigned long arg)
{
    struct jit_data *data = (struct jit_data *)arg;
    unsigned long j = jiffies;
    data-&gt;buf += sprintf(data-&gt;buf, &quot;%9li  %3li     %i    %6i   %i   %s\n&quot;,
                 j, j - data-&gt;prevjiffies, in_interrupt( ) ? 1 : 0,
                 current-&gt;pid, smp_processor_id( ), current-&gt;comm);

    if (--data-&gt;loops) {
        data-&gt;timer.expires += tdelay;
        data-&gt;prevjiffies = j;
        add_timer(&amp;data-&gt;timer);
    } else {
        wake_up_interruptible(&amp;data-&gt;wait);
    }
}
</pre>
The timer API includes a few more functions than the ones introduced above. The
following set completes the list of kernel offerings:<br>
<br>
<font class="fixd">int mod_timer(struct timer_list *timer, unsigned long expires);</font><br>
<div class="bq">
Updates the expiration time of a timer, a common task for which a timeout
timer is used (again, the motor-off floppy timer is a typical example). <i>mod_timer
</i>can be called on inactive timers as well, where you normally use <i>add_timer</i>.</div>
<br>
<font class="fixd">int del_timer_sync(struct timer_list *timer);</font><br>
<div class="bq">
Works like <i>del_timer</i>, but also guarantees that when it returns, the timer function
is not running on any CPU. <i>del_timer_sync </i>is used to avoid race conditions
on SMP systems and is the same as <i>del_timer </i>in UP kernels. This function should
be preferred over <i>del_timer </i>in most situations. This function can sleep if it is
called from a nonatomic context but busy waits in other situations. Be very careful
about calling <i>del_timer_sync </i>while holding locks; if the timer function
attempts to obtain the same lock, the system can deadlock. If the timer function
reregisters itself, the caller must first ensure that this reregistration will not happen;
this is usually accomplished by setting a "shutting down" flag, which is
checked by the timer function.</div>
<br>
<A name="201"></a><font color="blue">PAGE 201</font><br>
<br>
<font class="fixd">int timer_pending(const struct timer_list * timer);</font><br>
<div class="bq">
Returns true or false to indicate whether the timer is currently scheduled to run
by reading one of the opaque fields of the structure.</div>
<br>
<a name="TheImplementationOfKernelTimers"></a><font color="red"><b>The Implementation of Kernel Timers</b></font><br>
<br>
Although you won't need to know how kernel timers are implemented in order to
use them, the implementation is interesting, and a look at its internals is worthwhile.<br>
<br>
The implementation of the timers has been designed to meet the following requirements
and assumptions:<br>
<ul>
<li> Timer management must be as lightweight as possible.
<li> The design should scale well as the number of active timers increases.
<li> Most timers expire within a few seconds or minutes at most, while timers with
long delays are pretty rare.
<li> A timer should run on the same CPU that registered it.
</ul>
The solution devised by kernel developers is based on a per-CPU data structure. The
<i>timer_list </i>structure includes a pointer to that data structure in its <font class="fixd">base</font> field. If <font class="fixd">base</font> is
<font class="fixd">NULL</font>, the timer is not scheduled to run; otherwise, the pointer tells which data structure
(and, therefore, which CPU) runs it. Per-CPU data items are described in the
section "Per-CPU Variables" in Chapter 8.<br>
<br>
Whenever kernel code registers a timer (via <i>add_timer </i>or <i>mod_timer</i>), the operation
is eventually performed by <i>internal_add_timer </i>(in <font class="fixd">kernel/timer.c</font>) which, in turn,
adds the new timer to a double-linked list of timers within a "cascading table" associated
to the current CPU.<br>
<br>
The cascading table works like this: if the timer expires in the next 0 to 255 <font class="fixd">jiffies</font>, it
is added to one of the 256 lists devoted to short-range timers using the least significant
bits of the <font class="fixd">expires</font> field. If it expires farther in the future (but before 16,384 <font class="fixd">jiffies</font>),
it is added to one of 64 lists based on bits 9-14 of the <font class="fixd">expires</font> field. For timers
expiring even farther, the same trick is used for bits 15-20, 21-26, and 27-31. Timers
with an expire field pointing still farther in the future (something that can happen
only on 64-bit platforms) are hashed with a delay value of <font class="fixd">0xffffffff</font>, and
timers with <font class="fixd">expires</font> in the past are scheduled to run at the next timer tick. (A timer
that is already expired may sometimes be registered in high-load situations, especially
if you run a preemptible kernel.)<br>
<br>
When <i>__run_timers </i>is fired, it executes all pending timers for the current timer tick.
If <font class="fixd">jiffies</font> is currently a multiple of 256, the function also rehashes one of the next level
lists of timers into the 256 short-term lists, possibly cascading one or more of
the other levels as well, according to the bit representation of <font class="fixd">jiffies</font>.<br>
<br>
<A name="202"></a><font color="blue">PAGE 202</font><br>
<br>
This approach, while exceedingly complex at first sight, performs very well both with
few timers and with a large number of them. The time required to manage each
active timer is independent of the number of timers already registered and is limited
to a few logic operations on the binary representation of its <font class="fixd">expires</font> field. The only
cost associated with this implementation is the memory for the 512 list heads (256
short-term lists and 4 groups of 64 more lists)--i.e., 4 KB of storage.<br>
<br>
The function <i>__run_timers</i>, as shown by <i>/proc/jitimer</i>, is run in atomic context. In
addition to the limitations we already described, this brings in an interesting feature:
the timer expires at just the right time, even if you are not running a preemptible kernel,
and the CPU is busy in kernel space. You can see what happens when you read
<i>/proc/jitbusy </i>in the background and <i>/proc/jitimer </i>in the foreground. Although the system
appears to be locked solid by the busy-waiting system call, the kernel timers still
work fine.<br>
<br>
Keep in mind, however, that a kernel timer is far from perfect, as it suffers from jitter
and other artifacts induced by hardware interrupts, as well as other timers and other
asynchronous tasks. While a timer associated with simple digital I/O can be enough
for simple tasks like running a stepper motor or other amateur electronics, it is usually
not suitable for production systems in industrial environments. For such tasks,
you'll most likely need to resort to a real-time kernel extension.<br>
<br>
<a name="Tasklets"></a><font color="red"><b>Tasklets</b></font><br>
<br>
Another kernel facility related to timing issues is the <i>tasklet </i>mechanism. It is mostly
used in interrupt management (we'll see it again in Chapter 10.)<br>
<br>
Tasklets resemble kernel timers in some ways. They are always run at interrupt time,
they always run on the same CPU that schedules them, and they receive an <font class="fixd">unsigned long</font> 
argument. Unlike kernel timers, however, you can't ask to execute the function
at a specific time. By scheduling a tasklet, you simply ask for it to be executed at a
later time chosen by the kernel. This behavior is especially useful with interrupt handlers,
where the hardware interrupt must be managed as quickly as possible, but
most of the data management can be safely delayed to a later time. Actually, a
tasklet, just like a kernel timer, is executed (in atomic mode) in the context of a "soft
interrupt," a kernel mechanism that executes asynchronous tasks with hardware
interrupts enabled.<br>
<br>
A tasklet exists as a data structure that must be initialized before use. Initialization
can be performed by calling a specific function or by declaring the structure using
certain macros:<br>
<pre>
#include &lt;linux/interrupt.h&gt;

struct tasklet_struct {
      /* ... */
</pre>
<A name="203"></a><font color="blue">PAGE 203</font><br>
<pre>
      void (*func)(unsigned long);
      unsigned long data;
};

void tasklet_init(struct tasklet_struct *t,
      void (*func)(unsigned long), unsigned long data);
DECLARE_TASKLET(name, func, data);
DECLARE_TASKLET_DISABLED(name, func, data);
</pre>
Tasklets offer a number of interesting features:<br>
<ul>
<li> A tasklet can be disabled and re-enabled later; it won't be executed until it is
enabled as many times as it has been disabled.
<li> Just like timers, a tasklet can reregister itself.
<li> A tasklet can be scheduled to execute at normal priority or high priority. The latter group is always executed first.
<li> Tasklets may be run immediately if the system is not under heavy load but never
later than the next timer tick.
<li> A tasklets can be concurrent with other tasklets but is strictly serialized with
respect to itself--the same tasklet never runs simultaneously on more than one
processor. Also, as already noted, a tasklet always runs on the same CPU that
schedules it.
</ul>
The <i>jit </i>module includes two files, <i>/proc/jitasklet </i>and <i>/proc/jitasklethi</i>, that return the
same data as <i>/proc/jitimer</i>, introduced in the section "Kernel Timers." When you
read one of the files, you get back a header and six data lines. The first data line
describes the context of the calling process, and the other lines describe the context
of successive runs of a tasklet procedure. This is a sample run while compiling a kernel:<br>
<pre>
phon% <b>cat /proc/jitasklet
</b>   time   delta  inirq    pid   cpu command
  6076139    0     0      4370   0   cat
  6076140    1     1      4368   0   cc1
  6076141    1     1      4368   0   cc1
  6076141    0     1         2   0   ksoftirqd/0
  6076141    0     1         2   0   ksoftirqd/0
  6076141    0     1         2   0   ksoftirqd/0
</pre>
As confirmed by the above data, the tasklet is run at the next timer tick as long as the
CPU is busy running a process, but it is run immediately when the CPU is otherwise
idle. The kernel provides a set of <i>ksoftirqd </i>kernel threads, one per CPU, just to run
"soft interrupt" handlers, such as the <i>tasklet_action </i>function. Thus, the final three
runs of the tasklet take place in the context of the <i>ksoftirqd </i>kernel thread associated
to CPU 0. The <i>jitasklethi </i>implementation uses a high-priority tasklet, explained in an
upcoming list of functions.<br>
<br>
The actual code in <i>jit </i>that implements <i>/proc/jitasklet </i>and <i>/proc/jitasklethi </i>is almost
identical to the code that implements <i>/proc/jitimer</i>, but it uses the tasklet calls instead<br>
<br>
<A name="204"></a><font color="blue">PAGE 204</font><br>
<br>
of the timer ones. The following list lays out in detail the kernel interface to tasklets
after the tasklet structure has been initialized:<br>
<br>
<font class="fixd">void tasklet_disable(struct tasklet_struct *t);</font><br>
<div class="bq">
This function disables the given tasklet. The tasklet may still be scheduled with
<i>tasklet_schedule</i>, but its execution is deferred until the tasklet has been enabled
again. If the tasklet is currently running, this function busy-waits until the tasklet
exits; thus, after calling <i>tasklet_disable</i>, you can be sure that the tasklet is not
running anywhere in the system.</div>
<br>
<font class="fixd">void tasklet_disable_nosync(struct tasklet_struct *t);</font><br>
<div class="bq">
Disable the tasklet, but without waiting for any currently-running function to
exit. When it returns, the tasklet is disabled and won't be scheduled in the future
until re-enabled, but it may be still running on another CPU when the function
returns.</div>
<br>
<font class="fixd">void tasklet_enable(struct tasklet_struct *t);</font><br>
<div class="bq">
Enables a tasklet that had been previously disabled. If the tasklet has already
been scheduled, it will run soon. A call to <i>tasklet_enable </i>must match each call to
<i>tasklet_disable</i>, as the kernel keeps track of the "disable count" for each tasklet.</div>
<br>
<font class="fixd">void tasklet_schedule(struct tasklet_struct *t);</font><br>
<div class="bq">
Schedule the tasklet for execution. If a tasklet is scheduled again before it has a
chance to run, it runs only once. However, if it is scheduled <i>while </i>it runs, it runs
again after it completes; this ensures that events occurring while other events are
being processed receive due attention. This behavior also allows a tasklet to
reschedule itself.</div>
<br>
<font class="fixd">void tasklet_hi_schedule(struct tasklet_struct *t);</font><br>
<div class="bq">
Schedule the tasklet for execution with higher priority. When the soft interrupt
handler runs, it deals with high-priority tasklets before other soft interrupt tasks,
including "normal" tasklets. Ideally, only tasks with low-latency requirements
(such as filling the audio buffer) should use this function, to avoid the additional
latencies introduced by other soft interrupt handlers. Actually, <i>/proc/
jitasklethi</i> shows no human-visible difference from <i>/proc/jitasklet</i>.</div>
<br>
<font class="fixd">void tasklet_kill(struct tasklet_struct *t);</font><br>
<div class="bq">
This function ensures that the tasklet is not scheduled to run again; it is usually
called when a device is being closed or the module removed. If the tasklet is
scheduled to run, the function waits until it has executed. If the tasklet reschedules
itself, you must prevent it from rescheduling itself before calling <i>tasklet_kill</i>,
as with <i>del_timer_sync</i>.</div>
<br>
Tasklets are implemented in <i>kernel/softirq.c</i>. The two tasklet lists (normal and high priority)
are declared as per-CPU data structures, using the same CPU-affinity mechanism
used by kernel timers. The data structure used in tasklet management is a simple
linked list, because tasklets have none of the sorting requirements of kernel
timers.<br>
<br>
<A name="205"></a><font color="blue">PAGE 205</font><br>
<br>
<a name="Workqueues"></a><font color="red"><b>Workqueues</b></font><br>
<br>
<i>Workqueues </i>are, superficially, similar to tasklets; they allow kernel code to request
that a function be called at some future time. There are, however, some significant
differences between the two, including:<br>
<ul>
<li> Tasklets run in software interrupt context with the result that all tasklet code
must be atomic. Instead, workqueue functions run in the context of a special
kernel process; as a result, they have more flexibility. In particular, workqueue
functions can sleep.
<li> Tasklets always run on the processor from which they were originally submitted. 
Work-queues work in the same way, by default.
<li> Kernel code can request that the execution of workqueue functions be delayed
for an explicit interval.
</ul>
The key difference between the two is that tasklets execute quickly, for a short period
of time, and in atomic mode, while workqueue functions may have higher latency but
need not be atomic. Each mechanism has situations where it is appropriate.<br>
<br>
Workqueues have a type of struct <font class="fixd">workqueue_struct,</font> which is defined in <i>&lt;linux/
workqueue.h&gt;</i>. A workqueue must be explicitly created before use, using one of the
following two functions:<br>
<pre>
struct workqueue_struct *create_workqueue(const char *name);
struct workqueue_struct *create_singlethread_workqueue(const char *name);
</pre>
Each workqueue has one or more dedicated processes ("kernel threads"), which run
functions submitted to the queue. If you use <i>create_workqueue</i>, you get a workqueue
that has a dedicated thread for each processor on the system. In many cases,
all those threads are simply overkill; if a single worker thread will suffice, create the
workqueue with <i>create_singlethread_workqueue</i> instead.<br>
<br>
To submit a task to a workqueue, you need to fill in a <font class="fixd">work_struct</font> structure. This
can be done at compile time as follows:<br>
<pre>
DECLARE_WORK(name, void (*function)(void *), void *data);
</pre>
Where name is the name of the structure to be declared, function is the function that is
to be called from the workqueue, and data is a value to pass to that function. If you
need to set up the <font class="fixd">work_struct</font> structure at runtime, use the following two macros:<br>
<pre>
INIT_WORK(struct work_struct *work, void (*function)(void *), void *data);
PREPARE_WORK(struct work_struct *work, void (*function)(void *), void *data);
</pre>
<i><font class="fixd">INIT_WORK</font> </i>does a more thorough job of initializing the structure; you should use
it the first time that structure is set up. <i><font class="fixd">PREPARE_WORK</font> </i>does almost the same job,
but it does not initialize the pointers used to link the <font class="fixd">work_struct</font> structure into the
workqueue. If there is any possibility that the structure may currently be submitted<br>
<br>
<A name="206"></a><font color="blue">PAGE 206</font><br>
<br>
to a workqueue, and you need to change that structure, use <i>PREPARE_WORK</i> 
rather than <i>INIT_WORK</i>.<br>
<br>
There are two functions for submitting work to a workqueue:<br>
<pre>
int queue_work(struct workqueue_struct *queue, struct work_struct *work);
int queue_delayed_work(struct workqueue_struct *queue,
                       struct work_struct *work, unsigned long delay);
</pre>
Either one adds work to the given <font class="fixd">queue.</font> If <i>queue_delayed_work </i>is used, however, the
actual work is not performed until at least <font class="fixd">delay</font> jiffies have passed. The return value
from these functions is 0 if the work was successfully added to the queue; a nonzero
result means that this <font class="fixd">work_struct</font> structure was already waiting in the queue, and
was not added a second time.<br>
<br>
At some time in the future, the work function will be called with the given data
value. The function will be running in the context of the worker thread, so it can
sleep if need be--although you should be aware of how that sleep might affect any
other tasks submitted to the same workqueue. What the function cannot do, however,
is access user space. Since it is running inside a kernel thread, there simply is no
user space to access.<br>
<br>
Should you need to cancel a pending workqueue entry, you may call:<br>
<pre>
int cancel_delayed_work(struct work_struct *work);
</pre>
The return value is nonzero if the entry was canceled before it began execution. The
kernel guarantees that execution of the given entry will not be initiated after a call to
<i>cancel_delayed_work</i>. If <i>cancel_delayed_work </i>returns 0, however, the entry may have
already been running on a different processor, and might still be running after a call
to <i>cancel_delayed_work</i>. To be absolutely sure that the work function is not running
anywhere in the system after <i>cancel_delayed_work </i>returns 0, you must follow that
call with a call to:<br>
<pre>
void flush_workqueue(struct workqueue_struct *queue);
</pre>
After <i>flush_workqueue </i>returns, no work function submitted prior to the call is running
anywhere in the system.<br>
<br>
When you are done with a workqueue, you can get rid of it with:<br>
<pre>
void destroy_workqueue(struct workqueue_struct *queue);
</pre>
<a name="TheSharedQueue"></a><font color="red"><b>The Shared Queue</b></font><br>
<br>
A device driver, in many cases, does not need its own workqueue. If you only submit
tasks to the queue occasionally, it may be more efficient to simply use the shared,
default workqueue that is provided by the kernel. If you use this queue, however,
you must be aware that you will be sharing it with others. Among other things, that
means that you should not monopolize the queue for long periods of time (no long
sleeps), and it may take longer for your tasks to get their turn in the processor.<br>
<br>
<A name="207"></a><font color="blue">PAGE 207</font><br>
<br>
The <i>jiq </i>("just in queue") module exports two files that demonstrate the use of the
shared workqueue. They use a single <font class="fixd">work_struct</font> structure, which is set up this way:<br>
<pre>
static struct work_struct jiq_work;

    /* this line is in jiq_init( ) */
    INIT_WORK(&amp;jiq_work, jiq_print_wq, &amp;jiq_data);
</pre>
When a process reads <i>/proc/jiqwq</i>, the module initiates a series of trips through the
shared workqueue with no delay. The function it uses is:<br>
<pre>
int schedule_work(struct work_struct *work);
</pre>
Note that a different function is used when working with the shared queue; it
requires only the <font class="fixd">work_struct</font> structure for an argument. The actual code in <i>jiq </i>looks
like this:<br>
<pre>
prepare_to_wait(&amp;jiq_wait, &amp;wait, TASK_INTERRUPTIBLE);
schedule_work(&amp;jiq_work);
schedule( );
finish_wait(&amp;jiq_wait, &amp;wait);
</pre>
The actual work function prints out a line just like the <i>jit </i>module does, then, if need
be, resubmits the <font class="fixd">work_struct</font> structure into the workqueue. Here is <i>jiq_print_wq </i>in
its entirety:<br>
<pre>
static void jiq_print_wq(void *ptr)
{
    struct clientdata *data = (struct clientdata *) ptr;

    if (! <font class="fixd">jiq_print</font> (ptr))
        return;

    if (data-&gt;delay)
        schedule_delayed_work(&amp;jiq_work, data-&gt;delay);
    else
        schedule_work(&amp;jiq_work);
}
</pre>
If the user is reading the delayed device (<i>/proc/jiqwqdelay</i>), the work function resubmits
itself in the delayed mode with <i>schedule_delayed_work</i>:<br>
<pre>
int schedule_delayed_work(struct work_struct *work, unsigned long delay);
</pre>
If you look at the output from these two devices, it looks something like:<br>
<pre>
% <b>cat /proc/jiqwq
</b>    time  delta preempt   pid cpu command
  1113043     0       0     7   1 events/1
  1113043     0       0     7   1 events/1
  1113043     0       0     7   1 events/1
  1113043     0       0     7   1 events/1
  1113043     0       0     7   1 events/1
% <b>cat /proc/jiqwqdelay
</b>    time  delta preempt   pid cpu command
  1122066     1       0     6   0 events/0
</pre>
<A name="208"></a><font color="blue">PAGE 208</font><br>
<pre>
  1122067     1       0     6   0 events/0
  1122068     1       0     6   0 events/0
  1122069     1       0     6   0 events/0
  1122070     1       0     6   0 events/0
</pre>
When <i>/proc/jiqwq </i>is read, there is no obvious delay between the printing of each line.
When, instead, <i>/proc/jiqwqdelay </i>is read, there is a delay of exactly one jiffy between
each line. In either case, we see the same process name printed; it is the name of the
kernel thread that implements the shared workqueue. The CPU number is printed
after the slash; we never know which CPU will be running when the <i>/proc </i>file is read,
but the work function will always run on the same processor thereafter.<br>
<br>
If you need to cancel a work entry submitted to the shared queue, you may use
<i>cancel_delayed_work</i>, as described above. Flushing the shared workqueue requires a
separate function, however:<br>
<pre>
void flush_scheduled_work(void);
</pre>
Since you do not know who else might be using this queue, you never really know
how long it might take for <i>flush_scheduled_work</i> to return.<br>
<br>
<a name="QuickReference7"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter introduced the following symbols.<br>
<br>
<a name="Timekeeping"></a><font color="red"><b>Timekeeping</b></font><br>
<br>
<font class="fixd">#include &lt;linux/param.h&gt;<br>
HZ</font><br>
<div class="bq">
The <font class="fixd">HZ</font> symbol specifies the number of clock ticks generated per second.</div>
<br>
<font class="fixd">#include &lt;linux/jiffies.h&gt;<br>
volatile unsigned long jiffies<br>
u64 jiffies_64</font><br>
<div class="bq">
The <font class="fixd">jiffies_64</font> variable is incremented once for each clock tick; thus, it's incremented
<font class="fixd">HZ</font> times per second. Kernel code most often refers to <font class="fixd">jiffies</font>, which is
the same as <font class="fixd">jiffies_64</font> on 64-bit platforms and the least significant half of it on
32-bit platforms.</div>
<br>
<font class="fixd">int time_after(unsigned long a, unsigned long b);<br>
int time_before(unsigned long a, unsigned long b);<br>
int time_after_eq(unsigned long a, unsigned long b);<br>
int time_before_eq(unsigned long a, unsigned long b);</font><br>
<div class="bq">
These Boolean expressions compare jiffies in a safe way, without problems in
case of counter overflow and without the need to access <font class="fixd">jiffies_64</font>.</div>
<br>
<font class="fixd">u64 get_jiffies_64(void);</font><br>
<div class="bq">
Retrieves <font class="fixd">jiffies_64</font> without race conditions.</div>
<br>
<A name="209"></a><font color="blue">PAGE 209</font><br>
<br>
<font class="fixd">#include &lt;linux/time.h&gt;<br>
unsigned long timespec_to_jiffies(struct timespec *value);<br>
void jiffies_to_timespec(unsigned long jiffies, struct timespec *value);<br>
unsigned long timeval_to_jiffies(struct timeval *value);<br>
void jiffies_to_timeval(unsigned long jiffies, struct timeval *value);</font><br>
<div class="bq">
Converts time representations between jiffies and other representations.</div>
<br>
<font class="fixd">#include &lt;asm/msr.h&gt;<br>
rdtsc(low32,high32);<br>
rdtscl(low32);<br>
rdtscll(var32);</font><br>
<div class="bq">
x86-specific macros to read the timestamp counter. They read it as two 32-bit
halves, read only the lower half, or read all of it into a <font class="fixd">long long</font> variable.</div>
<br>
<font class="fixd">#include &lt;linux/timex.h&gt;<br>
cycles_t get_cycles(void);</font><br>
<div class="bq">
Returns the timestamp counter in a platform-independent way. If the CPU offers
no timestamp feature, 0 is returned.</div>
<br>
<font class="fixd">#include &lt;linux/time.h&gt;<br>
unsigned long mktime(year, mon, day, h, m, s);</font><br>
<div class="bq">
Returns the number of seconds since the Epoch, based on the six <font class="fixd">unsigned int</font>
arguments.</div>
<br>
<font class="fixd">void do_gettimeofday(struct timeval *tv);</font><br>
<div class="bq">
Returns the current time, as seconds and microseconds since the Epoch, with the
best resolution the hardware can offer. On most platforms the resolution is one
microsecond or better, although some platforms offer only jiffies resolution.</div>
<br>
<font class="fixd">struct timespec current_kernel_time(void);</font><br>
<div class="bq">
Returns the current time with the resolution of one jiffy.</div>
<br>
<a name="Delays"></a><font color="red"><b>Delays</b></font><br>
<br>
<font class="fixd">#include &lt;linux/wait.h&gt;<br>
long wait_event_interruptible_timeout(wait_queue_head_t *q, condition, signed long timeout);</font><br>
<div class="bq">
Puts the current process to sleep on the wait queue, installing a timeout value
expressed in jiffies. Use <i>schedule_timeout</i> (below) for noninterruptible sleeps.</div>
<br>
<font class="fixd">#include &lt;linux/sched.h&gt;<br>
signed long schedule_timeout(signed long timeout);</font><br>
<div class="bq">
Calls the scheduler after ensuring that the current process is awakened at timeout
expiration. The caller must invoke <i>set_current_state </i>first to put itself in an
interruptible or noninterruptible sleep state.</div>
<br>
<A name="210"></a><font color="blue">PAGE 210</font><br>
<br>
<font class="fixd">#include &lt;linux/delay.h&gt;<br>
void ndelay(unsigned long nsecs);<br>
void udelay(unsigned long usecs);<br>
void mdelay(unsigned long msecs);</font><br>
<div class="bq">
Introduces delays of an integer number of nanoseconds, microseconds, and milliseconds.
The delay achieved is at least the requested value, but it can be more.
The argument to each function must not exceed a platform-specific limit (usually
a few thousands).</div>
<br>
<font class="fixd">void msleep(unsigned int millisecs);<br>
unsigned long msleep_interruptible(unsigned int millisecs);<br>
void ssleep(unsigned int seconds);</font><br>
<div class="bq">
Puts the process to sleep for the given number of milliseconds (or seconds, in the
case of <i>ssleep</i>).</div>
<br>
<a name="KernelTimers2"></a><font color="red"><b>Kernel Timers</b></font><br>
<br>
<font class="fixd">#include &lt;asm/hardirq.h&gt;<br>
int in_interrupt(void);<br>
int in_atomic(void);</font><br>
<div class="bq">
Returns a Boolean value telling whether the calling code is executing in interrupt
context or atomic context. Interrupt context is outside of a process context,
either during hardware or software interrupt processing. Atomic context is
when you can't schedule either an interrupt context or a process's context with a
spinlock held.</div>
<br>
<font class="fixd">#include &lt;linux/timer.h&gt;<br>
void init_timer(struct timer_list * timer);<br>
struct timer_list TIMER_INITIALIZER(_function, _expires, _data);</font><br>
<div class="bq">
This function and the static declaration of the timer structure are the two ways
to initialize a <font class="fixd">timer_list</font> data structure.</div>
<br>
<font class="fixd">void add_timer(struct timer_list * timer);</font><br>
<div class="bq">
Registers the timer structure to run on the current CPU.</div>
<br>
<font class="fixd">int mod_timer(struct timer_list *timer, unsigned long expires);</font><br>
<div class="bq">
Changes the expiration time of an already scheduled timer structure. It can also
act as an alternative to <i>add_timer</i>.</div>
<br>
<font class="fixd">int timer_pending(struct timer_list * timer);</font><br>
<div class="bq">
Macro that returns a Boolean value stating whether the timer structure is already
registered to run.</div>
<br>
<font class="fixd">void del_timer(struct timer_list * timer);<br>
void del_timer_sync(struct timer_list * timer);</font><br>
<div class="bq">
Removes a timer from the list of active timers. The latter function ensures that
the timer is not currently running on another CPU.</div>
<br>
<A name="211"></a><font color="blue">PAGE 211</font><br>
<br>
<a name="Tasklets2"></a><font color="red"><b>Tasklets</b></font><br>
<br>
<font class="fixd">#include &lt;linux/interrupt.h&gt;
DECLARE_TASKLET(name, func, data);<br>
DECLARE_TASKLET_DISABLED(name, func, data);<br>
void tasklet_init(struct tasklet_struct *t, void (*func)(unsigned long), unsigned long data);</font><br>
<div class="bq">
The first two macros declare a tasklet structure, while the <i>tasklet_init </i>function
initializes a tasklet structure that has been obtained by allocation or other
means. The second <font class="fixd">DECLARE</font> macro marks the tasklet as disabled.</div>
<br>
<font class="fixd">void tasklet_disable(struct tasklet_struct *t);<br>
void tasklet_disable_nosync(struct tasklet_struct *t);<br>
void tasklet_enable(struct tasklet_struct *t);</font><br>
<div class="bq">
Disables and reenables a tasklet. Each <i>disable </i>must be matched with an <i>enable
</i>(you can disable the tasklet even if it's already disabled). The function <i>tasklet_
disable </i>waits for the tasklet to terminate if it is running on another CPU. The
<i>nosync</i> version doesn't take this extra step.</div>
<br>
<font class="fixd">void tasklet_schedule(struct tasklet_struct *t);<br>
void tasklet_hi_schedule(struct tasklet_struct *t);</font><br>
<div class="bq">
Schedules a tasklet to run, either as a "normal" tasklet or a high-priority one.
When soft interrupts are executed, high-priority tasklets are dealt with first,
while normal tasklets run last.</div>
<br>
<font class="fixd">void tasklet_kill(struct tasklet_struct *t);</font><br>
<div class="bq">
Removes the tasklet from the list of active ones, if it's scheduled to run. Like
<i>tasklet_disable</i>, the function may block on SMP systems waiting for the tasklet to
terminate if it's currently running on another CPU.</div>
<br>
<a name="Workqueues2"></a><font color="red"><b>Workqueues</b></font><br>
<br>
<font class="fixd">#include &lt;linux/workqueue.h&gt;<br>
struct workqueue_struct;<br>
struct work_struct;</font><br>
<div class="bq">
The structures representing a workqueue and a work entry, respectively.</div>
<br>
<font class="fixd">struct workqueue_struct *create_workqueue(const char *name);<br>
struct workqueue_struct *create_singlethread_workqueue(const char *name);<br>
void destroy_workqueue(struct workqueue_struct *queue);</font><br>
<div class="bq">
Functions for creating and destroying workqueues. A call to <i>create_workqueue
</i>creates a queue with a worker thread on each processor in the system;
instead, <i>create_singlethread_workqueue </i>creates a workqueue with a single
worker process.</div>
<br>
<A name="212"></a><font color="blue">PAGE 212</font><br>
<br>
<font class="fixd">DECLARE_WORK(name, void (*function)(void *), void *data);<br>
INIT_WORK(struct work_struct *work, void (*function)(void *), void *data);<br>
PREPARE_WORK(struct work_struct *work, void (*function)(void *), void *data);</font><br>
<div class="bq">
Macros that declare and initialize workqueue entries.</div>
<br>
<font class="fixd">int queue_work(struct workqueue_struct *queue, struct work_struct *work);<br>
int queue_delayed_work(struct workqueue_struct *queue, struct work_struct *work, unsigned long delay);</font><br>
<div class="bq">
Functions that queue work for execution from a workqueue.</div>
<br>
<font class="fixd">int cancel_delayed_work(struct work_struct *work);<br>
void flush_workqueue(struct workqueue_struct *queue);</font><br>
<div class="bq">
Use <i>cancel_delayed_work </i>to remove an entry from a workqueue; <i>flush_workqueue
</i>ensures that no workqueue entries are running anywhere in the system.</div>
<br>
<font class="fixd">int schedule_work(struct work_struct *work);<br>
int schedule_delayed_work(struct work_struct *work, unsigned long delay);<br>
void flush_scheduled_work(void);</font><br>
<div class="bq">
Functions for working with the shared workqueue.</div>
<br>
<A name="213"></a><font color="blue">PAGE 213</font><br>
<br>
<a name="CHAPTER8"></a><font color="red"><b>CHAPTER 8</b></font><br>
<br>
<a name="AllocatingMemory"></a><font color="#7519FF" size="+1"><b>Allocating Memory</b></font><br>
<br>
Thus far, we have used <i>kmalloc </i>and <i>kfree </i>for the allocation and freeing of memory.
The Linux kernel offers a richer set of memory allocation primitives, however. In this
chapter, we look at other ways of using memory in device drivers and how to optimize
your system's memory resources. We do not get into how the different architectures
actually administer memory. Modules are not involved in issues of
segmentation, paging, and so on, since the kernel offers a unified memory management
interface to the drivers. In addition, we won't describe the internal details of
memory management in this chapter, but defer it to Chapter 15.<br>
<br>
<a name="TheRealStoryOfKmalloc"></a><font color="red"><b>The Real Story of kmalloc</b></font><br>
<br>
The <i>kmalloc </i>allocation engine is a powerful tool and easily learned because of its
similarity to <i>malloc</i>. The function is fast (unless it blocks) and doesn't clear the memory
it obtains; the allocated region still holds its previous content.* The allocated
region is also contiguous in physical memory. In the next few sections, we talk in
detail about <i>kmalloc</i>, so you can compare it with the memory allocation techniques
that we discuss later.<br>
<br>
<a name="TheFlagsArgument"></a><font color="red"><b>The Flags Argument</b></font><br>
<br>
Remember that the prototype for <i>kmalloc</i> is:<br>
<pre>
#include &lt;linux/slab.h&gt;

void *kmalloc(size_t size, int flags);
</pre>
* Among other things, this implies that you should explicitly clear any memory that might be exposed to user 
space or written to a device; otherwise, you risk disclosing information that should be kept private.<br>
<br>
<A name="214"></a><font color="blue">PAGE 214</font><br>
<br>
The first argument to <i>kmalloc </i>is the size of the block to be allocated. The second
argument, the allocation flags, is much more interesting, because it controls the
behavior of <i>kmalloc</i> in a number of ways.<br>
<br>
The most commonly used flag, <font class="fixd">GFP_KERNEL,</font> means that the allocation (internally performed
by calling, eventually, <i>__get_free_pages</i>, which is the source of the <font class="fixd">GFP_</font> prefix)
is performed on behalf of a process running in kernel space. In other words, this
means that the calling function is executing a system call on behalf of a process.
Using <font class="fixd">GFP_KERNEL</font> means that <i>kmalloc </i>can put the current process to sleep waiting for
a page when called in low-memory situations. A function that allocates memory
using <font class="fixd">GFP_KERNEL</font> must, therefore, be reentrant and cannot be running in atomic context.
While the current process sleeps, the kernel takes proper action to locate some
free memory, either by flushing buffers to disk or by swapping out memory from a
user process.<br>
<br>
<font class="fixd">GFP_KERNEL</font> isn't always the right allocation flag to use; sometimes <i>kmalloc </i>is called
from outside a process's context. This type of call can happen, for instance, in interrupt
handlers, tasklets, and kernel timers. In this case, the current process should
not be put to sleep, and the driver should use a flag of <font class="fixd">GFP_ATOMIC</font> instead. The kernel
normally tries to keep some free pages around in order to fulfill atomic allocation.
When <font class="fixd">GFP_ATOMIC</font> is used, <i>kmalloc </i>can use even the last free page. If that last
page does not exist, however, the allocation fails.<br>
<br>
Other flags can be used in place of or in addition to <font class="fixd">GFP_KERNEL</font> and <font class="fixd">GFP_ATOMIC,</font>
although those two cover most of the needs of device drivers. All the flags are defined
in <i>&lt;linux/gfp.h&gt;</i>, and individual flags are prefixed with a double underscore, such
as <font class="fixd">__GFP_DMA</font>. In addition, there are symbols that represent frequently used combinations
of flags; these lack the prefix and are sometimes called <i>allocation priorities</i>. The
latter include:<br>
<br>
<font class="fixd">GFP_ATOMIC</font><br>
<div class="bq">
Used to allocate memory from interrupt handlers and other code outside of a
process context. Never sleeps.</div>
<br>
<font class="fixd">GFP_KERNEL</font><br>
<div class="bq">
Normal allocation of kernel memory. May sleep.</div>
<br>
<font class="fixd">GFP_USER</font><br>
<div class="bq">
Used to allocate memory for user-space pages; it may sleep.</div>
<br>
<font class="fixd">GFP_HIGHUSER</font><br>
<div class="bq">
Like <font class="fixd">GFP_USER,</font> but allocates from high memory, if any. High memory is
described in the next subsection.</div>
<br>
<font class="fixd">GFP_NOIO<br>
GFP_NOFS</font><br>
<div class="bq">
These flags function like <font class="fixd">GFP_KERNEL,</font> but they add restrictions on what the kernel
can do to satisfy the request. A <font class="fixd">GFP_NOFS</font> allocation is not allowed to perform</div>
<br>
<A name="215"></a><font color="blue">PAGE 215</font><br>
<br>
<div class="bq">
any filesystem calls, while <font class="fixd">GFP_NOIO</font> disallows the initiation of any I/O at all.
They are used primarily in the filesystem and virtual memory code where an allocation
may be allowed to sleep, but recursive filesystem calls would be a bad
idea.</div>
<br>
The allocation flags listed above can be augmented by an ORing in any of the following
flags, which change how the allocation is carried out:<br>
<br>
<font class="fixd">__GFP_DMA</font><br>
<div class="bq">
This flag requests allocation to happen in the DMA-capable memory zone. The
exact meaning is platform-dependent and is explained in the following section.</div>
<br>
<font class="fixd">__GFP_HIGHMEM</font><br>
<div class="bq">
This flag indicates that the allocated memory may be located in high memory.</div>
<br>
<font class="fixd">__GFP_COLD</font><br>
<div class="bq">
Normally, the memory allocator tries to return "cache warm" pages--pages that
are likely to be found in the processor cache. Instead, this flag requests a "cold"
page, which has not been used in some time. It is useful for allocating pages for
DMA reads, where presence in the processor cache is not useful. See the section
"Direct Memory Access" in Chapter 1 for a full discussion of how to allocate
DMA buffers.</div>
<br>
<font class="fixd">__GFP_NOWARN</font><br>
<div class="bq">
This rarely used flag prevents the kernel from issuing warnings (with <i>printk</i>)
when an allocation cannot be satisfied.</div>
<br>
<font class="fixd">__GFP_HIGH</font><br>
<div class="bq">
This flag marks a high-priority request, which is allowed to consume even the
last pages of memory set aside by the kernel for emergencies.</div>
<br>
<font class="fixd">__GFP_REPEAT<br>
__GFP_NOFAIL<br>
__GFP_NORETRY</font><br>
<div class="bq">
These flags modify how the allocator behaves when it has difficulty satisfying an
allocation. <font class="fixd">__GFP_REPEAT</font> means "try a little harder" by repeating the attempt-but
the allocation can still fail. The <font class="fixd">__GFP_NOFAIL</font> flag tells the allocator never to
fail; it works as hard as needed to satisfy the request. Use of <font class="fixd">__GFP_NOFAIL</font> is very
strongly discouraged; there will probably never be a valid reason to use it in a
device driver. Finally, <font class="fixd">__GFP_NORETRY</font> tells the allocator to give up immediately if
the requested memory is not available.</div>
<br>
<a name="MemoryZones"></a><font color="red"><b>Memory zones</b></font><br>
<br>
Both <font class="fixd">__GFP_DMA</font> and <font class="fixd">__GFP_HIGHMEM</font> have a platform-dependent role, although their
use is valid for all platforms.<br>
<br>
The Linux kernel knows about a minimum of three <i>memory zones</i>: DMA-capable
memory, normal memory, and high memory. While allocation normally happens in<br>
<br>
<A name="216"></a><font color="blue">PAGE 216</font><br>
<br>
the <i>normal </i>zone, setting either of the bits just mentioned requires memory to be allocated
from a different zone. The idea is that every computer platform that must
know about special memory ranges (instead of considering all RAM equivalents) will
fall into this abstraction.<br>
<br>
<i>DMA-capable memory </i>is memory that lives in a preferential address range, where
peripherals can perform DMA access. On most sane platforms, all memory lives in
this zone. On the x86, the DMA zone is used for the first 16 MB of RAM, where legacy
ISA devices can perform DMA; PCI devices have no such limit.<br>
<br>
<i>High memory </i>is a mechanism used to allow access to (relatively) large amounts of
memory on 32-bit platforms. This memory cannot be directly accessed from the kernel
without first setting up a special mapping and is generally harder to work with. If
your driver uses large amounts of memory, however, it will work better on large systems
if it can use high memory. See the section "High and Low Memory" in
Chapter 1 for a detailed description of how high memory works and how to use it.<br>
<br>
Whenever a new page is allocated to fulfill a memory allocation request, the kernel
builds a list of zones that can be used in the search. If <font class="fixd">__GFP_DMA</font> is specified, only the
DMA zone is searched: if no memory is available at low addresses, allocation fails. If no
special flag is present, both normal and DMA memory are searched; if <font class="fixd">__GFP_HIGHMEM</font> is
set, all three zones are used to search a free page. (Note, however, that <i>kmalloc </i>cannot
allocate high memory.)<br>
<br>
The situation is more complicated on nonuniform memory access (NUMA) systems.
As a general rule, the allocator attempts to locate memory local to the processor performing
the allocation, although there are ways of changing that behavior.<br>
<br>
The mechanism behind memory zones is implemented in <i>mm/page_alloc.c</i>, while initialization
of the zone resides in platform-specific files, usually in <i>mm/init.c </i>within
the <i>arch</i> tree. We'll revisit these topics in Chapter 15.<br>
<br>
<a name="TheSizeArgument"></a><font color="red"><b>The Size Argument</b></font><br>
<br>
The kernel manages the system's <i>physical </i>memory, which is available only in pagesized
chunks. As a result, <i>kmalloc </i>looks rather different from a typical user-space
<i>malloc </i>implementation. A simple, heap-oriented allocation technique would quickly
run into trouble; it would have a hard time working around the page boundaries.
Thus, the kernel uses a special page-oriented allocation technique to get the best use
from the system's RAM.<br>
<br>
Linux handles memory allocation by creating a set of pools of memory objects of
fixed sizes. Allocation requests are handled by going to a pool that holds sufficiently
large objects and handing an entire memory chunk back to the requester. The memory
management scheme is quite complex, and the details of it are not normally all
that interesting to device driver writers.<br>
<br>
<A name="217"></a><font color="blue">PAGE 217</font><br>
<br>
The one thing driver developers should keep in mind, though, is that the kernel can
allocate only certain predefined, fixed-size byte arrays. If you ask for an arbitrary
amount of memory, you're likely to get slightly more than you asked for, up to twice
as much. Also, programmers should remember that the smallest allocation that
<i>kmalloc </i>can handle is as big as 32 or 64 bytes, depending on the page size used by
the system's architecture.<br>
<br>
There is an upper limit to the size of memory chunks that can be allocated by <i>kmalloc</i>.
That limit varies depending on architecture and kernel configuration options. If
your code is to be completely portable, it cannot count on being able to allocate anything
larger than 128 KB. If you need more than a few kilobytes, however, there are
better ways than <i>kmalloc</i> to obtain memory, which we describe later in this chapter.<br>
<br>
<a name="LookasideCaches"></a><font color="red"><b>Lookaside Caches</b></font><br>
<br>
A device driver often ends up allocating many objects of the same size, over and over.
Given that the kernel already maintains a set of memory pools of objects that are all
the same size, why not add some special pools for these high-volume objects? In fact,
the kernel does implement a facility to create this sort of pool, which is often called a
<i>lookaside cache</i>. Device drivers normally do not exhibit the sort of memory behavior
that justifies using a lookaside cache, but there can be exceptions; the USB and SCSI
drivers in Linux 2.6 use caches.<br>
<br>
The cache manager in the Linux kernel is sometimes called the "slab allocator." For
that reason, its functions and types are declared in <i>&lt;linux/slab.h&gt;</i>. The slab allocator
implements caches that have a type of <font class="fixd">kmem_cache_t;</font> they are created with a call to
<i>kmem_cache_create</i>:<br>
<pre>
kmem_cache_t *kmem_cache_create(const char *name, size_t size,
                                size_t offset,
                                unsigned long flags,
                                void (*constructor)(void *, kmem_cache_t *,
                                                    unsigned long flags),
                                void (*destructor)(void *, kmem_cache_t *,
                                                   unsigned long flags));
</pre>
The function creates a new cache object that can host any number of memory areas
all of the same <font class="fixd">size,</font> specified by the size argument. The <font class="fixd">name</font> argument is associated
with this cache and functions as housekeeping information usable in tracking problems;
usually, it is set to the name of the type of structure that is cached. The cache
keeps a pointer to the name, rather than copying it, so the driver should pass in a
pointer to a name in static storage (usually the name is just a literal string). The name
cannot contain blanks.<br>
<br>
The <font class="fixd">offset</font> is the offset of the first object in the page; it can be used to ensure a particular
alignment for the allocated objects, but you most likely will use 0 to request<br>
<br>
<A name="218"></a><font color="blue">PAGE 218</font><br>
<br>
the default value. <font class="fixd">flags</font> controls how allocation is done and is a bit mask of the following
flags:<br>
<br>
<font class="fixd">SLAB_NO_REAP</font><br>
<div class="bq">
Setting this flag protects the cache from being reduced when the system is looking
for memory. Setting this flag is normally a bad idea; it is important to avoid
restricting the memory allocator's freedom of action unnecessarily.</div>
<br>
<font class="fixd">SLAB_HWCACHE_ALIGN</font><br>
<div class="bq">
This flag requires each data object to be aligned to a cache line; actual alignment
depends on the cache layout of the host platform. This option can be a good
choice if your cache contains items that are frequently accessed on SMP
machines. The padding required to achieve cache line alignment can end up
wasting significant amounts of memory, however.</div>
<br>
<font class="fixd">SLAB_CACHE_DMA</font><br>
<div class="bq">
This flag requires each data object to be allocated in the DMA memory zone.</div>
<br>
There is also a set of flags that can be used during the debugging of cache allocations;
see <i>mm/slab.c </i>for the details. Usually, however, these flags are set globally via a
kernel configuration option on systems used for development.<br>
<br>
The <font class="fixd">constructor</font> and <font class="fixd">destructor</font> arguments to the function are optional functions
(but there can be no destructor without a constructor); the former can be used to initialize
newly allocated objects, and the latter can be used to "clean up" objects prior
to their memory being released back to the system as a whole.<br>
<br>
Constructors and destructors can be useful, but there are a few constraints that you
should keep in mind. A constructor is called when the memory for a set of objects is
allocated; because that memory may hold several objects, the constructor may be
called multiple times. You cannot assume that the constructor will be called as an
immediate effect of allocating an object. Similarly, destructors can be called at some
unknown future time, not immediately after an object has been freed. Constructors
and destructors may or may not be allowed to sleep, according to whether they are
passed the <font class="fixd">SLAB_CTOR_ATOMIC</font> flag (where <font class="fixd">CTOR</font> is short for <i>constructor</i>).<br>
<br>
For convenience, a programmer can use the same function for both the constructor
and destructor; the slab allocator always passes the <font class="fixd">SLAB_CTOR_CONSTRUCTOR</font> flag when
the callee is a constructor.<br>
<br>
Once a cache of objects is created, you can allocate objects from it by calling
<i>kmem_cache_alloc</i>:<br>
<pre>
void *kmem_cache_alloc(kmem_cache_t *cache, int flags);
</pre>
Here, the <font class="fixd">cache</font> argument is the cache you have created previously; the flags are the
same as you would pass to <i>kmalloc </i>and are consulted if <i>kmem_cache_alloc </i>needs to
go out and allocate more memory itself.<br>
<br>
To free an object, use <i>kmem_cache_free</i>:<br>
<pre>
 void kmem_cache_free(kmem_cache_t *cache, const void *obj);
</pre>
<A name="219"></a><font color="blue">PAGE 219</font><br>
<br>
When driver code is finished with the cache, typically when the module is unloaded,
it should free its cache as follows:<br>
<pre>
 int kmem_cache_destroy(kmem_cache_t *cache);
</pre>
The destroy operation succeeds only if all objects allocated from the cache have
been returned to it. Therefore, a module should check the return status from
<i>kmem_cache_destroy</i>; a failure indicates some sort of memory leak within the module
(since some of the objects have been dropped).<br>
<br>
One side benefit to using lookaside caches is that the kernel maintains statistics on
cache usage. These statistics may be obtained from <i>/proc/slabinfo</i>.<br>
<br>
<a name="AScullBasedOnTheSlabCachesScullc"></a><font color="red"><b>A scull Based on the Slab Caches: scullc</b></font><br>
<br>
Time for an example. <i>scullc </i>is a cut-down version of the <i>scull </i>module that implements
only the bare device--the persistent memory region. Unlike <i>scull</i>, which uses
<i>kmalloc</i>, <i>scullc </i>uses memory caches. The size of the quantum can be modified at
compile time and at load time, but not at runtime--that would require creating a
new memory cache, and we didn't want to deal with these unneeded details.<br>
<br>
<i>scullc </i>is a complete example that can be used to try out the slab allocator. It differs
from <i>scull</i> only in a few lines of code. First, we must declare our own slab cache:<br>
<pre>
/* declare one cache pointer: use it for all devices */
kmem_cache_t *scullc_cache;
</pre>
The creation of the slab cache is handled (at module load time) in this way:<br>
<pre>
/* scullc_init: create a cache for our quanta */
scullc_cache = kmem_cache_create(&quot;scullc&quot;, scullc_quantum,
        0, SLAB_HWCACHE_ALIGN, NULL, NULL); /* no ctor/dtor */
if (!scullc_cache) {
    scullc_cleanup( );
    return -ENOMEM;
}
</pre>
This is how it allocates memory quanta:<br>
<pre>
/* Allocate a quantum using the memory cache */
if (!dptr-&gt;data[s_pos]) {
    dptr-&gt;data[s_pos] = kmem_cache_alloc(scullc_cache, GFP_KERNEL);
    if (!dptr-&gt;data[s_pos])
        goto nomem;
    memset(dptr-&gt;data[s_pos], 0, scullc_quantum);
}
</pre>
And these lines release memory:<br>
<pre>
for (i = 0; i &lt; qset; i++)
if (dptr-&gt;data[i])
        kmem_cache_free(scullc_cache, dptr-&gt;data[i]);
</pre>
<A name="220"></a><font color="blue">PAGE 220</font><br>
<br>
Finally, at module unload time, we have to return the cache to the system:<br>
<pre>
/* scullc_cleanup: release the cache of our quanta */
if (scullc_cache)
    kmem_cache_destroy(scullc_cache);
</pre>
The main differences in passing from <i>scull </i>to <i>scullc </i>are a slight speed improvement
and better memory use. Since quanta are allocated from a pool of memory fragments
of exactly the right size, their placement in memory is as dense as possible, as
opposed to <i>scull</i> quanta, which bring in an unpredictable memory fragmentation.<br>
<br>
<a name="MemoryPools"></a><font color="red"><b>Memory Pools</b></font><br>
<br>
There are places in the kernel where memory allocations cannot be allowed to fail.
As a way of guaranteeing allocations in those situations, the kernel developers created
an abstraction known as a <i>memory pool </i>(or "mempool"). A memory pool is
really just a form of a lookaside cache that tries to always keep a list of free memory
around for use in emergencies.<br>
<br>
A memory pool has a type of <font class="fixd">mempool_t</font> (defined in <i>&lt;linux/mempool.h&gt;</i>); you can create
one with <i>mempool_create</i>:<br>
<pre>
mempool_t *mempool_create(int min_nr,
                          mempool_alloc_t *alloc_fn,
                          mempool_free_t *free_fn,
                          void *pool_data);
</pre>
The <font class="fixd">min_nr</font> argument is the minimum number of allocated objects that the pool
should always keep around. The actual allocation and freeing of objects is handled
by <font class="fixd">alloc_fn</font> and <font class="fixd">free_fn</font>, which have these prototypes:<br>
<pre>
typedef void *(mempool_alloc_t)(int gfp_mask, void *pool_data);
typedef void (mempool_free_t)(void *element, void *pool_data);
</pre>
The final parameter to <i>mempool_create</i> (<font class="fixd">pool_data</font>) is passed to <font class="fixd">alloc_fn</font> and <font class="fixd">free_fn</font>.<br>
<br>
If need be, you can write special-purpose functions to handle memory allocations for
mempools. Usually, however, you just want to let the kernel slab allocator handle that
task for you. There are two functions (<i>mempool_alloc_slab </i>and <i>mempool_free_slab</i>)
that perform the impedance matching between the memory pool allocation prototypes
and <i>kmem_cache_alloc </i>and <i>kmem_cache_free</i>. Thus, code that sets up memory
pools often looks like the following:<br>
<pre>
cache = kmem_cache_create(. . .);
pool = mempool_create(MY_POOL_MINIMUM,
                      mempool_alloc_slab, mempool_free_slab,
                      cache);
</pre>
Once the pool has been created, objects can be allocated and freed with:<br>
<pre>
void *mempool_alloc(mempool_t *pool, int gfp_mask);
void mempool_free(void *element, mempool_t *pool);
</pre>
<A name="221"></a><font color="blue">PAGE 221</font><br>
<br>
When the mempool is created, the allocation function will be called enough times to
create a pool of preallocated objects. Thereafter, calls to <i>mempool_alloc </i>attempt to
acquire additional objects from the allocation function; should that allocation fail,
one of the preallocated objects (if any remain) is returned. When an object is freed
with <i>mempool_free</i>, it is kept in the pool if the number of preallocated objects is currently
below the minimum; otherwise, it is to be returned to the system.<br>
<br>
A mempool can be resized with:<br>
<pre>
int mempool_resize(mempool_t *pool, int new_min_nr, int gfp_mask);
</pre>
This call, if successful, resizes the pool to have at least <font class="fixd">new_min_nr</font> objects.<br>
<br>
If you no longer need a memory pool, return it to the system with:<br>
<pre>
void mempool_destroy(mempool_t *pool);
</pre>
You must return all allocated objects before destroying the mempool, or a kernel
oops results.<br>
<br>
If you are considering using a mempool in your driver, please keep one thing in
mind: mempools allocate a chunk of memory that sits in a list, idle and unavailable
for any real use. It is easy to consume a great deal of memory with mempools. In
almost every case, the preferred alternative is to do without the mempool and simply
deal with the possibility of allocation failures instead. If there is any way for your
driver to respond to an allocation failure in a way that does not endanger the integrity
of the system, do things that way. Use of mempools in driver code should be
rare.<br>
<br>
<a name="GetfreepageAndFriends"></a><font color="red"><b>get_free_page and Friends</b></font><br>
<br>
If a module needs to allocate big chunks of memory, it is usually better to use a pageoriented
technique. Requesting whole pages also has other advantages, which are
introduced in Chapter 15.<br>
<br>
To allocate pages, the following functions are available:<br>
<br>
<font class="fixd">get_zeroed_page(unsigned int flags);</font><br>
<div class="bq">
Returns a pointer to a new page and fills the page with zeros.</div>
<br>
<font class="fixd">__get_free_page(unsigned int flags);</font><br>
<div class="bq">
Similar to <i>get_zeroed_page</i>, but doesn't clear the page.</div>
<br>
<font class="fixd">__get_free_pages(unsigned int flags, unsigned int order);</font><br>
<div class="bq">
Allocates and returns a pointer to the first byte of a memory area that is potentially
several (physically contiguous) pages long but doesn't zero the area.</div>
<br>
The flags argument works in the same way as with <i>kmalloc</i>; usually either <font class="fixd">GFP_KERNEL</font>
or <font class="fixd">GFP_ATOMIC</font> is used, perhaps with the addition of the <font class="fixd">__GFP_DMA</font> flag (for memory
that can be used for ISA direct-memory-access operations) or <font class="fixd">__GFP_HIGHMEM</font> when<br>
<br>
<A name="222"></a><font color="blue">PAGE 222</font><br>
<br>
high memory can be used.* order is the base-two logarithm of the number of pages
you are requesting or freeing (i.e., log2<i>N</i>). For example, order is 0 if you want one
page and 3 if you request eight pages. If order is too big (no contiguous area of that
size is available), the page allocation fails. The <i>get_order </i>function, which takes an integer
argument, can be used to extract the order from a size (that must be a power of
two) for the hosting platform. The maximum allowed value for order is 10 or 11 (corresponding
to 1024 or 2048 pages), depending on the architecture. The chances of an
order-10 allocation succeeding on anything other than a freshly booted system with a
lot of memory are small, however.<br>
<br>
If you are curious, <i>/proc/buddyinfo </i>tells you how many blocks of each order are available
for each memory zone on the system.<br>
<br>
When a program is done with the pages, it can free them with one of the following
functions. The first function is a macro that falls back on the second:<br>
<pre>
void free_page(unsigned long addr);
void free_pages(unsigned long addr, unsigned long order);
</pre>
If you try to free a different number of pages from what you allocated, the memory
map becomes corrupted, and the system gets in trouble at a later time.<br>
<br>
It's worth stressing that <i>__get_free_pages </i>and the other functions can be called at any
time, subject to the same rules we saw for <i>kmalloc</i>. The functions can fail to allocate
memory in certain circumstances, particularly when <font class="fixd">GFP_ATOMIC</font> is used. Therefore,
the program calling these allocation functions must be prepared to handle an allocation
failure.<br>
<br>
Although <font class="fixd">kmalloc(GFP_KERNEL)</font> sometimes fails when there is no available memory,
the kernel does its best to fulfill allocation requests. Therefore, it's easy to degrade
system responsiveness by allocating too much memory. For example, you can bring
the computer down by pushing too much data into a <i>scull </i>device; the system starts
crawling while it tries to swap out as much as possible in order to fulfill the <i>kmalloc
</i>request. Since every resource is being sucked up by the growing device, the computer
is soon rendered unusable; at that point, you can no longer even start a new
process to try to deal with the problem. We don't address this issue in <i>scull</i>, since it
is just a sample module and not a real tool to put into a multiuser system. As a programmer,
you must be careful nonetheless, because a module is privileged code and
can open new security holes in the system (the most likely is a denial-of-service hole
like the one just outlined).<br>
<br>
* Although <i>alloc_pages </i>(described shortly) should really be used for allocating high-memory pages, 
for reasons we can't really get into until Chapter 15.<br>
<br>
<A name="223"></a><font color="blue">PAGE 223</font><br>
<br>
<a name="AScullUsingWholePagesScullp"></a><font color="red"><b>A scull Using Whole Pages: scullp</b></font><br>
<br>
In order to test page allocation for real, we have released the <i>scullp </i>module together
with other sample code. It is a reduced <i>scull</i>, just like <i>scullc</i> introduced earlier.<br>
<br>
Memory quanta allocated by <i>scullp </i>are whole pages or page sets: the <font class="fixd">scullp_order</font>
variable defaults to 0 but can be changed at either compile or load time.<br>
<br>
The following lines show how it allocates memory:<br>
<pre>
/* Here's the allocation of a single quantum */
if (!dptr-&gt;data[s_pos]) {
    dptr-&gt;data[s_pos] =
        (void *)__get_free_pages(GFP_KERNEL, dptr-&gt;order);
    if (!dptr-&gt;data[s_pos])
        goto nomem;
    memset(dptr-&gt;data[s_pos], 0, PAGE_SIZE &lt;&lt; dptr-&gt;order);
}
</pre>
The code to deallocate memory in <i>scullp</i> looks like this:<br>
<pre>
/* This code frees a whole quantum-set */
for (i = 0; i &lt; qset; i++)
    if (dptr-&gt;data[i])
        free_pages((unsigned long)(dptr-&gt;data[i]),
                dptr-&gt;order);
</pre>
At the user level, the perceived difference is primarily a speed improvement and better
memory use, because there is no internal fragmentation of memory. We ran some
tests copying 4 MB from <i>scull0 </i>to <i>scull1 </i>and then from <i>scullp0 </i>to <i>scullp1</i>; the results
showed a slight improvement in kernel-space processor usage.<br>
<br>
The performance improvement is not dramatic, because <i>kmalloc </i>is designed to be
fast. The main advantage of page-level allocation isn't actually speed, but rather
more efficient memory usage. Allocating by pages wastes no memory, whereas using
<i>kmalloc</i> wastes an unpredictable amount of memory because of allocation granularity.<br>
<br>
But the biggest advantage of the <i>__get_free_page </i>functions is that the pages obtained
are completely yours, and you could, in theory, assemble the pages into a linear area
by appropriate tweaking of the page tables. For example, you can allow a user process
to <i>mmap </i>memory areas obtained as single unrelated pages. We discuss this kind
of operation in Chapter 15, where we show how <i>scullp </i>offers memory mapping,
something that <i>scull</i> cannot offer.<br>
<br>
<a name="TheAllocpagesInterface"></a><font color="red"><b>The <font class="fixd">alloc_pages</font> Interface</b></font><br>
<br>
For completeness, we introduce another interface for memory allocation, even
though we will not be prepared to use it until after Chapter 15. For now, suffice it to
say that struct page is an internal kernel structure that describes a page of memory.
As we will see, there are many places in the kernel where it is necessary to work with<br>
<br>
<A name="224"></a><font color="blue">PAGE 224</font><br>
<br>
<font class="fixd">page</font> structures; they are especially useful in any situation where you might be dealing
with high memory, which does not have a constant address in kernel space.<br>
<br>
The <i>real</i> core of the Linux page allocator is a function called <i>alloc_pages_node</i>:<br>
<pre>
struct page *alloc_pages_node(int nid, unsigned int flags,
                              unsigned int order);
</pre>
This function also has two variants (which are simply macros); these are the versions
that you will most likely use:<br>
<pre>
struct page *alloc_pages(unsigned int flags, unsigned int order);
struct page *alloc_page(unsigned int flags);
</pre>
The core function, <i>alloc_pages_node</i>, takes three arguments. <font class="fixd">nid</font> is the NUMA node
ID* whose memory should be allocated, <font class="fixd">flags</font> is the usual <font class="fixd">GFP_</font> allocation flags, and
<font class="fixd">order</font> is the size of the allocation. The return value is a pointer to the first of (possibly
many) page structures describing the allocated memory, or, as usual, <font class="fixd">NULL</font> on failure.<br>
<br>
<i>alloc_pages </i>simplifies the situation by allocating the memory on the current NUMA
node (it calls <i>alloc_pages_node </i>with the return value from <i>numa_node_id </i>as the <font class="fixd">nid</font>
parameter). And, of course, <i>alloc_page </i>omits the order parameter and allocates a single
page.<br>
<br>
To release pages allocated in this manner, you should use one of the following:<br>
<pre>
void __free_page(struct page *page);
void __free_pages(struct page *page, unsigned int order);
void free_hot_page(struct page *page);
void free_cold_page(struct page *page);
</pre>
If you have specific knowledge of whether a single page's contents are likely to be
resident in the processor cache, you should communicate that to the kernel with
<i>free_hot_page </i>(for cache-resident pages) or <i>free_cold_page</i>. This information helps
the memory allocator optimize its use of memory across the system.<br>
<br>
<a name="VmallocAndFriends"></a><font color="red"><b>vmalloc and Friends</b></font><br>
<br>
The next memory allocation function that we show you is <i>vmalloc</i>, which allocates a
contiguous memory region in the <i>virtual </i>address space. Although the pages are not consecutive
in physical memory (each page is retrieved with a separate call to <i>alloc_page</i>),
the kernel sees them as a contiguous range of addresses. <i>vmalloc </i>returns 0 (the <font class="fixd">NULL</font>
address) if an error occurs, otherwise, it returns a pointer to a linear memory area of size
at least size.<br>
<br>
* NUMA (nonuniform memory access) computers are multiprocessor systems where memory is "local" to 
specific groups of processors ("nodes"). Access to local memory is faster than access to nonlocal memory.
On such systems, allocating memory on the correct node is important. Driver authors do not normally have
to worry about NUMA issues, however.<br>
<br>
<A name="225"></a><font color="blue">PAGE 225</font><br>
<br>
We describe <i>vmalloc </i>here because it is one of the fundamental Linux memory allocation
mechanisms. We should note, however, that use of <i>vmalloc </i>is discouraged in
most situations. Memory obtained from <i>vmalloc </i>is slightly less efficient to work with,
and, on some architectures, the amount of address space set aside for <i>vmalloc </i>is relatively
small. Code that uses <i>vmalloc </i>is likely to get a chilly reception if submitted for
inclusion in the kernel. If possible, you should work directly with individual pages
rather than trying to smooth things over with <i>vmalloc</i>.<br>
<br>
That said, let's see how <i>vmalloc </i>works. The prototypes of the function and its relatives
(<i>ioremap</i>, which is not strictly an allocation function, is discussed later in this
section) are as follows:<br>
<pre>
#include &lt;linux/vmalloc.h&gt;

void *vmalloc(unsigned long size);
void vfree(void * addr);
void *ioremap(unsigned long offset, unsigned long size);
void iounmap(void * addr);
</pre>
It's worth stressing that memory addresses returned by <i>kmalloc </i>and <i>_get_free_pages
</i>are also virtual addresses. Their actual value is still massaged by the MMU (the memory
management unit, usually part of the CPU) before it is used to address physical
memory.* <i>vmalloc </i>is not different in how it uses the hardware, but rather in how the
kernel performs the allocation task.<br>
<br>
The (virtual) address range used by <i>kmalloc </i>and <i>__get_free_pages </i>features a one-toone
mapping to physical memory, possibly shifted by a constant <font class="fixd">PAGE_OFFSET</font> value;
the functions don't need to modify the page tables for that address range. The
address range used by <i>vmalloc </i>and <i>ioremap</i>, on the other hand, is completely synthetic,
and each allocation builds the (virtual) memory area by suitably setting up the
page tables.<br>
<br>
This difference can be perceived by comparing the pointers returned by the allocation
functions. On some platforms (for example, the x86), addresses returned by
<i>vmalloc </i>are just beyond the addresses that <i>kmalloc </i>uses. On other platforms (for
example, MIPS, IA-64, and x86_64), they belong to a completely different address
range. Addresses available for <i>vmalloc </i>are in the range from <font class="fixd">VMALLOC_START</font> to
<font class="fixd">VMALLOC_END</font>. Both symbols are defined in <i>&lt;asm/pgtable.h&gt;</i>.<br>
<br>
Addresses allocated by <i>vmalloc </i>can't be used outside of the microprocessor, because
they make sense only on top of the processor's MMU. When a driver needs a real
physical address (such as a DMA address, used by peripheral hardware to drive the
system's bus), you can't easily use <i>vmalloc</i>. The right time to call <i>vmalloc </i>is when<br>
<br>
* Actually, some architectures define ranges of "virtual" addresses as reserved to address physical memory. 
When this happens, the Linux kernel takes advantage of the feature, and both the kernel and <i>__get_free_pages
</i>addresses lie in one of those memory ranges. The difference is transparent to device drivers and other code
that is not directly involved with the memory-management kernel subsystem.<br>
<br>
<A name="226"></a><font color="blue">PAGE 226</font><br>
<br>
you are allocating memory for a large sequential buffer that exists only in software.
It's important to note that <i>vmalloc </i>has more overhead than <i>__get_free_pages</i>,
because it must both retrieve the memory and build the page tables. Therefore, it
doesn't make sense to call <i>vmalloc</i> to allocate just one page.<br>
<br>
An example of a function in the kernel that uses <i>vmalloc </i>is the <i>create_module </i>system
call, which uses <i>vmalloc </i>to get space for the module being created. Code and data of
the module are later copied to the allocated space using <i>copy_from_user</i>. In this way,
the module appears to be loaded into contiguous memory. You can verify, by looking
in <i>/proc/kallsyms</i>, that kernel symbols exported by modules lie in a different
memory range from symbols exported by the kernel proper.<br>
<br>
Memory allocated with <i>vmalloc </i>is released by <i>vfree</i>, in the same way that <i>kfree
</i>releases memory allocated by <i>kmalloc</i>.<br>
<br>
Like <i>vmalloc</i>, <i>ioremap </i>builds new page tables; unlike <i>vmalloc</i>, however, it doesn't
actually allocate any memory. The return value of <i>ioremap </i>is a special virtual address
that can be used to access the specified physical address range; the virtual address
obtained is eventually released by calling <i>iounmap</i>.<br>
<br>
<i>ioremap </i>is most useful for mapping the (physical) address of a PCI buffer to (virtual)
kernel space. For example, it can be used to access the frame buffer of a PCI video
device; such buffers are usually mapped at high physical addresses, outside of the
address range for which the kernel builds page tables at boot time. PCI issues are
explained in more detail in Chapter 12.<br>
<br>
It's worth noting that for the sake of portability, you should not directly access
addresses returned by <i>ioremap </i>as if they were pointers to memory. Rather, you
should always use <i>readb </i>and the other I/O functions introduced in Chapter 9. This
requirement applies because some platforms, such as the Alpha, are unable to
directly map PCI memory regions to the processor address space because of differences
between PCI specs and Alpha processors in how data is transferred.<br>
<br>
Both <i>ioremap </i>and <i>vmalloc </i>are page oriented (they work by modifying the page
tables); consequently, the relocated or allocated size is rounded up to the nearest
page boundary. <i>ioremap </i>simulates an unaligned mapping by "rounding down" the
address to be remapped and by returning an offset into the first remapped page.<br>
<br>
One minor drawback of <i>vmalloc </i>is that it can't be used in atomic context because,
internally, it uses <i>kmalloc(GFP_KERNEL) </i>to acquire storage for the page tables, and
therefore could sleep. This shouldn't be a problem--if the use of <i>__get_free_page </i>isn't
good enough for an interrupt handler, the software design needs some cleaning up.<br>
<br>
<A name="227"></a><font color="blue">PAGE 227</font><br>
<br>
<a name="AScullUsingVirtualAddressesScullv"></a><font color="red"><b>A scull Using Virtual Addresses: scullv</b></font><br>
<br>
Sample code using <i>vmalloc </i>is provided in the <i>scullv </i>module. Like <i>scullp</i>, this module
is a stripped-down version of <i>scull </i>that uses a different allocation function to obtain
space for the device to store data.<br>
<br>
The module allocates memory 16 pages at a time. The allocation is done in large
chunks to achieve better performance than <i>scullp </i>and to show something that takes
too long with other allocation techniques to be feasible. Allocating more than one
page with <i>__get_free_pages </i>is failure prone, and even when it succeeds, it can be
slow. As we saw earlier, <i>vmalloc </i>is faster than other functions in allocating several
pages, but somewhat slower when retrieving a single page, because of the overhead
of page-table building. <i>scullv </i>is designed like <i>scullp</i>. order specifies the "order" of
each allocation and defaults to 4. The only difference between <i>scullv </i>and <i>scullp </i>is in
allocation management. These lines use <i>vmalloc</i> to obtain new memory:<br>
<pre>
/* Allocate a quantum using virtual addresses */
if (!dptr-&gt;data[s_pos]) {
    dptr-&gt;data[s_pos] =
        (void *)vmalloc(PAGE_SIZE &lt;&lt; dptr-&gt;order);
    if (!dptr-&gt;data[s_pos])
        goto nomem;
    memset(dptr-&gt;data[s_pos], 0, PAGE_SIZE &lt;&lt; dptr-&gt;order);
}
</pre>
and these lines release memory:<br>
<pre>
/* Release the quantum-set */
for (i = 0; i &lt; qset; i++)
    if (dptr-&gt;data[i])
        vfree(dptr-&gt;data[i]);
</pre>
If you compile both modules with debugging enabled, you can look at their data
allocation by reading the files they create in <i>/proc</i>. This snapshot was taken on an
x86_64 system:<br>
<pre>
salma% cat /tmp/bigfile &gt; /dev/scullp0; head -5 /proc/scullpmem
Device 0: qset 500, order 0, sz 1535135
  item at 000001001847da58, qset at 000001001db4c000
       0:1001db56000
       1:1003d1c7000

salma% cat /tmp/bigfile &gt; /dev/scullv0; head -5 /proc/scullvmem

Device 0: qset 500, order 4, sz 1535135
  item at 000001001847da58, qset at 0000010013dea000
       0:ffffff0001177000
       1:ffffff0001188000
</pre>
<A name="228"></a><font color="blue">PAGE 228</font><br>
<br>
The following output, instead, came from an x86 system:<br>
<pre>
rudo% cat /tmp/bigfile &gt; /dev/scullp0; head -5 /proc/scullpmem

Device 0: qset 500, order 0, sz 1535135
  item at ccf80e00, qset at cf7b9800
       0:ccc58000
       1:cccdd000

rudo%  cat /tmp/bigfile &gt; /dev/scullv0; head -5 /proc/scullvmem

Device 0: qset 500, order 4, sz 1535135
  item at cfab4800, qset at cf8e4000
       0:d087a000
       1:d08d2000
</pre>
The values show two different behaviors. On x86_64, physical addresses and virtual
addresses are mapped to completely different address ranges (0x100 and 0xffffff00),
while on x86 computers, <i>vmalloc </i>returns virtual addresses just above the mapping
used for physical memory.<br>
<br>
<a name="PerCPUVariables"></a><font color="red"><b>Per-CPU Variables</b></font><br>
<br>
Per-CPU variables are an interesting 2.6 kernel feature. When you create a per-CPU
variable, each processor on the system gets its own copy of that variable. This may
seem like a strange thing to want to do, but it has its advantages. Access to per-CPU
variables requires (almost) no locking, because each processor works with its own
copy. Per-CPU variables can also remain in their respective processors'caches, which
leads to significantly better performance for frequently updated quantities.<br>
<br>
A good example of per-CPU variable use can be found in the networking subsystem.
The kernel maintains no end of counters tracking how many of each type of packet
was received; these counters can be updated thousands of times per second. Rather
than deal with the caching and locking issues, the networking developers put the statistics
counters into per-CPU variables. Updates are now lockless and fast. On the
rare occasion that user space requests to see the values of the counters, it is a simple
matter to add up each processor's version and return the total.<br>
<br>
The declarations for per-CPU variables can be found in <i>&lt;linux/percpu.h&gt;</i>. To create a
per-CPU variable at compile time, use this macro:<br>
<pre>
DEFINE_PER_CPU(type, name);
</pre>
If the variable (to be called <font class="fixd">name</font>) is an array, include the dimension information with
the type. Thus, a per-CPU array of three integers would be created with:<br>
<pre>
DEFINE_PER_CPU(int[3], my_percpu_array);
</pre>
Per-CPU variables can be manipulated without explicit locking--almost. Remember
that the 2.6 kernel is preemptible; it would not do for a processor to be preempted in<br>
<br>
<A name="229"></a><font color="blue">PAGE 229</font><br>
<br>
the middle of a critical section that modifies a per-CPU variable. It also would not be
good if your process were to be moved to another processor in the middle of a perCPU
variable access. For this reason, you must explicitly use the <i>get_cpu_var </i>macro
to access the current processor's copy of a given variable, and call <i>put_cpu_var </i>when
you are done. The call to <i>get_cpu_var </i>returns an lvalue for the current processor's
version of the variable and disables preemption. Since an lvalue is returned, it can be
assigned to or operated on directly. For example, one counter in the networking code
is incremented with these two statements:<br>
<pre>
get_cpu_var(sockets_in_use)++;
put_cpu_var(sockets_in_use);
</pre>
You can access another processor's copy of the variable with:<br>
<pre>
per_cpu(variable, int cpu_id);
</pre>
If you write code that involves processors reaching into each other's per-CPU variables,
you, of course, have to implement a locking scheme that makes that access
safe.<br>
<br>
Dynamically allocated per-CPU variables are also possible. These variables can be
allocated with:<br>
<pre>
void *alloc_percpu(type);
void *__alloc_percpu(size_t size, size_t align);
</pre>
In most cases, <i>alloc_percpu </i>does the job; you can call <i>__alloc_percpu </i>in cases where
a particular alignment is required. In either case, a per-CPU variable can be returned
to the system with <i>free_percpu</i>. Access to a dynamically allocated per-CPU variable is
done via <i>per_cpu_ptr</i>:<br>
<pre>
per_cpu_ptr(void *per_cpu_var, int cpu_id);
</pre>
This macro returns a pointer to the version of <font class="fixd">per_cpu_var</font> corresponding to the given
<font class="fixd">cpu_id</font>. If you are simply reading another CPU's version of the variable, you can dereference
that pointer and be done with it. If, however, you are manipulating the current
processor's version, you probably need to ensure that you cannot be moved out of
that processor first. If the entirety of your access to the per-CPU variable happens
with a spinlock held, all is well. Usually, however, you need to use <i>get_cpu </i>to block
preemption while working with the variable. Thus, code using dynamic per-CPU variables
tends to look like this:<br>
<pre>
int cpu;

cpu = get_cpu( )
ptr = per_cpu_ptr(per_cpu_var, cpu);
/* work with ptr */
put_cpu( );
</pre>
When using compile-time per-CPU variables, the <i>get_cpu_var </i>and <i>put_cpu_var </i>macros
take care of these details. Dynamic per-CPU variables require more explicit protection.<br>
<br>
<A name="230"></a><font color="blue">PAGE 230</font><br>
<br>
Per-CPU variables can be exported to modules, but you must use a special version of
the macros:<br>
<pre>
EXPORT_PER_CPU_SYMBOL(per_cpu_var);
EXPORT_PER_CPU_SYMBOL_GPL(per_cpu_var);
</pre>
To access such a variable within a module, declare it with:<br>
<pre>
DECLARE_PER_CPU(type, name);
</pre>
The use of <i><font class="fixd">DECLARE_PER_CPU</font> </i>(instead of <i><font class="fixd">DEFINE_PER_CPU</font></i>) tells the compiler
that an external reference is being made.<br>
<br>
If you want to use per-CPU variables to create a simple integer counter, take a look
at the canned implementation in <i>&lt;linux/percpu_counter.h&gt;</i>. Finally, note that some
architectures have a limited amount of address space available for per-CPU variables.
If you create per-CPU variables in your code, you should try to keep them
small.<br>
<br>
<a name="ObtainingLargeBuffers"></a><font color="red"><b>Obtaining Large Buffers</b></font><br>
<br>
As we have noted in previous sections, allocations of large, contiguous memory buffers
are prone to failure. System memory fragments over time, and chances are that a
truly large region of memory will simply not be available. Since there are usually
ways of getting the job done without huge buffers, the kernel developers have not
put a high priority on making large allocations work. Before you try to obtain a large
memory area, you should really consider the alternatives. By far the best way of performing
large I/O operations is through scatter/gather operations, which we discuss
in the section "Scatter-gather mappings" in Chapter 1.<br>
<br>
<a name="AcquiringADedicatedBufferAtBootTime"></a><font color="red"><b>Acquiring a Dedicated Buffer at Boot Time</b></font><br>
<br>
If you really need a huge buffer of physically contiguous memory, the best approach
is often to allocate it by requesting memory at boot time. Allocation at boot time is
the only way to retrieve consecutive memory pages while bypassing the limits
imposed by <i>__get_free_pages </i>on the buffer size, both in terms of maximum allowed
size and limited choice of sizes. Allocating memory at boot time is a "dirty" technique,
because it bypasses all memory management policies by reserving a private
memory pool. This technique is inelegant and inflexible, but it is also the least prone
to failure. Needless to say, a module can't allocate memory at boot time; only drivers
directly linked to the kernel can do that.<br>
<br>
One noticeable problem with boot-time allocation is that it is not a feasible option
for the average user, since this mechanism is available only for code linked in the kernel
image. A device driver using this kind of allocation can be installed or replaced
only by rebuilding the kernel and rebooting the computer.<br>
<br>
<A name="231"></a><font color="blue">PAGE 231</font><br>
<br>
When the kernel is booted, it gains access to all the physical memory available in the
system. It then initializes each of its subsystems by calling that subsystem's initialization
function, allowing initialization code to allocate a memory buffer for private use
by reducing the amount of RAM left for normal system operation.<br>
<br>
Boot-time memory allocation is performed by calling one of these functions:<br>
<pre>
#include &lt;linux/bootmem.h&gt;
void *alloc_bootmem(unsigned long size);
void *alloc_bootmem_low(unsigned long size);
void *alloc_bootmem_pages(unsigned long size);
void *alloc_bootmem_low_pages(unsigned long size);
</pre>
The functions allocate either whole pages (if they end with <font class="fixd">_pages</font>) or non-page aligned
memory areas. The allocated memory may be high memory unless one of the
<font class="fixd">_low</font> versions is used. If you are allocating this buffer for a device driver, you probably
want to use it for DMA operations, and that is not always possible with high
memory; thus, you probably want to use one of the <font class="fixd">_low</font> variants.<br>
<br>
It is rare to free memory allocated at boot time; you will almost certainly be unable
to get it back later if you want it. There is an interface to free this memory, however:<br>
<pre>
void free_bootmem(unsigned long addr, unsigned long size);
</pre>
Note that partial pages freed in this manner are not returned to the system--but, if
you are using this technique, you have probably allocated a fair number of whole
pages to begin with.<br>
<br>
If you must use boot-time allocation, you need to link your driver directly into the
kernel. See the files in the kernel source under <i>Documentation/kbuild </i>for more information
on how this should be done.<br>
<br>
<a name="QuickReference8"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
The functions and symbols related to memory allocation are:<br>
<br>
<font class="fixd">#include &lt;linux/slab.h&gt;<br>
void *kmalloc(size_t size, int flags);<br>
void kfree(void *obj);</font><br>
<div class="bq">
The most frequently used interface to memory allocation.</div>
<br>
<font class="fixd">#include &lt;linux/mm.h&gt;<br>
GFP_USER<br>
GFP_KERNEL<br>
GFP_NOFS<br>
GFP_NOIO<br>
GFP_ATOMIC</font><br>
<div class="bq">
Flags that control how memory allocations are performed, from the least restrictive
to the most. The <font class="fixd">GFP_USER</font> and <font class="fixd">GFP_KERNEL</font> priorities allow the current process</div>
<br>
<A name="232"></a><font color="blue">PAGE 232</font><br>
<br>
<div class="bq">to be put to sleep to satisfy the request. <font class="fixd">GFP_NOFS</font> and <font class="fixd">GFP_NOIO</font> disable filesystem
operations and all I/O operations, respectively, while <font class="fixd">GFP_ATOMIC</font> allocations cannot
sleep at all.</div>
<br>
<font class="fixd">__GFP_DMA<br>
__GFP_HIGHMEM<br>
__GFP_COLD<br>
__GFP_NOWARN<br>
__GFP_HIGH<br>
__GFP_REPEAT<br>
__GFP_NOFAIL<br>
__GFP_NORETRY</font><br>
<div class="bq">
These flags modify the kernel's behavior when allocating memory.</div>
<br>
<font class="fixd">#include &lt;linux/malloc.h&gt;<br>
kmem_cache_t *kmem_cache_create(char *name, size_t size, size_t offset,<br>
  unsigned long flags, constructor( ), destructor( ));<br>
int kmem_cache_destroy(kmem_cache_t *cache);</font><br>
<div class="bq">
Create and destroy a slab cache. The cache can be used to allocate several
objects of the same size.</div>
<br>
<font class="fixd">SLAB_NO_REAP<br>
SLAB_HWCACHE_ALIGN<br>
SLAB_CACHE_DMA</font><br>
<div class="bq">
Flags that can be specified while creating a cache.</div>
<br>
<font class="fixd">SLAB_CTOR_ATOMIC<br>
SLAB_CTOR_CONSTRUCTOR</font><br>
<div class="bq">
Flags that the allocator can pass to the constructor and the destructor functions.</div>
<br>
<font class="fixd">void *kmem_cache_alloc(kmem_cache_t *cache, int flags);<br>
void kmem_cache_free(kmem_cache_t *cache, const void *obj);</font><br>
<div class="bq">
Allocate and release a single object from the cache.</div>
<br>
<i>/proc/slabinfo</i><br>
<div class="bq">
A virtual file containing statistics on slab cache usage.</div>
<br>
<font class="fixd">#include &lt;linux/mempool.h&gt;<br>
mempool_t *mempool_create(int min_nr, mempool_alloc_t *alloc_fn, mempool_free_t *free_fn, void *data);<br>
void mempool_destroy(mempool_t *pool);</font><br>
<div class="bq">
Functions for the creation of memory pools, which try to avoid memory allocation
failures by keeping an "emergency list" of allocated items.</div>
<br>
<font class="fixd">void *mempool_alloc(mempool_t *pool, int gfp_mask);<br>
void mempool_free(void *element, mempool_t *pool);</font><br>
<div class="bq">
Functions for allocating items from (and returning them to) memory pools.</div>
<br>
<A name="233"></a><font color="blue">PAGE 233</font><br>
<br>
<font class="fixd">unsigned long get_zeroed_page(int flags);<br>
unsigned long __get_free_page(int flags);<br>
unsigned long __get_free_pages(int flags, unsigned long order);</font><br>
<div class="bq">
The page-oriented allocation functions. <i>get_zeroed_page </i>returns a single, zero-filled
page. All the other versions of the call do not initialize the contents of the
returned page(s).</div>
<br>
<font class="fixd">int get_order(unsigned long size);</font><br>
<div class="bq">
Returns the allocation order associated to <i>size </i>in the current platform, according
to <font class="fixd">PAGE_SIZE</font>. The argument must be a power of two, and the return value is at
least 0.</div>
<br>
<font class="fixd">void free_page(unsigned long addr);<br>
void free_pages(unsigned long addr, unsigned long order);</font><br>
<div class="bq">
Functions that release page-oriented allocations.</div>
<br>
<font class="fixd">struct page *alloc_pages_node(int nid, unsigned int flags, unsigned int order);<br>
struct page *alloc_pages(unsigned int flags, unsigned int order);<br>
struct page *alloc_page(unsigned int flags);</font><br>
<div class="bq">
All variants of the lowest-level page allocator in the Linux kernel.</div>
<br>
<font class="fixd">void __free_page(struct page *page);<br>
void __free_pages(struct page *page, unsigned int order);<br>
void free_hot_page(struct page *page);<br>
void free_cold_page(struct page *page);</font><br>
<div class="bq">
Various ways of freeing pages allocated with one of the forms of <i>alloc_page</i>.</div>
<br>
<font class="fixd">#include &lt;linux/vmalloc.h&gt;<br>
void * vmalloc(unsigned long size);<br>
void vfree(void * addr);<br>
#include &lt;asm/io.h&gt;<br>
void * ioremap(unsigned long offset, unsigned long size);<br>
void iounmap(void *addr);</font><br>
<div class="bq">
Functions that allocate or free a contiguous <i>virtual </i>address space. <i>ioremap
</i>accesses physical memory through virtual addresses, while <i>vmalloc </i>allocates free
pages. Regions mapped with <i>ioremap </i>are freed with <i>iounmap</i>, while pages
obtained from <i>vmalloc</i> are released with <i>vfree</i>.</div>
<br>
<font class="fixd">#include &lt;linux/percpu.h&gt;<br>
DEFINE_PER_CPU(type, name);<br>
DECLARE_PER_CPU(type, name);</font><br>
<div class="bq">
Macros that define and declare per-CPU variables.</div>
<br>
<font class="fixd">per_cpu(variable, int cpu_id)<br>
get_cpu_var(variable)<br>
put_cpu_var(variable)</font><br>
<div class="bq">
Macros that provide access to statically declared per-CPU variables.</div>
<br>
<A name="234"></a><font color="blue">PAGE 234</font><br>
<br>
<font class="fixd">void *alloc_percpu(type);<br>
void *__alloc_percpu(size_t size, size_t align);<br>
void free_percpu(void *variable);</font><br>
<div class="bq">
Functions that perform runtime allocation and freeing of per-CPU variables.</div>
<br>
<font class="fixd">int get_cpu( );<br>
void put_cpu( );<br>
per_cpu_ptr(void *variable, int cpu_id)</font><br>
<div class="bq">
<i>get_cpu </i>obtains a reference to the current processor (therefore, preventing preemption
and movement to another processor) and returns the ID number of the
processor; <i>put_cpu </i>returns that reference. To access a dynamically allocated perCPU
variable, use <i>per_cpu_ptr </i>with the ID of the CPU whose version should be
accessed. Manipulations of the current CPU's version of a dynamic, per-CPU
variable should probably be surrounded by calls to <i>get_cpu</i> and <i>put_cpu</i>.</div>
<br>
<font class="fixd">#include &lt;linux/bootmem.h&gt;<br>
void *alloc_bootmem(unsigned long size);<br>
void *alloc_bootmem_low(unsigned long size);<br>
void *alloc_bootmem_pages(unsigned long size);<br>
void *alloc_bootmem_low_pages(unsigned long size);<br>
void free_bootmem(unsigned long addr, unsigned long size);</font><br>
<div class="bq">
Functions (which can be used only by drivers directly linked into the kernel) that
perform allocation and freeing of memory at system bootstrap time.</div>
<br>
<A name="235"></a><font color="blue">PAGE 235</font><br>
<br>
<a name="CHAPTER9"></a><font color="red"><b>CHAPTER 9</b></font><br>
<br>
<a name="CommunicatingWithHardware"></a><font color="#7519FF" size="+1"><b>Communicating with Hardware</b></font><br>
<br>
Although playing with <i>scull </i>and similar toys is a good introduction to the software
interface of a Linux device driver, implementing a <i>real </i>device requires hardware. The
driver is the abstraction layer between software concepts and hardware circuitry; as
such, it needs to talk with both of them. Up until now, we have examined the internals
of software concepts; this chapter completes the picture by showing you how
a driver can access I/O ports and I/O memory while being portable across Linux
platforms.<br>
<br>
This chapter continues in the tradition of staying as independent of specific hardware
as possible. However, where specific examples are needed, we use simple digital
I/O ports (such as the standard PC parallel port) to show how the I/O
instructions work and normal frame-buffer video memory to show memory-mapped
I/O.<br>
<br>
We chose simple digital I/O because it is the easiest form of an input/output port.
Also, the parallel port implements raw I/O and is available in most computers: data
bits written to the device appear on the output pins, and voltage levels on the input
pins are directly accessible by the processor. In practice, you have to connect LEDs
or a printer to the port to actually <i>see </i>the results of a digital I/O operation, but the
underlying hardware is extremely easy to use.<br>
<br>
<a name="IOPortsAndIOMemory"></a><font color="red"><b>I/O Ports and I/O Memory</b></font><br>
<br>
Every peripheral device is controlled by writing and reading its registers. Most of the
time a device has several registers, and they are accessed at consecutive addresses,
either in the memory address space or in the I/O address space.<br>
<br>
At the hardware level, there is no conceptual difference between memory regions and
I/O regions: both of them are accessed by asserting electrical signals on the address<br>
<br>
<A name="236"></a><font color="blue">PAGE 236</font><br>
<br>
bus and control bus (i.e., the <i>read </i>and <i>write </i>signals)* and by reading from or writing
to the data bus.<br>
<br>
While some CPU manufacturers implement a single address space in their chips, others
decided that peripheral devices are different from memory and, therefore, deserve
a separate address space. Some processors (most notably the x86 family) have separate
<i>read </i>and <i>write </i>electrical lines for I/O ports and special CPU instructions to
access ports.<br>
<br>
Because peripheral devices are built to fit a peripheral bus, and the most popular I/O
buses are modeled on the personal computer, even processors that do not have a separate
address space for I/O ports must fake reading and writing I/O ports when
accessing some peripheral devices, usually by means of external chipsets or extra circuitry
in the CPU core. The latter solution is common within tiny processors meant
for embedded use.<br>
<br>
For the same reason, Linux implements the concept of I/O ports on all computer
platforms it runs on, even on platforms where the CPU implements a single address
space. The implementation of port access sometimes depends on the specific make
and model of the host computer (because different models use different chipsets to
map bus transactions into memory address space).<br>
<br>
Even if the peripheral bus has a separate address space for I/O ports, not all devices
map their registers to I/O ports. While use of I/O ports is common for ISA peripheral
boards, most PCI devices map registers into a memory address region. This I/O
memory approach is generally preferred, because it doesn't require the use of special purpose
processor instructions; CPU cores access memory much more efficiently,
and the compiler has much more freedom in register allocation and addressing-mode
selection when accessing memory.<br>
<br>
<a name="IORegistersAndConventionalMemory"></a><font color="red"><b>I/O Registers and Conventional Memory</b></font><br>
<br>
Despite the strong similarity between hardware registers and memory, a programmer
accessing I/O registers must be careful to avoid being tricked by CPU (or compiler)
optimizations that can modify the expected I/O behavior.<br>
<br>
The main difference between I/O registers and RAM is that I/O operations have side
effects, while memory operations have none: the only effect of a memory write is
storing a value to a location, and a memory read returns the last value written there.
Because memory access speed is so critical to CPU performance, the no-side-effects
case has been optimized in several ways: values are cached and read/write instructions
are reordered.<br>
<br>
* Not all computer platforms use a <i>read </i>and a <i>write </i>signal; some have different means to address external circuits. The difference is irrelevant at software level, however, and we'll assume all have <i>read </i>and <i>write </i>to simplify
the discussion.<br>
<br>
<A name="237"></a><font color="blue">PAGE 237</font><br>
<br>
The compiler can cache data values into CPU registers without writing them to
memory, and even if it stores them, both write and read operations can operate on
cache memory without ever reaching physical RAM. Reordering can also happen
both at the compiler level and at the hardware level: often a sequence of instructions
can be executed more quickly if it is run in an order different from that which
appears in the program text, for example, to prevent interlocks in the RISC pipeline.
On CISC processors, operations that take a significant amount of time can be executed
concurrently with other, quicker ones.<br>
<br>
These optimizations are transparent and benign when applied to conventional memory
(at least on uniprocessor systems), but they can be fatal to correct I/O operations,
because they interfere with those "side effects" that are the main reason why a
driver accesses I/O registers. The processor cannot anticipate a situation in which
some other process (running on a separate processor, or something happening inside
an I/O controller) depends on the order of memory access. The compiler or the CPU
may just try to outsmart you and reorder the operations you request; the result can
be strange errors that are very difficult to debug. Therefore, a driver must ensure that
no caching is performed and no read or write reordering takes place when accessing
registers.<br>
<br>
The problem with hardware caching is the easiest to face: the underlying hardware is
already configured (either automatically or by Linux initialization code) to disable
any hardware cache when accessing I/O regions (whether they are memory or port
regions).<br>
<br>
The solution to compiler optimization and hardware reordering is to place a <i>memory
barrier </i>between operations that must be visible to the hardware (or to another processor)
in a particular order. Linux provides four macros to cover all possible ordering
needs:<br>
<br>
<font class="fixd">#include &lt;linux/kernel.h&gt;<br>
void barrier(void)</font><br>
<div class="bq">
This function tells the compiler to insert a memory barrier but has no effect on
the hardware. Compiled code stores to memory all values that are currently
modified and resident in CPU registers, and rereads them later when they are
needed. A call to <i>barrier </i>prevents compiler optimizations across the barrier but
leaves the hardware free to do its own reordering.</div>
<br>
<font class="fixd">#include &lt;asm/system.h&gt;<br>
void rmb(void);<br>
void read_barrier_depends(void);<br>
void wmb(void);<br>
void mb(void);</font><br>
<div class="bq">
These functions insert hardware memory barriers in the compiled instruction
flow; their actual instantiation is platform dependent. An <i>rmb </i>(read memory
barrier) guarantees that any reads appearing before the barrier are completed</div>
<br>
<A name="238"></a><font color="blue">PAGE 238</font><br>
<br>
<div class="bq">
prior to the execution of any subsequent read. <i>wmb </i>guarantees ordering in write
operations, and the <i>mb </i>instruction guarantees both. Each of these functions is a
superset of <i>barrier</i>.<br>
<br>
<i>read_barrier_depends </i>is a special, weaker form of read barrier. Whereas <i>rmb </i>prevents
the reordering of all reads across the barrier, <i>read_barrier_depends </i>blocks
only the reordering of reads that depend on data from other reads. The distinction
is subtle, and it does not exist on all architectures. Unless you understand
exactly what is going on, and you have a reason to believe that a full read barrier
is exacting an excessive performance cost, you should probably stick to using
<i>rmb</i>.</div>
<br>
<font class="fixd">void smp_rmb(void);<br>
void smp_read_barrier_depends(void);<br>
void smp_wmb(void);<br>
void smp_mb(void);</font><br>
<div class="bq">
These versions of the barrier macros insert hardware barriers only when the kernel
is compiled for SMP systems; otherwise, they all expand to a simple <i>barrier
</i>call.</div>
<br>
A typical usage of memory barriers in a device driver may have this sort of form:<br>
<pre>
writel(dev-&gt;registers.addr, io_destination_address);
writel(dev-&gt;registers.size, io_size);
writel(dev-&gt;registers.operation, DEV_READ);
wmb( );
writel(dev-&gt;registers.control, DEV_GO);
</pre>
In this case, it is important to be sure that all of the device registers controlling a particular
operation have been properly set prior to telling it to begin. The memory barrier
enforces the completion of the writes in the necessary order.<br>
<br>
Because memory barriers affect performance, they should be used only where they
are really needed. The different types of barriers can also have different performance
characteristics, so it is worthwhile to use the most specific type possible. For example,
on the x86 architecture, <i>wmb( ) </i>currently does nothing, since writes outside the
processor are not reordered. Reads are reordered, however, so <i>mb( ) </i>is slower than
<i>wmb( )</i>.<br>
<br>
It is worth noting that most of the other kernel primitives dealing with synchronization,
such as spinlock and <font class="fixd">atomic_t</font> operations, also function as memory barriers.
Also worthy of note is that some peripheral buses (such as the PCI bus) have caching
issues of their own; we discuss those when we get to them in later chapters.<br>
<br>
Some architectures allow the efficient combination of an assignment and a memory
barrier. The kernel provides a few macros that perform this combination; in the
default case, they are defined as follows:<br>
<pre>
#define set_mb(var, value)  do {var = value; mb( );}  while 0
#define set_wmb(var, value) do {var = value; wmb( );} while 0
#define set_rmb(var, value) do {var = value; rmb( );} while 0
</pre>
<A name="239"></a><font color="blue">PAGE 239</font><br>
<br>
Where appropriate, <i>&lt;asm/system.h&gt; </i>defines these macros to use architecture-specific
instructions that accomplish the task more quickly. Note that <i>set_rmb </i>is defined
only by a small number of architectures. (The use of a <font class="fixd">do...while</font> construct is a standard
C idiom that causes the expanded macro to work as a normal C statement in all
contexts.)<br>
<br>
<a name="UsingIOPorts"></a><font color="red"><b>Using I/O Ports</b></font><br>
<br>
I/O ports are the means by which drivers communicate with many devices, at least
part of the time. This section covers the various functions available for making use of
I/O ports; we also touch on some portability issues.<br>
<br>
<a name="IOPortAllocation"></a><font color="red"><b>I/O Port Allocation</b></font><br>
<br>
As you might expect, you should not go off and start pounding on I/O ports without
first ensuring that you have exclusive access to those ports. The kernel provides a
registration interface that allows your driver to claim the ports it needs. The core
function in that interface is <i>request_region</i>:<br>
<pre>
#include &lt;linux/ioport.h&gt;
struct resource *request_region(unsigned long first, unsigned long n,
                                const char *name);
</pre>
This function tells the kernel that you would like to make use of <font class="fixd">n</font> ports, starting
with <font class="fixd">first.</font> The <font class="fixd">name</font> parameter should be the name of your device. The return value
is <font class="fixd">non-NULL</font> if the allocation succeeds. If you get <font class="fixd">NULL</font> back from <i>request_region</i>, you
will not be able to use the desired ports.<br>
<br>
All port allocations show up in <i>/proc/ioports</i>. If you are unable to allocate a needed
set of ports, that is the place to look to see who got there first.<br>
<br>
When you are done with a set of I/O ports (at module unload time, perhaps), they
should be returned to the system with:<br>
<pre>
void release_region(unsigned long start, unsigned long n);
</pre>
There is also a function that allows your driver to check to see whether a given set of
I/O ports is available:<br>
<pre>
int check_region(unsigned long first, unsigned long n);
</pre>
Here, the return value is a negative error code if the given ports are not available.
This function is deprecated because its return value provides no guarantee of
whether an allocation would succeed; checking and later allocating are not an atomic
operation. We list it here because several drivers are still using it, but you should
always use <i>request_region</i>, which performs the required locking to ensure that the
allocation is done in a safe, atomic manner.<br>
<br>
<A name="240"></a><font color="blue">PAGE 240</font><br>
<br>
<a name="ManipulatingIOPorts"></a><font color="red"><b>Manipulating I/O ports</b></font><br>
<br>
After a driver has requested the range of I/O ports it needs to use in its activities, it
must read and/or write to those ports. To this end, most hardware differentiates
between 8-bit, 16-bit, and 32-bit ports. Usually you can't mix them like you normally
do with system memory access.*<br>
<br>
A C program, therefore, must call different functions to access different size ports. As
suggested in the previous section, computer architectures that support only memory-mapped
I/O registers fake port I/O by remapping port addresses to memory
addresses, and the kernel hides the details from the driver in order to ease portability.
The Linux kernel headers (specifically, the architecture-dependent header <i>&lt;asm/
io.h&gt;</i>) define the following inline functions to access I/O ports:<br>
<br>
<font class="fixd">unsigned inb(unsigned port);<br>
void outb(unsigned char byte, unsigned port);</font><br>
<div class="bq">
Read or write byte ports (eight bits wide). The <font class="fixd">port</font> argument is defined as
<font class="fixd">unsigned long</font> for some platforms and <font class="fixd">unsigned short</font> for others. The return
type of <i>inb</i> is also different across architectures.</div>
<br>
<font class="fixd">unsigned inw(unsigned port);<br>
void outw(unsigned short word, unsigned port);</font></div>
<div class="bq">
These functions access 16-bit ports (one word wide); they are not available when
compiling for the S390 platform, which supports only byte I/O.</div>
<br>
<font class="fixd">unsigned inl(unsigned port);<br>
void outl(unsigned longword, unsigned port);</font><br>
<div class="bq">
These functions access 32-bit ports. <font class="fixd">longword</font> is declared as either <font class="fixd">unsigned long</font>
or <font class="fixd">unsigned int</font>, according to the platform. Like word I/O, "long" I/O is not
available on S390.</div>
<br>
<div class="tip">From now on, when we use unsigned without further type specifications,
we are referring to an architecture-dependent definition whose
exact nature is not relevant. The functions are almost always portable,
because the compiler automatically casts the values during assignment--their
being unsigned helps prevent compile-time warnings. No
information is lost with such casts as long as the programmer assigns
sensible values to avoid overflow. We stick to this convention of
"incomplete typing" throughout this chapter.</div>
<br>
Note that no 64-bit port I/O operations are defined. Even on 64-bit architectures, the
port address space uses a 32-bit (maximum) data path.<br>
<br>
* Sometimes I/O ports are arranged like memory, and you can (for example) bind two 8-bit writes into a single 
16-bit operation. This applies, for instance, to PC video boards. But generally, you can't count on this feature.<br>
<br>
<A name="241"></a><font color="blue">PAGE 241</font><br>
<br>
<a name="IOPortAccessFromUserSpace"></a><font color="red"><b>I/O Port Access from User Space</b></font><br>
<br>
The functions just described are primarily meant to be used by device drivers, but
they can also be used from user space, at least on PC-class computers. The GNU C
library defines them in <i>&lt;sys/io.h&gt;</i>. The following conditions should apply in order
for <i>inb</i> and friends to be used in user-space code:<br>
<ul>
<li> The program must be compiled with the <i>-O </i>option to force expansion of inline functions.
<li> The <i>ioperm </i>or <i>iopl </i>system calls must be used to get permission to perform I/O
operations on ports. <i>ioperm </i>gets permission for individual ports, while <i>iopl </i>gets
permission for the entire I/O space. Both of these functions are x86-specific.
<li> The program must run as root to invoke <i>ioperm </i>or <i>iopl</i>.* Alternatively, one of its
ancestors must have gained port access running as root.
</ul>
If the host platform has no <i>ioperm </i>and no <i>iopl </i>system calls, user space can still access
I/O ports by using the <i>/dev/port </i>device file. Note, however, that the meaning of the
file is very platform-specific and not likely useful for anything but the PC.<br>
<br>
The sample sources <i>misc-progs/inp.c </i>and <i>misc-progs/outp.c </i>are a minimal tool for
reading and writing ports from the command line, in user space. They expect to be
installed under multiple names (e.g., <i>inb</i>, <i>inw</i>, and <i>inl </i>and manipulates byte, word, or
long ports depending on which name was invoked by the user). They use <i>ioperm </i>or
<i>iopl</i> under x86, <i>/dev/port</i> on other platforms.<br>
<br>
The programs can be made setuid root, if you want to live dangerously and play with
your hardware without acquiring explicit privileges. Please do not install them setuid
on a production system, however; they are a security hole by design.<br>
<br>
<a name="StringOperations"></a><font color="red"><b>String Operations</b></font><br>
<br>
In addition to the single-shot in and out operations, some processors implement special
instructions to transfer a sequence of bytes, words, or longs to and from a single
I/O port or the same size. These are the so-called <i>string instructions</i>, and they perform
the task more quickly than a C-language loop can do. The following macros
implement the concept of string I/O either by using a single machine instruction or
by executing a tight loop if the target processor has no instruction that performs
string I/O. The macros are not defined at all when compiling for the S390 platform.
This should not be a portability problem, since this platform doesn't usually share
device drivers with other platforms, because its peripheral buses are different.<br>
<br>
* Technically, it must have the <font class="fixd">CAP_SYS_RAWIO</font> capability, but that is the same as running as root on most current systems.<br>
<br>
<A name="242"></a><font color="blue">PAGE 242</font><br>
<br>
The prototypes for string functions are:<br>
<br>
<font class="fixd">void insb(unsigned port, void *addr, unsigned long count);<br>
void outsb(unsigned port, void *addr, unsigned long count);</font><br>
<div class="bq">
Read or write <font class="fixd">count</font> bytes starting at the memory address <font class="fixd">addr.</font> Data is read from
or written to the single port <font class="fixd">port.</font></div>
<br>
<font class="fixd">void insw(unsigned port, void *addr, unsigned long count);<br>
void outsw(unsigned port, void *addr, unsigned long count);</font><br>
<div class="bq">
Read or write 16-bit values to a single 16-bit port.</div>
<br>
<font class="fixd">void insl(unsigned port, void *addr, unsigned long count);<br>
void outsl(unsigned port, void *addr, unsigned long count);</font><br>
<div class="bq">
Read or write 32-bit values to a single 32-bit port.</div>
<br>
There is one thing to keep in mind when using the string functions: they move a
straight byte stream to or from the port. When the port and the host system have different
byte ordering rules, the results can be surprising. Reading a port with <i>inw
</i>swaps the bytes, if need be, to make the value read match the host ordering. The
string functions, instead, do not perform this swapping.<br>
<br>
<a name="PausingIO"></a><font color="red"><b>Pausing I/O</b></font><br>
<br>
Some platforms--most notably the i386--can have problems when the processor
tries to transfer data too quickly to or from the bus. The problems can arise when the
processor is overclocked with respect to the peripheral bus (think ISA here) and can
show up when the device board is too slow. The solution is to insert a small delay
after each I/O instruction if another such instruction follows. On the x86, the pause
is achieved by performing an <font class="fixd">out b</font> instruction to port 0x80 (normally but not always
unused), or by busy waiting. See the <i>io.h </i>file under your platform's <i>asm </i>subdirectory
for details.<br>
<br>
If your device misses some data, or if you fear it might miss some, you can use pausing
functions in place of the normal ones. The pausing functions are exactly like
those listed previously, but their names end in <i>_p</i>; they are called <i>inb_p</i>, <i>outb_p</i>, and
so on. The functions are defined for most supported architectures, although they
often expand to the same code as nonpausing I/O, because there is no need for the
extra pause if the architecture runs with a reasonably modern peripheral bus.<br>
<br>
<a name="PlatformDependencies"></a><font color="red"><b>Platform Dependencies</b></font><br>
<br>
I/O instructions are, by their nature, highly processor dependent. Because they work
with the details of how the processor handles moving data in and out, it is very hard
to hide the differences between systems. As a consequence, much of the source code
related to port I/O is platform-dependent.<br>
<br>
You can see one of the incompatibilities, data typing, by looking back at the list of functions,
where the arguments are typed differently based on the architectural differences<br>
<br>
<A name="243"></a><font color="blue">PAGE 243</font><br>
<br>
between platforms. For example, a port is <font class="fixd">unsigned short</font> on the x86 (where the processor
supports a 64-KB I/O space), but <font class="fixd">unsigned long</font> on other platforms, whose ports are
just special locations in the same address space as memory.<br>
<br>
Other platform dependencies arise from basic structural differences in the processors
and are, therefore, unavoidable. We won't go into detail about the differences,
because we assume that you won't be writing a device driver for a particular system
without understanding the underlying hardware. Instead, here is an overview of the
capabilities of the architectures supported by the kernel:<br>
<br>
<i>IA-32 (x86)<br>
x86_64</i><br>
<div class="bq">
The architecture supports all the functions described in this chapter. Port numbers
are of type <font class="fixd">unsigned short</font>.</div>
<br>
<i>IA-64 (Itanium)</i><br>
<div class="bq">
All functions are supported; ports are <font class="fixd">unsigned long</font> (and memory-mapped).
String functions are implemented in C.</div>
<br>
<i>Alpha</i><br>
<div class="bq">
All the functions are supported, and ports are memory-mapped. The implementation
of port I/O is different in different Alpha platforms, according to the
chipset they use. String functions are implemented in C and defined in <i>arch/
alpha/lib/io.c</i>. Ports are <font class="fixd">unsigned long</font>.</div>
<br>
<i>ARM</i><br>
<div class="bq">
Ports are memory-mapped, and all functions are supported; string functions are
implemented in C. Ports are of type <font class="fixd">unsigned int</font>.</div>
<br>
<i>Cris</i><br>
<div class="bq">
This architecture does not support the I/O port abstraction even in an emulated
mode; the various port operations are defined to do nothing at all.</div>
<br>
<i>M68k<br>
M68k-nommu</i><br>
<div class="bq">
Ports are memory-mapped. String functions are supported, and the port type is
<font class="fixd">unsigned char *.</font></div>
<br>
<i>MIPS<br>
MIPS64</i><br>
<div class="bq">
The MIPS port supports all the functions. String operations are implemented
with tight assembly loops, because the processor lacks machine-level string I/O.
Ports are memory-mapped; they are <font class="fixd">unsigned long</font>.</div>
<br>
<i>PA-RISC</i><br>
<div class="bq">
All of the functions are supported; ports are int on PCI-based systems and
<font class="fixd">unsigned short</font> on EISA systems, except for string operations, 
which use <font class="fixd">unsigned long</font> port numbers.</div>
<br>
<A name="244"></a><font color="blue">PAGE 244</font><br>
<br>
<i>PowerPC<br>
PowerPC64</i><br>
<div class="bq">
All the functions are supported; ports have type <font class="fixd">unsigned char *</font> on 32-bit systems
and <font class="fixd">unsigned long</font> on 64-bit systems.</div>
<br>
<i>S390</i><br>
<div class="bq">
Similar to the M68k, the header for this platform supports only byte-wide port I/O
with no string operations. Ports are char pointers and are memory-mapped.</div>
<br>
<i>Super-H</i><br>
<div class="bq">
Ports are <font class="fixd">unsigned int</font> (memory-mapped), and all the functions are supported.</div>
<br>
<i>SPARC<br>
SPARC64</i><br>
<div class="bq">
Once again, I/O space is memory-mapped. Versions of the port functions are
defined to work with <font class="fixd">unsigned long</font> ports.</div>
<br>
The curious reader can extract more information from the <i>io.h </i>files, which sometimes
define a few architecture-specific functions in addition to those we describe in
this chapter. Be warned that some of these files are rather difficult reading, however.<br>
<br>
It's interesting to note that no processor outside the x86 family features a different
address space for ports, even though several of the supported families are shipped
with ISA and/or PCI slots (and both buses implement separate I/O and memory
address spaces).<br>
<br>
Moreover, some processors (most notably the early Alphas) lack instructions that
move one or two bytes at a time.* Therefore, their peripheral chipsets simulate 8-bit
and 16-bit I/O accesses by mapping them to special address ranges in the memory
address space. Thus, an <i>inb </i>and an <i>inw </i>instruction that act on the same port are
implemented by two 32-bit memory reads that operate on different addresses. Fortunately,
all of this is hidden from the device driver writer by the internals of the macros
described in this section, but we feel it's an interesting feature to note. If you
want to probe further, look for examples in <i>include/asm-alpha/core_lca.h</i>.<br>
<br>
How I/O operations are performed on each platform is well described in the programmer's
manual for each platform; those manuals are usually available for download
as PDFs on the Web.<br>
<br>
* Single-byte I/O is not as important as one may imagine, because it is a rare operation. To read/write a single 
byte to any address space, you need to implement a data path connecting the low bits of the register-set data
bus to any byte position in the external data bus. These data paths require additional logic gates that get in
the way of every data transfer. Dropping byte-wide loads and stores can benefit overall system performance.<br>
<br>
<A name="245"></a><font color="blue">PAGE 245</font><br>
<br>
<a name="AnIOPortExample"></a><font color="red"><b>An I/O Port Example</b></font><br>
<br>
The sample code we use to show port I/O from within a device driver acts on general-purpose
digital I/O ports; such ports are found in most computer systems.<br>
<br>
A digital I/O port, in its most common incarnation, is a byte-wide I/O location,
either memory-mapped or port-mapped. When you write a value to an output location,
the electrical signal seen on output pins is changed according to the individual
bits being written. When you read a value from the input location, the current logic
level seen on input pins is returned as individual bit values.<br>
<br>
The actual implementation and software interface of such I/O ports varies from system
to system. Most of the time, I/O pins are controlled by two I/O locations: one
that allows selecting what pins are used as input and what pins are used as output
and one in which you can actually read or write logic levels. Sometimes, however,
things are even simpler, and the bits are hardwired as either input or output (but, in
this case, they're no longer called "general-purpose I/O"); the parallel port found on
all personal computers is one such not-so-general-purpose I/O port. Either way, the
I/O pins are usable by the sample code we introduce shortly.<br>
<br>
<a name="AnOverviewOfTheParallelPort"></a><font color="red"><b>An Overview of the Parallel Port</b></font><br>
<br>
Because we expect most readers to be using an x86 platform in the form called "personal
computer," we feel it is worth explaining how the PC parallel port is designed.
The parallel port is the peripheral interface of choice for running digital I/O sample
code on a personal computer. Although most readers probably have parallel port
specifications available, we summarize them here for your convenience.<br>
<br>
The parallel interface, in its minimal configuration (we overlook the ECP and EPP
modes) is made up of three 8-bit ports. The PC standard starts the I/O ports for the
first parallel interface at 0x378 and for the second at 0x278. The first port is a bidirectional
data register; it connects directly to pins 2-9 on the physical connector. The
second port is a read-only status register; when the parallel port is being used for a
printer, this register reports several aspects of printer status, such as being online,
out of paper, or busy. The third port is an output-only control register, which,
among other things, controls whether interrupts are enabled.<br>
<br>
The signal levels used in parallel communications are standard transistor-transistor
logic (TTL) levels: 0 and 5 volts, with the logic threshold at about 1.2 volts. You can
count on the ports at least meeting the standard TTL LS current ratings, although
most modern parallel ports do better in both current and voltage ratings.<br>
<br>
<A name="246"></a><font color="blue">PAGE 246</font><br>
<br>
<div class="warn">The parallel connector is not isolated from the computer's internal circuitry,
which is useful if you want to connect logic gates directly to the
port. But you have to be careful to do the wiring correctly; the parallel
port circuitry is easily damaged when you play with your own custom
circuitry, unless you add optoisolators to your circuit. You can choose
to use plug-in parallel ports if you fear you'll damage your motherboard.</div>
<br>
The bit specifications are outlined in Figure 9-1. You can access 12 output bits and 5
input bits, some of which are logically inverted over the course of their signal path.
The only bit with no associated signal pin is bit 4 (0x10) of port 2, which enables
interrupts from the parallel port. We use this bit as part of our implementation of an
interrupt handler in Chapter 10.<br>
<br><br>
<center>
<img src="fig9-1.gif">
</center>
<br>
<i>Figure 9-1. The pinout of the parallel port</i><br>
<br>
<a name="ASampleDriver"></a><font color="red"><b>A Sample Driver</b></font><br>
<br>
The driver we introduce is called <i>short </i>(Simple Hardware Operations and Raw
Tests). All it does is read and write a few 8-bit ports, starting from the one you select
at load time. By default, it uses the port range assigned to the parallel interface of the
PC. Each device node (with a unique minor number) accesses a different port. The
<i>short </i>driver doesn't do anything useful; it just isolates for external use as a single
instruction acting on a port. If you are not used to port I/O, you can use <i>short </i>to get<br>
<br>
<A name="247"></a><font color="blue">PAGE 247</font><br>
<br>
familiar with it; you can measure the time it takes to transfer data through a port or
play other games.<br>
<br>
For <i>short </i>to work on your system, it must have free access to the underlying hardware
device (by default, the parallel interface); thus, no other driver may have allocated
it. Most modern distributions set up the parallel port drivers as modules that
are loaded only when needed, so contention for the I/O addresses is not usually a
problem. If, however, you get a "can't get I/O address" error from <i>short </i>(on the console
or in the system log file), some other driver has probably already taken the port.
A quicklook at <i>/proc/ioports </i>usually tells you which driver is getting in the way. The
same caveat applies to other I/O devices if you are not using the parallel interface.<br>
<br>
From now on, we just refer to "the parallel interface" to simplify the discussion.
However, you can set the base module parameter at load time to redirect <i>short </i>to
other I/O devices. This feature allows the sample code to run on any Linux platform
where you have access to a digital I/O interface that is accessible via <i>outb </i>and <i>inb
</i>(even though the actual hardware is memory-mapped on all platforms but the x86).
Later, in the section "Using I/O Memory," we show how <i>short </i>can be used with
generic memory-mapped digital I/O as well.<br>
<br>
To watch what happens on the parallel connector and if you have a bit of an inclination
to work with hardware, you can solder a few LEDs to the output pins. Each
LED should be connected in series to a 1-K resistor leading to a ground pin (unless,
of course, your LEDs have the resistor built in). If you connect an output pin to an
input pin, you'll generate your own input to be read from the input ports.<br>
<br>
Note that you cannot just connect a printer to the parallel port and see data sent to
<i>short</i>. This driver implements simple access to the I/O ports and does not perform
the handshake that printers need to operate on the data. In the next chapter, we
show a sample driver (called <i>shortprint</i>), that is capable of driving parallel printers;
that driver uses interrupts, however, so we can't get to it quite yet.<br>
<br>
If you are going to view parallel data by soldering LEDs to a D-type connector, we
suggest that you not use pins 9 and 10, because we connect them together later to
run the sample code shown in Chapter 10.<br>
<br>
As far as <i>short </i>is concerned, <i>/dev/short0 </i>writes to and reads from the 8-bit port
located at the I/O address base (0x378 unless changed at load time). <i>/dev/short1
</i>writes to the 8-bit port located at <font class="fixd">base + 1,</font> and so on up to <font class="fixd">base + 7.</font><br>
<br>
The actual output operation performed by <i>/dev/short0 </i>is based on a tight loop using
<i>outb</i>. A memory barrier instruction is used to ensure that the output operation actually
takes place and is not optimized away:<br>
<pre>
while (count--) {
    outb(*(ptr++), port);
    wmb( );
}
</pre>
<A name="248"></a><font color="blue">PAGE 248</font><br>
<br>
You can run the following command to light your LEDs:<br>
<pre>
echo  -n &quot;any string&quot;  &gt; /dev/short0
</pre>
Each LED monitors a single bit of the output port. Remember that only the last character
written remains steady on the output pins long enough to be perceived by your
eyes. For that reason, we suggest that you prevent automatic insertion of a trailing
newline by passing the <i>-n</i> option to <i>echo</i>.<br>
<br>
Reading is performed by a similar function, built around <i>inb </i>instead of <i>outb</i>. In order
to read "meaningful" values from the parallel port, you need to have some hardware
connected to the input pins of the connector to generate signals. If there is no signal,
you read an endless stream of identical bytes. If you choose to read from an output
port, you most likely get back the last value written to the port (this applies to the
parallel interface and to most other digital I/O circuits in common use). Thus, those
uninclined to get out their soldering irons can read the current output value on port
0x378 by running a command such as:<br>
<pre>
dd if=/dev/short0 bs=1 count=1 | od -t x1
</pre>
To demonstrate the use of all the I/O instructions, there are three variations of each
<i>short </i>device: <i>/dev/short0 </i>performs the loop just shown, <i>/dev/short0p </i>uses <i>outb_p </i>and
<i>inb_p </i>in place of the "fast" functions, and <i>/dev/short0s </i>uses the string instructions.
There are eight such devices, from <i>short0 </i>to <i>short7</i>. Although the PC parallel interface
has only three ports, you may need more of them if using a different I/O device
to run your tests.<br>
<br>
The <i>short </i>driver performs an absolute minimum of hardware control but is adequate
to show how the I/O port instructions are used. Interested readers may want to look
at the source for the <i>parport </i>and <i>parport_pc </i>modules to see how complicated this
device can get in real life in order to support a range of devices (printers, tape
backup, network interfaces) on the parallel port.<br>
<br>
<a name="UsingIOMemory"></a><font color="red"><b>Using I/O Memory</b></font><br>
<br>
Despite the popularity of I/O ports in the x86 world, the main mechanism used to
communicate with devices is through memory-mapped registers and device memory.
Both are called <i>I/O memory </i>because the difference between registers and memory
is transparent to software.<br>
<br>
I/O memory is simply a region of RAM-like locations that the device makes available
to the processor over the bus. This memory can be used for a number of purposes,
such as holding video data or Ethernet packets, as well as implementing device registers
that behave just like I/O ports (i.e., they have side effects associated with reading
and writing them).<br>
<br>
The way to access I/O memory depends on the computer architecture, bus, and
device being used, although the principles are the same everywhere. The discussion<br>
<br>
<A name="249"></a><font color="blue">PAGE 249</font><br>
<br>
in this chapter touches mainly on ISA and PCI memory, while trying to convey general
information as well. Although access to PCI memory is introduced here, a thorough
discussion of PCI is deferred to Chapter 12.<br>
<br>
Depending on the computer platform and bus being used, I/O memory may or may
not be accessed through page tables. When access passes though page tables, the
kernel must first arrange for the physical address to be visible from your driver, and
this usually means that you must call <i>ioremap </i>before doing any I/O. If no page tables
are needed, I/O memory locations look pretty much like I/O ports, and you can just
read and write to them using proper wrapper functions.<br>
<br>
Whether or not <i>ioremap </i>is required to access I/O memory, direct use of pointers to I/O
memory is discouraged. Even though (as introduced in the section "I/O Ports and I/O
Memory") I/O memory is addressed like normal RAM at hardware level, the extra
care outlined in the section "I/O Registers and Conventional Memory" suggests
avoiding normal pointers. The wrapper functions used to access I/O memory are safe
on all platforms and are optimized away whenever straight pointer dereferencing can
perform the operation.<br>
<br>
Therefore, even though dereferencing a pointer works (for now) on the x86, failure
to use the proper macros hinders the portability and readability of the driver.<br>
<br>
<a name="IOMemoryAllocationAndMapping"></a><font color="red"><b>I/O Memory Allocation and Mapping</b></font><br>
<br>
I/O memory regions must be allocated prior to use. The interface for allocation of
memory regions (defined in <i>&lt;linux/ioport.h&gt;</i>) is:<br>
<pre>
struct resource *request_mem_region(unsigned long start, unsigned long len,
                                    char *name);
</pre>
This function allocates a memory region of len bytes, starting at start. If all goes
well, a <font class="fixd">non-NULL</font> pointer is returned; otherwise the return value is <font class="fixd">NULL</font>. All I/O memory
allocations are listed in <i>/proc/iomem</i>.<br>
<br>
Memory regions should be freed when no longer needed:<br>
<pre>
void release_mem_region(unsigned long start, unsigned long len);
</pre>
There is also an old function for checking I/O memory region availability:<br>
<pre>
int check_mem_region(unsigned long start, unsigned long len);
</pre>
But, as with <i>check_region</i>, this function is unsafe and should be avoided.<br>
<br>
Allocation of I/O memory is not the only required step before that memory may be
accessed. You must also ensure that this I/O memory has been made accessible to the
kernel. Getting at I/O memory is not just a matter of dereferencing a pointer; on many
systems, I/O memory is not directly accessible in this way at all. So a mapping must
be set up first. This is the role of the <i>ioremap </i>function, introduced in the section<br>
<br>
<A name="250"></a><font color="blue">PAGE 250</font><br>
<br>
"vmalloc and Friends" in Chapter 1. The function is designed specifically to assign
virtual addresses to I/O memory regions.<br>
<br>
Once equipped with <i>ioremap </i>(and <i>iounmap</i>), a device driver can access any I/O
memory address, whether or not it is directly mapped to virtual address space.
Remember, though, that the addresses returned from <i>ioremap </i>should not be dereferenced
directly; instead, accessor functions provided by the kernel should be used.
Before we get into those functions, we'd better review the <i>ioremap </i>prototypes and
introduce a few details that we passed over in the previous chapter.<br>
<br>
The functions are called according to the following definition:<br>
<pre>
#include &lt;asm/io.h&gt;
void *ioremap(unsigned long phys_addr, unsigned long size);
void *ioremap_nocache(unsigned long phys_addr, unsigned long size);
void iounmap(void * addr);
</pre>
First of all, you notice the new function <i>ioremap_nocache</i>. We didn't cover it in
Chapter 8, because its meaning is definitely hardware related. Quoting from one of
the kernel headers: "It's useful if some control registers are in such an area, and write
combining or read caching is not desirable." Actually, the function's implementation
is identical to <i>ioremap </i>on most computer platforms: in situations where all of I/O
memory is already visible through noncacheable addresses, there's no reason to
implement a separate, noncaching version of <i>ioremap</i>.<br>
<br>
<a name="AccessingIOMemory"></a><font color="red"><b>Accessing I/O Memory</b></font><br>
<br>
On some platforms, you may get away with using the return value from <i>ioremap </i>as a
pointer. Such use is not portable, and, increasingly, the kernel developers have been
working to eliminate any such use. The proper way of getting at I/O memory is via a
set of functions (defined via <i>&lt;asm/io.h&gt;</i>) provided for that purpose.<br>
<br>
To read from I/O memory, use one of the following:<br>
<pre>
unsigned int ioread8(void *addr);
unsigned int ioread16(void *addr);
unsigned int ioread32(void *addr);
</pre>
Here, <font class="fixd">addr</font> should be an address obtained from <i>ioremap </i>(perhaps with an integer offset);
the return value is what was read from the given I/O memory.<br>
<br>
There is a similar set of functions for writing to I/O memory:<br>
<pre>
void iowrite8(u8 value, void *addr);
void iowrite16(u16 value, void *addr);
void iowrite32(u32 value, void *addr);
</pre>
If you must read or write a series of values to a given I/O memory address, you can
use the repeating versions of the functions:<br>
<pre>
void ioread8_rep(void *addr, void *buf, unsigned long count);
void ioread16_rep(void *addr, void *buf, unsigned long count);
</pre>
<A name="251"></a><font color="blue">PAGE 251</font><br>
<pre>
void ioread32_rep(void *addr, void *buf, unsigned long count);
void iowrite8_rep(void *addr, const void *buf, unsigned long count);
void iowrite16_rep(void *addr, const void *buf, unsigned long count);
void iowrite32_rep(void *addr, const void *buf, unsigned long count);
</pre>
These functions read or write <font class="fixd">count</font> values from the given <font class="fixd">buf</font> to the given <font class="fixd">addr.</font> Note
that <font class="fixd">count</font> is expressed in the size of the data being written; <i>ioread32_rep </i>reads <font class="fixd">count</font>
32-bit values starting at <font class="fixd">buf.</font><br>
<br>
The functions described above perform all I/O to the given <font class="fixd">addr.</font> If, instead, you need
to operate on a block of I/O memory, you can use one of the following:<br>
<pre>
void memset_io(void *addr, u8 value, unsigned int count);
void memcpy_fromio(void *dest, void *source, unsigned int count);
void memcpy_toio(void *dest, void *source, unsigned int count);
</pre>
These functions behave like their C library analogs.<br>
<br>
If you read through the kernel source, you see many calls to an older set of functions
when I/O memory is being used. These functions still work, but their use in new
code is discouraged. Among other things, they are less safe because they do not perform
the same sort of type checking. Nonetheless, we describe them here:<br>
<br>
<font class="fixd">unsigned readb(address);<br>
unsigned readw(address);<br>
unsigned readl(address);</font><br>
<div class="bq">These macros are used to retrieve 8-bit, 16-bit, and 32-bit data values from I/O
memory.</div>
<br>
<font class="fixd">void writeb(unsigned value, address);<br>
void writew(unsigned value, address);<br>
void writel(unsigned value, address);</font><br>
<div class="bq">Like the previous functions, these functions (macros) are used to write 8-bit, 16bit,
and 32-bit data items.</div>
<br>
Some 64-bit platforms also offer <i>readq </i>and <i>writeq</i>, for quad-word (8-byte) memory
operations on the PCI bus. The <i>quad-word </i>nomenclature is a historical leftover from
the times when all real processors had 16-bit words. Actually, the <i>L </i>naming used for
32-bit values has become incorrect too, but renaming everything would confuse
things even more.<br>
<br>
<a name="PortsAsIOMemory"></a><font color="red"><b>Ports as I/O Memory</b></font><br>
<br>
Some hardware has an interesting feature: some versions use I/O ports, while others
use I/O memory. The registers exported to the processor are the same in either case,
but the access method is different. As a way of making life easier for drivers dealing
with this kind of hardware, and as a way of minimizing the apparent differences
between I/O port and memory accesses, the 2.6 kernel provides a function called
<i>ioport_map</i>:<br>
<pre>
void *ioport_map(unsigned long port, unsigned int count);
</pre>
<A name="252"></a><font color="blue">PAGE 252</font><br>
<br>
This function remaps <font class="fixd">count</font> I/O ports and makes them appear to be I/O memory.
From that point thereafter, the driver may use <i>ioread8 </i>and friends on the returned
addresses and forget that it is using I/O ports at all.<br>
<br>
This mapping should be undone when it is no longer needed:<br>
<pre>
void ioport_unmap(void *addr);
</pre>
These functions make I/O ports look like memory. Do note, however, that the I/O
ports must still be allocated with <i>request_region </i>before they can be remapped in this
way.<br>
<br>
<a name="ReusingShortForIOMemory"></a><font color="red"><b>Reusing short for I/O Memory</b></font><br>
<br>
The <i>short </i>sample module, introduced earlier to access I/O ports, can be used to
access I/O memory as well. To this aim, you must tell it to use I/O memory at load
time; also, you need to change the base address to make it point to your I/O region.<br>
<br>
For example, this is how we used <i>short </i>to light the debug LEDs on a MIPS development
board:<br>
<pre>
mips.root# <b>./short_load use_mem=1 base=0xb7ffffc0
</b>mips.root# <b>echo -n 7 &gt; /dev/short0</b>
</pre>
Use of <i>short</i> for I/O memory is the same as it is for I/O ports.<br>
<br>
The following fragment shows the loop used by <i>short</i> in writing to a memory location:<br>
<pre>
while (count--) {
    iowrite8(*ptr++, address);
    wmb( );
}
</pre>
Note the use of a write memory barrier here. Because <i>iowrite8 </i>likely turns into a
direct assignment on many architectures, the memory barrier is needed to ensure
that the writes happen in the expected order.<br>
<br>
<i>short </i>uses <i>inb </i>and <i>outb </i>to show how that is done. It would be a straightforward exercise
for the reader, however, to change <i>short </i>to remap I/O ports with <i>ioport_map</i>,
and simplify the rest of the code considerably.<br>
<br>
<a name="ISAMemoryBelow1MB"></a><font color="red"><b>ISA Memory Below 1 MB</b></font><br>
<br>
One of the most well-known I/O memory regions is the ISA range found on personal
computers. This is the memory range between 640 KB (0xA0000) and 1 MB
(0x100000). Therefore, it appears right in the middle of regular system RAM. This
positioning may seem a little strange; it is an artifact of a decision made in the early
1980s, when 640 KB of memory seemed like more than anybody would ever be able
to use.<br>
<br>
<A name="253"></a><font color="blue">PAGE 253</font><br>
<br>
This memory range belongs to the non-directly-mapped class of memory.* You can
read/write a few bytes in that memory range using the <i>short </i>module as explained previously,
that is, by setting <font class="fixd">use_mem</font> at load time.<br>
<br>
Although ISA I/O memory exists only in x86-class computers, we thinkit's worth
spending a few words and a sample driver on it.<br>
<br>
We are not going to discuss PCI memory in this chapter, since it is the cleanest kind
of I/O memory: once you know the physical address, you can simply remap and
access it. The "problem" with PCI I/O memory is that it doesn't lend itself to a working
example for this chapter, because we can't know in advance the physical
addresses your PCI memory is mapped to, or whether it's safe to access either of
those ranges. We chose to describe the ISA memory range, because it's both less
clean and more suitable to running sample code.<br>
<br>
To demonstrate access to ISA memory, we use yet another silly little module (part of
the sample sources). In fact, this one is called <i>silly</i>, as an acronym for Simple Tool for
Unloading and Printing ISA Data, or something like that.<br>
<br>
The module supplements the functionality of <i>short </i>by giving access to the whole
384-KB memory space and by showing all the different I/O functions. It features four
device nodes that perform the same task using different data transfer functions. The
<i>silly </i>devices act as a window over I/O memory, in a way similar to <i>/dev/mem</i>. You
can read and write data, and <i>lseek</i> to an arbitrary I/O memory address.<br>
<br>
Because <i>silly </i>provides access to ISA memory, it must start by mapping the physical
ISA addresses into kernel virtual addresses. In the early days of the Linux kernel, one
could simply assign a pointer to an ISA address of interest, then dereference it
directly. In the modern world, though, we must work with the virtual memory system
and remap the memory range first. This mapping is done with <i>ioremap</i>, as
explained earlier for <i>short</i>:<br>
<pre>
#define ISA_BASE    0xA0000
#define ISA_MAX     0x100000  /* for general memory access */

    /* this line appears in silly_init */
    io_base = ioremap(ISA_BASE, ISA_MAX - ISA_BASE);
</pre>
<i>ioremap </i>returns a pointer value that can be used with <i>ioread8 </i>and the other functions
explained in the section "Accessing I/O Memory."<br>
<br>
Let's look back at our sample module to see how these functions might be used. <i>/dev/
sillyb</i>, featuring minor number 0, accesses I/O memory with <i>ioread8 </i>and <i>iowrite8</i>.
The following code shows the implementation for <i>read</i>, which makes the address<br>
<br>
* Actually, this is not completely true. The memory range is so small and so frequently used that the kernel 
builds page tables at boot time to access those addresses. However, the virtual address used to access them
is not the same as the physical address, and thus <i>ioremap</i> is needed anyway.<br>
<br>
<A name="254"></a><font color="blue">PAGE 254</font><br>
<br>
range 0xA0000-0xFFFFF available as a virtual file in the range 0-0x5FFFF. The <i>read
</i>function is structured as a <font class="fixd">switch</font> statement over the different access modes; here is
the <i>sillyb </i>case:<br>
<pre>
case M_8:
  while (count) {
      *ptr = ioread8(add);
      add++;
      count--;
      ptr++;
  }
  break;
</pre>
The next two devices are <i>/dev/sillyw </i>(minor number 1) and <i>/dev/sillyl </i>(minor number
2). They act like <i>/dev/sillyb</i>, except that they use 16-bit and 32-bit functions. Here's
the <i>write</i> implementation of <i>sillyl</i>, again part of a switch:<br>
<pre>
case M_32:
  while (count &gt;= 4) {
      iowrite8(*(u32 *)ptr, add);
      add += 4;
      count -= 4;
      ptr += 4;
  }
  break;
</pre>
The last device is <i>/dev/sillycp </i>(minor number 3), which uses the <i>memcpy_*io </i>functions
to perform the same task. Here's the core of its <i>read</i> implementation:<br>
<pre>
case M_memcpy:
  memcpy_fromio(ptr, add, count);
  break;
</pre>
Because <i>ioremap </i>was used to provide access to the ISA memory area, <i>silly </i>must
invoke <i>iounmap</i> when the module is unloaded:<br>
<pre>
iounmap(io_base);
</pre>
<a name="IsareadbAndFriends"></a><font color="red"><b>isa_readb and Friends</b></font><br>
<br>
A look at the kernel source will turn up another set of routines with names such as
<i>isa_readb</i>. In fact, each of the functions just described has an <i>isa_ </i>equivalent. These
functions provide access to ISA memory without the need for a separate <i>ioremap
</i>step. The word from the kernel developers, however, is that these functions are
intended to be temporary driver-porting aids and that they may go away in the
future. Therefore, you should avoid using them.<br>
<br>
<A name="255"></a><font color="blue">PAGE 255</font><br>
<br>
<a name="QuickReference9"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter introduced the following symbols related to hardware management:<br>
<br>
<font class="fixd">#include &lt;linux/kernel.h&gt;<br>
void barrier(void)</font><br>
<div class="bq">
This "software" memory barrier requests the compiler to consider all memory
volatile across this instruction.</div>
<br>
<font class="fixd">#include &lt;asm/system.h&gt;<br>
void rmb(void);<br>
void read_barrier_depends(void);<br>
void wmb(void);<br>
void mb(void);</font><br>
<div class="bq">
Hardware memory barriers. They request the CPU (and the compiler) to checkpoint
all memory reads, writes, or both across this instruction.</div>
<br>
<font class="fixd">#include &lt;asm/io.h&gt;<br>
unsigned inb(unsigned port);<br>
void outb(unsigned char byte, unsigned port);<br>
unsigned inw(unsigned port);<br>
void outw(unsigned short word, unsigned port);<br>
unsigned inl(unsigned port);<br>
void outl(unsigned doubleword, unsigned port);</font><br>
<div class="bq">
Functions that are used to read and write I/O ports. They can also be called by
user-space programs, provided they have the right privileges to access ports.</div>
<br>
<font class="fixd">unsigned inb_p(unsigned port);<br>
...</font><br>
<div class="bq">
If a small delay is needed after an I/O operation, you can use the six pausing
counterparts of the functions introduced in the previous entry; these pausing
functions have names ending in <i>_p.</i></div>
<br>
<font class="fixd">void insb(unsigned port, void *addr, unsigned long count);<br>
void outsb(unsigned port, void *addr, unsigned long count);<br>
void insw(unsigned port, void *addr, unsigned long count);<br>
void outsw(unsigned port, void *addr, unsigned long count);<br>
void insl(unsigned port, void *addr, unsigned long count);<br>
void outsl(unsigned port, void *addr, unsigned long count);</font><br>
<div class="bq">
The "string functions" are optimized to transfer data from an input port to a
region of memory, or the other way around. Such transfers are performed by
reading or writing the same port count times.</div>
<br>
<A name="256"></a><font color="blue">PAGE 256</font><br>
<br>
<font class="fixd">#include &lt;linux/ioport.h&gt;<br>
struct resource *request_region(unsigned long start, unsigned long len, char *name);<br>
void release_region(unsigned long start, unsigned long len);<br>
int check_region(unsigned long start, unsigned long len);</font><br>
<div class="bq">
Resource allocators for I/O ports. The (deprecated) <i>check </i>function returns 0 for
success and less than 0 in case of error.</div>
<br>
<font class="fixd">struct resource *request_mem_region(unsigned long start, unsigned long len, char *name);<br>
void release_mem_region(unsigned long start, unsigned long len);<br>
int check_mem_region(unsigned long start, unsigned long len);</font><br>
<div class="bq">
Functions that handle resource allocation for memory regions.</div>
<br>
<font class="fixd">#include &lt;asm/io.h&gt;<br>
void *ioremap(unsigned long phys_addr, unsigned long size);<br>
void *ioremap_nocache(unsigned long phys_addr, unsigned long size);<br>
void iounmap(void *virt_addr);</font><br>
<div class="bq">
<i>ioremap </i>remaps a physical address range into the processor's virtual address
space, making it available to the kernel. <i>iounmap </i>frees the mapping when it is no
longer needed.</div>
<br>
<font class="fixd">#include &lt;asm/io.h&gt;<br>
unsigned int ioread8(void *addr);<br>
unsigned int ioread16(void *addr);<br>
unsigned int ioread32(void *addr);<br>
void iowrite8(u8 value, void *addr);<br>
void iowrite16(u16 value, void *addr);<br>
void iowrite32(u32 value, void *addr);</font><br>
<div class="bq">
Accessor functions that are used to work with I/O memory.</div>
<br>
<font class="fixd">void ioread8_rep(void *addr, void *buf, unsigned long count);<br>
void ioread16_rep(void *addr, void *buf, unsigned long count);<br>
void ioread32_rep(void *addr, void *buf, unsigned long count);<br>
void iowrite8_rep(void *addr, const void *buf, unsigned long count);<br>
void iowrite16_rep(void *addr, const void *buf, unsigned long count);<br>
void iowrite32_rep(void *addr, const void *buf, unsigned long count);</font><br>
<div class="bq">
"Repeating" versions of the I/O memory primitives.</div>
<br>
<A name="257"></a><font color="blue">PAGE 257</font><br>
<br>
<font class="fixd">unsigned readb(address);<br>
unsigned readw(address);<br>
unsigned readl(address);<br>
void writeb(unsigned value, address);<br>
void writew(unsigned value, address);<br>
void writel(unsigned value, address);<br>
memset_io(address, value, count);<br>
memcpy_fromio(dest, source, nbytes);<br>
memcpy_toio(dest, source, nbytes);</font><br>
<div class="bq">
Older, type-unsafe functions for accessing I/O memory.</div>
<br>
<font class="fixd">void *ioport_map(unsigned long port, unsigned int count);<br>
void ioport_unmap(void *addr);</font><br>
<div class="bq">
A driver author that wants to treat I/O ports as if they were I/O memory may pass
those ports to <i>ioport_map</i>. The mapping should be done (with <i>ioport_unmap</i>)
when no longer needed.</div>
<br>
<A name="258"></a><font color="blue">PAGE 258</font><br>
<br>
<a name="CHAPTER10"></a><font color="red"><b>CHAPTER 10</b></font><br>
<br>
<a name="InterruptHandling"></a><font color="#7519FF" size="+1"><b>Interrupt Handling</b></font><br>
<br>
Although some devices can be controlled using nothing but their I/O regions, most
real devices are a bit more complicated than that. Devices have to deal with the
external world, which often includes things such as spinning disks, moving tape,
wires to distant places, and so on. Much has to be done in a time frame that is different
from, and far slower than, that of the processor. Since it is almost always undesirable
to have the processor wait on external events, there must be a way for a device
to let the processor know when something has happened.<br>
<br>
That way, of course, is interrupts. An <i>interrupt </i>is simply a signal that the hardware
can send when it wants the processor's attention. Linux handles interrupts in much
the same way that it handles signals in user space. For the most part, a driver need
only register a handler for its device's interrupts, and handle them properly when
they arrive. Of course, underneath that simple picture there is some complexity; in
particular, interrupt handlers are somewhat limited in the actions they can perform
as a result of how they are run.<br>
<br>
It is difficult to demonstrate the use of interrupts without a real hardware device to
generate them. Thus, the sample code used in this chapter works with the parallel
port. Such ports are starting to become scarce on modern hardware, but, with luck,
most people are still able to get their hands on a system with an available port. We'll
be working with the <i>short </i>module from the previous chapter; with some small additions
it can generate and handle interrupts from the parallel port. The module's
name, <i>short</i>, actually means <i>short int </i>(it is C, isn't it?), to remind us that it handles
<i>int</i>errupts.<br>
<br>
Before we get into the topic, however, it is time for one cautionary note. Interrupt
handlers, by their nature, run concurrently with other code. Thus, they inevitably
raise issues of concurrency and contention for data structures and hardware. If you
succumbed to the temptation to pass over the discussion in Chapter 5, we understand.
But we also recommend that you turn back and have another look now. A
solid understanding of concurrency control techniques is vital when working with
interrupts.<br>
<br>
<A name="259"></a><font color="blue">PAGE 259</font><br>
<br>
<a name="PreparingTheParallelPort"></a><font color="red"><b>Preparing the Parallel Port</b></font><br>
<br>
Although the parallel interface is simple, it can trigger interrupts. This capability is
used by the printer to notify the <i>lp </i>driver that it is ready to accept the next character
in the buffer.<br>
<br>
Like most devices, the parallel port doesn't actually generate interrupts before it's
instructed to do so; the parallel standard states that setting bit 4 of port 2 (0x37a,
0x27a, or whatever) enables interrupt reporting. A simple <i>outb </i>call to set the bit is
performed by <i>short</i> at module initialization.<br>
<br>
Once interrupts are enabled, the parallel interface generates an interrupt whenever
the electrical signal at pin 10 (the so-called ACK bit) changes from low to high. The
simplest way to force the interface to generate interrupts (short of hooking up a
printer to the port) is to connect pins 9 and 10 of the parallel connector. A short
length of wire inserted into the appropriate holes in the parallel port connector on
the back of your system creates this connection. The pinout of the parallel port is
shown in Figure 9-1.<br>
<br>
Pin 9 is the most significant bit of the parallel data byte. If you write binary data to
<i>/dev/short0</i>, you generate several interrupts. Writing ASCII text to the port won't
generate any interrupts, though, because the ASCII character set has no entries with
the top bit set.<br>
<br>
If you'd rather avoid wiring pins together, but you do have a printer at hand, you can
run the sample interrupt handler using a real printer, as shown later. However, note
that the probing functions we introduce depend on the jumper between pin 9 and 10
being in place, and you need it to experiment with probing using our code.<br>
<br>
<a name="InstallingAnInterruptHandler"></a><font color="red"><b>Installing an Interrupt Handler</b></font><br>
<br>
If you want to actually "see" interrupts being generated, writing to the hardware
device isn't enough; a software handler must be configured in the system. If the
Linux kernel hasn't been told to expect your interrupt, it simply acknowledges and
ignores it.<br>
<br>
Interrupt lines are a precious and often limited resource, particularly when there are
only 15 or 16 of them. The kernel keeps a registry of interrupt lines, similar to the
registry of I/O ports. A module is expected to request an interrupt channel (or IRQ,
for interrupt request) before using it and to release it when finished. In many situations,
modules are also expected to be able to share interrupt lines with other drivers,
as we will see. The following functions, declared in <i>&lt;linux/interrupt.h&gt;</i>,
implement the interrupt registration interface:<br>
<pre>
int request_irq(unsigned int irq,
                irqreturn_t (*handler)(int, void *, struct pt_regs *),
                unsigned long flags,
</pre>
<A name="260"></a><font color="blue">PAGE 260</font><br>
<pre>
                const char *dev_name,
                void *dev_id);

void free_irq(unsigned int irq, void *dev_id);
</pre>
The value returned from <i>request_irq </i>to the requesting function is either 0 to indicate
success or a negative error code, as usual. It's not uncommon for the function to
return <font class="fixd">-EBUSY</font> to signal that another driver is already using the requested interrupt
line. The arguments to the functions are as follows:<br>
<br>
<font class="fixd">unsigned int irq</font><br>
<div class="bq">
The interrupt number being requested.</div>
<br>
<font class="fixd">irqreturn_t (*handler)(int, void *, struct pt_regs *)</font><br>
<div class="bq">
The pointer to the handling function being installed. We discuss the arguments
to this function and its return value later in this chapter.</div>
<br>
<font class="fixd">unsigned long flags</font><br>
<div class="bq">
As you might expect, a bit maskof options (described later) related to interrupt
management.</div>
<br>
<font class="fixd">const char *dev_name</font><br>
<div class="bq">
The string passed to <i>request_irq </i>is used in <i>/proc/interrupts </i>to show the owner of
the interrupt (see the next section).</div>
<br>
<font class="fixd">void *dev_id</font><br>
<div class="bq">
Pointer used for shared interrupt lines. It is a unique identifier that is used when
the interrupt line is freed and that may also be used by the driver to point to its
own private data area (to identify which device is interrupting). If the interrupt is
not shared, <font class="fixd">dev_id</font> can be set to <font class="fixd">NULL</font>, but it a good idea anyway to use this item
to point to the device structure. We'll see a practical use for <font class="fixd">dev_id</font> in the section
"Implementing a Handler."</div>
<br>
The bits that can be set in flags are as follows:<br>
<br>
<font class="fixd">SA_INTERRUPT</font><br>
<div class="bq">
When set, this indicates a "fast" interrupt handler. Fast handlers are executed
with interrupts disabled on the current processor (the topic is covered in the section
"Fast and Slow Handlers").</div>
<br>
<font class="fixd">SA_SHIRQ</font><br>
<div class="bq">
This bit signals that the interrupt can be shared between devices. The concept of
sharing is outlined in the section "Interrupt Sharing."</div>
<br>
<font class="fixd">SA_SAMPLE_RANDOM</font><br>
<div class="bq">
This bit indicates that the generated interrupts can contribute to the entropy pool
used by <i>/dev/random </i>and <i>/dev/urandom</i>. These devices return truly random numbers
when read and are designed to help application software choose secure keys
for encryption. Such random numbers are extracted from an entropy pool that is
contributed by various random events. If your device generates interrupts at truly
random times, you should set this flag. If, on the other hand, your interrupts are</div>
<br>
<A name="261"></a><font color="blue">PAGE 261</font><br>
<br>
<div class="bq">predictable (for example, vertical blanking of a frame grabber), the flag is not
worth setting--it wouldn't contribute to system entropy anyway. Devices that
could be influenced by attackers should not set this flag; for example, network
drivers can be subjected to predictable packet timing from outside and should not
contribute to the entropy pool. See the comments in <i>drivers/char/random.c </i>for
more information.</div>
<br>
The interrupt handler can be installed either at driver initialization or when the
device is first opened. Although installing the interrupt handler from within the module's
initialization function might sound like a good idea, it often isn't, especially if
your device does not share interrupts. Because the number of interrupt lines is limited,
you don't want to waste them. You can easily end up with more devices in your
computer than there are interrupts. If a module requests an IRQ at initialization, it
prevents any other driver from using the interrupt, even if the device holding it is
never used. Requesting the interrupt at device open, on the other hand, allows some
sharing of resources.<br>
<br>
It is possible, for example, to run a frame grabber on the same interrupt as a modem,
as long as you don't use the two devices at the same time. It is quite common for
users to load the module for a special device at system boot, even if the device is
rarely used. A data acquisition gadget might use the same interrupt as the second
serial port. While it's not too hard to avoid connecting to your Internet service provider
(ISP) during data acquisition, being forced to unload a module in order to use
the modem is really unpleasant.<br>
<br>
The correct place to call <i>request_irq </i>is when the device is first opened, <i>before </i>the
hardware is instructed to generate interrupts. The place to call <i>free_irq </i>is the last
time the device is closed, <i>after </i>the hardware is told not to interrupt the processor any
more. The disadvantage of this technique is that you need to keep a per-device open
count so that you know when interrupts can be disabled.<br>
<br>
This discussion notwithstanding, <i>short </i>requests its interrupt line at load time. This
was done so that you can run the test programs without having to run an extra process
to keep the device open. <i>short</i>, therefore, requests the interrupt from within its
initialization function (<i>short_init</i>) instead of doing it in <i>short_open</i>, as a real device
driver would.<br>
<br>
The interrupt requested by the following code is <font class="fixd">short_irq</font>. The actual assignment of
the variable (i.e., determining which IRQ to use) is shown later, since it is not relevant
to the current discussion. <font class="fixd">short_base</font> is the base I/O address of the parallel interface
being used; register 2 of the interface is written to enable interrupt reporting.<br>
<pre>
if (short_irq &gt;= 0) {
    result = request_irq(short_irq, short_interrupt,
            SA_INTERRUPT, &quot;short&quot;, NULL);
   if (result) {
        printk(KERN_INFO &quot;short: can't get assigned irq %i\n&quot;,
                short_irq);
</pre>
<A name="262"></a><font color="blue">PAGE 262</font><br>
<pre>
        short_irq = -1;
    }
    else { /* actually enable it -- assume this *is* a parallel port */
        outb(0x10,short_base+2);
    }
}
</pre>
The code shows that the handler being installed is a fast handler (<font class="fixd">SA_INTERRUPT</font>),
doesn't support interrupt sharing (<font class="fixd">SA_SHIRQ</font> is missing), and doesn't contribute to
system entropy (<font class="fixd">SA_SAMPLE_RANDOM</font> is missing, too). The <i>outb </i>call then enables interrupt
reporting for the parallel port.<br>
<br>
For what it's worth, the i386 and x86_64 architectures define a function for querying
the availability of an interrupt line:<br>
<pre>
int can_request_irq(unsigned int irq, unsigned long flags);
</pre>
This function returns a nonzero value if an attempt to allocate the given interrupt succeeds.
Note, however, that things can always change between calls to <i>can_request_irq
</i>and <i>request_irq</i>.<br>
<br>
<a name="TheProcInterface"></a><font color="red"><b>The /proc Interface</b></font><br>
<br>
Whenever a hardware interrupt reaches the processor, an internal counter is incremented,
providing a way to check whether the device is working as expected.<br>
<br>
Reported interrupts are shown in <i>/proc/interrupts</i>. The following snapshot was taken
on a two-processor Pentium system:<br>
<pre>
root@montalcino:/bike/corbet/write/ldd3/src/short# <b>m /proc/interrupts
</b>           CPU0       CPU1
  0:    4848108         34    IO-APIC-edge  timer
  2:          0          0          XT-PIC  cascade
  8:          3          1    IO-APIC-edge  rtc
 10:       4335          1   IO-APIC-level  aic7xxx
 11:       8903          0   IO-APIC-level  uhci_hcd
 12:         49          1    IO-APIC-edge  i8042
NMI:          0          0
LOC:    4848187    4848186
ERR:          0
MIS:          0
</pre>
The first column is the IRQ number. You can see from the IRQs that are missing that
the file shows only interrupts corresponding to installed handlers. For example, the
first serial port (which uses interrupt number 4) is not shown, indicating that the
modem isn't being used. In fact, even if the modem had been used earlier but wasn't
in use at the time of the snapshot, it would not show up in the file; the serial ports
are well behaved and release their interrupt handlers when the device is closed.<br>
<br>
The <i>/proc/interrupts </i>display shows how many interrupts have been delivered to each
CPU on the system. As you can see from the output, the Linux kernel generally handles<br>
<br>
<A name="263"></a><font color="blue">PAGE 263</font><br>
<br>
interrupts on the first CPU as a way of maximizing cache locality.* The last two columns
give information on the programmable interrupt controller that handles the interrupt
(and that a driver writer does not need to worry about), and the name(s) of the
device(s) that have registered handlers for the interrupt (as specified in the <font class="fixd">dev_name</font>
argument to <i>request_irq</i>).<br>
<br>
The <i>/proc </i>tree contains another interrupt-related file, <i>/proc/stat</i>; sometimes you'll
find one file more useful and sometimes you'll prefer the other. <i>/proc/stat </i>records
several low-level statistics about system activity, including (but not limited to) the
number of interrupts received since system boot. Each line of <i>stat </i>begins with a text
string that is the key to the line; the <font class="fixd">intr</font> markis what we are looking for. The following
(truncated) snapshot was taken shortly after the previous one:<br>
<pre>
intr 5167833 5154006 2 0 2 4907 0 2 68 4 0 4406 9291 50 0 0
</pre>
The first number is the total of all interrupts, while each of the others represents a
single IRQ line, starting with interrupt 0. All of the counts are summed across all
processors in the system. This snapshot shows that interrupt number 4 has been
used 4907 times, even though no handler is <i>currently </i>installed. If the driver you're
testing acquires and releases the interrupt at each open and close cycle, you may find
<i>/proc/stat</i> more useful than <i>/proc/interrupts</i>.<br>
<br>
Another difference between the two files is that <i>interrupts </i>is not architecture dependent
(except, perhaps, for a couple of lines at the end), whereas <i>stat </i>is; the number of
fields depends on the hardware underlying the kernel. The number of available interrupts
varies from as few as 15 on the SPARC to as many as 256 on the IA-64 and a
few other systems. It's interesting to note that the number of interrupts defined on
the x86 is currently 224, not 16 as you may expect; this, as explained in <i>include/
asm-i386/irq.h</i>, depends on Linux using the architectural limit instead of an implementation-specific
limit (such as the 16 interrupt sources of the old-fashioned PC
interrupt controller).<br>
<br>
The following is a snapshot of <i>/proc/interrupts </i>taken on an IA-64 system. As you can
see, besides different hardware routing of common interrupt sources, the output is
very similar to that from the 32-bit system shown earlier.<br>
<pre>
           CPU0       CPU1
 27:       1705      34141  IO-SAPIC-level  qla1280
 40:          0          0           SAPIC  perfmon
 43:        913       6960  IO-SAPIC-level  eth0
 47:      26722        146  IO-SAPIC-level  usb-uhci
 64:          3          6   IO-SAPIC-edge  ide0
 80:          4          2   IO-SAPIC-edge  keyboard
 89:          0          0   IO-SAPIC-edge  PS/2 Mouse
239:    5606341    5606052           SAPIC  timer
</pre>
* Although, some larger systems explicitly use interrupt balancing schemes to spread the 
interrupt load across the system.<br>
<br>
<A name="264"></a><font color="blue">PAGE 264</font><br>
<pre>
254:      67575      52815           SAPIC  IPI
NMI:          0          0
ERR:          0
</pre>
<a name="AutodetectingTheIRQNumber"></a><font color="red"><b>Auto-Detecting the IRQ Number</b></font><br>
<br>
One of the most challenging problems for a driver at initialization time can be how
to determine which IRQ line is going to be used by the device. The driver needs the
information in order to correctly install the handler. Even though a programmer
could require the user to specify the interrupt number at load time, this is a bad practice,
because most of the time the user doesn't know the number, either because he
didn't configure the jumpers or because the device is jumperless. Most users want
their hardware to "just work" and are not interested in issues like interrupt numbers.
So auto-detection of the interrupt number is a basic requirement for driver
usability.<br>
<br>
Sometimes auto-detection depends on the knowledge that some devices feature a
default behavior that rarely, if ever, changes. In this case, the driver might assume
that the default values apply. This is exactly how <i>short </i>behaves by default with the
parallel port. The implementation is straightforward, as shown by <i>short</i> itself:<br>
<pre>
if (short_irq &lt; 0) /* not yet specified: force the default on */
    switch(short_base) {
        case 0x378: short_irq = 7; break;
        case 0x278: short_irq = 2; break;
        case 0x3bc: short_irq = 5; break;
    }
</pre>
The code assigns the interrupt number according to the chosen base I/O address,
while allowing the user to override the default at load time with something like:<br>
<pre>
insmod ./short.ko irq=<i>x</i>
</pre>
<font class="fixd">short_base</font> defaults to <font class="fixd">0x378,</font> so <font class="fixd">short_irq</font> defaults to <font class="fixd">7.</font><br>
<br>
Some devices are more advanced in design and simply "announce" which interrupt
they're going to use. In this case, the driver retrieves the interrupt number by reading
a status byte from one of the device's I/O ports or PCI configuration space.
When the target device is one that has the ability to tell the driver which interrupt it
is going to use, auto-detecting the IRQ number just means probing the device, with
no additional work required to probe the interrupt. Most modern hardware works
this way, fortunately; for example, the PCI standard solves the problem by requiring
peripheral devices to declare what interrupt line(s) they are going to use. The PCI
standard is discussed in Chapter 12.<br>
<br>
Unfortunately, not every device is programmer friendly, and auto-detection might
require some probing. The technique is quite simple: the driver tells the device to
generate interrupts and watches what happens. If everything goes well, only one
interrupt line is activated.<br>
<br>
<A name="265"></a><font color="blue">PAGE 265</font><br>
<br>
Although probing is simple in theory, the actual implementation might be unclear.
We look at two ways to perform the task: calling kernel-defined helper functions and
implementing our own version.<br>
<br>
<a name="KernelassistedProbing"></a><font color="red"><b>Kernel-assisted probing</b></font><br>
<br>
The Linux kernel offers a low-level facility for probing the interrupt number. It works
for only nonshared interrupts, but most hardware that is capable of working in a
shared interrupt mode provides better ways of finding the configured interrupt number
anyway. The facility consists of two functions, declared in <i>&lt;linux/interrupt.h&gt;
</i>(which also describes the probing machinery):<br>
<br>
<font class="fixd">unsigned long probe_irq_on(void);</font><br>
<div class="bq">
This function returns a bit maskof unassigned interrupts. The driver must preserve
the returned bit mask, and pass it to <i>probe_irq_off </i>later. After this call, the
driver should arrange for its device to generate at least one interrupt.</div>
<br>
<font class="fixd">int probe_irq_off(unsigned long);</font><br>
<div class="bq">
After the device has requested an interrupt, the driver calls this function, passing
as its argument the bit maskpreviously returned by <i>probe_irq_on</i>. <i>probe_irq_off
</i>returns the number of the interrupt that was issued after "probe_on." If no interrupts
occurred, 0 is returned (therefore, IRQ 0 can't be probed for, but no custom
device can use it on any of the supported architectures anyway). If more than
one interrupt occurred (ambiguous detection), <i>probe_irq_off </i>returns a negative
value.</div>
<br>
The programmer should be careful to enable interrupts on the device <i>after </i>the call to
<i>probe_irq_on </i>and to disable them <i>before </i>calling <i>probe_irq_off</i>. Additionally, you
must remember to service the pending interrupt in your device after <i>probe_irq_off</i>.<br>
<br>
The <i>short </i>module demonstrates how to use such probing. If you load the module
with <font class="fixd">probe=1,</font> the following code is executed to detect your interrupt line, provided
pins 9 and 10 of the parallel connector are bound together:<br>
<pre>
int count = 0;
do {
    unsigned long mask;

    mask = probe_irq_on( );
    outb_p(0x10,short_base+2); /* enable reporting */
    outb_p(0x00,short_base);   /* clear the bit */
    outb_p(0xFF,short_base);   /* set the bit: interrupt! */
    outb_p(0x00,short_base+2); /* disable reporting */
    udelay(5);  /* give it some time */
    short_irq = probe_irq_off(mask);

    if (short_irq = = 0) { /* none of them? */
        printk(KERN_INFO &quot;short: no irq reported by probe\n&quot;);
        short_irq = -1;
    }
</pre>
<A name="266"></a><font color="blue">PAGE 266</font><br>
<pre>
    /*
     * if more than one line has been activated, the result is
     * negative. We should service the interrupt (no need for lpt port)
     * and loop over again. Loop at most five times, then give up
     */
} while (short_irq &lt; 0 &amp;&amp; count++ &lt; 5);
if (short_irq &lt; 0)
    printk(&quot;short: probe failed %i times, giving up\n&quot;, count);
</pre>
Note the use of <i>udelay </i>before calling <i>probe_irq_off</i>. Depending on the speed of your
processor, you may have to wait for a brief period to give the interrupt time to actually
be delivered.<br>
<br>
Probing might be a lengthy task. While this is not true for <i>short</i>, probing a frame
grabber, for example, requires a delay of at least 20 ms (which is ages for the processor),
and other devices might take even longer. Therefore, it's best to probe for the
interrupt line only once, at module initialization, independently of whether you
install the handler at device open (as you should) or within the initialization function
(which is not recommended).<br>
<br>
It's interesting to note that on some platforms (PowerPC, M68k, most MIPS implementations,
and both SPARC versions) probing is unnecessary, and, therefore, the
previous functions are just empty placeholders, sometimes called "useless ISA nonsense."
On other platforms, probing is implemented only for ISA devices. Anyway,
most architectures define the functions (even if they are empty) to ease porting existing
device drivers.<br>
<br>
<a name="DoityourselfProbing"></a><font color="red"><b>Do-it-yourself probing</b></font><br>
<br>
Probing can also be implemented in the driver itself without too much trouble. It is a
rare driver that must implement its own probing, but seeing how it works gives some
insight into the process. To that end, the <i>short </i>module performs do-it-yourself detection
of the IRQ line if it is loaded with <font class="fixd">probe=2.</font><br>
<br>
The mechanism is the same as the one described earlier: enable all unused interrupts,
then wait and see what happens. We can, however, exploit our knowledge of
the device. Often a device can be configured to use one IRQ number from a set of
three or four; probing just those IRQs enables us to detect the right one, without
having to test for all possible IRQs.<br>
<br>
The <i>short </i>implementation assumes that 3, 5, 7, and 9 are the only possible IRQ values.
These numbers are actually the values that some parallel devices allow you to
select.<br>
<br>
The following code probes by testing all "possible" interrupts and looking at what
happens. The trials array lists the IRQs to try and has 0 as the end marker; the
tried array is used to keep track of which handlers have actually been registered by
this driver.<br>
<br>
<A name="267"></a><font color="blue">PAGE 267</font><br>
<pre>
int trials[ ] = {3, 5, 7, 9, 0};
int tried[ ]  = {0, 0, 0, 0, 0};
int i, count = 0;

/*
 * install the probing handler for all possible lines. Remember
 * the result (0 for success, or -EBUSY) in order to only free
 * what has been acquired
 */
for (i = 0; trials[i]; i++)
    tried[i] = request_irq(trials[i], short_probing,
            SA_INTERRUPT, &quot;short probe&quot;, NULL);

do {
    short_irq = 0; /* none got, yet */
    outb_p(0x10,short_base+2); /* enable */
    outb_p(0x00,short_base);
    outb_p(0xFF,short_base); /* toggle the bit */
    outb_p(0x00,short_base+2); /* disable */
    udelay(5);  /* give it some time */

    /* the value has been set by the handler */
    if (short_irq = = 0) { /* none of them? */
        printk(KERN_INFO &quot;short: no irq reported by probe\n&quot;);
    }
    /*
     * If more than one line has been activated, the result is
     * negative. We should service the interrupt (but the lpt port
     * doesn't need it) and loop over again. Do it at most 5 times
     */
} while (short_irq &lt;=0 &amp;&amp; count++ &lt; 5);

/* end of loop, uninstall the handler */
for (i = 0; trials[i]; i++)
    if (tried[i] = = 0)
        free_irq(trials[i], NULL);

if (short_irq &lt; 0)
    printk(&quot;short: probe failed %i times, giving up\n&quot;, count);
</pre>
You might not know in advance what the "possible" IRQ values are. In that case,
you need to probe all the free interrupts, instead of limiting yourself to a few <font class="fixd">trials[ ].</font>
To probe for all interrupts, you have to probe from IRQ 0 to IRQ <font class="fixd">NR_IRQS-1,</font> where
<font class="fixd">NR_IRQS</font> is defined in <i>&lt;asm/irq.h&gt;</i> and is platform dependent.<br>
<br>
Now we are missing only the probing handler itself. The handler's role is to update
<font class="fixd">short_irq</font> according to which interrupts are actually received. A 0 value in <font class="fixd">short_irq</font>
means "nothing yet," while a negative value means "ambiguous." These values were
chosen to be consistent with <i>probe_irq_off </i>and to allow the same code to call either
kind of probing within <i>short.c</i>.<br>
<pre>
irqreturn_t short_probing(int irq, void *dev_id, struct pt_regs *regs)
{
</pre>
<A name="268"></a><font color="blue">PAGE 268</font><br>
<pre>
    if (short_irq = = 0) short_irq = irq;    /* found */
    if (short_irq != irq) short_irq = -irq; /* ambiguous */
    return IRQ_HANDLED;
}
</pre>
The arguments to the handler are described later. Knowing that <font class="fixd">irq</font> is the interrupt
being handled should be sufficient to understand the function just shown.<br>
<br>
<a name="FastAndSlowHandlers"></a><font color="red"><b>Fast and Slow Handlers</b></font><br>
<br>
Older versions of the Linux kernel took great pains to distinguish between "fast" and
"slow" interrupts. Fast interrupts were those that could be handled very quickly,
whereas handling slow interrupts took significantly longer. Slow interrupts could be
sufficiently demanding of the processor, and it was worthwhile to reenable interrupts
while they were being handled. Otherwise, tasks requiring quick attention
could be delayed for too long.<br>
<br>
In modern kernels, most of the differences between fast and slow interrupts have disappeared.
There remains only one: fast interrupts (those that were requested with
the <font class="fixd">SA_INTERRUPT</font> flag) are executed with all other interrupts disabled on the current
processor. Note that other processors can still handle interrupts, although you will
never see two processors handling the same IRQ at the same time.<br>
<br>
So, which type of interrupt should your driver use? On modern systems, <font class="fixd">SA_INTERRUPT</font> is
intended only for use in a few, specific situations such as timer interrupts. Unless you
have a strong reason to run your interrupt handler with other interrupts disabled, you
should not use <font class="fixd">SA_INTERRUPT</font>.<br>
<br>
This description should satisfy most readers, although someone with a taste for hardware
and some experience with her computer might be interested in going deeper. If
you don't care about the internal details, you can skip to the next section.<br>
<br>
<a name="TheInternalsOfInterruptHandlingOnTheX86"></a><font color="red"><b>The internals of interrupt handling on the x86</b></font><br>
<br>
This description has been extrapolated from <i>arch/i386/kernel/irq.c</i>, <i>arch/i386/kernel/
apic.c</i>, <i>arch/i386/kernel/entry.S</i>, <i>arch/i386/kernel/i8259.c</i>, and <i>include/asm-i386/hw_irq.h
</i>as they appear in the 2.6 kernels; although the general concepts remain the same, the
hardware details differ on other platforms.<br>
<br>
The lowest level of interrupt handling can be found in <i>entry.S</i>, an assembly-language
file that handles much of the machine-level work. By way of a bit of assembler trickery
and some macros, a bit of code is assigned to every possible interrupt. In each
case, the code pushes the interrupt number on the stack and jumps to a common
segment, which calls <i>do_IRQ</i>, defined in <i>irq.c</i>.<br>
<br>
The first thing <i>do_IRQ </i>does is to acknowledge the interrupt so that the interrupt controller
can go on to other things. It then obtains a spinlock for the given IRQ number,
thus preventing any other CPU from handling this IRQ. It clears a couple of status<br>
<br>
<A name="269"></a><font color="blue">PAGE 269</font><br>
<br>
bits (including one called <font class="fixd">IRQ_WAITING</font> that we'll look at shortly) and then looks up the
handler(s) for this particular IRQ. If there is no handler, there's nothing to do; the
spinlock is released, any pending software interrupts are handled, and <i>do_IRQ
</i>returns.<br>
<br>
Usually, however, if a device is interrupting, there is at least one handler registered
for its IRQ as well. The function <i>handle_IRQ_event </i>is called to actually invoke the
handlers. If the handler is of the slow variety (SA_INTERRUPT is not set), interrupts are
reenabled in the hardware, and the handler is invoked. Then it's just a matter of
cleaning up, running software interrupts, and getting back to regular work. The "regular
work" may well have changed as a result of an interrupt (the handler could
<i>wake_up </i>a process, for example), so the last thing that happens on return from an
interrupt is a possible rescheduling of the processor.<br>
<br>
Probing for IRQs is done by setting the <font class="fixd">IRQ_WAITING</font> status bit for each IRQ that currently
lacks a handler. When the interrupt happens, <i>do_IRQ </i>clears that bit and then
returns, because no handler is registered. <i>probe_irq_off</i>, when called by a driver,
needs to search for only the IRQ that no longer has <font class="fixd">IRQ_WAITING</font> set.<br>
<br>
<a name="ImplementingAHandler"></a><font color="red"><b>Implementing a Handler</b></font><br>
<br>
So far, we've learned to register an interrupt handler but not to write one. Actually,
there's nothing unusual about a handler--it's ordinary C code.<br>
<br>
The only peculiarity is that a handler runs at interrupt time and, therefore, suffers
some restrictions on what it can do. These restrictions are the same as those we saw
with kernel timers. A handler can't transfer data to or from user space, because it
doesn't execute in the context of a process. Handlers also cannot do anything that
would sleep, such as calling <i>wait_event</i>, allocating memory with anything other than
<font class="fixd">GFP_ATOMIC</font>, or locking a semaphore. Finally, handlers cannot call <i>schedule</i>.<br>
<br>
The role of an interrupt handler is to give feedback to its device about interrupt
reception and to read or write data according to the meaning of the interrupt being
serviced. The first step usually consists of clearing a bit on the interface board; most
hardware devices won't generate other interrupts until their "interrupt-pending" bit
has been cleared. Depending on how your hardware works, this step may need to be
performed last instead of first; there is no catch-all rule here. Some devices don't
require this step, because they don't have an "interrupt-pending" bit; such devices
are a minority, although the parallel port is one of them. For that reason, <i>short </i>does
not have to clear such a bit.<br>
<br>
A typical task for an interrupt handler is awakening processes sleeping on the device
if the interrupt signals the event they're waiting for, such as the arrival of new data.<br>
<br>
To stick with the frame grabber example, a process could acquire a sequence of
images by continuously reading the device; the <i>read </i>call blocks before reading each<br>
<br>
<A name="270"></a><font color="blue">PAGE 270</font><br>
<br>
frame, while the interrupt handler awakens the process as soon as each new frame
arrives. This assumes that the grabber interrupts the processor to signal successful
arrival of each new frame.<br>
<br>
The programmer should be careful to write a routine that executes in a minimum
amount of time, independent of its being a fast or slow handler. If a long computation
needs to be performed, the best approach is to use a tasklet or workqueue to
schedule computation at a safer time (we'll look at how work can be deferred in this
manner in the section "Top and Bottom Halves.")<br>
<br>
Our sample code in <i>short </i>responds to the interrupt by calling <i>do_gettimeofday </i>and
printing the current time into a page-sized circular buffer. It then awakens any reading
process, because there is now data available to be read.<br>
<pre>
irqreturn_t short_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    struct timeval tv;
    int written;

    do_gettimeofday(&amp;tv);

        /* Write a 16 byte record. Assume PAGE_SIZE is a multiple of 16 */
    written = sprintf((char *)short_head,&quot;%08u.%06u\n&quot;,
            (int)(tv.tv_sec % 100000000), (int)(tv.tv_usec));
    BUG_ON(written != 16);
    short_incr_bp(&amp;short_head, written);
    wake_up_interruptible(&amp;short_queue); /* awake any reading process */
    return IRQ_HANDLED;
}
</pre>
This code, though simple, represents the typical job of an interrupt handler. It, in
turn, calls <i>short_incr_bp</i>, which is defined as follows:<br>
<pre>
static inline void short_incr_bp(volatile unsigned long *index, int delta)
{
    unsigned long new = *index + delta;
    barrier( );  /* Don't optimize these two together */
    *index = (new &gt;= (short_buffer + PAGE_SIZE)) ? short_buffer : new;
}
</pre>
This function has been carefully written to wrap a pointer into the circular buffer
without ever exposing an incorrect value. The <i>barrier </i>call is there to block compiler
optimizations across the other two lines of the function. Without the barrier, the
compiler might decide to optimize out the new variable and assign directly to <font class="fixd">*index.</font>
That optimization could expose an incorrect value of the index for a brief period in
the case where it wraps. By taking care to prevent in inconsistent value from ever
being visible to other threads, we can manipulate the circular buffer pointers safely
without locks.<br>
<br>
The device file used to read the buffer being filled at interrupt time is <i>/dev/shortint</i>.
This device special file, together with <i>/dev/shortprint</i>, wasn't introduced in<br>
<br>
<A name="271"></a><font color="blue">PAGE 271</font><br>
<br>
Chapter 9, because its use is specific to interrupt handling. The internals of <i>/dev/
shortint </i>are specifically tailored for interrupt generation and reporting. Writing to the
device generates one interrupt every other byte; reading the device gives the time
when each interrupt was reported.<br>
<br>
If you connect together pins 9 and 10 of the parallel connector, you can generate
interrupts by raising the high bit of the parallel data byte. This can be accomplished
by writing binary data to <i>/dev/short0</i> or by writing anything to <i>/dev/shortint</i>.*<br>
<br>
The following code implements <i>read</i> and <i>write</i> for <i>/dev/shortint</i>:<br>
<pre>
ssize_t short_i_read (struct file *filp, char __user *buf, size_t count,
     loff_t *f_pos)
{
    int count0;
    DEFINE_WAIT(wait);

    while (short_head = = short_tail) {
        prepare_to_wait(&amp;short_queue, &amp;wait, TASK_INTERRUPTIBLE);
        if (short_head = = short_tail)
            schedule( );
        finish_wait(&amp;short_queue, &amp;wait);
        if (signal_pending (current))  /* a signal arrived */
            return -ERESTARTSYS; /* tell the fs layer to handle it */
    }
    /* count0 is the number of readable data bytes */
    count0 = short_head - short_tail;
    if (count0 &lt; 0) /* wrapped */
        count0 = short_buffer + PAGE_SIZE - short_tail;
    if (count0 &lt; count) count = count0;

    if (copy_to_user(buf, (char *)short_tail, count))
        return -EFAULT;
    short_incr_bp (&amp;short_tail, count);
    return count;
}

ssize_t short_i_write (struct file *filp, const char __user *buf, size_t count,
        loff_t *f_pos)
{
    int written = 0, odd = *f_pos &amp; 1;
    unsigned long port = short_base; /* output to the parallel data latch */
    void *address = (void *) short_base;

    if (use_mem) {
        while (written &lt; count)
            iowrite8(0xff * ((++written + odd) &amp; 1), address);
    } else {
</pre>
* The <i>shortint</i> device accomplishes its task by alternately writing 0x00 and 0xff to the parallel port.<br>
<br>
<A name="272"></a><font color="blue">PAGE 272</font><br>
<pre>
        while (written &lt; count)
            outb(0xff * ((++written + odd) &amp; 1), port);
    }

    *f_pos += count;
    return written;
}
</pre>
The other device special file, <i>/dev/shortprint</i>, uses the parallel port to drive a printer;
you can use it if you want to avoid connecting pins 9 and 10 of a D-25 connector.
The <i>write </i>implementation of <i>shortprint </i>uses a circular buffer to store data to be
printed, while the <i>read </i>implementation is the one just shown (so you can read the
time your printer takes to eat each character).<br>
<br>
In order to support printer operation, the interrupt handler has been slightly modified
from the one just shown, adding the ability to send the next data byte to the
printer if there is more data to transfer.<br>
<br>
<a name="HandlerArgumentsAndReturnValue"></a><font color="red"><b>Handler Arguments and Return Value</b></font><br>
<br>
Though <i>short </i>ignores them, three arguments are passed to an interrupt handler: <font class="fixd">irq,
dev_id,</font> and <font class="fixd">regs.</font> Let's look at the role of each.<br>
<br>
The interrupt number (<font class="fixd">int irq</font>) is useful as information you may print in your log
messages, if any. The second argument, <font class="fixd">void *dev_id,</font> is a sort of client data; a <font class="fixd">void *</font>
argument is passed to <i>request_irq</i>, and this same pointer is then passed back as an
argument to the handler when the interrupt happens. You usually pass a pointer to
your device data structure in <font class="fixd">dev_id,</font> so a driver that manages several instances of the
same device doesn't need any extra code in the interrupt handler to find out which
device is in charge of the current interrupt event.<br>
<br>
Typical use of the argument in an interrupt handler is as follows:<br>
<pre>
static irqreturn_t sample_interrupt(int irq, void *dev_id, struct pt_regs
                             *regs)
{
    struct sample_dev *dev = dev_id;

    /* now `dev' points to the right hardware item */
    /* .... */
}
</pre>
The typical <i>open</i> code associated with this handler looks like this:<br>
<pre>
static void sample_open(struct inode *inode, struct file *filp)
{
    struct sample_dev *dev = hwinfo + MINOR(inode-&gt;i_rdev);
    request_irq(dev-&gt;irq, sample_interrupt,
                0 /* flags */, &quot;sample&quot;, dev /* dev_id */);
    /*....*/
    return 0;
}
</pre>
<A name="273"></a><font color="blue">PAGE 273</font><br>
<br>
The last argument, <font class="fixd">struct pt_regs *regs,</font> is rarely used. It holds a snapshot of the
processor's context before the processor entered interrupt code. The registers can be
used for monitoring and debugging; they are not normally needed for regular device
driver tasks.<br>
<br>
Interrupt handlers should return a value indicating whether there was actually an
interrupt to handle. If the handler found that its device did, indeed, need attention, it
should return <font class="fixd">IRQ_HANDLED;</font> otherwise the return value should be <font class="fixd">IRQ_NONE</font>. You can
also generate the return value with this macro:<br>
<pre>
IRQ_RETVAL(handled)
</pre>
where handled is nonzero if you were able to handle the interrupt. The return value is
used by the kernel to detect and suppress spurious interrupts. If your device gives
you no way to tell whether it really interrupted, you should return <font class="fixd">IRQ_HANDLED</font>.<br>
<br>
<a name="EnablingAndDisablingInterrupts"></a><font color="red"><b>Enabling and Disabling Interrupts</b></font><br>
<br>
There are times when a device driver must block the delivery of interrupts for a
(hopefully short) period of time (we saw one such situation in the section "Spinlocks"
in Chapter 5). Often, interrupts must be blocked while holding a spinlock to
avoid deadlocking the system. There are ways of disabling interrupts that do not
involve spinlocks. But before we discuss them, note that disabling interrupts should
be a relatively rare activity, even in device drivers, and this technique should never be
used as a mutual exclusion mechanism within a driver.<br>
<br>
<a name="DisablingASingleInterrupt"></a><font color="red"><b>Disabling a single interrupt</b></font><br>
<br>
Sometimes (but rarely!) a driver needs to disable interrupt delivery for a specific
interrupt line. The kernel offers three functions for this purpose, all declared in
<i>&lt;asm/irq.h&gt;</i>. These functions are part of the kernel API, so we describe them, but
their use is discouraged in most drivers. Among other things, you cannot disable
shared interrupt lines, and, on modern systems, shared interrupts are the norm. That
said, here they are:<br>
<pre>
void disable_irq(int irq);
void disable_irq_nosync(int irq);
void enable_irq(int irq);
</pre>
Calling any of these functions may update the maskfor the specified irq in the programmable
interrupt controller (PIC), thus disabling or enabling the specified IRQ
across all processors. Calls to these functions can be nested--if <i>disable_irq </i>is called
twice in succession, two <i>enable_irq </i>calls are required before the IRQ is truly reenabled.
It is possible to call these functions from an interrupt handler, but enabling
your own IRQ while handling it is not usually good practice.<br>
<br>
<i>disable_irq </i>not only disables the given interrupt but also waits for a currently executing
interrupt handler, if any, to complete. Be aware that if the thread calling <i>disable_irq</i><br>
<br>
<A name="274"></a><font color="blue">PAGE 274</font><br>
<br>
holds any resources (such as spinlocks) that the interrupt handler needs, the system
can deadlock. <i>disable_irq_nosync </i>differs from <i>disable_irq </i>in that it returns immediately.
Thus, using <i>disable_irq_nosync </i>is a little faster but may leave your driver open to
race conditions.<br>
<br>
But why disable an interrupt? Sticking to the parallel port, let's look at the <i>plip </i>network interface.
A <i>plip </i>device uses the bare-bones parallel port to transfer data. Since
only five bits can be read from the parallel connector, they are interpreted as four
data bits and a clock/handshake signal. When the first four bits of a packet are transmitted
by the initiator (the interface sending the packet), the clock line is raised,
causing the receiving interface to interrupt the processor. The <i>plip </i>handler is then
invoked to deal with newly arrived data.<br>
<br>
After the device has been alerted, the data transfer proceeds, using the handshake
line to clocknew data to the receiving interface (this might not be the best implementation,
but it is necessary for compatibility with other packet drivers using the
parallel port). Performance would be unbearable if the receiving interface had to handle
two interrupts for every byte received. Therefore, the driver disables the interrupt
during the reception of the packet; instead, a poll-and-delay loop is used to
bring in the data.<br>
<br>
Similarly, because the handshake line from the receiver to the transmitter is used to
acknowledge data reception, the transmitting interface disables its IRQ line during
packet transmission.<br>
<br>
<a name="DisablingAllInterrupts"></a><font color="red"><b>Disabling all interrupts</b></font><br>
<br>
What if you need to disable <i>all </i>interrupts? In the 2.6 kernel, it is possible to turn off
all interrupt handling on the current processor with either of the following two functions
(which are defined in <i>&lt;asm/system.h&gt;</i>):<br>
<pre>
void local_irq_save(unsigned long flags);
void local_irq_disable(void);
</pre>
A call to <i>local_irq_save </i>disables interrupt delivery on the current processor after saving
the current interrupt state into <font class="fixd">flags</font>. Note that <font class="fixd">flags</font> is passed directly, not by
pointer. <i>local_irq_disable </i>shuts off local interrupt delivery without saving the state;
you should use this version only if you know that interrupts have not already been
disabled elsewhere.<br>
<br>
Turning interrupts back on is accomplished with:<br>
<pre>
void local_irq_restore(unsigned long flags);
void local_irq_enable(void);
</pre>
The first version restores that state which was stored into <font class="fixd">flags</font> by <i>local_irq_save</i>,
while <i>local_irq_enable </i>enables interrupts unconditionally. Unlike <i>disable_irq</i>,
<i>local_irq_disable </i>does not keep track of multiple calls. If more than one function in
the call chain might need to disable interrupts, <i>local_irq_save</i> should be used.<br>
<br>
<A name="275"></a><font color="blue">PAGE 275</font><br>
<br>
In the 2.6 kernel, there is no way to disable all interrupts globally across the entire
system. The kernel developers have decided that the cost of shutting off all interrupts
is too high and that there is no need for that capability in any case. If you are
working with an older driver that makes calls to functions such as <i>cli </i>and <i>sti</i>, you
need to update it to use proper locking before it will work under 2.6.<br>
<br>
<a name="TopAndBottomHalves"></a><font color="red"><b>Top and Bottom Halves</b></font><br>
<br>
One of the main problems with interrupt handling is how to perform lengthy tasks
within a handler. Often a substantial amount of work must be done in response to a
device interrupt, but interrupt handlers need to finish up quickly and not keep interrupts
blocked for long. These two needs (work and speed) conflict with each other,
leaving the driver writer in a bit of a bind.<br>
<br>
Linux (along with many other systems) resolves this problem by splitting the interrupt
handler into two halves. The so-called <i>top half </i>is the routine that actually
responds to the interrupt--the one you register with <i>request_irq</i>. The <i>bottom half </i>is a
routine that is scheduled by the top half to be executed later, at a safer time. The big
difference between the top-half handler and the bottom half is that all interrupts are
enabled during execution of the bottom half--that's why it runs at a safer time. In
the typical scenario, the top half saves device data to a device-specific buffer, schedules
its bottom half, and exits: this operation is very fast. The bottom half then performs
whatever other work is required, such as awakening processes, starting up
another I/O operation, and so on. This setup permits the top half to service a new
interrupt while the bottom half is still working.<br>
<br>
Almost every serious interrupt handler is split this way. For instance, when a network interface
reports the arrival of a new packet, the handler just retrieves the data
and pushes it up to the protocol layer; actual processing of the packet is performed
in a bottom half.<br>
<br>
The Linux kernel has two different mechanisms that may be used to implement bottom-half
processing, both of which were introduced in Chapter 7. Tasklets are often
the preferred mechanism for bottom-half processing; they are very fast, but all tasklet
code must be atomic. The alternative to tasklets is workqueues, which may have a
higher latency but that are allowed to sleep.<br>
<br>
The following discussion works, once again, with the <i>short </i>driver. When loaded with
a module option, <i>short </i>can be told to do interrupt processing in a top/bottom-half
mode with either a tasklet or workqueue handler. In this case, the top half executes
quickly; it simply remembers the current time and schedules the bottom half processing.
The bottom half is then charged with encoding this time and awakening any
user processes that may be waiting for data.<br>
<br>
<A name="276"></a><font color="blue">PAGE 276</font><br>
<br>
<a name="Tasklets3"></a><font color="red"><b>Tasklets</b></font><br>
<br>
Remember that tasklets are a special function that may be scheduled to run, in software
interrupt context, at a system-determined safe time. They may be scheduled to
run multiple times, but tasklet scheduling is not cumulative; the tasklet runs only
once, even if it is requested repeatedly before it is launched. No tasklet ever runs in
parallel with itself, since they run only once, but tasklets can run in parallel with
other tasklets on SMP systems. Thus, if your driver has multiple tasklets, they must
employ some sort of locking to avoid conflicting with each other.<br>
<br>
Tasklets are also guaranteed to run on the same CPU as the function that first schedules
them. Therefore, an interrupt handler can be secure that a tasklet does not begin
executing before the handler has completed. However, another interrupt can certainly
be delivered while the tasklet is running, so locking between the tasklet and
the interrupt handler may still be required.<br>
<br>
Tasklets must be declared with the <font class="fixd">DECLARE_TASKLET</font> macro:<br>
<pre>
DECLARE_TASKLET(name, function, data);
</pre>
<font class="fixd">name</font> is the name to be given to the tasklet, <i>function </i>is the function that is called to
execute the tasklet (it takes one <font class="fixd">unsigned long</font> argument and returns <font class="fixd">void</font>), and <font class="fixd">data</font>
is an <font class="fixd">unsigned long</font> value to be passed to the <i>tasklet</i> function.<br>
<br>
The <i>short</i> driver declares its tasklet as follows:<br>
<pre>
void short_do_tasklet(unsigned long);
DECLARE_TASKLET(short_tasklet, short_do_tasklet, 0);
</pre>
The function <i>tasklet_schedule </i>is used to schedule a tasklet for running. If <i>short </i>is
loaded with <font class="fixd">tasklet=1,</font> it installs a different interrupt handler that saves data and
schedules the tasklet as follows:<br>
<pre>
irqreturn_t short_tl_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    do_gettimeofday((struct timeval *) tv_head); /* cast to stop 'volatile' warning
*/
    short_incr_tv(&amp;tv_head);
    tasklet_schedule(&amp;short_tasklet);
    short_wq_count++; /* record that an interrupt arrived */
    return IRQ_HANDLED;
}
</pre>
The actual tasklet routine, <i>short_do_tasklet</i>, will be executed shortly (so to speak) at
the system's convenience. As mentioned earlier, this routine performs the bulk of the
work of handling the interrupt; it looks like this:<br>
<pre>
void short_do_tasklet (unsigned long unused)
{
    int savecount = short_wq_count, written;
    short_wq_count = 0; /* we have already been removed from the queue */
    /*
     * The bottom half reads the tv array, filled by the top half,
</pre>
<A name="277"></a><font color="blue">PAGE 277</font><br>
<pre>
     * and prints it to the circular text buffer, which is then consumed
     * by reading processes
     */

    /* First write the number of interrupts that occurred before this bh */
    written = sprintf((char *)short_head,&quot;bh after %6i\n&quot;,savecount);
    short_incr_bp(&amp;short_head, written);

    /*
     * Then, write the time values. Write exactly 16 bytes at a time,
     * so it aligns with PAGE_SIZE
     */

    do {
        written = sprintf((char *)short_head,&quot;%08u.%06u\n&quot;,
                (int)(tv_tail-&gt;tv_sec % 100000000),
                (int)(tv_tail-&gt;tv_usec));
        short_incr_bp(&amp;short_head, written);
        short_incr_tv(&amp;tv_tail);
    } while (tv_tail != tv_head);

    wake_up_interruptible(&amp;short_queue); /* awake any reading process */
}
</pre>
Among other things, this tasklet makes a note of how many interrupts have arrived
since it was last called. A device such as <i>short </i>can generate a great many interrupts in
a brief period, so it is not uncommon for several to arrive before the bottom half is
executed. Drivers must always be prepared for this possibility and must be able to
determine how much work there is to perform from the information left by the top
half.<br>
<br>
<a name="Workqueues3"></a><font color="red"><b>Workqueues</b></font><br>
<br>
Recall that workqueues invoke a function at some future time in the context of a special
worker process. Since the <i>workqueue </i>function runs in process context, it can
sleep if need be. You cannot, however, copy data into user space from a workqueue,
unless you use the advanced techniques we demonstrate in Chapter 15; the worker
process does not have access to any other process's address space.<br>
<br>
The <i>short </i>driver, if loaded with the <font class="fixd">wq</font> option set to a nonzero value, uses a workqueue
for its bottom-half processing. It uses the system default workqueue, so there
is no special setup code required; if your driver has special latency requirements (or
might sleep for a long time in the <i>workqueue </i>function), you may want to create your
own, dedicated workqueue. We do need a <font class="fixd">work_struct</font> structure, which is declared
and initialized with the following:<br>
<pre>
static struct <font class="fixd">work_struct</font> short_wq;

    /* this line is in short_init( ) */
    INIT_WORK(&amp;short_wq, (void (*)(void *)) short_do_tasklet, NULL);
</pre>
<A name="278"></a><font color="blue">PAGE 278</font><br>
<br>
Our worker function is <i>short_do_tasklet</i>, which we have already seen in the previous
section.<br>
<br>
When working with a workqueue, <i>short </i>establishes yet another interrupt handler
that looks like this:<br>
<pre>
irqreturn_t short_wq_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    /* Grab the current time information. */
    do_gettimeofday((struct timeval *) tv_head);
    short_incr_tv(&amp;tv_head);

    /* Queue the bh. Don't worry about multiple enqueueing */
    schedule_work(&amp;short_wq);

    short_wq_count++; /* record that an interrupt arrived */
    return IRQ_HANDLED;
}
</pre>
As you can see, the interrupt handler looks very much like the tasklet version, with
the exception that it calls <i>schedule_work</i> to arrange the bottom-half processing.<br>
<br>
<a name="InterruptSharing"></a><font color="red"><b>Interrupt Sharing</b></font><br>
<br>
The notion of an IRQ conflict is almost synonymous with the PC architecture. In the
past, IRQ lines on the PC have not been able to serve more than one device, and
there have never been enough of them. As a result, frustrated users have often spent
much time with their computer case open, trying to find a way to make all of their
peripherals play well together.<br>
<br>
Modern hardware, of course, has been designed to allow the sharing of interrupts;
the PCI bus requires it. Therefore, the Linux kernel supports interrupt sharing on all
buses, even those (such as the ISA bus) where sharing has traditionally not been supported.
Device drivers for the 2.6 kernel should be written to work with shared interrupts
if the target hardware can support that mode of operation. Fortunately,
working with shared interrupts is easy, most of the time.<br>
<br>
<a name="InstallingASharedHandler"></a><font color="red"><b>Installing a Shared Handler</b></font><br>
<br>
Shared interrupts are installed through <i>request_irq </i>just like nonshared ones, but
there are two differences:<br>
<ul>
<li> The <font class="fixd">SA_SHIRQ</font> bit must be specified in the <font class="fixd">flags</font> 
argument when requesting the interrupt.
<li> The <font class="fixd">dev_id</font> argument <i>must </i>be unique. Any pointer into the module's address
space will do, but <font class="fixd">dev_id</font> definitely cannot be set to <font class="fixd">NULL</font>.
</ul>
<A name="279"></a><font color="blue">PAGE 279</font><br>
<br>
The kernel keeps a list of shared handlers associated with the interrupt, and <font class="fixd">dev_id</font>
can be thought of as the signature that differentiates between them. If two drivers
were to register <font class="fixd">NULL</font> as their signature on the same interrupt, things might get mixed
up at unload time, causing the kernel to oops when an interrupt arrived. For this reason,
modern kernels complain loudly if passed a <font class="fixd">NULL</font> <font class="fixd">dev_id</font> when registering shared
interrupts. When a shared interrupt is requested, <i>request_irq </i>succeeds if one of the
following is true:<br>
<ul>
<li> The interrupt line is free.
<li> All handlers already registered for that line have also specified that the IRQ is to be shared.
</ul>
Whenever two or more drivers are sharing an interrupt line and the hardware interrupts
the processor on that line, the kernel invokes every handler registered for that
interrupt, passing each its own <font class="fixd">dev_id</font>. Therefore, a shared handler must be able to
recognize its own interrupts and should quickly exit when its own device has not
interrupted. Be sure to return <font class="fixd">IRQ_NONE</font> whenever your handler is called and finds
that the device is not interrupting.<br>
<br>
If you need to probe for your device before requesting the IRQ line, the kernel can't
help you. No probing function is available for shared handlers. The standard probing
mechanism works if the line being used is free, but if the line is already held by
another driver with sharing capabilities, the probe fails, even if your driver would
have worked perfectly. Fortunately, most hardware designed for interrupt sharing is
also able to tell the processor which interrupt it is using, thus eliminating the need
for explicit probing.<br>
<br>
Releasing the handler is performed in the normal way, using <i>free_irq</i>. Here the <font class="fixd">dev_id</font>
argument is used to select the correct handler to release from the list of shared handlers
for the interrupt. That's why the <font class="fixd">dev_id</font> pointer must be unique.<br>
<br>
A driver using a shared handler needs to be careful about one more thing: it can't
play with <i>enable_irq </i>or <i>disable_irq</i>. If it does, things might go haywire for other
devices sharing the line; disabling another device's interrupts for even a short time
may create latencies that are problematic for that device and it's user. Generally, the
programmer must remember that his driver doesn't own the IRQ, and its behavior
should be more "social" than is necessary if one owns the interrupt line.<br>
<br>
<a name="RunningTheHandler"></a><font color="red"><b>Running the Handler</b></font><br>
<br>
As suggested earlier, when the kernel receives an interrupt, all the registered handlers
are invoked. A shared handler must be able to distinguish between interrupts
that it needs to handle and interrupts generated by other devices.<br>
<br>
<A name="280"></a><font color="blue">PAGE 280</font><br>
<br>
Loading <i>short </i>with the option <i>shared=1 </i>installs the following handler instead of the
default:<br>
<pre>
irqreturn_t short_sh_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    int value, written;
    struct timeval tv;

    /* If it wasn't short, return immediately */
    value = inb(short_base);
    if (!(value &amp; 0x80))
        return IRQ_NONE;

    /* clear the interrupting bit */
    outb(value &amp; 0x7F, short_base);

    /* the rest is unchanged */

    do_gettimeofday(&amp;tv);
    written = sprintf((char *)short_head,&quot;%08u.%06u\n&quot;,
            (int)(tv.tv_sec % 100000000), (int)(tv.tv_usec));
    short_incr_bp(&amp;short_head, written);
    wake_up_interruptible(&amp;short_queue); /* awake any reading process */
    return IRQ_HANDLED;
}
</pre>
An explanation is due here. Since the parallel port has no "interrupt-pending" bit to
check, the handler uses the ACK bit for this purpose. If the bit is high, the interrupt
being reported is for <i>short</i>, and the handler clears the bit.<br>
<br>
The handler resets the bit by zeroing the high bit of the parallel interface's data
port--<i>short </i>assumes that pins 9 and 10 are connected together. If one of the other
devices sharing the IRQ with <i>short </i>generates an interrupt, <i>short </i>sees that its own line
is still inactive and does nothing.<br>
<br>
A full-featured driver probably splits the work into top and bottom halves, of course,
but that's easy to add and does not have any impact on the code that implements
sharing. A real driver would also likely use the <font class="fixd">dev_id</font> argument to determine which,
of possibly many, devices might be interrupting.<br>
<br>
Note that if you are using a printer (instead of the jumper wire) to test interrupt management
with <i>short</i>, this shared handler won't work as advertised, because the
printer protocol doesn't allow for sharing, and the driver can't know whether the
interrupt was from the printer.<br>
<br>
<a name="TheProcInterfaceAndSharedInterrupts"></a><font color="red"><b>The /proc Interface and Shared Interrupts</b></font><br>
<br>
Installing shared handlers in the system doesn't affect <i>/proc/stat</i>, which doesn't even
know about handlers. However, <i>/proc/interrupts</i> changes slightly.<br>
<br>
<A name="281"></a><font color="blue">PAGE 281</font><br>
<br>
All the handlers installed for the same interrupt number appear on the same line of
<i>/proc/interrupts</i>. The following output (from an x86_64 system) shows how shared
interrupt handlers are displayed:<br>
<pre>
           CPU0
  0:  892335412         XT-PIC  timer
  1:     453971         XT-PIC  i8042
  2:          0         XT-PIC  cascade
  5:          0         XT-PIC  libata, ehci_hcd
  8:          0         XT-PIC  rtc
  9:          0         XT-PIC  acpi
 10:   11365067         XT-PIC  ide2, uhci_hcd, uhci_hcd, SysKonnect SK-98xx, EMU10K1
 11:    4391962         XT-PIC  uhci_hcd, uhci_hcd
 12:        224         XT-PIC  i8042
 14:    2787721         XT-PIC  ide0
 15:     203048         XT-PIC  ide1
NMI:      41234
LOC:  892193503
ERR:        102
MIS:          0
</pre>
This system has several shared interrupt lines. IRQ 5 is used for the serial ATA and
IEEE 1394 controllers; IRQ 10 has several devices, including an IDE controller, two
USB controllers, an Ethernet interface, and a sound card; and IRQ 11 also is used by
two USB controllers.<br>
<br>
<a name="InterruptDrivenIO"></a><font color="red"><b>Interrupt-Driven I/O</b></font><br>
<br>
Whenever a data transfer to or from the managed hardware might be delayed for any
reason, the driver writer should implement buffering. Data buffers help to detach
data transmission and reception from the <i>write </i>and <i>read </i>system calls, and overall system
performance benefits.<br>
<br>
A good buffering mechanism leads to <i>interrupt-driven I/O</i>, in which an input buffer is
filled at interrupt time and is emptied by processes that read the device; an output
buffer is filled by processes that write to the device and is emptied at interrupt time.
An example of interrupt-driven output is the implementation of <i>/dev/shortprint</i>.<br>
<br>
For interrupt-driven data transfer to happen successfully, the hardware should be
able to generate interrupts with the following semantics:<br>
<ul>
<li> For input, the device interrupts the processor when new data has arrived and is
ready to be retrieved by the system processor. The actual actions to perform
depend on whether the device uses I/O ports, memory mapping, or DMA.
<li> For output, the device delivers an interrupt either when it is ready to accept new
data or to acknowledge a successful data transfer. Memory-mapped and DMA capable
devices usually generate interrupts to tell the system they are done with
the buffer.
</ul>
<A name="282"></a><font color="blue">PAGE 282</font><br>
<br>
The timing relationships between a <i>read </i>or <i>write </i>and the actual arrival of data were
introduced in the section "Blocking and Nonblocking Operations" in Chapter 6.<br>
<br>
<a name="AWriteBufferingExample"></a><font color="red"><b>A Write-Buffering Example</b></font><br>
<br>
We have mentioned the <i>shortprint </i>driver a couple of times; now it is time to actually
take a look. This module implements a very simple, output-oriented driver for the
parallel port; it is sufficient, however, to enable the printing of files. If you chose to
test this driver out, however, remember that you must pass the printer a file in a format
it understands; not all printers respond well when given a stream of arbitrary
data.<br>
<br>
The <i>shortprint </i>driver maintains a one-page circular output buffer. When a user-space
process writes data to the device, that data is fed into the buffer, but the <i>write
</i>method does not actually perform any I/O. Instead, the core of <i>shortp_write </i>looks
like this:<br>
<pre>
    while (written &lt; count) {
        /* Hang out until some buffer space is available. */
        space = shortp_out_space( );
        if (space &lt;= 0) {
            if (wait_event_interruptible(shortp_out_queue,
                        (space = shortp_out_space( )) &gt; 0))
                goto out;
        }

        /* Move data into the buffer. */
        if ((space + written) &gt; count)
            space = count - written;
        if (copy_from_user((char *) shortp_out_head, buf, space)) {
            up(&amp;shortp_out_sem);
            return -EFAULT;
        }
        shortp_incr_out_bp(&amp;shortp_out_head, space);
        buf += space;
        written += space;

        /* If no output is active, make it active. */
        spin_lock_irqsave(&amp;shortp_out_lock, flags);
        if (! shortp_output_active)
            shortp_start_output( );
        spin_unlock_irqrestore(&amp;shortp_out_lock, flags);
    }

out:
    *f_pos += written;
</pre>
A semaphore (<font class="fixd">shortp_out_sem</font>) controls access to the circular buffer; <i>shortp_write
</i>obtains that semaphore just prior to the code fragment above. While holding the semaphore,
it attempts to feed data into the circular buffer. The function <i>shortp_out_space
</i>returns the amount of contiguous space available (so there is no need to worry about<br>
<br>
<A name="283"></a><font color="blue">PAGE 283</font><br>
<br>
buffer wraps); if that amount is 0, the driver waits until some space is freed. It then
copies as much data as it can into the buffer.<br>
<br>
Once there is data to output, <i>shortp_write </i>must ensure that the data is written to the
device. The actual writing is done by way of a <i>workqueue </i>function; <i>shortp_write
</i>must kick that function off if it is not already running. After obtaining a separate
spinlock that controls access to variables used on the consumer side of the output
buffer (including <font class="fixd">shortp_output_active</font>), it calls <i>shortp_start_output </i>if need be. Then
it's just a matter of noting how much data was "written" to the buffer and returning.<br>
<br>
The function that starts the output process looks like the following:<br>
<pre>
static void shortp_start_output(void)
{
    if (shortp_output_active) /* Should never happen */
        return;

    /* Set up our 'missed interrupt' timer */
    shortp_output_active = 1;
    shortp_timer.expires = jiffies + TIMEOUT;
    add_timer(&amp;shortp_timer);

    /*  And get the process going. */
    queue_work(shortp_workqueue, &amp;shortp_work);
}
</pre>
The reality of dealing with hardware is that you can, occasionally, lose an interrupt
from the device. When this happens, you really do not want your driver to stop forevermore
until the system is rebooted; that is not a user-friendly way of doing things.
It is far better to realize that an interrupt has been missed, pickup the pieces, and go
on. To that end, <i>shortprint </i>sets a kernel timer whenever it outputs data to the device.
If the timer expires, we may have missed an interrupt. We look at the timer function
shortly, but, for the moment, let's stick with the main output functionality. That is
implemented in our <i>workqueue </i>function, which, as you can see above, is scheduled
here. The core of that function looks like the following:<br>
<pre>
    spin_lock_irqsave(&amp;shortp_out_lock, flags);

    /* Have we written everything? */
    if (shortp_out_head = = shortp_out_tail) { /* empty */
        shortp_output_active = 0;
        wake_up_interruptible(&amp;shortp_empty_queue);
        del_timer(&amp;shortp_timer);
    }
    /* Nope, write another byte */
    else
        shortp_do_write( );

    /* If somebody's waiting, maybe wake them up. */

if (((PAGE_SIZE + <font class="fixd">shortp_out_tail</font> -shortp_out_head) % PAGE_SIZE) &gt; SP_MIN_SPACE)

    {
</pre>
<A name="284"></a><font color="blue">PAGE 284</font><br>
<pre>
        wake_up_interruptible(&amp;shortp_out_queue);
    }
    spin_unlock_irqrestore(&amp;shortp_out_lock, flags);
</pre>
Since we are dealing with the output side's shared variables, we must obtain the
spinlock. Then we look to see whether there is any more data to send out; if not, we
note that output is no longer active, delete the timer, and wake up anybody who
might have been waiting for the queue to become completely empty (this sort of wait
is done when the device is closed). If, instead, there remains data to write, we call
<i>shortp_do_write</i> to actually send a byte to the hardware.<br>
<br>
Then, since we may have freed space in the output buffer, we consider waking up
any processes waiting to add more data to that buffer. We do not perform that
wakeup unconditionally, however; instead, we wait until a minimum amount of
space is available. There is no point in awakening a writer every time we take one
byte out of the buffer; the cost of awakening the process, scheduling it to run, and
putting it back to sleep is too high for that. Instead, we should wait until that process
is able to move a substantial amount of data into the buffer at once. This technique
is common in buffering, interrupt-driven drivers.<br>
<br>
For completeness, here is the code that actually writes the data to the port:<br>
<pre>
static void shortp_do_write(void)
{
    unsigned char cr = inb(shortp_base + SP_CONTROL);

    /* Something happened; reset the timer */
    mod_timer(&amp;shortp_timer, jiffies + TIMEOUT);

    /* Strobe a byte out to the device */
    outb_p(*shortp_out_tail, shortp_base+SP_DATA);
    shortp_incr_out_bp(&amp;shortp_out_tail, 1);
    if (shortp_delay)
        udelay(shortp_delay);
    outb_p(cr | SP_CR_STROBE, shortp_base+SP_CONTROL);
    if (shortp_delay)
        udelay(shortp_delay);
    outb_p(cr &amp; ~SP_CR_STROBE, shortp_base+SP_CONTROL);
}
</pre>
Here, we reset the timer to reflect the fact that we have made some progress, strobe
the byte out to the device, and update the circular buffer pointer.<br>
<br>
The <i>workqueue </i>function does not resubmit itself directly, so only a single byte will be
written to the device. At some point, the printer will, in its slow way, consume the
byte and become ready for the next one; it will then interrupt the processor. The
interrupt handler used in <i>shortprint</i> is short and simple:<br>
<pre>
static irqreturn_t shortp_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    if (! shortp_output_active)
        return IRQ_NONE;
</pre>
<A name="285"></a><font color="blue">PAGE 285</font><br>
<pre>
    /* Remember the time, and farm off the rest to the workqueue function */
    do_gettimeofday(&amp;shortp_tv);
    queue_work(shortp_workqueue, &amp;shortp_work);
    return IRQ_HANDLED;
}
</pre>
Since the parallel port does not require an explicit interrupt acknowledgment, all the
interrupt handler really needs to do is to tell the kernel to run the <i>workqueue </i>function
again.<br>
<br>
What if the interrupt never comes? The driver code that we have seen thus far would
simply come to a halt. To keep that from happening, we set a timer back a few pages
ago. The function that is executed when that timer expires is:<br>
<pre>
static void shortp_timeout(unsigned long unused)
{
    unsigned long flags;
    unsigned char status;

    if (! shortp_output_active)
        return;
    spin_lock_irqsave(&amp;shortp_out_lock, flags);
    status = inb(shortp_base + SP_STATUS);

    /* If the printer is still busy we just reset the timer */
    if ((status &amp; SP_SR_BUSY) = = 0 || (status &amp; SP_SR_ACK)) {
        shortp_timer.expires = jiffies + TIMEOUT;
        add_timer(&amp;shortp_timer);
        spin_unlock_irqrestore(&amp;shortp_out_lock, flags);
        return;
    }

    /* Otherwise we must have dropped an interrupt. */
    spin_unlock_irqrestore(&amp;shortp_out_lock, flags);
    shortp_interrupt(shortp_irq, NULL, NULL);
}
</pre>
If no output is supposed to be active, the timer function simply returns; this keeps
the timer from resubmitting itself when things are being shut down. Then, after taking
the lock, we query the status of the port; if it claims to be busy, it simply hasn't
gotten around to interrupting us yet, so we reset the timer and return. Printers can, at
times, take a very long time to make themselves ready; consider the printer that runs
out of paper while everybody is gone over a long weekend. In such situations, there
is nothing to do other than to wait patiently until something changes.<br>
<br>
If, however, the printer claims to be ready, we must have missed its interrupt. In that
case, we simply invoke our interrupt handler manually to get the output process
moving again.<br>
<br>
The <i>shortprint </i>driver does not support reading from the port; instead, it behaves like
<i>shortint </i>and returns interrupt timing information. The implementation of an interrupt-driven
<i>read </i>method would be very similar to what we have seen, however. Data<br>
<br>
<A name="286"></a><font color="blue">PAGE 286</font><br>
<br>
from the device would be read into a driver buffer; it would be copied out to user
space only when a significant amount of data has accumulated in the buffer, the full
<i>read</i> request has been satisfied, or some sort of timeout occurs.<br>
<br>
<a name="QuickReference10"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
These symbols related to interrupt management were introduced in this chapter:<br>
<br>
<font class="fixd">#include &lt;linux/interrupt.h&gt;<br>
int request_irq(unsigned int irq, irqreturn_t (*handler)( ), unsigned long flags, const char *dev_name, void *dev_id);<br>
void free_irq(unsigned int irq, void *dev_id);</font><br>
<br>
Calls that register and unregister an interrupt handler.<br>
<br>
<font class="fixd">#include &lt;linux/irq.h.h&gt;<br>
int can_request_irq(unsigned int irq, unsigned long flags);</font><br>
<br>
This function, available on the i386 and x86_64 architectures, returns a nonzero
value if an attempt to allocate the given interrupt line succeeds.<br>
<br>
<font class="fixd">#include &lt;asm/signal.h&gt;<br>
SA_INTERRUPT<br>
SA_SHIRQ<br>
SA_SAMPLE_RANDOM</font><br>
<br>
Flags for <i>request_irq</i>. <font class="fixd">SA_INTERRUPT</font> requests installation of a fast handler (as
opposed to a slow one). <font class="fixd">SA_SHIRQ</font> installs a shared handler, and the third flag
asserts that interrupt timestamps can be used to generate system entropy.<br>
<br>
<font class="fixd">/proc/interrupts<br>
/proc/stat</font><br>
<br>
Filesystem nodes that report information about hardware interrupts and
installed handlers.<br>
<br>
<font class="fixd">unsigned long probe_irq_on(void);<br>
int probe_irq_off(unsigned long);</font><br>
<br>
Functions used by the driver when it has to probe to determine which interrupt
line is being used by a device. The result of <i>probe_irq_on </i>must be passed back to
<i>probe_irq_off </i>after the interrupt has been generated. The return value of <i>probe_
irq_off</i> is the detected interrupt number.<br>
<br>
<font class="fixd">IRQ_NONE<br>
IRQ_HANDLED<br>
IRQ_RETVAL(int x)</font><br>
<br>
The possible return values from an interrupt handler, indicating whether an
actual interrupt from the device was present.<br>
<br>
<A name="287"></a><font color="blue">PAGE 287</font><br>
<br>
<font class="fixd">void disable_irq(int irq);<br>
void disable_irq_nosync(int irq);<br>
void enable_irq(int irq);</font><br>
<br>
A driver can enable and disable interrupt reporting. If the hardware tries to generate
an interrupt while interrupts are disabled, the interrupt is lost forever. A
driver using a shared handler must not use these functions.<br>
<br>
<font class="fixd">void local_irq_save(unsigned long flags);<br>
void local_irq_restore(unsigned long flags);</font><br>
<br>
Use <i>local_irq_save </i>to disable interrupts on the local processor and remember
their previous state. The <font class="fixd">flags</font> can be passed to <i>local_irq_restore </i>to restore the
previous interrupt state.<br>
<br>
<font class="fixd">void local_irq_disable(void);<br>
void local_irq_enable(void);</font><br>
<br>
Functions that unconditionally disable and enable interrupts on the current
processor.<br>
<br>
<A name="288"></a><font color="blue">PAGE 288</font><br>
<br>
<a name="CHAPTER11"></a><font color="red"><b>CHAPTER 11</b></font><br>
<br>
<a name="DataTypesInThebrKernel"></a><font color="#7519FF" size="+1"><b>Data Types in the Kernel</b></font><br>
<br>
Before we go on to more advanced topics, we need to stop for a quick note on portability
issues. Modern versions of the Linux kernel are highly portable, running on
numerous different architectures. Given the multiplatform nature of Linux, drivers
intended for serious use should be portable as well.<br>
<br>
But a core issue with kernel code is being able both to access data items of known
length (for example, filesystem data structures or registers on device boards) and to
exploit the capabilities of different processors (32-bit and 64-bit architectures, and
possibly 16 bit as well).<br>
<br>
Several of the problems encountered by kernel developers while porting x86 code to
new architectures have been related to incorrect data typing. Adherence to strict data
typing and compiling with the <i>-Wall -Wstrict-prototypes</i> flags can prevent most bugs.<br>
<br>
Data types used by kernel data are divided into three main classes: standard C types
such as int, explicitly sized types such as <font class="fixd">u32,</font> and types used for specific kernel
objects, such as <font class="fixd">pid_t</font>. We are going to see when and how each of the three typing
classes should be used. The final sections of the chapter talk about some other typical
problems you might run into when porting driver code from the x86 to other
platforms, and introduce the generalized support for linked lists exported by recent
kernel headers.<br>
<br>
If you follow the guidelines we provide, your driver should compile and run even on
platforms on which you are unable to test it.<br>
<br>
<a name="UseOfStandardCTypes"></a><font color="red"><b>Use of Standard C Types</b></font><br>
<br>
Although most programmers are accustomed to freely using standard types like <font class="fixd">int</font>
and <font class="fixd">long,</font> writing device drivers requires some care to avoid typing conflicts and
obscure bugs.<br>
<br>
The problem is that you can't use the standard types when you need "a 2-byte filler"
or "something representing a 4-byte string," because the normal C data types are not<br>
<br>
<A name="289"></a><font color="blue">PAGE 289</font><br>
<br>
the same size on all architectures. To show the data size of the various C types, the
<i>datasize </i>program has been included in the sample files provided on O'Reilly's FTP
site in the directory <i>misc-progs</i>. This is a sample run of the program on an i386 system
(the last four types shown are introduced in the next section):<br>
<pre>
morgana% misc-progs/datasize
arch   Size:  char  short  int  long   ptr long-long  u8 u16 u32 u64
i686            1     2     4     4     4     8        1   2   4   8
</pre>
The program can be used to show that <font class="fixd">long</font> integers and pointers feature a different
size on 64-bit platforms, as demonstrated by running the program on different Linux
computers:<br>
<pre>
arch   Size:  char  short  int  long   ptr long-long  u8 u16 u32 u64
i386            1     2     4     4     4     8        1   2   4   8
alpha           1     2     4     8     8     8        1   2   4   8
armv4l          1     2     4     4     4     8        1   2   4   8
ia64            1     2     4     8     8     8        1   2   4   8
m68k            1     2     4     4     4     8        1   2   4   8
mips            1     2     4     4     4     8        1   2   4   8
ppc             1     2     4     4     4     8        1   2   4   8
sparc           1     2     4     4     4     8        1   2   4   8
sparc64         1     2     4     4     4     8        1   2   4   8
x86_64          1     2     4     8     8     8        1   2   4   8
</pre>
It's interesting to note that the SPARC 64 architecture runs with a 32-bit user space,
so pointers are 32 bits wide there, even though they are 64 bits wide in kernel space.
This can be verified by loading the <i>kdatasize </i>module (available in the directory <i>miscmodules
</i>within the sample files). The module reports size information at load time
using <i>printk</i> and returns an error (so there's no need to unload it):<br>
<pre>
kernel: arch   Size:  char short int long  ptr long-long u8 u16 u32 u64
kernel: sparc64         1    2    4    8    8     8       1   2   4   8
</pre>
Although you must be careful when mixing different data types, sometimes there are
good reasons to do so. One such situation is for memory addresses, which are special
as far as the kernel is concerned. Although, conceptually, addresses are pointers,
memory administration is often better accomplished by using an unsigned integer
type; the kernel treats physical memory like a huge array, and a memory address is
just an index into the array. Furthermore, a pointer is easily dereferenced; when dealing
directly with memory addresses, you almost never want to dereference them in
this manner. Using an integer type prevents this dereferencing, thus avoiding bugs.
Therefore, generic memory addresses in the kernel are usually <font class="fixd">unsigned long</font>, exploiting
the fact that pointers and long integers are always the same size, at least on all the
platforms currently supported by Linux.<br>
<br>
For what it's worth, the C99 standard defines the <font class="fixd">intptr_t</font> and <font class="fixd">uintptr_t</font> types for
an integer variable that can hold a pointer value. These types are almost unused in
the 2.6 kernel, however.<br>
<br>
<A name="290"></a><font color="blue">PAGE 290</font><br>
<br>
<a name="AssigningAnExplicitSizeToDataItems"></a><font color="red"><b>Assigning an Explicit Size to Data Items</b></font><br>
<br>
Sometimes kernel code requires data items of a specific size, perhaps to match predefined
binary structures,* to communicate with user space, or to align data within
structures by inserting "padding" fields (but refer to the section "Data Alignment"
for information about alignment issues).<br>
<br>
The kernel offers the following data types to use whenever you need to know the size
of your data. All the types are declared in <i>&lt;asm/types.h&gt;</i>, which, in turn, is included
by <i>&lt;linux/types.h&gt;</i>:<br>
<pre>
u8;   /* unsigned byte (8 bits) */
u16;  /* unsigned word (16 bits) */
u32;  /* unsigned 32-bit value */
u64;  /* unsigned 64-bit value */
</pre>
The corresponding signed types exist, but are rarely needed; just replace <font class="fixd">u</font> with <font class="fixd">s</font> in
the name if you need them.<br>
<br>
If a user-space program needs to use these types, it can prefix the names with a double
underscore: <font class="fixd">__u8</font> and the other types are defined independent of <font class="fixd">__KERNEL__</font>. If,
for example, a driver needs to exchange binary structures with a program running in
user space by means of <i>ioctl</i>, the header files should declare 32-bit fields in the structures
as <font class="fixd">__u32.</font><br>
<br>
It's important to remember that these types are Linux specific, and using them hinders
porting software to other Unix flavors. Systems with recent compilers support
the C99-standard types, such as <font class="fixd">uint8_t</font> and <font class="fixd">uint32_t;</font> if portability is a concern,
those types can be used in favor of the Linux-specific variety.<br>
<br>
You might also note that sometimes the kernel uses conventional types, such as
<font class="fixd">unsigned int</font>, for items whose dimension is architecture independent. This is usually
done for backward compatibility. When <font class="fixd">u32</font> and friends were introduced in Version
1.1.67, the developers couldn't change existing data structures to the new types
because the compiler issues a warning when there is a type mismatch between the
structure field and the value being assigned to it.&#134; Linus didn't expect the operating
system (OS) he wrote for his own use to become multiplatform; as a result, old structures
are sometimes loosely typed.<br>
<br>
* This happens when reading partition tables, when executing a binary file, or when decoding a network packet.<br>
<br>
&#134; As a matter of fact, the compiler signals type inconsistencies even if the two types are just different 
names for the same object, such as <font class="fixd">unsigned long</font> and <font class="fixd">u32</font> on the PC.<br>
<br>
<A name="291"></a><font color="blue">PAGE 291</font><br>
<br>
<a name="InterfaceSpecificTypes"></a><font color="red"><b>Interface-Specific Types</b></font><br>
<br>
Some of the commonly used data types in the kernel have their own <font class="fixd">typedef</font> statements,
thus preventing any portability problems. For example, a process identifier
(pid) is usually <font class="fixd">pid_t</font> instead of <font class="fixd">int.</font> Using <font class="fixd">pid_t</font> masks any possible difference in the
actual data typing. We use the expression <i>interface-specific </i>to refer to a type defined
by a library in order to provide an interface to a specific data structure.<br>
<br>
Note that, in recent times, relatively few new interface-specific types have been
defined. Use of the <font class="fixd">typedef</font> statement has gone out of favor among many kernel
developers, who would rather see the real type information used directly in the code,
rather than hidden behind a user-defined type. Many older interface-specific types
remain in the kernel, however, and they will not be going away anytime soon.<br>
<br>
Even when no interface-specific type is defined, it's always important to use the
proper data type in a way consistent with the rest of the kernel. A jiffy count, for
instance, is always <font class="fixd">unsigned long</font>, independent of its actual size, so the <font class="fixd">unsigned long</font>
type should always be used when working with jiffies. In this section we concentrate
on use of <font class="fixd">_t</font> types.<br>
<br>
Many <font class="fixd">_t</font> types are defined in <i>&lt;linux/types.h&gt;</i>, but the list is rarely useful. When you
need a specific type, you'll find it in the prototype of the functions you need to call or
in the data structures you use.<br>
<br>
Whenever your driver uses functions that require such "custom" types and you don't
follow the convention, the compiler issues a warning; if you use the <i>-Wall </i>compiler
flag and are careful to remove all the warnings, you can feel confident that your code
is portable.<br>
<br>
The main problem with <font class="fixd">_t</font> data items is that when you need to print them, it's not
always easy to choose the right <i>printk </i>or <i>printf </i>format, and warnings you resolve on
one architecture reappear on another. For example, how would you print a <font class="fixd">size_t,</font>
that is <font class="fixd">unsigned long</font> on some platforms and <font class="fixd">unsigned int</font> on some others?<br>
<br>
Whenever you need to print some interface-specific data, the best way to do it is by
casting the value to the biggest possible type (usually <font class="fixd">long</font> or <font class="fixd">unsigned long</font>) and then
printing it through the corresponding format. This kind of tweaking won't generate
errors or warnings because the format matches the type, and you won't lose data bits
because the cast is either a null operation or an extension of the item to a bigger data
type.<br>
<br>
In practice, the data items we're talking about aren't usually meant to be printed, so
the issue applies only to debugging messages. Most often, the code needs only to
store and compare the interface-specific types, in addition to passing them as arguments
to library or kernel functions.<br>
<br>
Although <font class="fixd">_t</font> types are the correct solution for most situations, sometimes the right type
doesn't exist. This happens for some old interfaces that haven't yet been cleaned up.<br>
<br>
<A name="292"></a><font color="blue">PAGE 292</font><br>
<br>
The one ambiguous point we've found in the kernel headers is data typing for I/O
functions, which is loosely defined (see the section "Platform Dependencies" in
Chapter 9). The loose typing is mainly there for historical reasons, but it can create
problems when writing code. For example, one can get into trouble by swapping the
arguments to functions like <i>outb</i>; if there were a <font class="fixd">port_t</font> type, the compiler would find
this type of error.<br>
<br>
<a name="OtherPortabilityIssues"></a><font color="red"><b>Other Portability Issues</b></font><br>
<br>
In addition to data typing, there are a few other software issues to keep in mind
when writing a driver if you want it to be portable across Linux platforms.<br>
<br>
A general rule is to be suspicious of explicit constant values. Usually the code has
been parameterized using preprocessor macros. This section lists the most important
portability problems. Whenever you encounter other values that have been
parameterized, you can find hints in the header files and in the device drivers distributed
with the official kernel.<br>
<br>
<a name="TimeIntervals"></a><font color="red"><b>Time Intervals</b></font><br>
<br>
When dealing with time intervals, don't assume that there are 1000 jiffies per second.
Although this is currently true for the i386 architecture, not every Linux platform
runs at this speed. The assumption can be false even for the x86 if you play
with the <font class="fixd">HZ</font> value (as some people do), and nobody knows what will happen in future
kernels. Whenever you calculate time intervals using jiffies</font>, scale your times using <font class="fixd">HZ</font>
(the number of timer interrupts per second). For example, to check against a timeout
of half a second, compare the elapsed time against <font class="fixd">HZ/2.</font> More generally, the
number of <font class="fixd">jiffies</font> corresponding to <font class="fixd">msec</font> milliseconds is always <font class="fixd">msec*HZ/1000.</font><br>
<br>
<a name="PageSize"></a><font color="red"><b>Page Size</b></font><br>
<br>
When playing games with memory, remember that a memory page is <font class="fixd">PAGE_SIZE</font>
bytes, not 4 KB. Assuming that the page size is 4 KB and hard-coding the value is a
common error among PC programmers, instead, supported platforms show page
sizes from 4 KB to 64 KB, and sometimes they differ between different implementations
of the same platform. The relevant macros are <font class="fixd">PAGE_SIZE</font> and <font class="fixd">PAGE_SHIFT</font>. The
latter contains the number of bits to shift an address to get its page number. The
number currently is 12 or greater for pages that are 4 KB and larger. The macros are
defined in <i>&lt;asm/page.h&gt;</i>; user-space programs can use the <i>getpagesize </i>library function
if they ever need the information.<br>
<br>
<A name="293"></a><font color="blue">PAGE 293</font><br>
<br>
Let's look at a nontrivial situation. If a driver needs 16 KB for temporary data, it
shouldn't specify an order of 2 to <i>get_free_pages</i>. You need a portable solution. Such a
solution, fortunately, has been written by the kernel developers and is called <i>get_order</i>:<br>
<pre>
#include &lt;asm/page.h&gt;
int order = get_order(16*1024);
buf = get_free_pages(GFP_KERNEL, order);
</pre>
Remember that the argument to <i>get_order</i> must be a power of two.<br>
<br>
<a name="ByteOrder"></a><font color="red"><b>Byte Order</b></font><br>
<br>
Be careful not to make assumptions about byte ordering. Whereas the PC stores
multibyte values low-byte first (little end first, thus little-endian), some high-level
platforms work the other way (big-endian). Whenever possible, your code should be
written such that it does not care about byte ordering in the data it manipulates.
However, sometimes a driver needs to build an integer number out of single bytes or
do the opposite, or it must communicate with a device that expects a specific order.<br>
<br>
The include file <i>&lt;asm/byteorder.h&gt; </i>defines either <font class="fixd">__BIG_ENDIAN</font> or <font class="fixd">__LITTLE_ENDIAN,</font>
depending on the processor's byte ordering. When dealing with byte ordering issues,
you could code a bunch of <font class="fixd">#ifdef __LITTLE_ENDIAN</font> conditionals, but there is a better
way. The Linux kernel defines a set of macros that handle conversions between
the processor's byte ordering and that of the data you need to store or load in a specific
byte order. For example:<br>
<pre>
u32 cpu_to_le32 (u32);
u32 le32_to_cpu (u32);
</pre>
These two macros convert a value from whatever the CPU uses to an unsigned, littleendian,
32-bit quantity and back. They work whether your CPU is big-endian or little-endian
and, for that matter, whether it is a 32-bit processor or not. They return
their argument unchanged in cases where there is no work to be done. Use of these
macros makes it easy to write portable code without having to use a lot of conditional
compilation constructs.<br>
<br>
There are dozens of similar routines; you can see the full list in <i>&lt;linux/byteorder/
<font class="fixd">big_endian</font>.h&gt; </i>and <i>&lt;linux/byteorder/little_endian.h&gt;</i>. After a while, the pattern is
not hard to follow. <i>be64_to_cpu </i>converts an unsigned, big-endian, 64-bit value to
the internal CPU representation. <i>le16_to_cpus</i>, instead, handles signed, littleendian,
16-bit quantities. When dealing with pointers, you can also use functions
like <i>cpu_to_le32p</i>, which take a pointer to the value to be converted rather than the
value itself. See the include file for the rest.<br>
<br>
<a name="DataAlignment"></a><font color="red"><b>Data Alignment</b></font><br>
<br>
The last problem worth considering when writing portable code is how to access
unaligned data--for example, how to read a 4-byte value stored at an address that<br>
<br>
<A name="294"></a><font color="blue">PAGE 294</font><br>
<br>
isn't a multiple of 4 bytes. i386 users often access unaligned data items, but not all
architectures permit it. Many modern architectures generate an exception every time
the program tries unaligned data transfers; data transfer is handled by the exception
handler, with a great performance penalty. If you need to access unaligned data, you
should use the following macros:<br>
<pre>
#include &lt;asm/unaligned.h&gt;
get_unaligned(ptr);
put_unaligned(val, ptr);
</pre>
These macros are typeless and work for every data item, whether it's one, two, four,
or eight bytes long. They are defined with any kernel version.<br>
<br>
Another issue related to alignment is portability of data structures across platforms.
The same data structure (as defined in the C-language source file) can be compiled
differently on different platforms. The compiler arranges structure fields to be
aligned according to conventions that differ from platform to platform.<br>
<br>
In order to write data structures for data items that can be moved across architectures,
you should always enforce natural alignment of the data items in addition to
standardizing on a specific endianness. <i>Natural alignment </i>means storing data items
at an address that is a multiple of their size (for instance, 8-byte items go in an
address multiple of 8). To enforce natural alignment while preventing the compiler
to arrange the fields in unpredictable ways, you should use filler fields that avoid
leaving holes in the data structure.<br>
<br>
To show how alignment is enforced by the compiler, the <i>dataalign </i>program is distributed
in the <i>misc-progs </i>directory of the sample code, and an equivalent <i>kdataalign
</i>module is part of <i>misc-modules</i>. This is the output of the program on several platforms
and the output of the module on the SPARC64:<br>
<pre>
arch  Align:  char  short  int  long   ptr long-long  u8 u16 u32 u64
i386            1     2     4     4     4     4        1   2   4   4
i686            1     2     4     4     4     4        1   2   4   4
alpha           1     2     4     8     8     8        1   2   4   8
armv4l          1     2     4     4     4     4        1   2   4   4
ia64            1     2     4     8     8     8        1   2   4   8
mips            1     2     4     4     4     8        1   2   4   8
ppc             1     2     4     4     4     8        1   2   4   8
sparc           1     2     4     4     4     8        1   2   4   8
sparc64         1     2     4     4     4     8        1   2   4   8
x86_64          1     2     4     8     8     8        1   2   4   8

kernel: arch  Align: char short int long  ptr long-long u8 u16 u32 u64
kernel: sparc64        1    2    4    8    8     8       1   2   4   8
</pre>
It's interesting to note that not all platforms align 64-bit values on 64-bit boundaries,
so you need filler fields to enforce alignment and ensure portability.<br>
<br>
Finally, be aware that the compiler may quietly insert padding into structures itself to
ensure that every field is aligned for good performance on the target processor. If you<br>
<br>
<A name="295"></a><font color="blue">PAGE 295</font><br>
<br>
are defining a structure that is intended to match a structure expected by a device,
this automatic padding may thwart your attempt. The way around this problem is to
tell the compiler that the structure must be "packed," with no fillers added. For
example, the kernel header file <i>&lt;linux/edd.h&gt; </i>defines several data structures used in
interfacing with the x86 BIOS, and it includes the following definition:<br>
<pre>
struct {
        u16 id;
        u64 lun;
        u16 reserved1;
        u32 reserved2;
} __attribute__ ((packed)) scsi;
</pre>
Without the <font class="fixd">__attribute__ ((packed)),</font> the <font class="fixd">lun</font> field would be preceded by two filler
bytes or six if we compile the structure on a 64-bit platform.<br>
<br>
<a name="PointersAndErrorValues"></a><font color="red"><b>Pointers and Error Values</b></font><br>
<br>
Many internal kernel functions return a pointer value to the caller. Many of those
functions can also fail. In most cases, failure is indicated by returning a <font class="fixd">NULL</font> pointer
value. This technique works, but it is unable to communicate the exact nature of the
problem. Some interfaces really need to return an actual error code so that the caller
can make the right decision based on what actually went wrong.<br>
<br>
A number of kernel interfaces return this information by encoding the error code in a
pointer value. Such functions must be used with care, since their return value cannot
simply be compared against <font class="fixd">NULL</font>. To help in the creation and use of this sort of interface,
a small set of functions has been made available (in <i>&lt;linux/err.h&gt;</i>).<br>
<br>
A function returning a pointer type can return an error value with:<br>
<pre>
void *ERR_PTR(long error);
</pre>
where <font class="fixd">error</font> is the usual negative error code. The caller can use <i><font class="fixd">IS_ERR</font> </i>to test
whether a returned pointer is an error code or not:<br>
<pre>
long IS_ERR(const void *ptr);
</pre>
If you need the actual error code, it can be extracted with:<br>
<pre>
long PTR_ERR(const void *ptr);
</pre>
You should use <i><font class="fixd">PTR_ERR</font> </i>only on a value for which <i><font class="fixd">IS_ERR</font> </i>returns a true value;
any other value is a valid pointer.<br>
<br>
<a name="LinkedLists"></a><font color="red"><b>Linked Lists</b></font><br>
<br>
Operating system kernels, like many other programs, often need to maintain lists of
data structures. The Linux kernel has, at times, been host to several linked list implementations
at the same time. To reduce the amount of duplicated code, the kernel<br>
<br>
<A name="296"></a><font color="blue">PAGE 296</font><br>
<br>
developers have created a standard implementation of circular, doubly linked lists;
others needing to manipulate lists are encouraged to use this facility.<br>
<br>
When working with the linked list interface, you should always bear in mind that the
list functions perform no locking. If there is a possibility that your driver could
attempt to perform concurrent operations on the same list, it is your responsibility to
implement a locking scheme. The alternatives (corrupted list structures, data loss,
kernel panics) tend to be difficult to diagnose.<br>
<br>
To use the list mechanism, your driver must include the file <i>&lt;linux/list.h&gt;</i>. This file
defines a simple structure of type list_head:<br>
<pre>
struct list_head {
    struct list_head *next, *prev;
};
</pre>
Linked lists used in real code are almost invariably made up of some type of structure,
each one describing one entry in the list. To use the Linux list facility in your
code, you need only embed a <font class="fixd">list_head</font> inside the structures that make up the list. If
your driver maintains a list of things to do, say, its declaration would look something
like this:<br>
<pre>
struct todo_struct {
    struct list_head list;
    int priority; /* driver specific */
    /* ... add other driver-specific fields */
};
</pre>
The head of the list is usually a stand alone <font class="fixd">list_head</font> structure. Figure 11-1 shows
how the simple struct <font class="fixd">list_head</font> is used to maintain a list of data structures.<br>
<br><br>
<center>
<img src="fig11-1.gif">
</center>
<br>
<i>Figure 11-1. The <font class="fixd">list_head</font> data structure</i><br>
<br>
<A name="297"></a><font color="blue">PAGE 297</font><br>
<br>
List heads must be initialized prior to use with the <font class="fixd">INIT_LIST_HEAD</font> macro. A "things
to do" list head could be declared and initialized with:<br>
<pre>
struct <font class="fixd">list_head</font> todo_list;

INIT_LIST_HEAD(&amp;todo_list);
</pre>
Alternatively, lists can be initialized at compile time:<br>
<pre>
LIST_HEAD(todo_list);
</pre>
Several functions are defined in <i>&lt;linux/list.h&gt;</i> that work with lists:<br>
<br>
<font class="fixd">list_add(struct list_head *new, struct list_head *head);</font><br>
<div class="bq">
Adds the <font class="fixd">new</font> entry immediately after the list head--normally at the beginning of
the list. Therefore, it can be used to build stacks. Note, however, that the head
need not be the nominal head of the list; if you pass a <font class="fixd">list_head</font> structure that
happens to be in the middle of the list somewhere, the new entry goes immediately
after it. Since Linux lists are circular, the head of the list is not generally different
from any other entry.</div>
<br>
<font class="fixd">list_add_tail(struct list_head *new, struct list_head *head);</font><br>
<div class="bq">
Adds a new entry just before the given list head--at the end of the list, in other
words. <i>list_add_tail</i> can, thus, be used to build first-in first-out queues.</div>
<br>
<font class="fixd">list_del(struct list_head *entry);<br>
list_del_init(struct list_head *entry);</font><br>
<div class="bq">
The given entry is removed from the list. If the entry might ever be reinserted
into another list, you should use <i>list_del_init</i>, which reinitializes the linked list
pointers.</div>
<br>
<font class="fixd">list_move(struct list_head *entry, struct list_head *head);<br>
list_move_tail(struct list_head *entry, struct list_head *head);</font><br>
<div class="bq">
The given entry is removed from its current list and added to the beginning of
<font class="fixd">head.</font> To put the entry at the end of the new list, use <i>list_move_tail</i> instead.</div>
<br>
<font class="fixd">list_empty(struct list_head *head);</font><br>
<div class="bq">
Returns a nonzero value if the given list is empty.</div>
<br>
<font class="fixd">list_splice(struct list_head *list, struct list_head *head);</font><br>
<div class="bq">
Joins two lists by inserting list immediately after <font class="fixd">head.</font></div>
<br>
The <font class="fixd">list_head</font> structures are good for implementing a list of like structures, but the
invoking program is usually more interested in the larger structures that make up the
list as a whole. A macro, <i>list_entry</i>, is provided that maps a <font class="fixd">list_head</font> structure
pointer back into a pointer to the structure that contains it. It is invoked as follows:<br>
<pre>
list_entry(struct list_head *ptr, type_of_struct, field_name);
</pre>
where <font class="fixd">ptr</font> is a pointer to the struct <font class="fixd">list_head</font> being used, <font class="fixd">type_of_struct</font> is the type
of the structure containing the <font class="fixd">ptr</font>, and <font class="fixd">field_name</font> is the name of the list field within<br>
<br>
<A name="298"></a><font color="blue">PAGE 298</font><br>
<br>
the structure. In our <font class="fixd">todo_struct</font> structure from before, the list field is called simply
<font class="fixd">list.</font> Thus, we would turn a list entry into its containing structure with a line such as:<br>
<pre>
struct todo_struct *todo_ptr =
    list_entry(listptr, struct todo_struct, list);
</pre>
The <i>list_entry</i> macro takes a little getting used to but is not that hard to use.<br>
<br>
The traversal of linked lists is easy: one need only follow the <font class="fixd">prev</font> and <font class="fixd">next</font> pointers.
As an example, suppose we want to keep the list of <font class="fixd">todo_struct</font> items sorted in
descending priority order. A function to add a new entry would look something like
this:<br>
<pre>
void todo_add_entry(struct todo_struct *new)
{
    struct list_head *ptr;
    struct todo_struct *entry;

    for (ptr = todo_list.next; ptr != &amp;todo_list; ptr = ptr-&gt;next) {
        entry = list_entry(ptr, struct todo_struct, list);
        if (entry-&gt;priority &lt; new-&gt;priority) {
            list_add_tail(&amp;new-&gt;list, ptr);
            return;
        }
    }
    list_add_tail(&amp;new-&gt;list, &amp;todo_struct)
}
</pre>
However, as a general rule, it is better to use one of a set of predefined macros for
creating loops that iterate through lists. The previous loop, for example, could be
coded as:<br>
<pre>
void todo_add_entry(struct todo_struct *new)
{
    struct list_head *ptr;
    struct todo_struct *entry;

    list_for_each(ptr, &amp;todo_list) {
        entry = list_entry(ptr, struct todo_struct, list);
        if (entry-&gt;priority &lt; new-&gt;priority) {
            list_add_tail(&amp;new-&gt;list, ptr);
            return;
        }
    }
    list_add_tail(&amp;new-&gt;list, &amp;todo_struct)
}
</pre>
<A name="299"></a><font color="blue">PAGE 299</font><br>
<br>
Using the provided macros helps avoid simple programming errors; the developers of
these macros have also put some effort into ensuring that they perform well. A few
variants exist:<br>
<br>
<font class="fixd">list_for_each(struct list_head *cursor, struct list_head *list)</font><br>
<div class="bq">
This macro creates a for loop that executes once with <font class="fixd">cursor</font> pointing at each
successive entry in the list. Be careful about changing the list while iterating
through it.</div>
<br>
<font class="fixd">list_for_each_prev(struct list_head *cursor, struct list_head *list)</font><br>
<div class="bq">
This version iterates backward through the list.</div>
<br>
<font class="fixd">list_for_each_safe(struct list_head *cursor, struct list_head *next, struct list_head *list)</font><br>
<div class="bq">
If your loop may delete entries in the list, use this version. It simply stores the
next entry in the list in <font class="fixd">next</font> at the beginning of the loop, so it does not get confused
if the entry pointed to by <font class="fixd">cursor</font> is deleted.</div>
<br>
<font class="fixd">list_for_each_entry(type *cursor, struct list_head *list, member)<br>
list_for_each_entry_safe(type *cursor, type *next, struct list_head *list, member)</font><br>
<div class="bq">
These macros ease the process of dealing with a list containing a given <font class="fixd">type</font> of
structure. Here, <font class="fixd">cursor</font> is a pointer to the containing structure type, and <font class="fixd">member</font>
is the name of the <font class="fixd">list_head</font> structure within the containing structure. With
these macros, there is no need to put <font class="fixd">list_entry</font> calls inside the loop.</div>
<br>
If you look inside <i>&lt;linux/list.h&gt;</i>, you see some additional declarations. The <font class="fixd">hlist</font>
type is a doubly linked list with a separate, single-pointer list head type; it is often
used for creation of hash tables and similar structures. There are also macros for iterating
through both types of lists that are intended to work with the read-copy-update
mechanism (described in the section "Read-Copy-Update" in Chapter 5). These
primitives are unlikely to be useful in device drivers; see the header file if you would
like more information on how they work.<br>
<br>
<a name="QuickReference11"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
The following symbols were introduced in this chapter:<br>
<br>
<font class="fixd">#include &lt;linux/types.h&gt;<br>
typedef u8;<br>
typedef u16;<br>
typedef u32;<br>
typedef u64;</font><br>
<div class="bq">
Types guaranteed to be 8-, 16-, 32-, and 64-bit unsigned integer values. The
equivalent signed types exist as well. In user space, you can refer to the types
as <font class="fixd">__u8, __u16,</font> and so forth.</div>
<br>
<A name="300"></a><font color="blue">PAGE 300</font><br>
<br>
<font class="fixd">#include &lt;asm/page.h&gt;<br>
PAGE_SIZE<br>
PAGE_SHIFT</font><br>
<div class="bq">
Symbols that define the number of bytes per page for the current architecture
and the number of bits in the page offset (12 for 4-KB pages and 13 for 8-KB
pages).</div>
<br>
<font class="fixd">#include &lt;asm/byteorder.h&gt;<br>
__LITTLE_ENDIAN<br>
__BIG_ENDIAN</font><br>
<div class="bq">
Only one of the two symbols is defined, depending on the architecture.</div>
<br>
<font class="fixd">#include &lt;asm/byteorder.h&gt;<br>
u32 __cpu_to_le32 (u32);<br>
u32 __le32_to_cpu (u32);</font><br>
<div class="bq">
Functions that convert between known byte orders and that of the processor.
There are more than 60 such functions; see the various files in <i>include/linux/
byteorder/</i> for a full list and the ways in which they are defined.</div>
<br>
<font class="fixd">#include &lt;asm/unaligned.h&gt;<br>
get_unaligned(ptr);<br>
put_unaligned(val, ptr);</font><br>
<div class="bq">
Some architectures need to protect unaligned data access using these macros.
The macros expand to normal pointer dereferencing for architectures that permit
you to access unaligned data.</div>
<br>
<font class="fixd">#include &lt;linux/err.h&gt;<br>
void *ERR_PTR(long error);<br>
long PTR_ERR(const void *ptr);<br>
long IS_ERR(const void *ptr);</font><br>
<div class="bq">
Functions allow error codes to be returned by functions that return a pointer
value.</div>
<br>
<font class="fixd">#include &lt;linux/list.h&gt;<br>
list_add(struct list_head *new, struct list_head *head);<br>
list_add_tail(struct list_head *new, struct list_head *head);<br>
list_del(struct list_head *entry);<br>
list_del_init(struct list_head *entry);<br>
list_empty(struct list_head *head);<br>
list_entry(entry, type, member);<br>
list_move(struct list_head *entry, struct list_head *head);<br>
list_move_tail(struct list_head *entry, struct list_head *head);<br>
list_splice(struct list_head *list, struct list_head *head);</font><br>
<div class="bq">
Functions that manipulate circular, doubly linked lists.</div>
<br>
<A name="301"></a><font color="blue">PAGE 301</font><br>
<br>
<font class="fixd">list_for_each(struct list_head *cursor, struct list_head *list)<br>
list_for_each_prev(struct list_head *cursor, struct list_head *list)<br>
list_for_each_safe(struct list_head *cursor, struct list_head *next, struct list_head *list)<br>
list_for_each_entry(type *cursor, struct list_head *list, member)<br>
list_for_each_entry_safe(type *cursor, type *next struct list_head *list, member)</font><br>
<div class="bq">
Convenience macros for iterating through linked lists.</div>
<br>
<A name="302"></a><font color="blue">PAGE 302</font><br>
<br>
<a name="CHAPTER12"></a><font color="red"><b>CHAPTER 12</b></font><br>
<br>
<a name="PCIDrivers"></a><font color="#7519FF" size="+1"><b>PCI Drivers</b></font><br>
<br>
While Chapter 9 introduced the lowest levels of hardware control, this chapter provides
an overview of the higher-level bus architectures. A bus is made up of both an
electrical interface and a programming interface. In this chapter, we deal with the
programming interface.<br>
<br>
This chapter covers a number of bus architectures. However, the primary focus is on
the kernel functions that access Peripheral Component Interconnect (PCI) peripherals,
because these days the PCI bus is the most commonly used peripheral bus on
desktops and bigger computers. The bus is the one that is best supported by the kernel.
ISA is still common for electronic hobbyists and is described later, although it is
pretty much a bare-metal kind of bus, and there isn't much to say in addition to
what is covered in Chapters 9 and 10.<br>
<br>
<a name="ThePCIInterface"></a><font color="red"><b>The PCI Interface</b></font><br>
<br>
Although many computer users think of PCI as a way of laying out electrical wires, it
is actually a complete set of specifications defining how different parts of a computer
should interact.<br>
<br>
The PCI specification covers most issues related to computer interfaces. We are not
going to cover it all here; in this section, we are mainly concerned with how a PCI
driver can find its hardware and gain access to it. The probing techniques discussed
in the sections "Module Parameters" in Chapter 2 and "Auto-Detecting the IRQ
Number" in Chapter 10 can be used with PCI devices, but the specification offers an
alternative that is preferable to probing.<br>
<br>
The PCI architecture was designed as a replacement for the ISA standard, with three
main goals: to get better performance when transferring data between the computer
and its peripherals, to be as platform independent as possible, and to simplify adding
and removing peripherals to the system.<br>
<br>
<A name="303"></a><font color="blue">PAGE 303</font><br>
<br>
The PCI bus achieves better performance by using a higher clock rate than ISA; its
clock runs at 25 or 33 MHz (its actual rate being a factor of the system clock), and
66-MHz and even 133-MHz implementations have recently been deployed as well.
Moreover, it is equipped with a 32-bit data bus, and a 64-bit extension has been
included in the specification. Platform independence is often a goal in the design of a
computer bus, and it's an especially important feature of PCI, because the PC world
has always been dominated by processor-specific interface standards. PCI is currently
used extensively on IA-32, Alpha, PowerPC, SPARC64, and IA-64 systems,
and some other platforms as well.<br>
<br>
What is most relevant to the driver writer, however, is PCI's support for auto-detection
of interface boards. PCI devices are jumperless (unlike most older peripherals)
and are automatically configured at boot time. Then, the device driver must be able
to access configuration information in the device in order to complete initialization.
This happens without the need to perform any probing.<br>
<br>
<a name="PCIAddressing"></a><font color="red"><b>PCI Addressing</b></font><br>
<br>
Each PCI peripheral is identified by a <i>bus </i>number, a <i>device </i>number, and a <i>function
</i>number. The PCI specification permits a single system to host up to 256 buses, but
because 256 buses are not sufficient for many large systems, Linux now supports PCI
<i>domains</i>. Each PCI domain can host up to 256 buses. Each bus hosts up to 32
devices, and each device can be a multifunction board (such as an audio device with
an accompanying CD-ROM drive) with a maximum of eight functions. Therefore,
each function can be identified at hardware level by a 16-bit address, or key. Device
drivers written for Linux, though, don't need to deal with those binary addresses,
because they use a specific data structure, called <font class="fixd">pci_dev,</font> to act on the devices.<br>
<br>
Most recent workstations feature at least two PCI buses. Plugging more than one bus
in a single system is accomplished by means of <i>bridges</i>, special-purpose PCI peripherals
whose task is joining two buses. The overall layout of a PCI system is a tree where
each bus is connected to an upper-layer bus, up to bus 0 at the root of the tree. The
CardBus PC-card system is also connected to the PCI system via bridges. A typical
PCI system is represented in Figure 12-1, where the various bridges are highlighted.<br>
<br>
The 16-bit hardware addresses associated with PCI peripherals, although mostly hidden
in the <font class="fixd">struct pci_dev</font> object, are still visible occasionally, especially when lists of
devices are being used. One such situation is the output of <i>lspci </i>(part of the <i>pciutils
</i>package, available with most distributions) and the layout of information in <i>/proc/pci
</i>and <i>/proc/bus/pci</i>. The sysfs representation of PCI devices also shows this addressing
scheme, with the addition of the PCI domain information.* When the hardware
address is displayed, it can be shown as two values (an 8-bit bus number and an 8-bit<br>
<br>
* Some architectures also display the PCI domain information in the <i>/proc/pci</i> and <i>/proc/bus/pci</i> files.<br>
<br>
<A name="304"></a><font color="blue">PAGE 304</font><br>
<br>
<center>
<img src="fig12-1.gif">
</center>
<br>
<i>Figure 12-1. Layout of a typical PCI system</i><br>
<br>
device and function number), as three values (bus, device, and function), or as four
values (domain, bus, device, and function); all the values are usually displayed in
hexadecimal.<br>
<br>
For example, <i>/proc/bus/pci/devices </i>uses a single 16-bit field (to ease parsing and sorting),
while <i>/proc/bus/busnumber </i>splits the address into three fields. The following
shows how those addresses appear, showing only the beginning of the output lines:<br>
<pre>
$ <b>lspci | cut -d: -f1-3
</b>0000:00:00.0 Host bridge
0000:00:00.1 RAM memory
0000:00:00.2 RAM memory
0000:00:02.0 USB Controller
0000:00:04.0 Multimedia audio controller
0000:00:06.0 Bridge
0000:00:07.0 ISA bridge
0000:00:09.0 USB Controller
0000:00:09.1 USB Controller
0000:00:09.2 USB Controller
0000:00:0c.0 CardBus bridge
0000:00:0f.0 IDE interface
0000:00:10.0 Ethernet controller
0000:00:12.0 Network controller
0000:00:13.0 FireWire (IEEE 1394)
0000:00:14.0 VGA compatible controller
$ <b>cat /proc/bus/pci/devices | cut -f1
</b>0000
0001
0002
0010
0020
0030
</pre>
<A name="305"></a><font color="blue">PAGE 305</font><br>
<pre>
0038
0048
0049
004a
0060
0078
0080
0090
0098
00a0
$ <b>tree /sys/bus/pci/devices/
</b>/sys/bus/pci/devices/
|-- 0000:00:00.0 -&gt; ../../../devices/pci0000:00/0000:00:00.0
|-- 0000:00:00.1 -&gt; ../../../devices/pci0000:00/0000:00:00.1
|-- 0000:00:00.2 -&gt; ../../../devices/pci0000:00/0000:00:00.2
|-- 0000:00:02.0 -&gt; ../../../devices/pci0000:00/0000:00:02.0
|-- 0000:00:04.0 -&gt; ../../../devices/pci0000:00/0000:00:04.0
|-- 0000:00:06.0 -&gt; ../../../devices/pci0000:00/0000:00:06.0
|-- 0000:00:07.0 -&gt; ../../../devices/pci0000:00/0000:00:07.0
|-- 0000:00:09.0 -&gt; ../../../devices/pci0000:00/0000:00:09.0
|-- 0000:00:09.1 -&gt; ../../../devices/pci0000:00/0000:00:09.1
|-- 0000:00:09.2 -&gt; ../../../devices/pci0000:00/0000:00:09.2
|-- 0000:00:0c.0 -&gt; ../../../devices/pci0000:00/0000:00:0c.0
|-- 0000:00:0f.0 -&gt; ../../../devices/pci0000:00/0000:00:0f.0
|-- 0000:00:10.0 -&gt; ../../../devices/pci0000:00/0000:00:10.0
|-- 0000:00:12.0 -&gt; ../../../devices/pci0000:00/0000:00:12.0
|-- 0000:00:13.0 -&gt; ../../../devices/pci0000:00/0000:00:13.0
`-- 0000:00:14.0 -&gt; ../../../devices/pci0000:00/0000:00:14.0
</pre>
All three lists of devices are sorted in the same order, since <i>lspci </i>uses the <i>/proc </i>files as
its source of information. Taking the VGA video controller as an example, <font class="fixd">0x00a0</font>
means <font class="fixd">0000:00:14.0</font> when split into domain (16 bits), bus (8 bits), device (5 bits) and
function (3 bits).<br>
<br>
The hardware circuitry of each peripheral board answers queries pertaining to three
address spaces: memory locations, I/O ports, and configuration registers. The first
two address spaces are shared by all the devices on the same PCI bus (i.e., when you
access a memory location, all the devices on that PCI bus see the bus cycle at the
same time). The configuration space, on the other hand, exploits <i>geographical
addressing</i>. Configuration queries address only one slot at a time, so they never collide.<br>
<br>
As far as the driver is concerned, memory and I/O regions are accessed in the usual
ways via <i>inb</i>, <i>readb</i>, and so forth. Configuration transactions, on the other hand, are
performed by calling specific kernel functions to access configuration registers. With
regard to interrupts, every PCI slot has four interrupt pins, and each device function
can use one of them without being concerned about how those pins are routed to the
CPU. Such routing is the responsibility of the computer platform and is implemented
outside of the PCI bus. Since the PCI specification requires interrupt lines to
be shareable, even a processor with a limited number of IRQ lines, such as the x86,
can host many PCI interface boards (each with four interrupt pins).<br>
<br>
<A name="306"></a><font color="blue">PAGE 306</font><br>
<br>
The I/O space in a PCI bus uses a 32-bit address bus (leading to 4 GB of I/O ports),
while the memory space can be accessed with either 32-bit or 64-bit addresses. 64-bit
addresses are available on more recent platforms. Addresses are supposed to be
unique to one device, but software may erroneously configure two devices to the
same address, making it impossible to access either one. But this problem never
occurs unless a driver is willingly playing with registers it shouldn't touch. The good
news is that every memory and I/O address region offered by the interface board can
be remapped by means of configuration transactions. That is, the firmware initializes
PCI hardware at system boot, mapping each region to a different address to
avoid collisions.* The addresses to which these regions are currently mapped can be
read from the configuration space, so the Linux driver can access its devices without
probing. After reading the configuration registers, the driver can safely access its
hardware.<br>
<br>
The PCI configuration space consists of 256 bytes for each device function (except
for PCI Express devices, which have 4 KB of configuration space for each function),
and the layout of the configuration registers is standardized. Four bytes of the configuration
space hold a unique function ID, so the driver can identify its device by looking
for the specific ID for that peripheral.&#134; In summary, each device board is
geographically addressed to retrieve its configuration registers; the information in
those registers can then be used to perform normal I/O access, without the need for
further geographic addressing.<br>
<br>
It should be clear from this description that the main innovation of the PCI interface
standard over ISA is the configuration address space. Therefore, in addition to the
usual driver code, a PCI driver needs the ability to access the configuration space, in
order to save itself from risky probing tasks.<br>
<br>
For the remainder of this chapter, we use the word <i>device </i>to refer to a device function,
because each function in a multifunction board acts as an independent entity.
When we refer to a device, we mean the tuple "domain number, bus number, device
number, and function number."<br>
<br>
<a name="BootTime"></a><font color="red"><b>Boot Time</b></font><br>
<br>
To see how PCI works, we start from system boot, since that's when the devices are
configured.<br>
<br>
* Actually, that configuration is not restricted to the time the system boots; hotpluggable devices, for example,
cannot be available at boot time and appear later instead. The main point here is that the device driver must
not change the address of I/O or memory regions.<br>
<br>
&#134; You'll find the ID of any device in its own hardware manual. A list is included in the file <i>pci.ids</i>, part 
of the<i>pciutils </i>package and the kernel sources; it doesn't pretend to be complete but just lists the most renowned
vendors and devices. The kernel version of this file will not be included in future kernel series.<br>
<br>
<A name="307"></a><font color="blue">PAGE 307</font><br>
<br>
When power is applied to a PCI device, the hardware remains inactive. In other
words, the device responds only to configuration transactions. At power on, the
device has no memory and no I/O ports mapped in the computer's address space;
every other device-specific feature, such as interrupt reporting, is disabled as well.<br>
<br>
Fortunately, every PCI motherboard is equipped with PCI-aware firmware, called the
BIOS, NVRAM, or PROM, depending on the platform. The firmware offers access to
the device configuration address space by reading and writing registers in the PCI
controller.<br>
<br>
At system boot, the firmware (or the Linux kernel, if so configured) performs configuration
transactions with every PCI peripheral in order to allocate a safe place for
each address region it offers. By the time a device driver accesses the device, its memory
and I/O regions have already been mapped into the processor's address space.
The driver can change this default assignment, but it never needs to do that.<br>
<br>
As suggested, the user can look at the PCI device list and the devices' configuration
registers by reading <i>/proc/bus/pci/devices </i>and <i>/proc/bus/pci/*/*</i>. The former is a text file
with (hexadecimal) device information, and the latter are binary files that report a
snapshot of the configuration registers of each device, one file per device. The individual
PCI device directories in the sysfs tree can be found in <i>/sys/bus/pci/devices</i>. A
PCI device directory contains a number of different files:<br>
<pre>
$ <b>tree /sys/bus/pci/devices/0000:00:10.0
</b>/sys/bus/pci/devices/0000:00:10.0
|-- class
|-- config
|-- detach_state
|-- device
|-- irq
|-- power
|   `-- state
|-- resource
|-- subsystem_device
|-- subsystem_vendor
`-- vendor
</pre>
The file <i>config </i>is a binary file that allows the raw PCI config information to be read
from the device (just like the <i>/proc/bus/pci/*/* </i>provides.) The files <i>vendor</i>, <i>device</i>,
<i>subsystem_device</i>, <i>subsystem_vendor</i>, and <i>class </i>all refer to the specific values of this
PCI device (all PCI devices provide this information.) The file <i>irq </i>shows the current
IRQ assigned to this PCI device, and the file <i>resource </i>shows the current memory
resources allocated by this device.<br>
<br>
<A name="308"></a><font color="blue">PAGE 308</font><br>
<br>
<a name="ConfigurationRegistersAndInitialization"></a><font color="red"><b>Configuration Registers and Initialization</b></font><br>
<br>
In this section, we look at the configuration registers that PCI devices contain. All
PCI devices feature at least a 256-byte address space. The first 64 bytes are standardized,
while the rest are device dependent. Figure 12-2 shows the layout of the device-independent
configuration space.<br>
<br><br>
<center>
<img src="fig12-2.gif">
</center>
<br>
<i>Figure 12-2. The standardized PCI configuration registers</i><br>
<br>
As the figure shows, some of the PCI configuration registers are required and some
are optional. Every PCI device must contain meaningful values in the required registers,
whereas the contents of the optional registers depend on the actual capabilities
of the peripheral. The optional fields are not used unless the contents of the required
fields indicate that they are valid. Thus, the required fields assert the board's capabilities,
including whether the other fields are usable.<br>
<br>
It's interesting to note that the PCI registers are always little-endian. Although the
standard is designed to be architecture independent, the PCI designers sometimes
show a slight bias toward the PC environment. The driver writer should be careful
about byte ordering when accessing multibyte configuration registers; code that
works on the PC might not work on other platforms. The Linux developers have
taken care of the byte-ordering problem (see the next section, "Accessing the Configuration
Space"), but the issue must be kept in mind. If you ever need to convert data
from host order to PCI order or vice versa, you can resort to the functions defined in
<i>&lt;asm/byteorder.h&gt;</i>, introduced in Chapter 11, knowing that PCI byte order is little-endian.<br>
<br>
<A name="309"></a><font color="blue">PAGE 309</font><br>
<br>
Describing all the configuration items is beyond the scope of this book. Usually, the
technical documentation released with each device describes the supported registers.
What we're interested in is how a driver can look for its device and how it can access
the device's configuration space.<br>
<br>
Three or five PCI registers identify a device: <font class="fixd">vendorID, deviceID,</font> and <font class="fixd">class</font> are the
three that are always used. Every PCI manufacturer assigns proper values to these
read-only registers, and the driver can use them to look for the device. Additionally,
the fields <font class="fixd">subsystem vendorID</font> and <font class="fixd">subsystem deviceID</font> are sometimes set by the vendor
to further differentiate similar devices.<br>
<br>
Let's look at these registers in more detail:<br>
<br>
<font class="fixd">vendorID</font><br>
<div class="bq">
This 16-bit register identifies a hardware manufacturer. For instance, every Intel
device is marked with the same vendor number, <font class="fixd">0x8086.</font> There is a global registry
of such numbers, maintained by the PCI Special Interest Group, and manufacturers
must apply to have a unique number assigned to them.</div>
<br>
<font class="fixd">deviceID</font><br>
<div class="bq">
This is another 16-bit register, selected by the manufacturer; no official registration
is required for the device ID. This ID is usually paired with the vendor ID to
make a unique 32-bit identifier for a hardware device. We use the word <i>signature
</i>to refer to the vendor and device ID pair. A device driver usually relies on
the signature to identify its device; you can find what value to look for in the
hardware manual for the target device.</div>
<br>
<font class="fixd">class</font><br>
<div class="bq">
Every peripheral device belongs to a <i>class</i>. The <font class="fixd">class</font> register is a 16-bit value
whose top 8 bits identify the "base class" (or <i>group</i>). For example, "ethernet"
and "token ring" are two classes belonging to the "network" group, while the
"serial" and "parallel" classes belong to the "communication" group. Some drivers
can support several similar devices, each of them featuring a different signature
but all belonging to the same class; these drivers can rely on the <font class="fixd">class</font>
register to identify their peripherals, as shown later.</div>
<br>
<font class="fixd">subsystem vendorID<br>
subsystem deviceID</font><br>
<div class="bq">
These fields can be used for further identification of a device. If the chip is a
generic interface chip to a local (onboard) bus, it is often used in several completely
different roles, and the driver must identify the actual device it is talking
with. The subsystem identifiers are used to this end.</div>
<br>
Using these different identifiers, a PCI driver can tell the kernel what kind of devices it
supports. The struct <font class="fixd">pci_device_id</font> structure is used to define a list of the different<br>
<br>
<A name="310"></a><font color="blue">PAGE 310</font><br>
<br>
types of PCI devices that a driver supports. This structure contains the following
fields:<br>
<br>
<font class="fixd">__u32 vendor;<br>
__u32 device;</font><br>
<div class="bq">
These specify the PCI vendor and device IDs of a device. If a driver can handle
any vendor or device ID, the value <font class="fixd">PCI_ANY_ID</font> should be used for these fields.</div>
<br>
<font class="fixd">__u32 subvendor;<br>
__u32 subdevice;</font><br>
<div class="bq">
These specify the PCI subsystem vendor and subsystem device IDs of a device. If
a driver can handle any type of subsystem ID, the value <font class="fixd">PCI_ANY_ID</font> should be
used for these fields.</div>
<br>
<font class="fixd">__u32 class;<br>
__u32 class_mask;</font><br>
<div class="bq">
These two values allow the driver to specify that it supports a type of PCI class
device. The different classes of PCI devices (a VGA controller is one example)
are described in the PCI specification. If a driver can handle any type of subsystem
ID, the value <font class="fixd">PCI_ANY_ID</font> should be used for these fields.</div>
<br>
<font class="fixd">kernel_ulong_t driver_data;</font><br>
<div class="bq">
This value is not used to match a device but is used to hold information that the
PCI driver can use to differentiate between different devices if it wants to.</div>
<br>
There are two helper macros that should be used to initialize a <font class="fixd">struct pci_device_id</font>
structure:<br>
<br>
<font class="fixd">PCI_DEVICE(vendor, device)</font><br>
<div class="bq">
This creates a <font class="fixd">struct pci_device_id</font> that matches only the specific vendor and
device ID. The macro sets the subvendor and subdevice fields of the structure to
<font class="fixd">PCI_ANY_ID</font>.</div>
<br>
<font class="fixd">PCI_DEVICE_CLASS(device_class, device_class_mask)</font><br>
<div class="bq">
This creates a <font class="fixd">struct pci_device_id</font> that matches a specific PCI class.</div>
<br>
An example of using these macros to define the type of devices a driver supports can
be found in the following kernel files:<br>
<pre>
drivers/usb/host/ehci-hcd.c:

static const struct pci_device_id pci_ids[ ] = { {
        /* handle any USB 2.0 EHCI controller */
        PCI_DEVICE_CLASS(((PCI_CLASS_SERIAL_USB &lt;&lt; 8) | 0x20), ~0),
        .driver_data =  (unsigned long) &amp;ehci_driver,
        },
        { /* end: all zeroes */ }
};

drivers/i2c/busses/i2c-i810.c:
</pre>
<A name="311"></a><font color="blue">PAGE 311</font><br>
<pre>
static struct pci_device_id i810_ids[ ] = {
    { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810_IG1) },
    { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810_IG3) },
    { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
    { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
    { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
    { 0, },
};
</pre>
These examples create a list of <font class="fixd">struct pci_device_id</font> structures, with an empty structure
set to all zeros as the last value in the list. This array of IDs is used in the <font class="fixd">struct pci_driver</font> 
(described below), and it is also used to tell user space which devices this specific driver supports.<br>
<br>
<a name="MODULEDEVICETABLE"></a><font color="red"><b><font class="fixd">MODULE_DEVICE_TABLE</font></b></font><br>
<br>
This <font class="fixd">pci_device_id</font> structure needs to be exported to user space to allow the hotplug
and module loading systems know what module works with what hardware devices.
The macro <font class="fixd">MODULE_DEVICE_TABLE</font> accomplishes this. An example is:<br>
<pre>
MODULE_DEVICE_TABLE(pci, i810_ids);
</pre>
This statement creates a local variable called <font class="fixd">__mod_pci_device_table</font> that points to
the list of <font class="fixd">struct pci_device_id</font>. Later in the kernel build process, the <font class="fixd">depmod</font> program
searches all modules for the symbol <font class="fixd">__mod_pci_device_table</font>. If that symbol is
found, it pulls the data out of the module and adds it to the file <i>/lib/modules/
KERNEL_VERSION/modules.pcimap</i>. After <font class="fixd">depmod</font> completes, all PCI devices that
are supported by modules in the kernel are listed, along with their module names, in
that file. When the kernel tells the hotplug system that a new PCI device has been
found, the hotplug system uses the <i>modules.pcimap </i>file to find the proper driver to
load.<br>
<br>
<a name="RegisteringAPCIDriver"></a><font color="red"><b>Registering a PCI Driver</b></font><br>
<br>
The main structure that all PCI drivers must create in order to be registered with the
kernel properly is the <font class="fixd">struct pci_driver</font> structure. This structure consists of a number
of function callbacks and variables that describe the PCI driver to the PCI core.
Here are the fields in this structure that a PCI driver needs to be aware of:<br>
<br>
<font class="fixd">const char *name;</font><br>
<div class="bq">
The name of the driver. It must be unique among all PCI drivers in the kernel
and is normally set to the same name as the module name of the driver. It shows
up in sysfs under <i>/sys/bus/pci/drivers/</i> when the driver is in the kernel.</div>
<br>
<font class="fixd">const struct pci_device_id *id_table;</font><br>
<div class="bq">
Pointer to the <font class="fixd">struct pci_device_id</font> table described earlier in this chapter.</div>
<br>
<A name="312"></a><font color="blue">PAGE 312</font><br>
<br>
<font class="fixd">int (*probe) (struct pci_dev *dev, const struct pci_device_id *id);</font><br>
<div class="bq">
Pointer to the probe function in the PCI driver. This function is called by the PCI
core when it has a <font class="fixd">struct pci_dev</font> that it thinks this driver wants to control. A
pointer to the <font class="fixd">struct pci_device_id</font> that the PCI core used to make this decision
is also passed to this function. If the PCI driver claims the <font class="fixd">struct pci_dev</font> that is
passed to it, it should initialize the device properly and return 0. If the driver
does not want to claim the device, or an error occurs, it should return a negative
error value. More details about this function follow later in this chapter.</div>
<br>
<font class="fixd">void (*remove) (struct pci_dev *dev);</font><br>
<div class="bq">
Pointer to the function that the PCI core calls when the <font class="fixd">struct pci_dev</font> is being
removed from the system, or when the PCI driver is being unloaded from the
kernel. More details about this function follow later in this chapter.</div>
<br>
<font class="fixd">int (*suspend) (struct pci_dev *dev, u32 state);</font><br>
<div class="bq">
Pointer to the function that the PCI core calls when the <font class="fixd">struct pci_dev</font> is being
suspended. The suspend state is passed in the state variable. This function is
optional; a driver does not have to provide it.</div>
<br>
<font class="fixd">int (*resume) (struct pci_dev *dev);</font><br>
<div class="bq">
Pointer to the function that the PCI core calls when the <font class="fixd">struct pci_dev</font> is being
resumed. It is always called after suspend has been called. This function is
optional; a driver does not have to provide it.</div>
<br>
In summary, to create a proper <font class="fixd">struct pci_driver</font> structure, only four fields need to
be initialized:<br>
<pre>
static struct pci_driver pci_driver = {
    .name = &quot;pci_skel&quot;,
    .id_table = ids,
    .probe = probe,
    .remove = remove,
};
</pre>
To register the <font class="fixd">struct pci_driver</font> with the PCI core, a call to <i>pci_register_driver </i>is
made with a pointer to the <font class="fixd">struct pci_driver</font>. This is traditionally done in the module
initialization code for the PCI driver:<br>
<pre>
static int __init pci_skel_init(void)
{
    return pci_register_driver(&amp;pci_driver);
}
</pre>
Note that the <i>pci_register_driver </i>function either returns a negative error number or 0
if everything was registered successfully. It does not return the number of devices
that were bound to the driver or an error number if no devices were bound to the<br>
<br>
<A name="313"></a><font color="blue">PAGE 313</font><br>
<br>
driver. This is a change from kernels prior to the 2.6 release and was done because of
the following situations:<br>
<ul>
<li> On systems that support PCI hotplug, or CardBus systems, a PCI device can
appear or disappear at any point in time. It is helpful if drivers can be loaded
before the device appears, to reduce the time it takes to initialize a device.
<li> The 2.6 kernel allows new PCI IDs to be dynamically allocated to a driver after it
has been loaded. This is done through the file <font class="fixd">new_id</font> that is created in all PCI
driver directories in sysfs. This is very useful if a new device is being used that
the kernel doesn't know about just yet. A user can write the PCI ID values to the
<i>new_id </i>file, and then the driver binds to the new device. If a driver was not
allowed to load until a device was present in the system, this interface would not
be able to work.
</ul>
When the PCI driver is to be unloaded, the <font class="fixd">struct pci_driver</font> needs to be unregistered
from the kernel. This is done with a call to <i>pci_unregister_driver</i>. When this call
happens, any PCI devices that were currently bound to this driver are removed, and
the <i>remove </i>function for this PCI driver is called before the <i>pci_unregister_driver </i>function
returns.<br>
<pre>
static void __exit pci_skel_exit(void)
{
    pci_unregister_driver(&amp;pci_driver);
}
</pre>
<a name="OldStylePCIProbing"></a><font color="red"><b>Old-Style PCI Probing</b></font><br>
<br>
In older kernel versions, the function, <i>pci_register_driver</i>, was not always used by
PCI drivers. Instead, they would either walk the list of PCI devices in the system by
hand, or they would call a function that could search for a specific PCI device. The
ability to walk the list of PCI devices in the system within a driver has been removed
from the 2.6 kernel in order to prevent drivers from crashing the kernel if they happened
to modify the PCI device lists while a device was being removed at the same
time.<br>
<br>
If the ability to find a specific PCI device is really needed, the following functions are
available:<br>
<br>
<font class="fixd">struct pci_dev *pci_get_device(unsigned int vendor, unsigned int device, struct pci_dev *from);</font><br>
<div class="bq">
This function scans the list of PCI devices currently present in the system, and if
the input arguments match the specified vendor and device IDs, it increments
the reference count on the <font class="fixd">struct pci_dev</font> variable found, and returns it to the
caller. This prevents the structure from disappearing without any notice and
ensures that the kernel does not oops. After the driver is done with the <font class="fixd">struct
pci_dev</font> returned by the function, it must call the function <i>pci_dev_put </i>to decrement</div>
<br>
<A name="314"></a><font color="blue">PAGE 314</font><br>
<br>
<div class="bq">the usage count properly back to allow the kernel to clean up the device if
it is removed.<br>
<br>
The <font class="fixd">from</font> argument is used to get hold of multiple devices with the same signature;
the argument should point to the last device that has been found, so that
the search can continue instead of restarting from the head of the list. To find
the first device, <font class="fixd">from</font> is specified as <font class="fixd">NULL</font>. If no (further) device is found, <font class="fixd">NULL</font> is
returned.<br>
<br>
An example of how to use this function properly is:<br>
<pre>
struct pci_dev *dev;
dev = pci_get_device(PCI_VENDOR_FOO, PCI_DEVICE_FOO, NULL);
if (dev) {
    /* Use the PCI device */
    ...
    pci_dev_put(dev);
}
</pre>
This function can not be called from interrupt context. If it is, a warning is
printed out to the system log.</div>
<br>
<font class="fixd">struct pci_dev *pci_get_subsys(unsigned int vendor, unsigned int device, 
unsigned int ss_vendor, unsigned int ss_device, struct pci_dev *from);</font><br>
<div class="bq">
This function works just like <i>pci_get_device</i>, but it allows the subsystem vendor
and subsystem device IDs to be specified when looking for the device.<br>
<br>
This function can not be called from interrupt context. If it is, a warning is
printed out to the system log.</div>
<br>
<font class="fixd">struct pci_dev *pci_get_slot(struct pci_bus *bus, unsigned int devfn);</font><br>
<div class="bq">
This function searches the list of PCI devices in the system on the specified
struct <font class="fixd">pci_bus</font> for the specified device and function number of the PCI device. If
a device is found that matches, its reference count is incremented and a pointer
to it is returned. When the caller is finished accessing the struct pci_dev, it must
call <i>pci_dev_put</i>.</div>
<br>
All of these functions can not be called from interrupt context. If they are, a warning
is printed out to the system log.<br>
<br>
<a name="EnablingThePCIDevice"></a><font color="red"><b>Enabling the PCI Device</b></font><br>
<br>
In the <i>probe </i>function for the PCI driver, before the driver can access any device resource
(I/O region or interrupt) of the PCI device, the driver must call the <i>pci_enable_device
</i>function:<br>
<br>
<font class="fixd">int pci_enable_device(struct pci_dev *dev);</font><br>
<div class="bq">
This function actually enables the device. It wakes up the device and in some
cases also assigns its interrupt line and I/O regions. This happens, for example,
with CardBus devices (which have been made completely equivalent to PCI at
the driver level).</div>
<br>
<A name="315"></a><font color="blue">PAGE 315</font><br>
<br>
<a name="AccessingTheConfigurationSpace"></a><font color="red"><b>Accessing the Configuration Space</b></font><br>
<br>
After the driver has detected the device, it usually needs to read from or write to the
three address spaces: memory, port, and configuration. In particular, accessing the
configuration space is vital to the driver, because it is the only way it can find out
where the device is mapped in memory and in the I/O space.<br>
<br>
Because the microprocessor has no way to access the configuration space directly,
the computer vendor has to provide a way to do it. To access configuration space,
the CPU must write and read registers in the PCI controller, but the exact implementation
is vendor dependent and not relevant to this discussion, because Linux offers a
standard interface to access the configuration space.<br>
<br>
As far as the driver is concerned, the configuration space can be accessed through 8bit,
16-bit, or 32-bit data transfers. The relevant functions are prototyped in <i>&lt;linux/
pci.h&gt;</i>:<br>
<br>
<font class="fixd">int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val);<br>
int pci_read_config_word(struct pci_dev *dev, int where, u16 *val);<br>
int pci_read_config_dword(struct pci_dev *dev, int where, u32 *val);</font><br>
<div class="bq">
Read one, two, or four bytes from the configuration space of the device identified
by <font class="fixd">dev.</font> The <font class="fixd">where</font> argument is the byte offset from the beginning of the configuration
space. The value fetched from the configuration space is returned
through the <font class="fixd">val</font> pointer, and the return value of the functions is an error code.
The <i>word </i>and <i>dword </i>functions convert the value just read from little-endian to
the native byte order of the processor, so you need not deal with byte ordering.</div>
<br>
<font class="fixd">int pci_write_config_byte(struct pci_dev *dev, int where, u8 val);<br>
int pci_write_config_word(struct pci_dev *dev, int where, u16 val);<br>
int pci_write_config_dword(struct pci_dev *dev, int where, u32 val);</font><br>
<div class="bq">
Write one, two, or four bytes to the configuration space. The device is identified
by <font class="fixd">dev </font>as usual, and the value being written is passed as <font class="fixd">val.</font> The <i>word </i>and
<i>dword </i>functions convert the value to little-endian before writing to the peripheral
device.</div>
<br>
All of the previous functions are implemented as inline functions that really call the
following functions. Feel free to use these functions instead of the above in case the
driver does not have access to a <font class="fixd">struct pci_dev</font> at any paticular moment in time:<br>
<br>
<font class="fixd">int pci_bus_read_config_byte (struct pci_bus *bus, unsigned int devfn, int where, u8 *val);<br>
int pci_bus_read_config_word (struct pci_bus *bus, unsigned int devfn, int where, u16 *val);<br>
int pci_bus_read_config_dword (struct pci_bus *bus, unsigned int devfn, int where, u32 *val);</font><br>
<div class="bq">
Just like the <i>pci_read_ </i>functions, but <font class="fixd">struct pci_bus *</font> and <font class="fixd">devfn</font> variables are
needed instead of a <font class="fixd">struct pci_dev *.</font></div>
<br>
<A name="316"></a><font color="blue">PAGE 316</font><br>
<br>
<font class="fixd">int pci_bus_write_config_byte (struct pci_bus *bus, unsigned int devfn, int where, u8 val);<br>
int pci_bus_write_config_word (struct pci_bus *bus, unsigned int devfn, int where, u16 val);<br>
int pci_bus_write_config_dword (struct pci_bus *bus, unsigned int devfn, int where, u32 val);</font><br>
<div class="bq">
Just like the <i>pci_write_ </i>functions, but <font class="fixd">struct pci_bus *</font> and <font class="fixd">devfn</font> variables are
needed instead of a <font class="fixd">struct pci_dev *.</font></div>
<br>
The best way to address the configuration variables using the <i>pci_read_ </i>functions is
by means of the symbolic names defined in <i>&lt;linux/pci.h&gt;</i>. For example, the following
small function retrieves the revision ID of a device by passing the symbolic name
for where to <i>pci_read_config_byte</i>:<br>
<pre>
static unsigned char skel_get_revision(struct pci_dev *dev)
{
    u8 revision;

    pci_read_config_byte(dev, PCI_REVISION_ID, &amp;revision);
    return revision;
}
</pre>
<a name="AccessingTheIOAndMemorySpaces"></a><font color="red"><b>Accessing the I/O and Memory Spaces</b></font><br>
<br>
A PCI device implements up to six I/O address regions. Each region consists of either
memory or I/O locations. Most devices implement their I/O registers in memory
regions, because it's generally a saner approach (as explained in the section "I/O
Ports and I/O Memory," in Chapter 9). However, unlike normal memory, I/O registers
should not be cached by the CPU because each access can have side effects. The
PCI device that implements I/O registers as a memory region marks the difference by
setting a "memory-is-prefetchable" bit in its configuration register.* If the memory
region is marked as prefetchable, the CPU can cache its contents and do all sorts of
optimization with it; nonprefetchable memory access, on the other hand, can't be
optimized because each access can have side effects, just as with I/O ports. Peripherals
that map their control registers to a memory address range declare that range as
nonprefetchable, whereas something like video memory on PCI boards is prefetchable.
In this section, we use the word <i>region </i>to refer to a generic I/O address space
that is memory-mapped or port-mapped.<br>
<br>
An interface board reports the size and current location of its regions using configuration
registers--the six 32-bit registers shown in Figure 12-2, whose symbolic names
are <font class="fixd">PCI_BASE_ADDRESS_0</font> through <font class="fixd">PCI_BASE_ADDRESS_5.</font> Since the I/O space defined by
PCI is a 32-bit address space, it makes sense to use the same configuration interface<br>
<br>
* The information lives in one of the low-order bits of the base address PCI registers. 
The bits are defined in <i>&lt;linux/pci.h&gt;</i>.<br>
<br>
<A name="317"></a><font color="blue">PAGE 317</font><br>
<br>
for memory and I/O. If the device uses a 64-bit address bus, it can declare regions in
the 64-bit memory space by using two consecutive <font class="fixd">PCI_BASE_ADDRESS</font> registers for each
region, low bits first. It is possible for one device to offer both 32-bit regions and 64bit
regions.<br>
<br>
In the kernel, the I/O regions of PCI devices have been integrated into the generic
resource management. For this reason, you don't need to access the configuration
variables in order to know where your device is mapped in memory or I/O space.
The preferred interface for getting region information consists of the following
functions:<br>
<br>
<font class="fixd">unsigned long pci_resource_start(struct pci_dev *dev, int bar);</font><br>
<div class="bq">
The function returns the first address (memory address or I/O port number)
associated with one of the six PCI I/O regions. The region is selected by the integer
<font class="fixd">bar</font> (the base address register), ranging from 0-5 (inclusive).</div>
<br>
<font class="fixd">unsigned long pci_resource_end(struct pci_dev *dev, int bar);</font><br>
<div class="bq">
The function returns the last address that is part of the I/O region number <font class="fixd">bar.</font>
Note that this is the last usable address, not the first address after the region.</div>
<br>
<font class="fixd">unsigned long pci_resource_flags(struct pci_dev *dev, int bar);</font><br>
<div class="bq">
This function returns the flags associated with this resource.</div>
<br>
Resource flags are used to define some features of the individual resource. For PCI
resources associated with PCI I/O regions, the information is extracted from the base
address registers, but can come from elsewhere for resources not associated with PCI
devices.<br>
<br>
All resource flags are defined in <i>&lt;linux/ioport.h&gt;</i>; the most important are:<br>
<br>
<font class="fixd">IORESOURCE_IO<br>
IORESOURCE_MEM</font><br>
<div class="bq">
If the associated I/O region exists, one and only one of these flags is set.</div>
<br>
<font class="fixd">IORESOURCE_PREFETCH<br>
IORESOURCE_READONLY</font><br>
<div class="bq">
These flags tell whether a memory region is prefetchable and/or write protected.
The latter flag is never set for PCI resources.</div>
<br>
By making use of the <i>pci_resource_ </i>functions, a device driver can completely ignore
the underlying PCI registers, since the system already used them to structure
resource information.<br>
<br>
<a name="PCIInterrupts"></a><font color="red"><b>PCI Interrupts</b></font><br>
<br>
As far as interrupts are concerned, PCI is easy to handle. By the time Linux boots,
the computer's firmware has already assigned a unique interrupt number to the
device, and the driver just needs to use it. The interrupt number is stored in configuration
register 60 (<font class="fixd">PCI_INTERRUPT_LINE</font>), which is one byte wide. This allows for as<br>
<br>
<A name="318"></a><font color="blue">PAGE 318</font><br>
<br>
many as 256 interrupt lines, but the actual limit depends on the CPU being used.
The driver doesn't need to bother checking the interrupt number, because the value
found in <font class="fixd">PCI_INTERRUPT_LINE</font> is guaranteed to be the right one.<br>
<br>
If the device doesn't support interrupts, register 61 (<font class="fixd">PCI_INTERRUPT_PIN</font>) is 0; otherwise,
it's nonzero. However, since the driver knows if its device is interrupt driven or
not, it doesn't usually need to read <font class="fixd">PCI_INTERRUPT_PIN</font>.<br>
<br>
Thus, PCI-specific code for dealing with interrupts just needs to read the configuration
byte to obtain the interrupt number that is saved in a local variable, as shown in
the following code. Beyond that, the information in Chapter 10 applies.<br>
<pre>
result = pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &amp;myirq);
if (result) {
    /* deal with error */
}
</pre>
The rest of this section provides additional information for the curious reader but
isn't needed for writing drivers.<br>
<br>
A PCI connector has four interrupt pins, and peripheral boards can use any or all of
them. Each pin is individually routed to the motherboard's interrupt controller, so
interrupts can be shared without any electrical problems. The interrupt controller is
then responsible for mapping the interrupt wires (pins) to the processor's hardware;
this platform-dependent operation is left to the controller in order to achieve platform
independence in the bus itself.<br>
<br>
The read-only configuration register located at <font class="fixd">PCI_INTERRUPT_PIN</font> is used to tell the
computer which single pin is actually used. It's worth remembering that each device
board can host up to eight devices; each device uses a single interrupt pin and reports
it in its own configuration register. Different devices on the same device board can
use different interrupt pins or share the same one.<br>
<br>
The <font class="fixd">PCI_INTERRUPT_LINE</font> register, on the other hand, is read/write. When the computer
is booted, the firmware scans its PCI devices and sets the register for each
device according to how the interrupt pin is routed for its PCI slot. The value is
assigned by the firmware, because only the firmware knows how the motherboard
routes the different interrupt pins to the processor. For the device driver, however,
the <font class="fixd">PCI_INTERRUPT_LINE</font> register is read-only. Interestingly, recent versions of the
Linux kernel under some circumstances can assign interrupt lines without resorting
to the BIOS.<br>
<br>
<a name="HardwareAbstractions"></a><font color="red"><b>Hardware Abstractions</b></font><br>
<br>
We complete the discussion of PCI by taking a quick look at how the system handles
the plethora of PCI controllers available on the marketplace. This is just an
informational section, meant to show the curious reader how the object-oriented layout
of the kernel extends down to the lowest levels.<br>
<br>
<A name="319"></a><font color="blue">PAGE 319</font><br>
<br>
The mechanism used to implement hardware abstraction is the usual structure containing
methods. It's a powerful technique that adds just the minimal overhead of
dereferencing a pointer to the normal overhead of a function call. In the case of PCI
management, the only hardware-dependent operations are the ones that read and
write configuration registers, because everything else in the PCI world is accomplished
by directly reading and writing the I/O and memory address spaces, and
those are under direct control of the CPU.<br>
<br>
Thus, the relevant structure for configuration register access includes only two fields:<br>
<pre>
struct pci_ops {
    int (*read)(struct pci_bus *bus, unsigned int devfn, int where, int size,
                u32 *val);
    int (*write)(struct pci_bus *bus, unsigned int devfn, int where, int size,
                 u32 val);
};
</pre>
The structure is defined in <i>&lt;linux/pci.h&gt; </i>and used by <i>drivers/pci/pci.c</i>, where the
actual public functions are defined.<br>
<br>
The two functions that act on the PCI configuration space have more overhead
than dereferencing a pointer; they use cascading pointers due to the high object-orientedness
of the code, but the overhead is not an issue in operations that are
performed quite rarely and never in speed-critical paths. The actual implementation
of <i>pci_read_config_byte(dev, where, val)</i>, for instance, expands to:<br>
<pre>
dev-&gt;bus-&gt;ops-&gt;read(bus, devfn, where, 8, val);
</pre>
The various PCI buses in the system are detected at system boot, and that's when the
struct <font class="fixd">pci_bus</font> items are created and associated with their features, including the ops
field.<br>
<br>
Implementing hardware abstraction via "hardware operations" data structures is typical
in the Linux kernel. One important example is the <font class="fixd">struct alpha_machine_vector</font>
data structure. It is defined in <i>&lt;asm-alpha/machvec.h&gt; </i>and takes care of everything
that may change across different Alpha-based computers.<br>
<br>
<a name="ALookBackISA"></a><font color="red"><b>A Look Back: ISA</b></font><br>
<br>
The ISA bus is quite old in design and is a notoriously poor performer, but it still
holds a good part of the market for extension devices. If speed is not important and
you want to support old motherboards, an ISA implementation is preferable to PCI.
An additional advantage of this old standard is that if you are an electronic hobbyist,
you can easily build your own ISA devices, something definitely not possible with
PCI.<br>
<br>
<A name="320"></a><font color="blue">PAGE 320</font><br>
<br>
On the other hand, a great disadvantage of ISA is that it's tightly bound to the PC
architecture; the interface bus has all the limitations of the 80286 processor and
causes endless pain to system programmers. The other great problem with the ISA
design (inherited from the original IBM PC) is the lack of geographical addressing,
which has led to many problems and lengthy unplug-rejumper-plug-test cycles to
add new devices. It's interesting to note that even the oldest Apple II computers were
already exploiting geographical addressing, and they featured jumperless expansion
boards.<br>
<br>
Despite its great disadvantages, ISA is still used in several unexpected places. For
example, the VR41xx series of MIPS processors used in several palmtops features an
ISA-compatible expansion bus, strange as it seems. The reason behind these unexpected
uses of ISA is the extreme low cost of some legacy hardware, such as 8390based
Ethernet cards, so a CPU with ISA electrical signaling can easily exploit the
awful, but cheap, PC devices.<br>
<br>
<a name="HardwareResources"></a><font color="red"><b>Hardware Resources</b></font><br>
<br>
An ISA device can be equipped with I/O ports, memory areas, and interrupt lines.<br>
<br>
Even though the x86 processors support 64 KB of I/O port memory (i.e., the processor
asserts 16 address lines), some old PC hardware decodes only the lowest 10
address lines. This limits the usable address space to 1024 ports, because any address
in the range 1 KB to 64 KB is mistaken for a low address by any device that decodes
only the low address lines. Some peripherals circumvent this limitation by mapping
only one port into the low kilobyte and using the high address lines to select between
different device registers. For example, a device mapped at <font class="fixd">0x340</font> can safely use port
<font class="fixd">0x740, 0xB40,</font> and so on.<br>
<br>
If the availability of I/O ports is limited, memory access is still worse. An ISA device
can use only the memory range between 640 KB and 1 MB and between 15 MB and
16 MB for I/O register and device control. The 640-KB to 1-MB range is used by the
PC BIOS, by VGA-compatible video boards, and by various other devices, leaving little
space available for new devices. Memory at 15 MB, on the other hand, is not
directly supported by Linux, and hacking the kernel to support it is a waste of programming
time nowadays.<br>
<br>
The third resource available to ISA device boards is interrupt lines. A limited number
of interrupt lines is routed to the ISA bus, and they are shared by all the interface
boards. As a result, if devices aren't properly configured, they can find themselves
using the same interrupt lines.<br>
<br>
<A name="321"></a><font color="blue">PAGE 321</font><br>
<br>
Although the original ISA specification doesn't allow interrupt sharing across
devices, most device boards allow it.* Interrupt sharing at the software level is
described in the section "Interrupt Sharing," in Chapter 10.<br>
<br>
<a name="ISAProgramming"></a><font color="red"><b>ISA Programming</b></font><br>
<br>
As far as programming is concerned, there's no specific aid in the kernel or the BIOS
to ease access to ISA devices (like there is, for example, for PCI). The only facilities
you can use are the registries of I/O ports and IRQ lines, described in the section
"Installing an Interrupt Handler" in Chapter 10.<br>
<br>
The programming techniques shown throughout the first part of this book apply to
ISA devices; the driver can probe for I/O ports, and the interrupt line must be auto-detected
with one of the techniques shown in the section "Auto-Detecting the IRQ Number" in Chapter 10.<br>
<br>
The helper functions <i>isa_readb </i>and friends have been briefly introduced in the section
"Using I/O Memory" in Chapter 9, and there's nothing more to say about them.<br>
<br>
<a name="ThePlugandPlaySpecification"></a><font color="red"><b>The Plug-and-Play Specification</b></font><br>
<br>
Some new ISA device boards follow peculiar design rules and require a special initialization
sequence intended to simplify installation and configuration of add-on interface
boards. The specification for the design of these boards is called <i>plug and play
</i>(PnP) and consists of a cumbersome rule set for building and configuring jumperless
ISA devices. PnP devices implement relocatable I/O regions; the PC's BIOS is responsible
for the relocation--reminiscent of PCI.<br>
<br>
In short, the goal of PnP is to obtain the same flexibility found in PCI devices without
changing the underlying electrical interface (the ISA bus). To this end, the specs
define a set of device-independent configuration registers and a way to geographically
address the interface boards, even though the physical bus doesn't carry perboard
(geographical) wiring--every ISA signal line connects to every available slot.<br>
<br>
Geographical addressing works by assigning a small integer, called the <i>card select
number </i>(CSN), to each PnP peripheral in the computer. Each PnP device features a
unique serial identifier, 64 bits wide, that is hardwired into the peripheral board.
CSN assignment uses the unique serial number to identify the PnP devices. But the
CSNs can be assigned safely only at boot time, which requires the BIOS to be PnP<br>
<br>
* The problem with interrupt sharing is a matter of electrical engineering: if a device 
drives the signal line inactive--by applying a low-impedance voltage level--the interrupt 
can't be shared. If, on the other hand, the device uses a pull-up resistor to the inactive 
logic level, sharing is possible. This is the norm nowadays. However, there's still a 
potential risk of losing interrupt events since ISA interrupts are edge triggered instead of
level triggered. Edge-triggered interrupts are easier to implement in hardware but don't 
lend themselves to safe sharing.<br>
<br>
<A name="322"></a><font color="blue">PAGE 322</font><br>
<br>
aware. For this reason, old computers require the user to obtain and insert a specific
configuration diskette, even if the device is PnP capable.<br>
<br>
Interface boards following the PnP specs are complicated at the hardware level. They
are much more elaborate than PCI boards and require complex software. It's not
unusual to have difficulty installing these devices, and even if the installation goes
well, you still face the performance constraints and the limited I/O space of the ISA
bus. It's much better to install PCI devices whenever possible and enjoy the new
technology instead.<br>
<br>
If you are interested in the PnP configuration software, you can browse <i>drivers/net/
3c509.c</i>, whose probing function deals with PnP devices. The 2.6 kernel saw a lot of
work in the PnP device support area, so a lot of the inflexible interfaces have been
cleaned up compared to previous kernel releases.<br>
<br>
<a name="PC104AndPC104"></a><font color="red"><b>PC/104 and PC/104+</b></font><br>
<br>
Currently in the industrial world, two bus architectures are quite fashionable: PC/104
and PC/104+. Both are standard in PC-class single-board computers.<br>
<br>
Both standards refer to specific form factors for printed circuit boards, as well as
electrical/mechanical specifications for board interconnections. The practical advantage
of these buses is that they allow circuit boards to be stacked vertically using a
plug-and-socket kind of connector on one side of the device.<br>
<br>
The electrical and logical layout of the two buses is identical to ISA (PC/104) and
PCI (PC/104+), so software won't notice any difference between the usual desktop
buses and these two.<br>
<br>
<a name="OtherPCBuses"></a><font color="red"><b>Other PC Buses</b></font><br>
<br>
PCI and ISA are the most commonly used peripheral interfaces in the PC world, but
they aren't the only ones. Here's a summary of the features of other buses found in
the PC market.<br>
<br>
<a name="MCA"></a><font color="red"><b>MCA</b></font><br>
<br>
Micro Channel Architecture (MCA) is an IBM standard used in PS/2 computers and
some laptops. At the hardware level, Micro Channel has more features than ISA. It
supports multimaster DMA, 32-bit address and data lines, shared interrupt lines, and
geographical addressing to access per-board configuration registers. Such registers
are called <i>Programmable Option Select </i>(POS), but they don't have all the features of
the PCI registers. Linux support for Micro Channel includes functions that are
exported to modules.<br>
<br>
<A name="323"></a><font color="blue">PAGE 323</font><br>
<br>
A device driver can read the integer value <font class="fixd">MCA_bus</font> to see if it is running on a Micro
Channel computer. If the symbol is a preprocessor macro, the macro <font class="fixd">MCA_bus__is_a_macro </font>
is defined as well. If <font class="fixd">MCA_bus__is_a_macro</font> is undefined, then <font class="fixd">MCA_bus</font> is an integer
variable exported to modularized code. Both <font class="fixd">MCA_BUS</font> and <font class="fixd">MCA_bus__is_a_macro</font>
are defined in <i>&lt;asm/processor.h&gt;</i>.<br>
<br>
<a name="EISA"></a><font color="red"><b>EISA</b></font><br>
<br>
The Extended ISA (EISA) bus is a 32-bit extension to ISA, with a compatible interface
connector; ISA device boards can be plugged into an EISA connector. The additional
wires are routed under the ISA contacts.<br>
<br>
Like PCI and MCA, the EISA bus is designed to host jumperless devices, and it has
the same features as MCA: 32-bit address and data lines, multimaster DMA, and
shared interrupt lines. EISA devices are configured by software, but they don't need
any particular operating system support. EISA drivers already exist in the Linux kernel
for Ethernet devices and SCSI controllers.<br>
<br>
An EISA driver checks the value <font class="fixd">EISA_bus</font> to determine if the host computer carries
an EISA bus. Like <font class="fixd">MCA_bus, EISA_bus</font> is either a macro or a variable, depending on
whether <font class="fixd">EISA_bus__is_a_macro</font> is defined. Both symbols are defined in <i>&lt;asm/
processor.h&gt;</i>.<br>
<br>
The kernel has full EISA support for devices with sysfs and resource management
functionality. This is located in the <i>drivers/eisa</i> directory.<br>
<br>
<a name="VLB"></a><font color="red"><b>VLB</b></font><br>
<br>
Another extension to ISA is the VESA Local Bus (VLB) interface bus, which extends
the ISA connectors by adding a third lengthwise slot. A device can just plug into this
extra connector (without plugging in the two associated ISA connectors), because
the VLB slot duplicates all important signals from the ISA connectors. Such "stand alone"
VLB peripherals not using the ISA slot are rare, because most devices need to
reach the back panel so that their external connectors are available.<br>
<br>
The VESA bus is much more limited in its capabilities than the EISA, MCA, and PCI
buses and is disappearing from the market. No special kernel support exists for VLB.
However, both the Lance Ethernet driver and the IDE disk driver in Linux 2.0 can
deal with VLB versions of their devices.<br>
<br>
<a name="SBus"></a><font color="red"><b>SBus</b></font><br>
<br>
While most computers nowadays are equipped with a PCI or ISA interface bus, most
older SPARC-based workstations use SBus to connect their peripherals.<br>
<br>
<A name="324"></a><font color="blue">PAGE 324</font><br>
<br>
SBus is quite an advanced design, although it has been around for a long time. It is
meant to be processor independent (even though only SPARC computers use it) and
is optimized for I/O peripheral boards. In other words, you can't plug additional
RAM into SBus slots (RAM expansion boards have long been forgotten even in the
ISA world, and PCI does not support them either). This optimization is meant to
simplify the design of both hardware devices and system software, at the expense of
some additional complexity in the motherboard.<br>
<br>
This I/O bias of the bus results in peripherals using <i>virtual </i>addresses to transfer data,
thus bypassing the need to allocate a contiguous DMA buffer. The motherboard is
responsible for decoding the virtual addresses and mapping them to physical
addresses. This requires attaching an MMU (memory management unit) to the bus;
the chipset in charge of the task is called IOMMU. Although somehow more complex
than using physical addresses on the interface bus, this design is greatly simplified
by the fact that SPARC processors have always been designed by keeping the
MMU core separate from the CPU core (either physically or at least conceptually).
Actually, this design choice is shared by other smart processor designs and is beneficial
overall. Another feature of this bus is that device boards exploit massive geographical
addressing, so there's no need to implement an address decoder in every
peripheral or to deal with address conflicts.<br>
<br>
SBus peripherals use the Forth language in their PROMs to initialize themselves.
Forth was chosen because the interpreter is lightweight and, therefore, can be easily
implemented in the firmware of any computer system. In addition, the SBus specification
outlines the boot process, so that compliant I/O devices fit easily into the system
and are recognized at system boot. This was a great step to support multiplatform
devices; it's a completely different world from the PC-centric ISA stuff we
were used to. However, it didn't succeed for a variety of commercial reasons.<br>
<br>
Although current kernel versions offer quite full-featured support for SBus devices,
the bus is used so little nowadays that it's not worth covering in detail here. Interested
readers can look at source files in <i>arch/sparc/kernel</i> and <i>arch/sparc/mm</i>.<br>
<br>
<a name="NuBus"></a><font color="red"><b>NuBus</b></font><br>
<br>
Another interesting, but nearly forgotten, interface bus is NuBus. It is found on older
Mac computers (those with the M68k family of CPUs).<br>
<br>
All of the bus is memory-mapped (like everything with the M68k), and the devices
are only geographically addressed. This is good and typical of Apple, as the much<br>
<br>
<A name="325"></a><font color="blue">PAGE 325</font><br>
<br>
older Apple II already had a similar bus layout. What is bad is that it's almost impossible
to find documentation on NuBus, due to the close-everything policy Apple has
always followed with its Mac computers (and unlike the previous Apple II, whose
source code and schematics were available at little cost).<br>
<br>
The file <i>drivers/nubus/nubus.c </i>includes almost everything we know about this bus,
and it's interesting reading; it shows how much hard reverse engineering developers
had to do.<br>
<br>
<a name="ExternalBuses"></a><font color="red"><b>External Buses</b></font><br>
<br>
One of the most recent entries in the field of interface buses is the whole class of
external buses. This includes USB, FireWire, and IEEE1284 (parallel-port-based
external bus). These interfaces are somewhat similar to older and not-so-external
technology, such as PCMCIA/CardBus and even SCSI.<br>
<br>
Conceptually, these buses are neither full-featured interface buses (like PCI is) nor
dumb communication channels (like the serial ports are). It's hard to classify the
software that is needed to exploit their features, as it's usually split into two levels:
the driver for the hardware controller (like drivers for PCI SCSI adaptors or PCI controllers
introduced in the section "The PCI Interface") and the driver for the specific
"client" device (like <i>sd.c </i>handles generic SCSI disks and so-called PCI drivers deal
with cards plugged in the bus).<br>
<br>
<a name="QuickReference12"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This section summarizes the symbols introduced in the chapter:<br>
<br>
<font class="fixd">#include &lt;linux/pci.h&gt;</font><br>
<div class="bq">
Header that includes symbolic names for the PCI registers and several vendor
and device ID values.</div>
<br>
<font class="fixd">struct pci_dev;</font><br>
<div class="bq">
Structure that represents a PCI device within the kernel.</div>
<br>
<font class="fixd">struct pci_driver;</font><br>
<div class="bq">
Structure that represents a PCI driver. All PCI drivers must define this.</div>
<br>
<font class="fixd">struct pci_device_id;</font><br>
<div class="bq">
Structure that describes the types of PCI devices this driver supports.</div>
<br>
<font class="fixd">int pci_register_driver(struct pci_driver *drv);<br>
int pci_module_init(struct pci_driver *drv);<br>
void pci_unregister_driver(struct pci_driver *drv);</font><br>
<div class="bq">
Functions that register or unregister a PCI driver from the kernel.</div>
<br>
<A name="326"></a><font color="blue">PAGE 326</font><br>
<br>
<font class="fixd">struct pci_dev *pci_find_device(unsigned int vendor, unsigned int device, struct pci_dev *from);<br>
struct pci_dev *pci_find_device_reverse(unsigned int vendor, unsigned int device, const struct pci_dev *from);<br>
struct pci_dev *pci_find_subsys (unsigned int vendor, unsigned int device, unsigned int ss_vendor, unsigned int ss_device, const struct pci_dev *from);<br>
struct pci_dev *pci_find_class(unsigned int class, struct pci_dev *from);</font><br>
<div class="bq">
Functions that search the device list for devices with a specific signature or those
belonging to a specific class. The return value is <font class="fixd">NULL</font> if none is found. <font class="fixd">from</font> is
used to continue a search; it must be <font class="fixd">NULL</font> the first time you call either function,
and it must point to the device just found if you are searching for more devices.
These functions are not recommended to be used, use the <font class="fixd">pci_get_</font> variants
instead.</div>
<br>
<font class="fixd">struct pci_dev *pci_get_device(unsigned int vendor, unsigned int device, struct pci_dev *from);<br>
struct pci_dev *pci_get_subsys(unsigned int vendor, unsigned int device, unsigned int ss_vendor, unsigned int ss_device, struct pci_dev *from);<br>
struct pci_dev *pci_get_slot(struct pci_bus *bus, unsigned int devfn);</font><br>
<div class="bq">
Functions that search the device list for devices with a specific signature or
belonging to a specific class. The return value is <font class="fixd">NULL</font> if none is found. <font class="fixd">from</font> is
used to continue a search; it must be <font class="fixd">NULL</font> the first time you call either function,
and it must point to the device just found if you are searching for more devices.
The structure returned has its reference count incremented, and after the caller is
finished with it, the function <i>pci_dev_put</i> must be called.</div>
<br>
<font class="fixd">int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val);<br>
int pci_read_config_word(struct pci_dev *dev, int where, u16 *val);<br>
int pci_read_config_dword(struct pci_dev *dev, int where, u32 *val);<br>
int pci_write_config_byte (struct pci_dev *dev, int where, u8 *val);<br>
int pci_write_config_word (struct pci_dev *dev, int where, u16 *val);<br>
int pci_write_config_dword (struct pci_dev *dev, int where, u32 *val);</font><br>
<div class="bq">
Functions that read or write a PCI configuration register. Although the Linux
kernel takes care of byte ordering, the programmer must be careful about byte
ordering when assembling multibyte values from individual bytes. The PCI bus
is little-endian.</div>
<br>
<font class="fixd">int pci_enable_device(struct pci_dev *dev);</font><br>
<div class="bq">
Enables a PCI device.</div>
<br>
<font class="fixd">unsigned long pci_resource_start(struct pci_dev *dev, int bar);<br>
unsigned long pci_resource_end(struct pci_dev *dev, int bar);<br>
unsigned long pci_resource_flags(struct pci_dev *dev, int bar);</font><br>
<div class="bq">
Functions that handle PCI device resources.</div>
<br>
<A name="327"></a><font color="blue">PAGE 327</font><br>
<br>
<a name="CHAPTER13"></a><font color="red"><b>CHAPTER 13</b></font><br>
<br>
<a name="USBDrivers"></a><font color="#7519FF" size="+1"><b>USB Drivers</b></font><br>
<br>
The universal serial bus (USB) is a connection between a host computer and a number
of peripheral devices. It was originally created to replace a wide range of slow
and different buses--the parallel, serial, and keyboard connections--with a single
bus type that all devices could connect to.* USB has grown beyond these slow connections
and now supports almost every type of device that can be connected to a
PC. The latest revision of the USB specification added high-speed connections with a
theoretical speed limit of 480 MBps.<br>
<br>
Topologically, a USB subsystem is not laid out as a bus; it is rather a tree built out of
several point-to-point links. The links are four-wire cables (ground, power, and two
signal wires) that connect a device and a hub, just like twisted-pair Ethernet. The
USB host controller is in charge of asking every USB device if it has any data to send.
Because of this topology, a USB device can never start sending data without first
being asked to by the host controller. This configuration allows for a very easy plugand-play
type of system, whereby devices can be automatically configured by the
host computer.<br>
<br>
The bus is very simple at the technological level, as it's a single-master implementation
in which the host computer polls the various peripheral devices. Despite this
intrinsic limitation, the bus has some interesting features, such as the ability for a
device to request a fixed bandwidth for its data transfers in order to reliably support
video and audio I/O. Another important feature of USB is that it acts merely as a
communication channel between the device and the host, without requiring specific
meaning or structure to the data it delivers.&#134;<br>
<br>
* Portions of this chapter are based on the in-kernel documentation for the Linux kernel USB code, which were 
written by the kernel USB developers and released under the GPL.<br>
<br>
&#134; Actually, some structure is there, but it mostly reduces to a requirement for the communication to fit into 
one of a few predefined classes: a keyboard won't allocate bandwidth, for example, while some video cameras
will.<br>
<br>
<A name="328"></a><font color="blue">PAGE 328</font><br>
<br>
The USB protocol specifications define a set of standards that any device of a specific
type can follow. If a device follows that standard, then a special driver for that
device is not necessary. These different types are called classes and consist of things
like storage devices, keyboards, mice, joysticks, network devices, and modems.
Other types of devices that do not fit into these classes require a special vendor-specific
driver to be written for that specific device. Video devices and USB-to-serial
devices are a good example where there is no defined standard, and a driver is
needed for every different device from different manufacturers.<br>
<br>
These features, together with the inherent hotplug capability of the design, make
USB a handy, low-cost mechanism to connect (and disconnect) several devices to the
computer without the need to shut the system down, open the cover, and swear over
screws and wires.<br>
<br>
The Linux kernel supports two main types of USB drivers: drivers on a host system
and drivers on a device. The USB drivers for a host system control the USB devices
that are plugged into it, from the host's point of view (a common USB host is a desktop
computer.) The USB drivers in a device, control how that single device looks to
the host computer as a USB device. As the term "USB device drivers" is very confusing,
the USB developers have created the term "USB gadget drivers" to describe the
drivers that control a USB device that connects to a computer (remember that Linux
also runs in those tiny embedded devices, too.) This chapter details how the USB system
that runs on a desktop computer works. USB gadget drivers are outside the
realm of this book at this point in time.<br>
<br>
As Figure 13-1 shows, USB drivers live between the different kernel subsytems
(block, net, char, etc.) and the USB hardware controllers. The USB core provides an
interface for USB drivers to use to access and control the USB hardware, without
having to worry about the different types of USB hardware controllers that are
present on the system.<br>
<br>
<a name="USBDeviceBasics"></a><font color="red"><b>USB Device Basics</b></font><br>
<br>
A USB device is a very complex thing, as described in the official USB documentation
(available at <a href="http://www.usb.org" target="_blank"><i>http://www.usb.org</i></a>). Fortunately, the Linux kernel provides a subsystem
called the <i>USB core </i>to handle most of the complexity. This chapter describes
the interaction between a driver and the USB core. Figure 13-2 shows how USB
devices consist of configurations, interfaces, and endpoints and how USB drivers
bind to USB interfaces, not the entire USB device.<br>
<br>
<a name="Endpoints"></a><font color="red"><b>Endpoints</b></font><br>
<br>
The most basic form of USB communication is through something called an <i>endpoint</i>.
A USB endpoint can carry data in only one direction, either from the host<br>
<br>
<A name="329"></a><font color="blue">PAGE 329</font><br>
<br>
<center>
<img src="fig13-1.gif">
</center>
<br>
<i>Figure 13-1. USB driver overview</i><br>
<br>
<center>
<img src="fig13-2.gif">
</center>
<br>
<i>Figure 13-2. USB device overview</i><br>
<br>
computer to the device (called an <i>OUT </i>endpoint) or from the device to the host computer
(called an <i>IN</i> endpoint). Endpoints can be thought of as unidirectional pipes.<br>
<br>
A USB endpoint can be one of four different types that describe how the data is
transmitted:<br>
<br>
<i>CONTROL</i><br>
<div class="bq">
Control endpoints are used to allow access to different parts of the USB device.
They are commonly used for configuring the device, retrieving information
about the device, sending commands to the device, or retrieving status reports
about the device. These endpoints are usually small in size. Every USB device has</div>
<br>
<A name="330"></a><font color="blue">PAGE 330</font><br>
<br>
<div class="bq">a control endpoint called "endpoint 0" that is used by the USB core to configure
the device at insertion time. These transfers are guaranteed by the USB protocol
to always have enough reserved bandwidth to make it through to the device.</div>
<br>
<i>INTERRUPT</i><br>
<div class="bq">
Interrupt endpoints transfer small amounts of data at a fixed rate every time the
USB host asks the device for data. These endpoints are the primary transport
method for USB keyboards and mice. They are also commonly used to send data
to USB devices to control the device, but are not generally used to transfer large
amounts of data. These transfers are guaranteed by the USB protocol to always
have enough reserved bandwidth to make it through.</div>
<br>
<i>BULK</i><br>
<div class="bq">
Bulk endpoints transfer large amounts of data. These endpoints are usually
much larger (they can hold more characters at once) than interrupt endpoints.
They are common for devices that need to transfer any data that must get
through with no data loss. These transfers are not guaranteed by the USB protocol
to always make it through in a specific amount of time. If there is not enough
room on the bus to send the whole BULK packet, it is split up across multiple
transfers to or from the device. These endpoints are common on printers, storage,
and network devices.</div>
<br>
<i>ISOCHRONOUS</i><br>
<div class="bq">
Isochronous endpoints also transfer large amounts of data, but the data is not
always guaranteed to make it through. These endpoints are used in devices that
can handle loss of data, and rely more on keepinga constant stream of data
flowing. Real-time data collections, such as audio and video devices, almost
always use these endpoints.</div>
<br>
Control and bulk endpoints are used for asynchronous data transfers, whenever the
driver decides to use them. Interrupt and isochronous endpoints are periodic. This
means that these endpoints are set up to transfer data at fixed times continuously,
which causes their bandwidth to be reserved by the USB core.<br>
<br>
USB endpoints are described in the kernel with the structure <font class="fixd">struct usb_host_endpoint</font>.
This structure contains the real endpoint information in another structure called
<font class="fixd">struct usb_endpoint_descriptor</font>. The latter structure contains all of the USB-specific
data in the exact format that the device itself specified. The fields of this structure that
drivers care about are:<br>
<br>
<font class="fixd">bEndpointAddress</font><br>
<div class="bq">
This is the USB address of this specific endpoint. Also included in this 8-bit
value is the direction of the endpoint. The bitmasks <font class="fixd">USB_DIR_OUT</font> and <font class="fixd">USB_DIR_IN</font>
can be placed against this field to determine if the data for this endpoint is
directed to the device or to the host.</div>
<br>
<font class="fixd">bmAttributes</font><br>
<div class="bq">
This is the type of endpoint. The bitmask <font class="fixd">USB_ENDPOINT_XFERTYPE_MASK</font> should
be placed against this value in order to determine if the endpoint is of type</div>
<br>
<A name="331"></a><font color="blue">PAGE 331</font><br>
<br>
<div class="bq"><font class="fixd">USB_ENDPOINT_XFER_ISOC, USB_ENDPOINT_XFER_BULK,</font> or of 
type <font class="fixd">USB_ENDPOINT_XFER_INT</font>. These macros define a isochronous, bulk, 
and interrupt endpoint, respectively.</div>
<br>
<font class="fixd">wMaxPacketSize</font><br>
<div class="bq">
This is the maximum size in bytes that this endpoint can handle at once. Note
that it is possible for a driver to send amounts of data to an endpoint that is bigger
than this value, but the data will be divided up into <font class="fixd">wMaxPacketSize</font> chunks
when actually transmitted to the device. For high-speed devices, this field can be
used to support a high-bandwidth mode for the endpoint by using a few extra
bits in the upper part of the value. See the USB specification for more details
about how this is done.</div>
<br>
<font class="fixd">bInterval</font><br>
<div class="bq">
If this endpoint is of type interrupt, this value is the interval setting for the endpoint--that
is, the time between interrupt requests for the endpoint. The value is
represented in milliseconds.</div>
<br>
The fields of this structure do not have a "traditional" Linux kernel naming scheme.
This is because these fields directly correspond to the field names in the USB specification.
The USB kernel programmers felt that it was more important to use the specified
names, so as to reduce confusion when reading the specification, than it was to
have variable names that look familiar to Linux programmers.<br>
<br>
<a name="Interfaces"></a><font color="red"><b>Interfaces</b></font><br>
<br>
USB endpoints are bundled up into <i>interfaces</i>. USB interfaces handle only one type of
a USB logical connection, such as a mouse, a keyboard, or a audio stream. Some USB
devices have multiple interfaces, such as a USB speaker that might consist of two
interfaces: a USB keyboard for the buttons and a USB audio stream. Because a USB
interface represents basic functionality, each USB driver controls an interface; so, for
the speaker example, Linux needs two different drivers for one hardware device.<br>
<br>
USB interfaces may have alternate settings, which are different choices for parameters
of the interface. The initial state of a interface is in the first setting, numbered 0.
Alternate settings can be used to control individual endpoints in different ways, such
as to reserve different amounts of USB bandwidth for the device. Each device with an
isochronous endpoint uses alternate settings for the same interface.<br>
<br>
USB interfaces are described in the kernel with the struct <font class="fixd">usb_interface</font> structure.
This structure is what the USB core passes to USB drivers and is what the USB driver
then is in charge of controlling. The important fields in this structure are:<br>
<br>
<font class="fixd">struct usb_host_interface *altsetting</font><br>
<div class="bq">
An array of interface structures containing all of the alternate settings that may
be selected for this interface. Each struct <font class="fixd">usb_host_interface</font> consists of a set of</div>
<br>
<A name="332"></a><font color="blue">PAGE 332</font><br>
<br>
<div class="bq">endpoint configurations as defined by the struct <font class="fixd">usb_host_endpoint</font> structure
described above. Note that these interface structures are in no particular order.</div>
<br>
<font class="fixd">unsigned num_altsetting</font><br>
<div class="bq">
The number of alternate settings pointed to by the <font class="fixd">altsetting</font> pointer.</div>
<br>
<font class="fixd">struct usb_host_interface *cur_altsetting</font><br>
<div class="bq">
A pointer into the array <font class="fixd">altsetting,</font> denoting the currently active setting for this
interface.</div>
<br>
<font class="fixd">int minor</font><br>
<div class="bq">
If the USB driver bound to this interface uses the USB major number, this variable
contains the minor number assigned by the USB core to the interface. This
is valid only after a successful call to <font class="fixd">usb_register_dev</font> (described later in this
chapter).</div>
<br>
There are other fields in the <font class="fixd">struct usb_interface</font> structure, but USB drivers do not
need to be aware of them.<br>
<br>
<a name="Configurations"></a><font color="red"><b>Configurations</b></font><br>
<br>
USB interfaces are themselves bundled up into <i>configurations</i>. A USB device can have
multiple configurations and might switch between them in order to change the state
of the device. For example, some devices that allow firmware to be downloaded to
them contain multiple configurations to accomplish this. A single configuration can
be enabled only at one point in time. Linux does not handle multiple configuration
USB devices very well, but, thankfully, they are rare.<br>
<br>
Linux describes USB configurations with the structure <font class="fixd">struct usb_host_config</font> and
entire USB devices with the structure <font class="fixd">struct usb_device</font>. USB device drivers do not
generally ever need to read or write to any values in these structures, so they are not
defined in detail here. The curious reader can find descriptions of them in the file
<i>include/linux/usb.h</i> in the kernel source tree.<br>
<br>
A USB device driver commonly has to convert data from a given struct usb_interface
structure into a <font class="fixd">struct usb_device</font> structure that the USB core needs for a wide range of
function calls. To do this, the function <i>interface_to_usbdev </i>is provided. Hopefully, in the
future, all USB calls that currently need a <font class="fixd">struct usb_device</font> will be converted to take a
<font class="fixd">struct usb_interface</font> parameter and will not require the drivers to do the conversion.<br>
<br>
So to summarize, USB devices are quite complex and are made up of lots of different
logical units. The relationships among these units can be simply described as follows:<br>
<ul>
<li> Devices usually have one or more configurations.
<li> Configurations often have one or more interfaces.
<li> Interfaces usually have one or more settings.
<li> Interfaces have zero or more endpoints.
</ul>
<A name="333"></a><font color="blue">PAGE 333</font><br>
<br>
<a name="USBAndSysfs"></a><font color="red"><b>USB and Sysfs</b></font><br>
<br>
Due to the complexity of a single USB physical device, the representation of that
device in sysfs is also quite complex. Both the physical USB device (as represented by
a <font class="fixd">struct usb_device</font>) and the individual USB interfaces (as represented by a <font class="fixd">struct
usb_interface</font>) are shown in sysfs as individual devices. (This is because both of
those structures contain a <font class="fixd">struct device</font> structure.) As an example, for a simple USB
mouse that contains only one USB interface, the following would be the sysfs directory
tree for that device:<br>
<pre>
/sys/devices/pci0000:00/0000:00:09.0/usb2/2-1
|-- 2-1:1.0
|   |-- bAlternateSetting
|   |-- bInterfaceClass
|   |-- bInterfaceNumber
|   |-- bInterfaceProtocol
|   |-- bInterfaceSubClass
|   |-- bNumEndpoints
|   |-- detach_state
|   |-- iInterface
|   `-- power
|       `-- state
|-- bConfigurationValue
|-- bDeviceClass
|-- bDeviceProtocol
|-- bDeviceSubClass
|-- bMaxPower
|-- bNumConfigurations
|-- bNumInterfaces
|-- bcdDevice
|-- bmAttributes
|-- detach_state
|-- devnum
|-- idProduct
|-- idVendor
|-- maxchild
|-- power
|   `-- state
|-- speed
`-- version
</pre>
The <font class="fixd">struct usb_device</font> is represented in the tree at:<br>
<pre>
/sys/devices/pci0000:00/0000:00:09.0/usb2/2-1
</pre>
while the USB interface for the mouse--the interface that the USB mouse driver is
bound to--is located at the directory:<br>
<pre>
/sys/devices/pci0000:00/0000:00:09.0/usb2/2-1/2-1:1.0
</pre>
To help understand what this longdevice path means, we describe how the kernel
labels the USB devices.<br>
<br>
<A name="334"></a><font color="blue">PAGE 334</font><br>
<br>
The first USB device is a root hub. This is the USB controller, usually contained in a
PCI device. The controller is so named because it controls the whole USB bus connected
to it. The controller is a bridge between the PCI bus and the USB bus, as well
as being the first USB device on that bus.<br>
<br>
All root hubs are assigned a unique number by the USB core. In our example, the
root hub is called <font class="fixd">usb2,</font> as it is the second root hub that was registered with the USB
core. There is no limit on the number of root hubs that can be contained in a single
system at any time.<br>
<br>
Every device that is on a USB bus takes the number of the root hub as the first number
in its name. That is followed by a - character and then the number of the port
that the device is plugged into. As the device in our example is plugged into the first
port, a <font class="fixd">1</font> is added to the name. So the device name for the main USB mouse device is
<font class="fixd">2-1.</font> Because this USB device contains one interface, that causes another device in the
tree to be added to the sysfs path. The naming scheme for USB interfaces is the
device name up to this point: in our example, it's <font class="fixd">2-1</font> followed by a colon and the
USB configuration number, then a period and the interface number. So for this
example, the device name is <font class="fixd">2-1:1.0</font> because it is the first configuration and has
interface number zero.<br>
<br>
So to summarize, the USB sysfs device naming scheme is:<br>
<pre>
<i>root_hub</i>-<i>hub_port</i>:<i>config</i>.<i>interface</i>
</pre>
As the devices go further down in the USB tree, and as more and more USB hubs are
used, the hub port number is added to the string following the previous hub port
number in the chain. For a two-deep tree, the device name looks like:<br>
<pre>
<i>root_hub</i>-<i>hub_port</i>-<i>hub_port</i>:<i>config</i>.<i>interface</i>
</pre>
As can be seen in the previous directory listing of the USB device and interface, all of
the USB specific information is available directly through sysfs (for example, the idVendor,
idProduct, and bMaxPower information). One of these files, <i>bConfigurationValue</i>,
can be written to in order to change the active USB configuration that is being used.
This is useful for devices that have multiple configurations, when the kernel is unable
to determine what configuration to select in order to properly operate the device. A
number of USB modems need to have the proper configuration value written to this file
in order to have the correct USB driver bind to the device.<br>
<br>
Sysfs does not expose all of the different parts of a USB device, as it stops at the interface
level. Any alternate configurations that the device may contain are not shown, as
well as the details of the endpoints associated with the interfaces. This information
can be found in the <i>usbfs </i>filesystem, which is mounted in the <i>/proc/bus/usb/ </i>directory
on the system. The file <i>/proc/bus/usb/devices </i>does show all of the same information
exposed in sysfs, as well as the alternate configuration and endpoint information<br>
<br>
<A name="335"></a><font color="blue">PAGE 335</font><br>
<br>
for all USB devices that are present in the system. <i>usbfs </i>also allows user-space programs
to directly talk to USB devices, which has enabled a lot of kernel drivers to be
moved out to user space, where it is easier to maintain and debug. The USB scanner
driver is a good example of this, as it is no longer present in the kernel because its
functionality is now contained in the user-space SANE library programs.<br>
<br>
<a name="USBUrbs"></a><font color="red"><b>USB Urbs</b></font><br>
<br>
The USB code in the Linux kernel communicates with all USB devices using something called
a <i>urb </i>(USB request block). This request block is described with the
struct urb structure and can be found in the <i>include/linux/usb.h </i>file.<br>
<br>
A urb is used to send or receive data to or from a specific USB endpoint on a specific
USB device in an asynchronous manner. It is used much like a kiocb structure is used
in the filesystem async I/O code or as a <font class="fixd">struct skbuff</font> is used in the networking code.
A USB device driver may allocate many urbs for a single endpoint or may reuse a single
urb for many different endpoints, depending on the need of the driver. Every endpoint
in a device can handle a queue of urbs, so that multiple urbs can be sent to the
same endpoint before the queue is empty. The typical lifecycle of a urb is as follows:<br>
<ul>
<li> Created by a USB device driver.
<li> Assigned to a specific endpoint of a specific USB device.
<li> Submitted to the USB core, by the USB device driver.
<li> Submitted to the specific USB host controller driver for the specified device by the USB core.
<li> Processed by the USB host controller driver that makes a USB transfer to the device.
<li> When the urb is completed, the USB host controller driver notifies the USB device driver.
</ul>
Urbs can also be canceled any time by the driver that submitted the urb, or by the
USB core if the device is removed from the system. urbs are dynamically created and
contain an internal reference count that enables them to be automatically freed when
the last user of the urb releases it.<br>
<br>
The procedure described in this chapter for handling urbs is useful, because it permits
streaming and other complex, overlapping communications that allow drivers
to achieve the highest possible data transfer speeds. But less cumbersome procedures
are available if you just want to send individual bulk or control messages and
do not care about data throughput rates. (See the section "USB Transfers Without Urbs.")<br>
<br>
<A name="336"></a><font color="blue">PAGE 336</font><br>
<br>
<a name="StructUrb"></a><font color="red"><b>struct urb</b></font><br>
<br>
The fields of the <font class="fixd">struct urb</font> structure that matter to a USB device driver are:<br>
<br>
<font class="fixd">struct usb_device *dev</font><br>
<br>
Pointer to the <font class="fixd">struct usb_device</font> to which this urb is sent. This variable must be
initialized by the USB driver before the urb can be sent to the USB core.<br>
<br>
<font class="fixd">unsigned int pipe</font><br>
<div class="bq">
Endpoint information for the specific <font class="fixd">struct usb_device</font> that this urb is to be
sent to. This variable must be initialized by the USB driver before the urb can be sent to the USB core.<br>
<br>
To set fields of this structure, the driver uses the following functions as appropriate,
depending on the direction of traffic. Note that every endpoint can be of only one type.<br>
<br>
<font class="fixd">unsigned int usb_sndctrlpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies a control OUT endpoint for the specified USB device with the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_rcvctrlpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies a control IN endpoint for the specified USB device with the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_sndbulkpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies a bulk OUT endpoint for the specified USB device with the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_rcvbulkpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies a bulk IN endpoint for the specified USB device with the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_sndintpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies an interrupt OUT endpoint for the specified USB device with the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_rcvintpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies an interrupt IN endpoint for the specified USB device with the specified endpoint number.</div></div>
<br>
<A name="337"></a><font color="blue">PAGE 337</font><br>
<br>
<div class="bq">
<font class="fixd">unsigned int usb_sndisocpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies an isochronous OUT endpoint for the specified USB device with
the specified endpoint number.</div>
<br>
<font class="fixd">unsigned int usb_rcvisocpipe(struct usb_device *dev, unsigned int endpoint)</font><br>
<div class="bq">
Specifies an isochronous IN endpoint for the specified USB device with the
specified endpoint number.</div></div>
<br>
<font class="fixd">unsigned int transfer_flags</font><br>
<div class="bq">
This variable can be set to a number of different bit values, depending on what
the USB driver wants to happen to the urb. The available values are:<br>
<br>
<font class="fixd">URB_SHORT_NOT_OK</font><br>
<div class="bq">
When set, it specifies that any short read on an IN endpoint that might
occur should be treated as an error by the USB core. This value is useful only
for urbs that are to be read from the USB device, not for write urbs.</div>
<br>
<font class="fixd">URB_ISO_ASAP</font><br>
<div class="bq">
If the urb is isochronous, this bit can be set if the driver wants the urb to be
scheduled, as soon as the bandwidth utilization allows it to be, and to set
the <font class="fixd">start_frame</font> variable in the urb at that point. If this bit is not set for an
isochronous urb, the driver must specify the <font class="fixd">start_frame</font> value and must be
able to recover properly if the transfer cannot start at that moment. See the
upcoming section about isochronous urbs for more information.</div>
<br>
<font class="fixd">URB_NO_TRANSFER_DMA_MAP</font><br>
<div class="bq">
Should be set when the urb contains a DMA buffer to be transferred. The
USB core uses the buffer pointed to by the <font class="fixd">transfer_dma</font> variable and not the
buffer pointed to by the <font class="fixd">transfer_buffer</font> variable.</div>
<br>
<font class="fixd">URB_NO_SETUP_DMA_MAP</font><br>
<div class="bq">
Like the <font class="fixd">URB_NO_TRANSFER_DMA_MAP</font> bit, this bit is used for control urbs that
have a DMA buffer already set up. If it is set, the USB core uses the buffer
pointed to by the <font class="fixd">setup_dma</font> variable instead of the <font class="fixd">setup_packet</font> variable.</div>
<br>
<font class="fixd">URB_ASYNC_UNLINK</font><br>
<div class="bq">
If set, the call to <i>usb_unlink_urb </i>for this urb returns almost immediately,
and the urb is unlinked in the background. Otherwise, the function waits
until the urb is completely unlinked and finished before returning. Use this
bit with care, because it can make synchronization issues very difficult to
debug.</div></div>
<br>
<A name="338"></a><font color="blue">PAGE 338</font><br>
<br>
<div class="bq">
<font class="fixd">URB_NO_FSBR</font><br>
<div class="bq">
Used by only the UHCI USB Host controller driver and tells it to not try to
do Front Side Bus Reclamation logic. This bit should generally not be set,
because machines with a UHCI host controller create a lot of CPU overhead,
and the PCI bus is saturated waiting on a urb that sets this bit.</div>
<br>
<font class="fixd">URB_ZERO_PACKET</font><br>
<div class="bq">
If set, a bulk out urb finishes by sending a short packet containing no data
when the data is aligned to an endpoint packet boundary. This is needed by
some broken USB devices (such as a number of USB to IR devices) in order
to work properly.</div>
<br>
<font class="fixd">URB_NO_INTERRUPT</font><br>
<div class="bq">
If set, the hardware may not generate an interrupt when the urb is finished.
This bit should be used with care and only when queuing multiple urbs to
the same endpoint. The USB core functions use this in order to do DMA
buffer transfers.</div></div>
<br>
<font class="fixd">void *transfer_buffer</font><br>
<div class="bq">
Pointer to the buffer to be used when sending data to the device (for an OUT
urb) or when receiving data from the device (for an IN urb). In order for the host
controller to properly access this buffer, it must be created with a call to <font class="fixd">kmalloc,</font>
not on the stack or statically. For control endpoints, this buffer is for the data
stage of the transfer.</div>
<br>
<font class="fixd">dma_addr_t transfer_dma</font><br>
<div class="bq">
Buffer to be used to transfer data to the USB device using DMA.</div>
<br>
<font class="fixd">int transfer_buffer_length</font><br>
<div class="bq">
The length of the buffer pointed to by the <font class="fixd">transfer_buffer</font> or the <font class="fixd">transfer_dma</font>
variable (as only one can be used for a urb). If this is 0, neither transfer buffers
are used by the USB core.<br>
<br>
For an OUT endpoint, if the endpoint maximum size is smaller than the value
specified in this variable, the transfer to the USB device is broken up into smaller
chunks in order to properly transfer the data. This large transfer occurs in consecutive
USB frames. It is much faster to submit a large block of data in one urb,
and have the USB host controller split it up into smaller pieces, than it is to send
smaller buffers in consecutive order.</div>
<br>
<font class="fixd">unsigned char *setup_packet</font><br>
<div class="bq">
Pointer to the setup packet for a control urb. It is transferred before the data in
the transfer buffer. This variable is valid only for control urbs.</div>
<br>
<font class="fixd">dma_addr_t setup_dma</font><br>
<div class="bq">
DMA buffer for the setup packet for a control urb. It is transferred before the
data in the normal transfer buffer. This variable is valid only for control urbs.</div>
<br>
<A name="339"></a><font color="blue">PAGE 339</font><br>
<br>
<font class="fixd">usb_complete_t complete</font><br>
<div class="bq">
Pointer to the completion handler function that is called by the USB core when
the urb is completely transferred or when an error occurs to the urb. Within this
function, the USB driver may inspect the urb, free it, or resubmit it for another
transfer. (See the section "CompletingUrbs: The Completion Callback Handler"
for more details about the completion handler.)
<br>
The <font class="fixd">usb_complete_t</font> typedef is defined as:<br>
<pre>typedef void (*usb_complete_t)(struct urb *, struct pt_regs *);</pre>
</div>
<font class="fixd">void *context</font><br>
<div class="bq">
Pointer to a data blob that can be set by the USB driver. It can be used in the
completion handler when the urb is returned to the driver. See the following section
for more details about this variable.</div>
<br>
<font class="fixd">int actual_length</font><br>
<div class="bq">
When the urb is finished, this variable is set to the actual length of the data
either sent by the urb (for OUT urbs) or received by the urb (for IN urbs.) For
IN urbs, this must be used instead of the <font class="fixd">transfer_buffer_length</font> variable,
because the data received could be smaller than the whole buffer size.</div>
<br>
<font class="fixd">int status</font><br>
<div class="bq">
When the urb is finished, or being processed by the USB core, this variable is set
to the current status of the urb. The only time a USB driver can safely access this
variable is in the urb completion handler function (described in the section
"CompletingUrbs: The Completion Callback Handler"). This restriction is to
prevent race conditions that occur while the urb is being processed by the USB
core. For isochronous urbs, a successful value (0) in this variable merely indicates
whether the urb has been unlinked. To obtain a detailed status on isochronous
urbs, the <font class="fixd">iso_frame_desc</font> variables should be checked.<br>
<br>
Valid values for this variable include:<br>
<br>
<font class="fixd">0</font><br>
<div class="bq">
The urb transfer was successful.</div>
<br>
<font class="fixd">-ENOENT</font><br>
<div class="bq">
The urb was stopped by a call to <i>usb_kill_urb</i>.</div>
<br>
<font class="fixd">-ECONNRESET</font><br>
<div class="bq">
The urb was unlinked by a call to <i>usb_unlink_urb</i>, and the transfer_flags
variable of the urb was set to <font class="fixd">URB_ASYNC_UNLINK</font>.</div>
<br>
<font class="fixd">-EINPROGRESS</font><br>
<div class="bq">
The urb is still being processed by the USB host controllers. If your driver
ever sees this value, it is a bug in your driver.</div>
<br>
<font class="fixd">-EPROTO</font><br>
<div class="bq">
One of the following errors occurred with this urb:</div>
<ul>
<li> A bitstuff error happened during the transfer.
<li> No response packet was received in time by the hardware.
</ul></div>
<A name="340"></a><font color="blue">PAGE 340</font><br>
<br>
<div class="bq">
<font class="fixd">-EILSEQ</font><br>
<div class="bq">
There was a CRC mismatch in the urb transfer.</div>
<br>
<font class="fixd">-EPIPE</font><br>
<div class="bq">
The endpoint is now stalled. If the endpoint involved is not a control endpoint,
this error can be cleared through a call to the function <i>usb_clear_halt</i>.</div>
<br>
<font class="fixd">-ECOMM</font><br>
<div class="bq">
Data was received faster during the transfer than it could be written to system
memory. This error value happens only for an IN urb.</div>
<br>
<font class="fixd">-ENOSR</font><br>
<div class="bq">
Data could not be retrieved from the system memory during the transfer fast
enough to keep up with the requested USB data rate. This error value happens
only for an OUT urb.</div>
<br>
<font class="fixd">-EOVERFLOW</font><br>
<div class="bq">
A "babble" error happened to the urb. A "babble" error occurs when the
endpoint receives more data than the endpoint's specified maximum packet
size.</div>
<br>
<font class="fixd">-EREMOTEIO</font><br>
<div class="bq">
Occurs only if the <font class="fixd">URB_SHORT_NOT_OK</font> flag is set in the urb's transfer_flags
variable and means that the full amount of data requested by the urb was
not received.</div>
<br>
<font class="fixd">-ENODEV</font><br>
<div class="bq">
The USB device is now gone from the system.</div>
<br>
<font class="fixd">-EXDEV</font><br>
<div class="bq">
Occurs only for a isochronous urb and means that the transfer was only partially
completed. In order to determine what was transferred, the driver
must look at the individual frame status.</div>
<br>
<font class="fixd">-EINVAL</font><br>
<div class="bq">
Something very bad happened with the urb. The USB kernel documentation
describes what this value means:<br>
<pre>
ISO madness, if this happens: Log off and go home
</pre>
It also can happen if a parameter is incorrectly set in the urb stucture or if an
incorrect function parameter in the <i>usb_submit_urb </i>call submitted the urb to
the USB core.</div>
<br>
<font class="fixd">-ESHUTDOWN</font><br>
<div class="bq">
There was a severe error with the USB host controller driver; it has now
been disabled, or the device was disconnected from the system, and the urb
was submitted after the device was removed. It can also occur if the configuration
was changed for the device, while the urb was submitted to the
device.</div></div>
<br>
<A name="341"></a><font color="blue">PAGE 341</font><br>
<br>
<div class="bq">Generally, the error values <font class="fixd">-EPROTO, -EILSEQ,</font> and <font class="fixd">-EOVERFLOW</font> indicate hardware
problems with the device, the device firmware, or the cable connecting the device to the computer.</div>
<br>
<font class="fixd">int start_frame</font><br>
<div class="bq">
Sets or returns the initial frame number for isochronous transfers to use.</div>
<br>
<font class="fixd">int interval</font><br>
<div class="bq">
The interval at which the urb is polled. This is valid only for interrupt or isochronous
urbs. The value's units differ depending on the speed of the device. For
low-speed and full-speed devices, the units are frames, which are equivalent to
milliseconds. For devices, the units are in microframes, which is equivalent to
units of 1/8 milliseconds. This value must be set by the USB driver for isochronous
or interrupt urbs before the urb is sent to the USB core.</div>
<br>
<font class="fixd">int number_of_packets</font><br>
<div class="bq">
Valid only for isochronous urbs and specifies the number of isochronous transfer
buffers to be handled by this urb. This value must be set by the USB driver
for isochronous urbs before the urb is sent to the USB core.</div>
<br>
<font class="fixd">int error_count</font><br>
<div class="bq">
Set by the USB core only for isochronous urbs after their completion. It specifies
the number of isochronous transfers that reported any type of error.</div>
<br>
<font class="fixd">struct usb_iso_packet_descriptor iso_frame_desc[0]</font><br>
<div class="bq">
Valid only for isochronous urbs. This variable is an array of the <font class="fixd">struct usb_iso_packet_descriptor</font> 
structures that make up this urb. This structure allows a single
urb to define a number of isochronous transfers at once. It is also used to collect
the transfer status of each individual transfer.<br>
<br>
The <font class="fixd">struct usb_iso_packet_descriptor</font> is made up of the following fields:<br>
<br>
<font class="fixd">unsigned int offset</font><br>
<div class="bq">
The offset into the transfer buffer (starting at 0 for the first byte) where this
packet's data is located.</div>
<br>
<font class="fixd">unsigned int length</font><br>
<div class="bq">
The length of the transfer buffer for this packet.</div>
<br>
<font class="fixd">unsigned int actual_length</font><br>
<div class="bq">
The length of the data received into the transfer buffer for this isochronous
packet.</div>
<br>
<font class="fixd">unsigned int status</font><br>
<div class="bq">
The status of the individual isochronous transfer of this packet. It can take
the same return values as the main <font class="fixd">struct urb</font> structure's status variable.</div></div>
<br>
<a name="CreatingAndDestroyingUrbs"></a><font color="red"><b>Creating and Destroying Urbs</b></font><br>
<br>
The <font class="fixd">struct urb</font> structure must never be created statically in a driver or within
another structure, because that would break the reference counting scheme used by<br>
<br>
<A name="342"></a><font color="blue">PAGE 342</font><br>
<br>
the USB core for urbs. It must be created with a call to the <i>usb_alloc_urb </i>function.
This function has the prototype:<br>
<pre>
struct urb *usb_alloc_urb(int iso_packets, int mem_flags);
</pre>
The first parameter, <font class="fixd">iso_packets,</font> is the number of isochronous packets this urb
should contain. If you do not want to create an isochronous urb, this variable should
be set to 0. The second parameter, <font class="fixd">mem_flags,</font> is the same type of flag that is passed
to the <i>kmalloc </i>function call to allocate memory from the kernel (see the section "The
Flags Argument" in Chapter 8 for the details on these flags). If the function is successful
in allocating enough space for the urb, a pointer to the urb is returned to the
caller. If the return value is <font class="fixd">NULL</font>, some error occurred within the USB core, and the
driver needs to clean up properly.<br>
<br>
After a urb has been created, it must be properly initialized before it can be used by
the USB core. See the next sections for how to initialize different types of urbs.<br>
<br>
In order to tell the USB core that the driver is finished with the urb, the driver must
call the <i>usb_free_urb</i> function. This function only has one argument:<br>
<pre>
void usb_free_urb(struct urb *urb);
</pre>
The argument is a pointer to the <font class="fixd">struct urb</font> you want to release. After this function
is called, the urb structure is gone, and the driver cannot access it any more.<br>
<br>
<a name="InterruptUrbs"></a><font color="red"><b>Interrupt urbs</b></font><br>
<br>
The function <i>usb_fill_int_urb </i>is a helper function to properly initialize a urb to be
sent to a interrupt endpoint of a USB device:<br>
<pre>
void usb_fill_int_urb(struct urb *urb, struct usb_device *dev,
                      unsigned int pipe, void *transfer_buffer,
                      int buffer_length, usb_complete_t complete,
                      void *context, int interval);
</pre>
This function contains a lot of parameters:<br>
<br>
<font class="fixd">struct urb *urb</font><br>
<div class="bq">
A pointer to the urb to be initialized.</div>
<br>
<font class="fixd">struct usb_device *dev</font><br>
<div class="bq">
The USB device to which this urb is to be sent.</div>
<br>
<font class="fixd">unsigned int pipe</font><br>
<div class="bq">
The specific endpoint of the USB device to which this urb is to be sent. This
value is created with the previously mentioned <i>usb_sndintpipe </i>or <i>usb_rcvintpipe
</i>functions.</div>
<br>
<font class="fixd">void *transfer_buffer</font><br>
<div class="bq">
A pointer to the buffer from which outgoing data is taken or into which incoming data
is received. Note that this can not be a static buffer and must be created
with a call to <i>kmalloc</i>.</div>
<br>
<A name="343"></a><font color="blue">PAGE 343</font><br>
<br>
<font class="fixd">int buffer_length</font><br>
<div class="bq">
The length of the buffer pointed to by the <font class="fixd">transfer_buffer</font> pointer.</div>
<br>
<font class="fixd">usb_complete_t complete</font><br>
<div class="bq">
Pointer to the completion handler that is called when this urb is completed.</div>
<br>
<font class="fixd">void *context</font><br>
<div class="bq">
Pointer to the blob that is added to the urb structure for later retrieval by the
completion handler function.</div>
<br>
<font class="fixd">int interval</font><br>
<div class="bq">
The interval at which that this urb should be scheduled. See the previous
description of the <font class="fixd">struct urb</font> structure to find the proper units for this value.</div>
<br>
<a name="BulkUrbs"></a><font color="red"><b>Bulk urbs</b></font><br>
<br>
Bulk urbs are initialized much like interrupt urbs. The function that does this is
<i>usb_fill_bulk_urb</i>, and it looks like:<br>
<pre>
void usb_fill_bulk_urb(struct urb *urb, struct usb_device *dev,
                       unsigned int pipe, void *transfer_buffer,
                       int buffer_length, usb_complete_t complete,
                       void *context);
</pre>
The function parameters are all the same as in the <i>usb_fill_int_urb </i>function. However,
there is no interval parameter because bulk urbs have no interval value. Please
note that the <font class="fixd">unsigned int pipe</font> variable must be initialized with a call to the <i>usb_sndbulkpipe</i>
or <i>usb_rcvbulkpipe</i> function.<br>
<br>
The <i>usb_fill_int_urb </i>function does not set the <font class="fixd">transfer_flags</font> variable in the urb, so
any modification to this field has to be done by the driver itself.<br>
<br>
<a name="ControlUrbs"></a><font color="red"><b>Control urbs</b></font><br>
<br>
Control urbs are initialized almost the same way as bulk urbs, with a call to the function
<i>usb_fill_control_urb</i>:<br>
<pre>
void usb_fill_control_urb(struct urb *urb, struct usb_device *dev,
                          unsigned int pipe, unsigned char *setup_packet,
                          void *transfer_buffer, int buffer_length,
                          usb_complete_t complete, void *context);
</pre>
The function parameters are all the same as in the <i>usb_fill_bulk_urb </i>function, except
that there is a new parameter, <font class="fixd">unsigned char *setup_packet,</font> which must point to the
setup packet data that is to be sent to the endpoint. Also, the <font class="fixd">unsigned int pipe</font> variable
must be initialized with a call to the <i>usb_sndctrlpipe</i> or <i>usb_rcvictrlpipe</i> function.<br>
<br>
The <i>usb_fill_control_urb </i>function does not set the <font class="fixd">transfer_flags</font> variable in the urb,
so any modification to this field has to be done by the driver itself. Most drivers do
not use this function, as it is much simpler to use the synchronous API calls as
described in the section "USB Transfers Without Urbs."<br>
<br>
<A name="344"></a><font color="blue">PAGE 344</font><br>
<br>
<a name="IsochronousUrbs"></a><font color="red"><b>Isochronous urbs</b></font><br>
<br>
Isochronous urbs unfortunately do not have an initializer function like the interrupt,
control, and bulk urbs do. So they must be initialized "by hand" in the driver before
they can be submitted to the USB core. The following is an example of how to properly
initialize this type of urb. It was taken from the <i>konicawc.c </i>kernel driver located
in the <i>drivers/usb/media</i> directory in the main kernel source tree.<br>
<pre>
urb-&gt;dev = dev;
urb-&gt;context = uvd;
urb-&gt;pipe = usb_rcvisocpipe(dev, uvd-&gt;video_endp-1);
urb-&gt;interval = 1;
urb-&gt;transfer_flags = URB_ISO_ASAP;
urb-&gt;transfer_buffer = cam-&gt;sts_buf[i];
urb-&gt;complete = konicawc_isoc_irq;
urb-&gt;number_of_packets = FRAMES_PER_DESC;
urb-&gt;transfer_buffer_length = FRAMES_PER_DESC;
for (j=0; j &lt; FRAMES_PER_DESC; j++) {
        urb-&gt;iso_frame_desc[j].offset = j;
        urb-&gt;iso_frame_desc[j].length = 1;
}
</pre>
<a name="SubmittingUrbs"></a><font color="red"><b>Submitting Urbs</b></font><br>
<br>
Once the urb has been properly created and initialized by the USB driver, it is ready
to be submitted to the USB core to be sent out to the USB device. This is done with a
call to the function <i>usb_submit_urb</i>:<br>
<pre>
int usb_submit_urb(struct urb *urb, int mem_flags);
</pre>
The urb parameter is a pointer to the urb that is to be sent to the device. The <font class="fixd">mem_flags</font>
parameter is equivalent to the same parameter that is passed to the <i>kmalloc </i>call and is
used to tell the USB core how to allocate any memory buffers at this moment in time.<br>
<br>
After a urb has been submitted to the USB core successfully, it should never try to
access any fields of the urb structure until the <i>complete</i> function is called.<br>
<br>
Because the function <i>usb_submit_urb </i>can be called at any time (including from
within an interrupt context), the specification of the <font class="fixd">mem_flags</font> variable must be correct.
There are really only three valid values that should be used, depending on when
<i>usb_submit_urb</i> is being called:<br>
<br>
<font class="fixd">GFP_ATOMIC</font><br>
<div class="bq">
This value should be used whenever the following are true:<br>
<ul>
<li> The caller is within a urb completion handler, an interrupt, a bottom half, a tasklet, or a timer callback.
<li> The caller is holding a spinlock or rwlock. Note that if a semaphore is being held, this value is not necessary.
<li> The <font class="fixd">current-&gt;state</font> is not <font class="fixd">TASK_RUNNING</font>. The state is 
always <font class="fixd">TASK_RUNNING</font> unless the driver has changed the current state itself.
</ul></div>
<A name="345"></a><font color="blue">PAGE 345</font><br>
<br>
<font class="fixd">GFP_NOIO</font><br>
<div class="bq">
This value should be used if the driver is in the block I/O patch. It should also be
used in the error handling path of all storage-type devices.</div>
<br>
<font class="fixd">GFP_KERNEL</font><br>
<div class="bq">
This should be used for all other situations that do not fall into one of the previously
mentioned categories.</div>
<br>
<a name="CompletingUrbsTheCompletionCallbackHandler"></a><font color="red"><b>Completing Urbs: The Completion Callback Handler</b></font><br>
<br>
If the call to <i>usb_submit_urb </i>was successful, transferring control of the urb to the
USB core, the function returns 0; otherwise, a negative error number is returned. If
the function succeeds, the completion handler of the urb (as specified by the <i>complete
</i>function pointer) is called exactly once when the urb is completed. When this
function is called, the USB core is finished with the URB, and control of it is now
returned to the device driver.<br>
<br>
There are only three ways a urb can be finished and have the <i>complete </i>function
called:<br>
<ul>
<li> The urb is successfully sent to the device, and the device returns the proper
acknowledgment. For an OUT urb, the data was successfully sent, and for an IN
urb, the requested data was successfully received. If this has happened, the
<font class="fixd">status</font> variable in the urb is set to 0.
<li> Some kind of error happened when sending or receiving data from the device.
This is noted by the error value in the <font class="fixd">status</font> variable in the urb structure.
<li> The urb was "unlinked" from the USB core. This happens either when the driver
tells the USB core to cancel a submitted urb with a call to <i>usb_unlink_urb </i>or
<i>usb_kill_urb</i>, or when a device is removed from the system and a urb had been
submitted to it.
</ul>
An example of how to test for the different return values within a urb completion call
is shown later in this chapter.<br>
<br>
<a name="CancelingUrbs"></a><font color="red"><b>Canceling Urbs</b></font><br>
<br>
To stop a urb that has been submitted to the USB core, the functions <i>usb_kill_urb </i>or
<i>usb_unlink_urb</i> should be called:<br>
<pre>
int usb_kill_urb(struct urb *urb);
int usb_unlink_urb(struct urb *urb);
</pre>
The <font class="fixd">urb</font> parameter for both of these functions is a pointer to the urb that is to be
canceled.<br>
<br>
<A name="346"></a><font color="blue">PAGE 346</font><br>
<br>
When the function is <i>usb_kill_urb</i>, the urb lifecycle is stopped. This function is
usually used when the device is disconnected from the system, in the disconnect
callback.<br>
<br>
For some drivers, the <i>usb_unlink_urb </i>function should be used to tell the USB core to
stop an urb. This function does not wait for the urb to be fully stopped before
returning to the caller. This is useful for stopping the urb while in an interrupt handler
or when a spinlock is held, as waiting for a urb to fully stop requires the ability
for the USB core to put the calling process to sleep. This function requires
that the <font class="fixd">URB_ASYNC_UNLINK</font> flag value be set in the urb that is being asked to be
stopped in order to work properly.<br>
<br>
<a name="WritingAUSBDriver"></a><font color="red"><b>Writing a USB Driver</b></font><br>
<br>
The approach to writing a USB device driver is similar to a <font class="fixd">pci_driver:</font> the driver registers
its driver object with the USB subsystem and later uses vendor and device identifiers
to tell if its hardware has been installed.<br>
<br>
<a name="WhatDevicesDoesTheDriverSupport"></a><font color="red"><b>What Devices Does the Driver Support?</b></font><br>
<br>
The <font class="fixd">struct usb_device_id</font> structure provides a list of different types of USB devices
that this driver supports. This list is used by the USB core to decide which driver to
give a device to, and by the hotplug scripts to decide which driver to automatically
load when a specific device is plugged into the system.<br>
<br>
The struct <font class="fixd">usb_device_id</font> structure is defined with the following fields:<br>
<br>
<font class="fixd">__u16 match_flags</font><br>
<div class="bq">
Determines which of the following fields in the structure the device should be
matched against. This is a bit field defined by the different <font class="fixd">USB_DEVICE_ID_MATCH_*</font>
values specified in the <i>include/linux/mod_devicetable.h </i>file. This field is usually
never set directly but is initialized by the <font class="fixd">USB_DEVICE</font> type macros described later.</div>
<br>
<font class="fixd">__u16 idVendor</font><br>
<div class="bq">
The USB vendor ID for the device. This number is assigned by the USB forum to
its members and cannot be made up by anyone else.</div>
<br>
<font class="fixd">__u16 idProduct</font><br>
<div class="bq">
The USB product ID for the device. All vendors that have a vendor ID assigned
to them can manage their product IDs however they choose to.</div>
<br>
<font class="fixd">__u16 bcdDevice_lo<br>
__u16 bcdDevice_hi</font><br>
<div class="bq">
Define the low and high ends of the range of the vendor-assigned product version
number. The <font class="fixd">bcdDevice_hi</font> value is inclusive; its value is the number of the
highest-numbered device. Both of these values are expressed in binary-coded</div>
<br>
<A name="347"></a><font color="blue">PAGE 347</font><br>
<br>
<div class="bq">decimal (BCD) form. These variables, combined with the <font class="fixd">idVendor</font> and
<font class="fixd">idProduct,</font> are used to define a specific version of a device.</div>
<br>
<font class="fixd">__u8 bDeviceClass<br>
__u8 bDeviceSubClass<br>
__u8 bDeviceProtocol</font><br>
<div class="bq">
Define the class, subclass, and protocol of the device, respectively. These numbers
are assigned by the USB forum and are defined in the USB specification.
These values specify the behavior for the whole device, including all interfaces
on this device.</div>
<br>
<font class="fixd">__u8 bInterfaceClass<br>
__u8 bInterfaceSubClass<br>
__u8 bInterfaceProtocol</font><br>
<div class="bq">
Much like the device-specific values above, these define the class, subclass, and
protocol of the individual interface, respectively. These numbers are assigned by
the USB forum and are defined in the USB specification.</div>
<br>
<font class="fixd">kernel_ulong_t driver_info</font><br>
<div class="bq">
This value is not used to match against, but it holds information that the driver
can use to differentiate the different devices from each other in the <font class="fixd">probe</font> callback
function to the USB driver.</div>
<br>
As with PCI devices, there are a number of macros that are used to initialize this
structure:<br>
<br>
<font class="fixd">USB_DEVICE(vendor, product)</font><br>
<div class="bq">
Creates a struct <font class="fixd">usb_device_id</font> that can be used to match only the specified vendor
and product ID values. This is very commonly used for USB devices that
need a specific driver.</div>
<br>
<font class="fixd">USB_DEVICE_VER(vendor, product, lo, hi)</font><br>
<div class="bq">
Creates a struct <font class="fixd">usb_device_id</font> that can be used to match only the specified vendor
and product ID values within a version range.</div>
<br>
<font class="fixd">USB_DEVICE_INFO(class, subclass, protocol)</font><br>
<div class="bq">
Creates a struct <font class="fixd">usb_device_id</font> that can be used to match a specific class of USB
devices.</div>
<br>
<font class="fixd">USB_INTERFACE_INFO(class, subclass, protocol)</font><br>
<div class="bq">
Creates a struct <font class="fixd">usb_device_id</font> that can be used to match a specific class of USB
interfaces.</div>
<br>
So, for a simple USB device driver that controls only a single USB device from a single
vendor, the struct <font class="fixd">usb_device_id</font> table would be defined as:<br>
<pre>
/* table of devices that work with this driver */
static struct usb_device_id skel_table [ ] = {
    { USB_DEVICE(USB_SKEL_VENDOR_ID, USB_SKEL_PRODUCT_ID) },
    { }                 /* Terminating entry */
};
MODULE_DEVICE_TABLE (usb, skel_table);
</pre>
<A name="348"></a><font color="blue">PAGE 348</font><br>
<br>
As with a PCI driver, the <font class="fixd">MODULE_DEVICE_TABLE</font> macro is necessary to allow user-space
tools to figure out what devices this driver can control. But for USB drivers, the string
<font class="fixd">usb</font> must be the first value in the macro.<br>
<br>
<a name="RegisteringAUSBDriver"></a><font color="red"><b>Registering a USB Driver</b></font><br>
<br>
The main structure that all USB drivers must create is a <font class="fixd">struct usb_driver</font>. This
structure must be filled out by the USB driver and consists of a number of function
callbacks and variables that describe the USB driver to the USB core code:<br>
<br>
<font class="fixd">struct module *owner</font><br>
<div class="bq">
Pointer to the module owner of this driver. The USB core uses it to properly reference
count this USB driver so that it is not unloaded at inopportune moments.
The variable should be set to the <font class="fixd">THIS_MODULE</font> macro.</div>
<br>
<font class="fixd">const char *name</font><br>
<div class="bq">
Pointer to the name of the driver. It must be unique among all USB drivers in the
kernel and is normally set to the same name as the module name of the driver. It
shows up in sysfs under <i>/sys/bus/usb/drivers/</i> when the driver is in the kernel.</div>
<br>
<font class="fixd">const struct usb_device_id *id_table</font><br>
<div class="bq">
Pointer to the <font class="fixd">struct usb_device_id</font> table that contains a list of all of the different
kinds of USB devices this driver can accept. If this variable is not set, the
probe function callback in the USB driver is never called. If you want your driver
always to be called for every USB device in the system, create a entry that sets
only the <font class="fixd">driver_info</font> field:</div>
<pre>
static struct usb_device_id usb_ids[ ] = {
    {.driver_info = 42},
    { }
};
</pre>
<font class="fixd">int (*probe) (struct usb_interface *intf, const struct usb_device_id *id)</font><br>
<div class="bq">
Pointer to the probe function in the USB driver. This function (described in the
section "probe and disconnect in Detail") is called by the USB core when it
thinks it has a <font class="fixd">struct usb_interface</font> that this driver can handle. A pointer to the
<font class="fixd">struct usb_device_id</font> that the USB core used to make this decision is also passed
to this function. If the USB driver claims the <font class="fixd">struct usb_interface</font> that is passed
to it, it should initialize the device properly and return 0. If the driver does not
want to claim the device, or an error occurs, it should return a negative error value.</div>
<br>
<font class="fixd">void (*disconnect) (struct usb_interface *intf)</font><br>
<div class="bq">
Pointer to the disconnect function in the USB driver. This function (described in
the section "probe and disconnect in Detail") is called by the USB core when the
<font class="fixd">struct usb_interface</font> has been removed from the system or when the driver is
being unloaded from the USB core.</div>
<br>
<A name="349"></a><font color="blue">PAGE 349</font><br>
<br>
So, to create a value <font class="fixd">struct usb_driver</font> structure, only five fields need to be initialized:<br>
<pre>
static struct usb_driver skel_driver = {
    .owner = THIS_MODULE,
    .name = &quot;skeleton&quot;,
    .id_table = skel_table,
    .probe = skel_probe,
    .disconnect = skel_disconnect,
};
</pre>
The <font class="fixd">struct usb_driver</font> does contain a few more callbacks, which are generally not
used very often, and are not required in order for a USB driver to work properly:<br>
<br>
<font class="fixd">int (*ioctl) (struct usb_interface *intf, unsigned int code, void *buf)</font><br>
<div class="bq">
Pointer to an <i>ioctl </i>function in the USB driver. If it is present, it is called when a
user-space program makes a <i>ioctl </i>call on the <i>usbfs </i>filesystem device entry associated
with a USB device attached to this USB driver. In practice, only the USB hub
driver uses this ioctl, as there is no other real need for any other USB driver to use it.</div>
<br>
<font class="fixd">int (*suspend) (struct usb_interface *intf, u32 state)</font><br>
<div class="bq">
Pointer to a suspend function in the USB driver. It is called when the device is to
be suspended by the USB core.</div>
<br>
<font class="fixd">int (*resume) (struct usb_interface *intf)</font><br>
<div class="bq">
Pointer to a resume function in the USB driver. It is called when the device is
being resumed by the USB core.</div>
<br>
To register the <font class="fixd">struct usb_driver</font> with the USB core, a call to <i>usb_register_driver </i>is
made with a pointer to the <font class="fixd">struct usb_driver</font>. This is traditionally done in the module
initialization code for the USB driver:<br>
<pre>
static int __init usb_skel_init(void)
{
    int result;

    /* register this driver with the USB subsystem */
    result = usb_register(&amp;skel_driver);
    if (result)
        err(&quot;usb_register failed. Error number %d&quot;, result);

    return result;
}
</pre>
When the USB driver is to be unloaded, the <font class="fixd">struct usb_driver</font> needs to be unregistered
from the kernel. This is done with a call to <i>usb_deregister_driver</i>. When this
call happens, any USB interfaces that were currently bound to this driver are disconnected,
and the <i>disconnect</i> function is called for them.<br>
<pre>
static void __exit usb_skel_exit(void)
{
    /* deregister this driver with the USB subsystem */
    usb_deregister(&amp;skel_driver);
}
</pre>
<A name="350"></a><font color="blue">PAGE 350</font><br>
<br>
<a name="ProbeAndDisconnectInDetail"></a><font color="red"><b>probe and disconnect in Detail</b></font><br>
<br>
In the <font class="fixd">struct usb_driver</font> structure described in the previous section, the driver specified
two functions that the USB core calls at appropriate times. The <i>probe </i>function is
called when a device is installed that the USB core thinks this driver should handle;
the <i>probe </i>function should perform checks on the information passed to it about the
device and decide whether the driver is really appropriate for that device. The <i>disconnect
</i>function is called when the driver should no longer control the device for some
reason and can do clean-up.<br>
<br>
Both the <i>probe </i>and <i>disconnect </i>function callbacks are called in the context of the USB
hub kernel thread, so it is legal to sleep within them. However, it is recommended
that the majority of work be done when the device is opened by a user if possible, in
order to keep the USB probingtime to a minimum. This is because the USB core
handles the addition and removal of USB devices within a single thread, so any slow
device driver can cause the USB device detection time to slow down and become
noticeable by the user.<br>
<br>
In the <i>probe </i>function callback, the USB driver should initialize any local structures
that it might use to manage the USB device. It should also save any information that
it needs about the device to the local structure, as it is usually easier to do so at this
time. As an example, USB drivers usually want to detect what the endpoint address
and buffer sizes are for the device, as they are needed in order to communicate with
the device. Here is some example code that detects both IN and OUT endpoints of
BULK type and saves some information about them in a local device structure:<br>
<pre>
/* set up the endpoint information */
/* use only the first bulk-in and bulk-out endpoints */
iface_desc = interface-&gt;cur_altsetting;
for (i = 0; i &lt; iface_desc-&gt;desc.bNumEndpoints; ++i) {
    endpoint = &amp;iface_desc-&gt;endpoint[i].desc;

    if (!dev-&gt;bulk_in_endpointAddr &amp;&amp;
        (endpoint-&gt;bEndpointAddress &amp; USB_DIR_IN) &amp;&amp;
        ((endpoint-&gt;bmAttributes &amp; USB_ENDPOINT_XFERTYPE_MASK)
                = = USB_ENDPOINT_XFER_BULK)) {
        /* we found a bulk in endpoint */
        buffer_size = endpoint-&gt;wMaxPacketSize;
        dev-&gt;bulk_in_size = buffer_size;
        dev-&gt;bulk_in_endpointAddr = endpoint-&gt;bEndpointAddress;
        dev-&gt;bulk_in_buffer = kmalloc(buffer_size, GFP_KERNEL);
        if (!dev-&gt;bulk_in_buffer) {
            err(&quot;Could not allocate bulk_in_buffer&quot;);
            goto error;
        }
    }

    if (!dev-&gt;bulk_out_endpointAddr &amp;&amp;
        !(endpoint-&gt;bEndpointAddress &amp; USB_DIR_IN) &amp;&amp;
        ((endpoint-&gt;bmAttributes &amp; USB_ENDPOINT_XFERTYPE_MASK)
</pre>
<A name="351"></a><font color="blue">PAGE 351</font><br>
<pre>
                = = USB_ENDPOINT_XFER_BULK)) {
        /* we found a bulk out endpoint */
        dev-&gt;bulk_out_endpointAddr = endpoint-&gt;bEndpointAddress;
    }
}
if (!(dev-&gt;bulk_in_endpointAddr &amp;&amp; dev-&gt;bulk_out_endpointAddr)) {
    err(&quot;Could not find both bulk-in and bulk-out endpoints&quot;);
    goto error;
}
</pre>
This block of code first loops over every endpoint that is present in this interface and
assigns a local pointer to the endpoint structure to make it easier to access later:<br>
<pre>
for (i = 0; i &lt; iface_desc-&gt;desc.bNumEndpoints; ++i) {
    endpoint = &amp;iface_desc-&gt;endpoint[i].desc;
</pre>
Then, after we have an endpoint, and we have not found a bulk IN type endpoint
already, we look to see if this endpoint's direction is IN. That can be tested by seeing
whether the bitmask <font class="fixd">USB_DIR_IN</font> is contained in the <font class="fixd">bEndpointAddress </font>endpoint variable.
If this is true, we determine whether the endpoint type is bulk or not, by first
maskingoff the <font class="fixd">bmAttributes</font> variable with the <font class="fixd">USB_ENDPOINT_XFERTYPE_MASK</font> bitmask,
and then checking if it matches the value <font class="fixd">USB_ENDPOINT_XFER_BULK:</font><br>
<pre>
if (!dev-&gt;bulk_in_endpointAddr &amp;&amp;
    (endpoint-&gt;bEndpointAddress &amp; USB_DIR_IN) &amp;&amp;
    ((endpoint-&gt;bmAttributes &amp; USB_ENDPOINT_XFERTYPE_MASK)
            = = USB_ENDPOINT_XFER_BULK)) {
</pre>
If all of these tests are true, the driver knows it found the proper type of endpoint
and can save the information about the endpoint that it will later need to communicate
over it in a local structure:<br>
<pre>
/* we found a bulk in endpoint */
buffer_size = endpoint-&gt;wMaxPacketSize;
dev-&gt;bulk_in_size = buffer_size;
dev-&gt;bulk_in_endpointAddr = endpoint-&gt;bEndpointAddress;
dev-&gt;bulk_in_buffer = kmalloc(buffer_size, GFP_KERNEL);
if (!dev-&gt;bulk_in_buffer) {
    err(&quot;Could not allocate bulk_in_buffer&quot;);
    goto error;
}
</pre>
Because the USB driver needs to retrieve the local data structure that is associated
with this <font class="fixd">struct usb_interface</font> later in the lifecycle of the device, the function
<i>usb_set_intfdata</i> can be called:<br>
<pre>
/* save our data pointer in this interface device */
usb_set_intfdata(interface, dev);
</pre>
This function accepts a pointer to any data type and saves it in the <font class="fixd">struct usb_interface</font>
structure for later access. To retrieve the data, the function <i>usb_get_intfdata </i>should
be called:<br>
<pre>
struct usb_skel *dev;
struct usb_interface *interface;
</pre>
<A name="352"></a><font color="blue">PAGE 352</font><br>
<pre>
int subminor;
int retval = 0;

subminor = iminor(inode);

interface = usb_find_interface(&amp;skel_driver, subminor);
if (!interface) {
    err (&quot;%s - error, can't find device for minor %d&quot;,
         __FUNCTION__, subminor);
    retval = -ENODEV;
    goto exit;
}

dev = usb_get_intfdata(interface);
if (!dev) {
    retval = -ENODEV;
    goto exit;
}
</pre>
<i>usb_get_intfdata </i>is usually called in the <i>open </i>function of the USB driver and again in
the <i>disconnect </i>function. Thanks to these two functions, USB drivers do not need to
keep a static array of pointers that store the individual device structures for all current
devices in the system. The indirect reference to device information allows an
unlimited number of devices to be supported by any USB driver.<br>
<br>
If the USB driver is not associated with another type of subsystem that handles the
user interaction with the device (such as input, tty, video, etc.), the driver can use the
USB major number in order to use the traditional char driver interface with user
space. To do this, the USB driver must call the <i>usb_register_dev </i>function in the <i>probe
</i>function when it wants to register a device with the USB core. Make sure that the
device and driver are in a proper state to handle a user wanting to access the device
as soon as this function is called.<br>
<pre>
/* we can register the device now, as it is ready */
retval = usb_register_dev(interface, &amp;skel_class);
if (retval) {
    /* something prevented us from registering this driver */
    err(&quot;Not able to get a minor for this device.&quot;);
    usb_set_intfdata(interface, NULL);
    goto error;
}
</pre>
The <i>usb_register_dev </i>function requires a pointer to a <font class="fixd">struct usb_interface</font> and a
pointer to a struct <font class="fixd">usb_class_driver</font>. This struct <font class="fixd">usb_class_driver</font> is used to define
a number of different parameters that the USB driver wants the USB core to know
when registering for a minor number. This structure consists of the following variables:<br>
<br>
<font class="fixd">char *name</font><br>
<div class="bq">
The name that sysfs uses to describe the device. A leading pathname, if present,
is used only in devfs and is not covered in this book. If the number of the device
needs to be in the name, the characters <font class="fixd">%d</font> should be in the name string. For</div>
<br>
<A name="353"></a><font color="blue">PAGE 353</font><br>
<br>
<div class="bq">example, to create the devfs name <font class="fixd">usb/foo1</font> and the sysfs class name <font class="fixd">foo1,</font> the
name string should be set to <font class="fixd">usb/foo%d.</font></div>
<br>
<font class="fixd">struct file_operations *fops;</font><br>
<div class="bq">
Pointer to the <font class="fixd">struct file_operations</font> that this driver has defined to use to register
as the character device. See Chapter 3 for more information about this structure.</div>
<br>
<font class="fixd">mode_t mode;</font><br>
<div class="bq">
The mode for the devfs file to be created for this driver; unused otherwise. A typical
setting for this variable would be the value <font class="fixd">S_IRUSR</font> combined with the value
<font class="fixd">S_IWUSR,</font> which would provide only read and write access by the owner of the
device file.</div>
<br>
<font class="fixd">int minor_base;</font><br>
<div class="bq">
This is the start of the assigned minor range for this driver. All devices associated
with this driver are created with unique, increasing minor numbers beginning with
this value. Only 16 devices are allowed to be associated with this
driver at any one time unless the <font class="fixd">CONFIG_USB_DYNAMIC_MINORS</font> configuration
option has been enabled for the kernel. If so, this variable is ignored, and all
minor numbers for the device are allocated on a first-come, first-served manner.
It is recommended that systems that have enabled this option use a program
such as <i>udev </i>to manage the device nodes in the system, as a static <i>/dev </i>tree will
not work properly.</div>
<br>
When the USB device is disconnected, all resources associated with the device
should be cleaned up, if possible. At this time, if <i>usb_register_dev </i>has been called to
allocate a minor number for this USB device during the <i>probe </i>function, the function
<i>usb_deregister_dev</i> must be called to give the minor number back to the USB core.<br>
<br>
In the <i>disconnect </i>function, it is also important to retrieve from the interface any data
that was previously set with a call to <i>usb_set_intfdata</i>. Then set the data pointer in
the <font class="fixd">struct usb_interface</font> structure to <font class="fixd">NULL</font> to prevent any further mistakes in accessing
the data improperly:<br>
<pre>
static void skel_disconnect(struct usb_interface *interface)
{
    struct usb_skel *dev;
    int minor = interface-&gt;minor;

    /* prevent skel_open( ) from racing skel_disconnect( ) */
    lock_kernel( );

    dev = usb_get_intfdata(interface);
    usb_set_intfdata(interface, NULL);

    /* give back our minor */
    usb_deregister_dev(interface, &amp;skel_class);

    unlock_kernel( );
</pre>
<A name="354"></a><font color="blue">PAGE 354</font>
<pre>
    /* decrement our usage count */
    kref_put(&amp;dev-&gt;kref, skel_delete);

    info(&quot;USB Skeleton #%d now disconnected&quot;, minor);
}
</pre>
Note the call to <i>lock_kernel </i>in the previous code snippet. This takes the big kernel
lock, so that the <i>disconnect </i>callback does not encounter a race condition with the
open call when trying to get a pointer to the correct interface data structure. Because
the open is called with the bigkernel lock taken, if the <i>disconnect </i>also takes that same
lock, only one portion of the driver can access and then set the interface data pointer.<br>
<br>
Just before the <i>disconnect </i>function is called for a USB device, all urbs that are currently
in transmission for the device are canceled by the USB core, so the driver does
not have to explicitly call <i>usb_kill_urb </i>for these urbs. If a driver tries to submit a urb
to a USB device after it has been disconnected with a call to <i>usb_submit_urb</i>, the submission
will fail with an error value of <font class="fixd">-EPIPE.</font><br>
<br>
<a name="SubmittingAndControllingAUrb"></a><font color="red"><b>Submitting and Controlling a Urb</b></font><br>
<br>
When the driver has data to send to the USB device (as typically happens in a driver's
write function), a urb must be allocated for transmitting the data to the device:<br>
<pre>
urb = usb_alloc_urb(0, GFP_KERNEL);
if (!urb) {
    retval = -ENOMEM;
    goto error;
}
</pre>
After the urb is allocated successfully, a DMA buffer should also be created to send
the data to the device in the most efficient manner, and the data that is passed to the
driver should be copied into that buffer:<br>
<pre>
buf = usb_buffer_alloc(dev-&gt;udev, count, GFP_KERNEL, &amp;urb-&gt;transfer_dma);
if (!buf) {
    retval = -ENOMEM;
    goto error;
}
if (copy_from_user(buf, user_buffer, count)) {
    retval = -EFAULT;
    goto error;
}
</pre>
Once the data is properly copied from the user space into the local buffer, the urb
must be initialized correctly before it can be submitted to the USB core:<br>
<pre>
/* initialize the urb properly */
usb_fill_bulk_urb(urb, dev-&gt;udev,
          usb_sndbulkpipe(dev-&gt;udev, dev-&gt;bulk_out_endpointAddr),
          buf, count, skel_write_bulk_callback, dev);
urb-&gt;transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
</pre>
<A name="355"></a><font color="blue">PAGE 355</font><br>
<br>
Now that the urb is properly allocated, the data is properly copied, and the urb is
properly initialized, it can be submitted to the USB core to be transmitted to the
device:<br>
<pre>
/* send the data out the bulk port */
retval = usb_submit_urb(urb, GFP_KERNEL);
if (retval) {
    err(&quot;%s - failed submitting write urb, error %d&quot;, __FUNCTION__, retval);
    goto error;
}
</pre>
After the urb is successfully transmitted to the USB device (or something happens in
transmission), the urb callback is called by the USB core. In our example, we initialized
the urb to point to the function <i>skel_write_bulk_callback</i>, and that is the function
that is called:<br>
<pre>
static void skel_write_bulk_callback(struct urb *urb, struct pt_regs *regs)
{
    /* sync/async unlink faults aren't errors */
    if (urb-&gt;status &amp;&amp;
        !(urb-&gt;status = = -ENOENT ||
          urb-&gt;status = = -ECONNRESET ||
          urb-&gt;status = = -ESHUTDOWN)) {
        dbg(&quot;%s - nonzero write bulk status received: %d&quot;,
            __FUNCTION__, urb-&gt;status);
    }

    /* free up our allocated buffer */
    usb_buffer_free(urb-&gt;dev, urb-&gt;transfer_buffer_length,
            urb-&gt;transfer_buffer, urb-&gt;transfer_dma);
}
</pre>
The first thing the callback function does is check the status of the urb to determine
if this urb completed successfully or not. The error values, <font class="fixd">-ENOENT, -ECONNRESET,</font> and
<font class="fixd">-ESHUTDOWN</font> are not real transmission errors, just reports about conditions accompanying a
successful transmission. (See the list of possible errors for urbs detailed in the
section "<font class="fixd">struct urb</font>.") Then the callback frees up the allocated buffer that was
assigned to this urb to transmit.<br>
<br>
It's common for another urb to be submitted to the device while the urb callback
function is running. This is useful when streaming data to a device. Remember that
the urb callback is running in interrupt context, so it should do any memory allocation,
hold any semaphores, or do anything else that could cause the process to sleep.
When submitting a urb from within a callback, use the <font class="fixd">GFP_ATOMIC</font> flag to tell the
USB core to not sleep if it needs to allocate new memory chunks during the submission
process.<br>
<br>
<A name="356"></a><font color="blue">PAGE 356</font><br>
<br>
<a name="USBTransfersWithoutUrbs"></a><font color="red"><b>USB Transfers Without Urbs</b></font><br>
<br>
Sometimes a USB driver does not want to go through all of the hassle of creating a
<font class="fixd">struct urb</font>, initializing it, and then waiting for the urb completion function to run,
just to send or receive some simple USB data. Two functions are available to provide
a simpler interface.<br>
<br>
<a name="Usbbulkmsg"></a><font color="red"><b>usb_bulk_msg</b></font><br>
<br>
<i>usb_bulk_msg </i>creates a USB bulk urb and sends it to the specified device, then waits
for it to complete before returning to the caller. It is defined as:<br>
<pre>
int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
                 void *data, int len, int *actual_length,
                 int timeout);
</pre>
The parameters of this function are:<br>
<br>
<font class="fixd">struct usb_device *usb_dev</font><br>
<div class="bq">
A pointer to the USB device to send the bulk message to.</div>
<br>
<font class="fixd">unsigned int pipe</font><br>
<div class="bq">
The specific endpoint of the USB device to which this bulk message is to be sent.
This value is created with a call to either <i>usb_sndbulkpipe</i> or <i>usb_rcvbulkpipe</i>.</div>
<br>
<font class="fixd">void *data</font><br>
<div class="bq">
A pointer to the data to send to the device if this is an OUT endpoint. If this is
an IN endpoint, this is a pointer to where the data should be placed after being
read from the device.</div>
<br>
<font class="fixd">int len</font><br>
<div class="bq">
The length of the buffer that is pointed to by the data parameter.</div>
<br>
<font class="fixd">int *actual_length</font><br>
<div class="bq">
A pointer to where the function places the actual number of bytes that have
either been transferred to the device or received from the device, depending on
the direction of the endpoint.</div>
<br>
<font class="fixd">int timeout</font><br>
<div class="bq">
The amount of time, in jiffies, that should be waited before timing out. If this
value is 0, the function waits forever for the message to complete.</div>
<br>
If the function is successful, the return value is 0; otherwise, a negative error number
is returned. This error number matches up with the error numbers previously
described for urbs in the section "<font class="fixd">struct urb</font>." If successful, the <font class="fixd">actual_length</font> parameter
contains the number of bytes that were transferred or received from this message.<br>
<br>
The following is an example of using this function call:<br>
<pre>
/* do a blocking bulk read to get data from the device */
retval = usb_bulk_msg(dev-&gt;udev,
              usb_rcvbulkpipe(dev-&gt;udev, dev-&gt;bulk_in_endpointAddr),
</pre>
<A name="357"></a><font color="blue">PAGE 357</font><br>
<pre>
              dev-&gt;bulk_in_buffer,
              min(dev-&gt;bulk_in_size, count),
              &amp;count, HZ*10);

/* if the read was successful, copy the data to user space */
if (!retval) {
    if (copy_to_user(buffer, dev-&gt;bulk_in_buffer, count))
        retval = -EFAULT;
    else
        retval = count;
}
</pre>
This example shows a simple bulk read from an IN endpoint. If the read is successful,
the data is then copied to user space. This is typically done in a <font class="fixd">read</font> function for
a USB driver.<br>
<br>
The <i>usb_bulk_msg </i>function cannot be called from within interrupt context or with a
spinlock held. Also, this function cannot be canceled by any other function, so be
careful when using it; make sure that your driver's <i>disconnect </i>knows enough to wait
for the call to complete before allowing itself to be unloaded from memory.<br>
<br>
<a name="Usbcontrolmsg"></a><font color="red"><b>usb_control_msg</b></font><br>
<br>
The <i>usb_control_msg </i>function works just like the <i>usb_bulk_msg </i>function, except it
allows a driver to send and receive USB control messages:<br>
<pre>
int usb_control_msg(struct usb_device *dev, unsigned int pipe,
                    __u8 request, __u8 requesttype,
                    __u16 value, __u16 index,
                    void *data, __u16 size, int timeout);
</pre>
The parameters of this function are almost the same as <i>usb_bulk_msg</i>, with a few
important differences:<br>
<br>
<font class="fixd">struct usb_device *dev</font><br>
<div class="bq">
A pointer to the USB device to send the control message to.</div>
<br>
<font class="fixd">unsigned int pipe</font><br>
<div class="bq">
The specific endpoint of the USB device that this control message is to be sent
to. This value is created with a call to either <i>usb_sndctrlpipe</i> or <i>usb_rcvctrlpipe</i>.</div>
<br>
<font class="fixd">__u8 request</font><br>
<div class="bq">
The USB request value for the control message.</div>
<br>
<font class="fixd">__u8 requesttype</font><br>
<div class="bq">
The USB request type value for the control message</div>
<br>
<font class="fixd">__u16 value</font><br>
<div class="bq">
The USB message value for the control message.</div>
<br>
<font class="fixd">__u16 index</font><br>
<div class="bq">
The USB message index value for the control message.</div>
<br>
<A name="358"></a><font color="blue">PAGE 358</font><br>
<br>
<font class="fixd">void *data</font><br>
<div class="bq">
A pointer to the data to send to the device if this is an OUT endpoint. If this is
an IN endpoint, this is a pointer to where the data should be placed after being
read from the device.</div>
<br>
<font class="fixd">__u16 size</font><br>
<div class="bq">
The size of the buffer that is pointed to by the data parameter.</div>
<br>
<font class="fixd">int timeout</font><br>
<div class="bq">
The amount of time, in jiffies, that should be waited before timing out. If this
value is 0, the function will wait forever for the message to complete.</div>
<br>
If the function is successful, it returns the number of bytes that were transferred to or
from the device. If it is not successful, it returns a negative error number.<br>
<br>
The parameters <font class="fixd">request, requesttype, value,</font> and <font class="fixd">index</font> all directly map to the USB
specification for how a USB control message is defined. For more information on the
valid values for these parameters and how they are used, see Chapter 9 of the USB
specification.<br>
<br>
Like the function <i>usb_bulk_msg</i>, the function <i>usb_control_msg </i>cannot be called from
within interrupt context or with a spinlock held. Also, this function cannot be canceled
by any other function, so be careful when using it; make sure that your driver
<i>disconnect </i>function knows enough to wait for the call to complete before allowing
itself to be unloaded from memory.<br>
<br>
<a name="OtherUSBDataFunctions"></a><font color="red"><b>Other USB Data Functions</b></font><br>
<br>
A number of helper functions in the USB core can be used to retrieve standard information
from all USB devices. These functions cannot be called from within interrupt
context or with a spinlock held.<br>
<br>
The function <i>usb_get_descriptor </i>retrieves the specified USB descriptor from the specified
device. The function is defined as:<br>
<pre>
int usb_get_descriptor(struct usb_device *dev, unsigned char type,
                       unsigned char index, void *buf, int size);
</pre>
This function can be used by a USB driver to retrieve from the struct usb_device
structure any of the device descriptors that are not already present in the existing
<font class="fixd">struct usb_device</font> and <font class="fixd">struct usb_interface</font> structures, such as audio descriptors or
other class specific information. The parameters of the function are:<br>
<br>
<font class="fixd">struct usb_device *usb_dev</font><br>
<div class="bq">
A pointer to the USB device that the descriptor should be retrieved from.</div>
<br>
<font class="fixd">unsigned char type<</font>br>
<div class="bq">
The descriptor type. This type is described in the USB specification and can be
one of the following types:<br>
<pre>
USB_DT_DEVICE
USB_DT_CONFIG
</pre></div>
<A name="359"></a><font color="blue">PAGE 359</font><br>
<div class="bq"><pre>
USB_DT_STRING
USB_DT_INTERFACE
USB_DT_ENDPOINT
USB_DT_DEVICE_QUALIFIER
USB_DT_OTHER_SPEED_CONFIG
USB_DT_INTERFACE_POWER
USB_DT_OTG
USB_DT_DEBUG
USB_DT_INTERFACE_ASSOCIATION
USB_DT_CS_DEVICE
USB_DT_CS_CONFIG
USB_DT_CS_STRING
USB_DT_CS_INTERFACE
USB_DT_CS_ENDPOINT
</pre></div>
<font class="fixd">unsigned char index</font><br>
<div class="bq">
The number of the descriptor that should be retrieved from the device.</div>
<br>
<font class="fixd">void *buf</font><br>
<div class="bq">
A pointer to the buffer to which you copy the descriptor.</div>
<br>
<font class="fixd">int size</font><br>
<div class="bq">
The size of the memory pointed to by the <font class="fixd">buf</font> variable.</div>
<br>
If this function is successful, it returns the number of bytes read from the device.
Otherwise, it returns a negative error number returned by the underlying call to
<i>usb_control_msg</i> that this function makes.<br>
<br>
One of the more common uses for the <i>usb_get_descriptor </i>call is to retrieve a string
from the USB device. Because this is quite common, there is a helper function for it
called <i>usb_get_string</i>:<br>
<pre>
int usb_get_string(struct usb_device *dev, unsigned short langid,
                   unsigned char index, void *buf, int size);
</pre>
If successful, this function returns the number of bytes received by the device for the
string. Otherwise, it returns a negative error number returned by the underlying call
to <i>usb_control_msg</i> that this function makes.<br>
<br>
If this function is successful, it returns a string-encoded in the UTF-16LE format (Unicode,
16 bits per character, in little-endian byte order) in the buffer pointed to by the buf
parameter. As this format is usually not very useful, there is another function, called
<i>usb_string</i>, that returns a string that is read from a USB device and is already converted
into an ISO 8859-1 format string. This character set is a 8-bit subset of Unicode and is
the most common format for strings in English and other Western European languages.
As this is typically the format that the USB device's strings are in, it is recommended
that the <i>usb_string</i> function be used instead of the <i>usb_get_string</i> function.<br>
<br>
<A name="360"></a><font color="blue">PAGE 360</font><br>
<br>
<a name="QuickReference13"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This section summarizes the symbols introduced in the chapter:<br>
<br>
<font class="fixd">#include &lt;linux/usb.h&gt;</font><br>
<div class="bq">
Header file where everything related to USB resides. It must be included by all
USB device drivers.</div>
<br>
<font class="fixd">struct usb_driver;</font><br>
<div class="bq">
Structure that describes a USB driver.</div>
<br>
<font class="fixd">struct usb_device_id;</font><br>
<div class="bq">
Structure that describes the types of USB devices this driver supports.</div>
<br>
<font class="fixd">int usb_register(struct usb_driver *d);<br>
void usb_deregister(struct usb_driver *d);</font><br>
<div class="bq">
Functions used to register and unregister a USB driver from the USB core.</div>
<br>
<font class="fixd">struct usb_device *interface_to_usbdev(struct usb_interface *intf);</font><br>
<div class="bq">
Retrieves the controlling struct usb_device * out of a struct usb_interface *.</div>
<br>
<font class="fixd">struct usb_device;</font><br>
<div class="bq">
Structure that controls an entire USB device.</div>
<br>
<font class="fixd">struct usb_interface;</font><br>
<div class="bq">
Main USB device structure that all USB drivers use to communicate with the
USB core.</div>
<br>
<font class="fixd">void usb_set_intfdata(struct usb_interface *intf, void *data);<br>
void *usb_get_intfdata(struct usb_interface *intf);</font><br>
<div class="bq">
Functions to set and get access to the private data pointer section within the
<font class="fixd">struct usb_interface</font>.</div>
<br>
<font class="fixd">struct usb_class_driver;</font><br>
<div class="bq">
A structure that describes a USB driver that wants to use the USB major number
to communicate with user-space programs.</div>
<br>
<font class="fixd">int usb_register_dev(struct usb_interface *intf, struct usb_class_driver
                     *class_driver);<br>
void usb_deregister_dev(struct usb_interface *intf, struct usb_class_driver
                        *class_driver);</font><br>
<div class="bq">
Functions used to register and unregister a specific struct usb_interface * structure
with a struct usb_class_driver * structure.</div>
<br>
<font class="fixd">struct urb;</font><br>
<div class="bq">
Structure that describes a USB data transmission.</div>
<br>
<font class="fixd">struct urb *usb_alloc_urb(int iso_packets, int mem_flags);<br>
void usb_free_urb(struct urb *urb);</font><br>
<div class="bq">
Functions used to create and destroy a struct usb urb *.</div>
<br>
<A name="361"></a><font color="blue">PAGE 361</font><br>
<br>
<font class="fixd">int usb_submit_urb(struct urb *urb, int mem_flags);<br>
int usb_kill_urb(struct urb *urb);<br>
int usb_unlink_urb(struct urb *urb);</font><br>
<div class="bq">
Functions used to start and stop a USB data transmission.</div>
<br>
<font class="fixd">void usb_fill_int_urb(struct urb *urb, struct usb_device *dev, unsigned int
  pipe, void *transfer_buffer, int buffer_length, usb_complete_t complete,
  void *context, int interval);<br>
void usb_fill_bulk_urb(struct urb *urb, struct usb_device *dev, unsigned int
  pipe, void *transfer_buffer, int buffer_length, usb_complete_t complete,
  void *context);<br>
void usb_fill_control_urb(struct urb *urb, struct usb_device *dev, unsigned
  int pipe, unsigned char *setup_packet, void *transfer_buffer, int
  buffer_ length, usb_complete_t complete, void *context);</font><br>
<div class="bq">
Functions used to initialize a struct urb before it is submitted to the USB core.</div>
<br>
<font class="fixd">int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, void *data,
  int len, int *actual_length, int timeout);<br>
int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
  __u8 requesttype, __u16 value, __u16 index, void *data, __u16 size,
  int timeout);</font><br>
<div class="bq">
Functions used to send or receive USB data without having to use a struct urb.</div>
<br>
<A name="362"></a><font color="blue">PAGE 362</font><br>
<br>
<a name="CHAPTER14"></a><font color="red"><b>CHAPTER 14</b></font><br>
<br>
<a name="TheLinuxDeviceModel"></a><font color="#7519FF" size="+1"><b>The Linux Device Model</b></font><br>
<br>
One of the stated goals for the 2.5 development cycle was the creation of a unified
device model for the kernel. Previous kernels had no single data structure to which
they could turn to obtain information about how the system is put together. Despite
this lack of information, things worked well for some time. The demands of newer
systems, with their more complicated topologies and need to support features such
as power management, made it clear, however, that a general abstraction describing
the structure of the system was needed.<br>
<br>
The 2.6 device model provides that abstraction. It is now used within the kernel to
support a wide variety of tasks, including:<br>
<br>
<i>Power management and system shutdown</i><br>
<div class="bq">
These require an understanding of the system's structure. For example, a USB
host adaptor cannot be shut down before dealing with all of the devices connected
to that adaptor. The device model enables a traversal of the system's
hardware in the right order.</div>
<br>
<i>Communications with user space</i><br>
<div class="bq">
The implementation of the sysfs virtual filesystem is tightly tied into the device
model and exposes the structure represented by it. The provision of information
about the system to user space and knobs for changing operating parameters is
increasingly done through sysfs and, therefore, through the device model.</div>
<br>
<i>Hotpluggable devices</i><br>
<div class="bq">
Computer hardware is increasingly dynamic; peripherals can come and go at the
whim of the user. The hotplug mechanism used within the kernel to handle and
(especially) communicate with user space about the plugging and unplugging of
devices is managed through the device model.</div>
<br>
<i>Device classes</i><br>
<div class="bq">
Many parts of the system have little interest in how devices are connected, but
they need to know what kinds of devices are available. The device model
includes a mechanism for assigning devices to <i>classes</i>, which describe those</div>
<br>
<A name="363"></a><font color="blue">PAGE 363</font><br>
<br>
<div class="bq">devices at a higher, functional level and allow them to be discovered from user
space.</div>
<br>
<i>Object lifecycles</i><br>
<div class="bq">
Many of the functions described above, including hotplug support and sysfs,
complicate the creation and manipulation of objects created within the kernel.
The implementation of the device model required the creation of a set of mechanisms
for dealing with object lifecycles, their relationships to each other, and
their representation in user space.</div>
<br>
The Linux device model is a complex data structure. For example, consider
Figure 14-1, which shows (in simplified form) a tiny piece of the device model structure
associated with a USB mouse. Down the center of the diagram, we see the part
of the core "devices" tree that shows how the mouse is connected to the system. The
"bus" tree tracks what is connected to each bus, while the subtree under "classes"
concerns itself with the functions provided by the devices, regardless of how they are
connected. The device model tree on even a simple system contains hundreds of
nodes like those shown in the diagram; it is a difficult data structure to visualize as a
whole.<br>
<br><br>
<center>
<img src="fig14-1.gif">
</center>
<br>
<i>Figure 14-1. A small piece of the device model</i><br>
<br>
For the most part, the Linux device model code takes care of all these considerations
without imposing itself upon driver authors. It sits mostly in the background; direct
interaction with the device model is generally handled by bus-level logic and various
other kernel subsystems. As a result, many driver authors can ignore the device
model entirely, and trust it to take care of itself.<br>
<br>
There are times, however, when an understanding of the device model is a good
thing to have. There are times when the device model "leaks out" from behind the
other layers; for example, the generic DMA code (which we encounter in<br>
<br>
<A name="364"></a><font color="blue">PAGE 364</font><br>
<br>
Chapter 15) works with <font class="fixd">struct device.</font> You may want to use some of the capabilities
provided by the device model, such as the reference counting and related features
provided by kobjects. Communication with user space via sysfs is also a device
model function; this chapter explains how that communication works.<br>
<br>
We start, however, with a bottom-up presentation of the device model. The complexity
of the device model makes it hard to understand by starting with a high-level
view. Our hope is that, by showing how the low-level device components work, we
can prepare you for the challenge of grasping how those components are used to
build the larger structure.<br>
<br>
For many readers, this chapter can be treated as advanced material that need not be
read the first time through. Those who are interested in how the Linux device model
works are encouraged to press ahead, however, as we get into the low-level details.<br>
<br>
<a name="KobjectsKsetsAndSubsystems"></a><font color="red"><b>Kobjects, Ksets, and Subsystems</b></font><br>
<br>
The <i>kobject </i>is the fundamental structure that holds the device model together. It was
initially conceived as a simple reference counter, but its responsibilities have grown
over time, and so have its fields. The tasks handled by <font class="fixd">struct kobject</font> and its supporting
code now include:<br>
<br>
<i>Reference counting of objects</i><br>
<div class="bq">
Often, when a kernel object is created, there is no way to know just how long it
will exist. One way of tracking the lifecycle of such objects is through reference
counting. When no code in the kernel holds a reference to a given object, that
object has finished its useful life and can be deleted.</div>
<br>
<i>Sysfs representation</i><br>
<div class="bq">
Every object that shows up in sysfs has, underneath it, a kobject that interacts
with the kernel to create its visible representation.</div>
<br>
<i>Data structure glue</i><br>
<div class="bq">
The device model is, in its entirety, a fiendishly complicated data structure made
up of multiple hierarchies with numerous links between them. The kobject
implements this structure and holds it together.</div>
<br>
<i>Hotplug event handling</i><br>
<div class="bq">
The kobject subsystem handles the generation of events that notify user space
about the comings and goings of hardware on the system.</div>
<br>
One might conclude from the preceding list that the kobject is a complicated structure.
One would be right. By looking at one piece at a time, however, it is possible to
understand this structure and how it works.<br>
<br>
<A name="365"></a><font color="blue">PAGE 365</font><br>
<br>
<a name="KobjectBasics"></a><font color="red"><b>Kobject Basics</b></font><br>
<br>
A kobject has the type <font class="fixd">struct kobject;</font> it is defined in <i>&lt;linux/kobject.h&gt;</i>. That file
also includes declarations for a number of other structures related to kobjects and, of
course, a long list of functions for manipulating them.<br>
<br>
<a name="EmbeddingKobjects"></a><font color="red"><b>Embedding kobjects</b></font><br>
<br>
Before we get into the details, it is worth taking a moment to understand how kobjects
are used. If you look back at the list of functions handled by kobjects, you see
that they are all services performed on behalf of other objects. A kobject, in other
words, is of little interest on its own; it exists only to tie a higher-level object into the
device model.<br>
<br>
Thus, it is rare (even unknown) for kernel code to create a stand alone kobject;
instead, kobjects are used to control access to a larger, domain-specific object. To
this end, kobjects are found embedded in other structures. If you are used to thinking
of things in object-oriented terms, kobjects can be seen as a top-level, abstract
class from which other classes are derived. A kobject implements a set of capabilities
that are not particularly useful by themselves but that are nice to have in other
objects. The C language does not allow for the direct expression of inheritance, so
other techniques--such as embedding one structure in another--must be used.<br>
<br>
As an example, let's look back at <font class="fixd">struct cdev</font>, which we encountered in Chapter 3.
That structure, as found in the 2.6.10 kernel, looks like this:<br>
<pre>
struct cdev {
    struct kobject kobj;
    struct module *owner;
    struct file_operations *ops;
    struct list_head list;
    dev_t dev;
    unsigned int count;
};
</pre>
As we can see, the <font class="fixd">cdev</font> structure has a kobject embedded within it. If you have one
of these structures, finding its embedded kobject is just a matter of using the <font class="fixd">kobj</font>
field. Code that works with kobjects often has the opposite problem, however: given
a <font class="fixd">struct kobject</font> pointer, what is the pointer to the containing structure? You should
avoid tricks (such as assuming that the kobject is at the beginning of the structure),
and, instead, use the <i>container_of </i>macro (introduced in the section "The open
Method" in Chapter 3). So the way to convert a pointer to a <font class="fixd">struct kobject</font> called <font class="fixd">kp</font>
embedded within a <font class="fixd">struct cdev</font> would be:<br>
<pre>
struct cdev *device = container_of(kp, struct cdev, kobj);
</pre>
Programmers often define a simple macro for "back-casting" kobject pointers to the
containing type.<br>
<br>
<A name="366"></a><font color="blue">PAGE 366</font><br>
<br>
<a name="KobjectInitialization"></a><font color="red"><b>Kobject initialization</b></font><br>
<br>
This book has presented a number of types with simple mechanisms for initialization
at compile or runtime. The initialization of a kobject is a bit more complicated,
especially when all of its functions are used. Regardless of how a kobject is used,
however, a few steps must be performed.<br>
<br>
The first of those is to simply set the entire kobject to 0, usually with a call to <i>memset</i>.
Often this initialization happens as part of the zeroing of the structure into which
the kobject is embedded. Failure to zero out a kobject often leads to very strange
crashes further down the line; it is not a step you want to skip.<br>
<br>
The next step is to set up some of the internal fields with a call to <i>kobject_init( )</i>:<br>
<pre>
void kobject_init(struct kobject *kobj);
</pre>
Among other things, <i>kobject_init </i>sets the kobject's reference count to one. Calling
<i>kobject_init </i>is not sufficient, however. Kobject users must, at a minimum, set the
name of the kobject; this is the name that is used in sysfs entries. If you dig through
the kernel source, you can find the code that copies a string directly into the kobject's
name field, but that approach should be avoided. Instead, use:<br>
<pre>
int kobject_set_name(struct kobject *kobj, const char *format, ...);
</pre>
This function takes a <i>printk</i>-style variable argument list. Believe it or not, it is actually
possible for this operation to fail (it may try to allocate memory); conscientious
code should check the return value and react accordingly.<br>
<br>
The other kobject fields that should be set, directly or indirectly, by the creator are
<font class="fixd">ktype, kset,</font> and <font class="fixd">parent.</font> We will get to these later in this chapter.<br>
<br>
<a name="ReferenceCountManipulation"></a><font color="red"><b>Reference count manipulation</b></font><br>
<br>
One of the key functions of a kobject is to serve as a reference counter for the object
in which it is embedded. As long as references to the object exist, the object (and the
code that supports it) must continue to exist. The low-level functions for manipulating
a kobject's reference counts are:<br>
<pre>
struct kobject *kobject_get(struct kobject *kobj);
void kobject_put(struct kobject *kobj);
</pre>
A successful call to <i>kobject_get </i>increments the kobject's reference counter and
returns a pointer to the kobject. If, however, the kobject is already in the process of
being destroyed, the operation fails, and <i>kobject_get </i>returns <font class="fixd">NULL</font>. This return value
must always be tested, or no end of unpleasant race conditions could result.<br>
<br>
When a reference is released, the call to <i>kobject_put </i>decrements the reference count
and, possibly, frees the object. Remember that <i>kobject_init </i>sets the reference count to
one; so when you create a kobject, you should make sure that the corresponding
<i>kobject_put</i> call is made when that initial reference is no longer needed.<br>
<br>
<A name="367"></a><font color="blue">PAGE 367</font><br>
<br>
Note that, in many cases, the reference count in the kobject itself may not be sufficient
to prevent race conditions. The existence of a kobject (and its containing structure)
may well, for example, require the continued existence of the module that
created that kobject. It would not do to unload that module while the kobject is still
being passed around. That is why the <font class="fixd">cdev</font> structure we saw above 
contains a <font class="fixd">struct module</font> pointer. Reference counting for <font class="fixd">struct cdev</font> is implemented as follows:<br>
<pre>
struct kobject *cdev_get(struct cdev *p)
{
    struct module *owner = p-&gt;owner;
    struct kobject *kobj;

    if (owner &amp;&amp; !try_module_get(owner))
        return NULL;
    kobj = kobject_get(&amp;p-&gt;kobj);
    if (!kobj)
        module_put(owner);
    return kobj;
}
</pre>
Creating a reference to a <font class="fixd">cdev</font> structure requires creating a reference also to the module
that owns it. So <i>cdev_get </i>uses <i>try_module_get </i>to attempt to increment that module's
usage count. If that operation succeeds, <i>kobject_get </i>is used to increment the
kobject's reference count as well. That operation could fail, of course, so the code
checks the return value from <i>kobject_get </i>and releases its reference to the module if
things don't work out.<br>
<br>
<a name="ReleaseFunctionsAndKobjectTypes"></a><font color="red"><b>Release functions and kobject types</b></font><br>
<br>
One important thing still missing from the discussion is what happens to a kobject
when its reference count reaches 0. The code that created the kobject generally does
not know when that will happen; if it did, there would be little point in using a reference
count in the first place. Even predictable object life cycles become more complicated
when sysfs is brought in; user-space programs can keep a reference to a kobject
(by keeping one of its associated sysfs files open) for an arbitrary period of time.<br>
<br>
The end result is that a structure protected by a kobject cannot be freed at any single, predictable
point in the driver's lifecycle, but in code that must be prepared to
run at whatever moment the kobject's reference count goes to 0. The reference count
is not under the direct control of the code that created the kobject. So that code must
be notified asynchronously whenever the last reference to one of its kobjects goes
away.<br>
<br>
This notification is done through a kobject's <i>release </i>method. Usually, this method
has a form such as:<br>
<pre>
void my_object_release(struct kobject *kobj)
{
    struct my_object *mine = container_of(kobj, struct my_object, kobj);
</pre>
<A name="368"></a><font color="blue">PAGE 368</font><br>
<pre>
    /* Perform any additional cleanup on this object, then... */
    kfree(mine);
}
</pre>
One important point cannot be overstated: every kobject must have a <i>release
</i>method, and the kobject must persist (in a consistent state) until that method is
called. If these constraints are not met, the code is flawed. It risks freeing the object
when it is still in use, or it fails to release the object after the last reference is
returned.<br>
<br>
Interestingly, the <i>release </i>method is not stored in the kobject itself; instead, it is associated
with the type of the structure that contains the kobject. This type is tracked
with a structure of type <font class="fixd">struct kobj_type</font>, often simply called a "ktype." This structure
looks like the following:<br>
<pre>
struct kobj_type {
    void (*release)(struct kobject *);
    struct sysfs_ops *sysfs_ops;
    struct attribute **default_attrs;
};
</pre>
The release field in <font class="fixd">struct kobj_type</font> is, of course, a pointer to the <i>release </i>method
for this type of kobject. We will come back to the other two fields (sysfs_ops and
default_attrs) later in this chapter.<br>
<br>
Every kobject needs to have an associated <font class="fixd">kobj_type</font> structure. Confusingly, the
pointer to this structure can be found in two different places. The kobject structure
itself contains a field (called <font class="fixd">ktype</font>) that can contain this pointer. If, however, this
kobject is a member of a kset, the <font class="fixd">kobj_type</font> pointer is provided by that kset instead.
(We will look at ksets in the next section.) Meanwhile, the macro:<br>
<pre>
struct kobj_type *get_ktype(struct kobject *kobj);
</pre>
finds the <font class="fixd">kobj_type</font> pointer for a given kobject.<br>
<br>
<a name="KobjectHierarchiesKsetsAndSubsystems"></a><font color="red"><b>Kobject Hierarchies, Ksets, and Subsystems</b></font><br>
<br>
The kobject structure is often used to link together objects into a hierarchical structure
that matches the structure of the subsystem being modeled. There are two separate
mechanisms for this linking: the parent pointer and ksets.<br>
<br>
The parent field in <font class="fixd">struct kobject</font> is a pointer to another kobject--the one representing
the next level up in the hierarchy. If, for example, a kobject represents a USB
device, its <font class="fixd">parent</font> pointer may indicate the object representing the hub into which the
device is plugged.<br>
<br>
The main use for the parent pointer is to position the object in the sysfs hierarchy.
We'll see how this works in the section "Low-Level Sysfs Operations."<br>
<br>
<A name="369"></a><font color="blue">PAGE 369</font><br>
<br>
<a name="Ksets"></a><font color="red"><b>Ksets</b></font><br>
<br>
In many ways, a kset looks like an extension of the <font class="fixd">kobj_type</font> structure; a kset is a
collection of kobjects embedded within structures of the same type. However, while
<font class="fixd">struct kobj_type</font> concerns itself with the type of an object, <font class="fixd">struct kset</font> is concerned
with aggregation and collection. The two concepts have been separated so that
objects of identical type can appear in distinct sets.<br>
<br>
Therefore, the main function of a kset is containment; it can be thought of as the
top-level container class for kobjects. In fact, each kset contains its own kobject
internally, and it can, in many ways, be treated the same way as a kobject. It is worth
noting that ksets are always represented in sysfs; once a kset has been set up and
added to the system, there will be a sysfs directory for it. Kobjects do not necessarily
show up in sysfs, but every kobject that is a member of a kset is represented there.<br>
<br>
Adding a kobject to a kset is usually done when the object is created; it is a two-step
process. The kobject's <font class="fixd">kset</font> field must be pointed at the kset of interest; then the
kobject should be passed to:<br>
<pre>
int kobject_add(struct kobject *kobj);
</pre>
As always, programmers should be aware that this function can fail (in which case it
returns a negative error code) and respond accordingly. There is a convenience function
provided by the kernel:<br>
<pre>
extern int kobject_register(struct kobject *kobj);
</pre>
This function is simply a combination of <i>kobject_init</i> and <i>kobject_add</i>.<br>
<br>
When a kobject is passed to <i>kobject_add</i>, its reference count is incremented. Containment
within the kset is, after all, a reference to the object. At some point, the
kobject will probably have to be removed from the kset to clear that reference; that is
done with:<br>
<pre>
void kobject_del(struct kobject *kobj);
</pre>
There is also a <i>kobject_unregister </i>function, which is a combination of <i>kobject_del </i>and
<i>kobject_put</i>.<br>
<br>
A kset keeps its children in a standard kernel linked list. In almost all cases, the contained
kobjects also have pointers to the kset (or, strictly, its embedded kobject) in
their parent's fields. So, typically, a kset and its kobjects look something like what
you see in Figure 14-2. Bear in mind that:<br>
<ul>
<li> All of the contained kobjects in the diagram are actually embedded within some
other type, possibly even other ksets.
<li> It is not required that a kobject's parent be the containing kset (although any
other organization would be strange and rare).
</ul>
<A name="370"></a><font color="blue">PAGE 370</font><br>
<br>
<center>
<img src="fig14-2.gif">
</center>
<br>
<i>Figure 14-2. A simple kset hierarchy</i><br>
<br>
<a name="OperationsOnKsets"></a><font color="red"><b>Operations on ksets</b></font><br>
<br>
For initialization and setup, ksets have an interface very similar to that of kobjects.
The following functions exist:<br>
<pre>
void kset_init(struct kset *kset);
int kset_add(struct kset *kset);
int kset_register(struct kset *kset);
void kset_unregister(struct kset *kset);
</pre>
For the most part, these functions just call the analogous <i>kobject_ </i>function on the
kset's embedded kobject.<br>
<br>
To manage the reference counts of ksets, the situation is about the same:<br>
<pre>
struct kset *kset_get(struct kset *kset);
void kset_put(struct kset *kset);
</pre>
A kset also has a name, which is stored in the embedded kobject. So, if you have a
kset called <font class="fixd">my_set,</font> you would set its name with:<br>
<pre>
kobject_set_name(&amp;my_set-&gt;kobj, &quot;The name&quot;);
</pre>
Ksets also have a pointer (in the <font class="fixd">ktype</font> field) to the <font class="fixd">kobj_type</font> structure describing the
kobjects it contains. This type is used in preference to the <font class="fixd">ktype</font> field in a kobject
itself. As a result, in typical usage, the <font class="fixd">ktype</font> field in <font class="fixd">struct kobject</font> is left <font class="fixd">NULL</font>,
because the same field within the kset is the one actually used.<br>
<br>
Finally, a kset contains a subsystem pointer (called subsys). So it's time to talk about
subsystems.<br>
<br>
<a name="Subsystems"></a><font color="red"><b>Subsystems</b></font><br>
<br>
A subsystem is a representation for a high-level portion of the kernel as a whole. Subsystems
usually (but not always) show up at the top of the sysfs hierarchy. Some
example subsystems in the kernel include <font class="fixd">block_subsys</font> (<i>/sys/block</i>, for block
devices), <font class="fixd">devices_subsys</font> (<i>/sys/devices</i>, the core device hierarchy), and a specific subsystem
for every bus type known to the kernel. A driver author almost never needs to<br>
<br>
<A name="371"></a><font color="blue">PAGE 371</font><br>
<br>
create a new subsystem; if you feel tempted to do so, think again. What you probably
want, in the end, is to add a new class, as discussed in the section "Classes."<br>
<br>
A subsystem is represented by a simple structure:<br>
<pre>
struct subsystem {
    struct kset kset;
    struct rw_semaphore rwsem;
};
</pre>
A subsystem, thus, is really just a wrapper around a kset, with a semaphore thrown in.<br>
<br>
Every kset must belong to a subsystem. The subsystem membership helps establish
the kset's position in the hierarchy, but, more importantly, the subsystem's <font class="fixd">rwsem</font>
semaphore is used to serialize access to a kset's internal-linked list. This membership
is represented by the <font class="fixd">subsys</font> pointer in <font class="fixd">struct kset</font>. Thus, one can find each
kset's containing subsystem from the kset's structure, but one cannot find the multiple
ksets contained in a subsystem directly from the subsystem structure.<br>
<br>
Subsystems are often declared with a special macro:<br>
<pre>
decl_subsys(name, struct kobj_type *type,
            struct kset_hotplug_ops *hotplug_ops);
</pre>
This macro creates a <font class="fixd">struct subsystem</font> with a name formed by taking the <font class="fixd">name</font> given
to the macro and appending <font class="fixd">_subsys</font> to it. The macro also initializes the internal kset
with the given <font class="fixd">type</font> and <font class="fixd">hotplug_ops</font>. (We discuss hotplug operations later in this
chapter.)<br>
<br>
Subsystems have the usual list of setup and teardown functions:<br>
<pre>
void subsystem_init(struct subsystem *subsys);
int subsystem_register(struct subsystem *subsys);
void subsystem_unregister(struct subsystem *subsys);
struct subsystem *subsys_get(struct subsystem *subsys)
void subsys_put(struct subsystem *subsys);
</pre>
Most of these operations just act upon the subsystem's kset.<br>
<br>
<a name="LowLevelSysfsOperations"></a><font color="red"><b>Low-Level Sysfs Operations</b></font><br>
<br>
Kobjects are the mechanism behind the sysfs virtual filesystem. For every directory
found in sysfs, there is a kobject lurking somewhere within the kernel. Every kobject
of interest also exports one or more <i>attributes</i>, which appear in that kobject's sysfs
directory as files containing kernel-generated information. This section examines
how kobjects and sysfs interact at a low level.<br>
<br>
Code that works with sysfs should include <i>&lt;linux/sysfs.h&gt;</i>.<br>
<br>
Getting a kobject to show up in sysfs is simply a matter of calling <i>kobject_add</i>. We
have already seen that function as the way to add a kobject to a kset; creating entries<br>
<br>
<A name="372"></a><font color="blue">PAGE 372</font><br>
<br>
in sysfs is also part of its job. There are a couple of things worth knowing about how
the sysfs entry is created:<br>
<ul>
<li> Sysfs entries for kobjects are always directories, so a call to <i>kobject_add </i>results in
the creation of a directory in sysfs. Usually that directory contains one or more
attributes; we see how attributes are specified shortly.
<li> The name assigned to the kobject (with <i>kobject_set_name</i>) is the name used for
the sysfs directory. Thus, kobjects that appear in the same part of the sysfs hierarchy
must have unique names. Names assigned to kobjects should also be reasonable
file names: they cannot contain the slash character, and the use of white
space is strongly discouraged.
<li> The sysfs entry is located in the directory corresponding to the kobject's <font class="fixd">parent</font>
pointer. If <font class="fixd">parent</font> is <font class="fixd">NULL</font> when <i>kobject_add </i>is called, it is set to the kobject
embedded in the new kobject's kset; thus, the sysfs hierarchy usually matches
the internal hierarchy created with ksets. If both <font class="fixd">parent</font> and <font class="fixd">kset</font> are <font class="fixd">NULL</font>, the
sysfs directory is created at the top level, which is almost certainly not what you want.
</ul>
Using the mechanisms we have described so far, we can use a kobject to create an
empty directory in sysfs. Usually, you want to do something a little more interesting
than that, so it is time to look at the implementation of attributes.<br>
<br>
<a name="DefaultAttributes"></a><font color="red"><b>Default Attributes</b></font><br>
<br>
When created, every kobject is given a set of default attributes. These attributes are
specified by way of the <font class="fixd">kobj_type</font> structure. That structure, remember, looks like
this:<br>
<pre>
struct kobj_type {
    void (*release)(struct kobject *);
    struct sysfs_ops *sysfs_ops;
    struct attribute **default_attrs;
};
</pre>
The <font class="fixd">default_attrs</font> field lists the attributes to be created for every kobject of this
type, and <font class="fixd">sysfs_ops</font> provides the methods to implement those attributes. We start
with <font class="fixd">default_attrs,</font> which points to an array of pointers to attribute structures:<br>
<pre>
struct attribute {
    char *name;
    struct module *owner;
    mode_t mode;
};
</pre>
In this structure, <font class="fixd">name</font> is the name of the attribute (as it appears within the kobject's
sysfs directory), <font class="fixd">owner</font> is a pointer to the module (if any) that is responsible for the
implementation of this attribute, and <font class="fixd">mode</font> is the protection bits that are to be applied
to this attribute. The mode is usually <font class="fixd">S_IRUGO</font> for read-only attributes; if the attribute<br>
<br>
<A name="373"></a><font color="blue">PAGE 373</font><br>
<br>
is writable, you can toss in <font class="fixd">S_IWUSR</font> to give write access to root only (the macros for
modes are defined in <i>&lt;linux/stat.h&gt;</i>). The last entry in the <font class="fixd">default_attrs</font> list must be
zero-filled.<br>
<br>
The <font class="fixd">default_attrs</font> array says what the attributes are but does not tell sysfs how to
actually implement those attributes. That task falls to the <font class="fixd">kobj_type-&gt;sysfs_ops</font> field,
which points to a structure defined as:<br>
<pre>
struct sysfs_ops {
    ssize_t (*show)(struct kobject *kobj, struct attribute *attr,
                    char *buffer);
    ssize_t (*store)(struct kobject *kobj, struct attribute *attr,
                     const char *buffer, size_t size);
};
</pre>
Whenever an attribute is read from user space, the <i>show </i>method is called with a
pointer to the kobject and the appropriate <font class="fixd">attribute</font> structure. That method should
encode the value of the given attribute into <font class="fixd">buffer,</font> being sure not to overrun it (it is
<font class="fixd">PAGE_SIZE</font> bytes), and return the actual length of the returned data. The conventions
for sysfs state that each attribute should contain a single, human-readable value; if
you have a lot of information to return, you may want to consider splitting it into
multiple attributes.<br>
<br>
The same <i>show </i>method is used for all attributes associated with a given kobject. The
<font class="fixd">attr</font> pointer passed into the function can be used to determine which attribute is
being requested. Some <i>show </i>methods include a series of tests on the attribute name.
Other implementations embed the <font class="fixd">attribute</font> structure within another structure that
contains the information needed to return the attribute's value; in this case,
<i>container_of </i>may be used within the <i>show </i>method to obtain a pointer to the embedding
structure.<br>
<br>
The <i>store </i>method is similar; it should decode the data stored in <font class="fixd">buffer</font> (<font class="fixd">size</font> contains
the length of that data, which does not exceed <font class="fixd">PAGE_SIZE</font>), store and respond to
the new value in whatever way makes sense, and return the number of bytes actually
decoded. The <i>store </i>method can be called only if the attribute's permissions allow
writes. When writing a <i>store </i>method, never forget that you are receiving arbitrary
information from user space; you should validate it very carefully before taking any
action in response. If the incoming data does not match expectations, return a negative
error value rather than possibly doing something unwanted and unrecoverable.
If your device exports a <font class="fixd">self_destruct</font> attribute, you should require that a specific
string be written there to invoke that functionality; an accidental, random write
should yield only an error.<br>
<br>
<a name="NondefaultAttributes"></a><font color="red"><b>Nondefault Attributes</b></font><br>
<br>
In many cases, the kobject type's <font class="fixd">default_attrs</font> field describes all the attributes that
kobject will ever have. But that's not a restriction in the design; attributes can be<br>
<br>
<A name="374"></a><font color="blue">PAGE 374</font><br>
<br>
added and removed to kobjects at will. If you wish to add a new attribute to a kobject's
sysfs directory, simply fill in an <font class="fixd">attribute</font> structure and pass it to:<br>
<pre>
int sysfs_create_file(struct kobject *kobj, struct attribute *attr);
</pre>
If all goes well, the file is created with the name given in the <font class="fixd">attribute</font> structure, and
the return value is 0; otherwise, the usual negative error code is returned.<br>
<br>
Note that the same <i>show( ) </i>and <i>store( ) </i>functions are called to implement operations
on the new attribute. Before you add a new, nondefault attribute to a kobject, you
should take whatever steps are necessary to ensure that those functions know how to
implement that attribute.<br>
<br>
To remove an attribute, call:<br>
<pre>
int sysfs_remove_file(struct kobject *kobj, struct attribute *attr);
</pre>
After the call, the attribute no longer appears in the kobject's sysfs entry. Do be
aware, however, that a user-space process could have an open file descriptor for that
attribute and that <i>show </i>and <i>store </i>calls are still possible after the attribute has been
removed.<br>
<br>
<a name="BinaryAttributes"></a><font color="red"><b>Binary Attributes</b></font><br>
<br>
The sysfs conventions call for all attributes to contain a single value in a human-readable
text format. That said, there is an occasional, rare need for the creation of
attributes that can handle larger chunks of binary data. That need really only comes
about when data must be passed, untouched, between user space and the device. For
example, uploading firmware to devices requires this feature. When such a device is
encountered in the system, a user-space program can be started (via the hotplug
mechanism); that program then passes the firmware code to the kernel via a binary
sysfs attribute, as is shown in the section "The Kernel Firmware Interface."<br>
<br>
Binary attributes are described with a <font class="fixd">bin_attribute</font> structure:<br>
<pre>
struct bin_attribute {
    struct attribute attr;
    size_t size;
    ssize_t (*read)(struct kobject *kobj, char *buffer,
                    loff_t pos, size_t size);
    ssize_t (*write)(struct kobject *kobj, char *buffer,
                    loff_t pos, size_t size);
};
</pre>
Here, <font class="fixd">attr</font> is an <font class="fixd">attribute</font> structure giving the name, owner, and permissions for the
binary attribute, and <font class="fixd">size</font> is the maximum size of the binary attribute (or 0 if there is
no maximum). The <i>read </i>and <i>write </i>methods work similarly to the normal char driver
equivalents; they can be called multiple times for a single load with a maximum of
one page worth of data in each call. There is no way for sysfs to signal the last of a set<br>
<br>
<A name="375"></a><font color="blue">PAGE 375</font><br>
<br>
of write operations, so code implementing a binary attribute must be able to determine
the end of the data some other way.<br>
<br>
Binary attributes must be created explicitly; they cannot be set up as default
attributes. To create a binary attribute, call:<br>
<pre>
int sysfs_create_bin_file(struct kobject *kobj,
                          struct bin_attribute *attr);
</pre>
Binary attributes can be removed with:<br>
<pre>
int sysfs_remove_bin_file(struct kobject *kobj,
                          struct bin_attribute *attr);
</pre>
<a name="SymbolicLinks"></a><font color="red"><b>Symbolic Links</b></font><br>
<br>
The sysfs filesystem has the usual tree structure, reflecting the hierarchical organization
of the kobjects it represents. The relationships between objects in the kernel are
often more complicated than that, however. For example, one sysfs subtree (<i>/sys/
devices</i>) represents all of the devices known to the system, while other subtrees
(under <i>/sys/bus</i>) represent the device drivers. These trees do not, however, represent
the relationships between the drivers and the devices they manage. Showing these
additional relationships requires extra pointers which, in sysfs, are implemented
through symbolic links.<br>
<br>
Creating a symbolic link within sysfs is easy:<br>
<pre>
int sysfs_create_link(struct kobject *kobj, struct kobject *target,
                      char *name);
</pre>
This function creates a link (called <font class="fixd">name</font>) pointing to target's sysfs entry as an
attribute of <font class="fixd">kobj.</font> It is a relative link, so it works regardless of where sysfs is mounted
on any particular system.<br>
<br>
The link persists even if <font class="fixd">target</font> is removed from the system. If you are creating symbolic
links to other kobjects, you should probably have a way of knowing about
changes to those kobjects, or some sort of assurance that the target kobjects will not
disappear. The consequences (dead symbolic links within sysfs) are not particularly
grave, but they are not representative of the best programming style and can cause
confusion in user space.<br>
<br>
Symbolic links can be removed with:<br>
<pre>
void sysfs_remove_link(struct kobject *kobj, char *name);
</pre>
<a name="HotplugEventGeneration"></a><font color="red"><b>Hotplug Event Generation</b></font><br>
<br>
A <i>hotplug event </i>is a notification to user space from the kernel that something has
changed in the system's configuration. They are generated whenever a kobject is created
or destroyed. Such events are generated, for example, when a digital camera is<br>
<br>
<A name="376"></a><font color="blue">PAGE 376</font><br>
<br>
plugged in with a USB cable, when a user switches console modes, or when a disk is
repartitioned. Hotplug events turn into an invocation of <i>/sbin/hotplug</i>, which can
respond to each event by loading drivers, creating device nodes, mounting partitions,
or taking any other action that is appropriate.<br>
<br>
The last major kobject function we look at is the generation of these events. The
actual event generation takes place when a kobject is passed to <i>kobject_add </i>or
<i>kobject_del</i>. Before the event is handed to user space, code associated with the kobject
(or, more specifically, the kset to which it belongs) has the opportunity to add
information for user space or to disable event generation entirely.<br>
<br>
<a name="HotplugOperations"></a><font color="red"><b>Hotplug Operations</b></font><br>
<br>
Actual control of hotplug events is exercised by way of a set of methods stored in the
<font class="fixd">kset_hotplug_ops</font> structure:<br>
<pre>
struct kset_hotplug_ops {
    int (*filter)(struct kset *kset, struct kobject *kobj);
    char *(*name)(struct kset *kset, struct kobject *kobj);
    int (*hotplug)(struct kset *kset, struct kobject *kobj,
                   char **envp, int num_envp, char *buffer,
                   int buffer_size);
};
</pre>
A pointer to this structure is found in the <font class="fixd">hotplug_ops</font> field of the kset structure. If a
given kobject is not contained within a kset, the kernel searchs up through the hierarchy
(via the parent pointer) until it finds a kobject that <i>does </i>have a kset; that kset's
hotplug operations are then used.<br>
<br>
The <i>filter </i>hotplug operation is called whenever the kernel is considering generating
an event for a given kobject. If <i>filter </i>returns 0, the event is not created. This method,
therefore, gives the kset code an opportunity to decide which events should be
passed on to user space and which should not.<br>
<br>
As an example of how this method might be used, consider the block subsystem.
There are at least three types of kobjects used there, representing disks, partitions,
and request queues. User space may want to react to the addition of a disk or a partition, but
it does not normally care about request queues. So the <i>filter </i>method allows
event generation only for kobjects representing disks and partitions. It looks like this:<br>
<pre>
static int block_hotplug_filter(struct kset *kset, struct kobject *kobj)
{
    struct kobj_type *ktype = get_ktype(kobj);

    return ((ktype = = &amp;ktype_block) || (ktype = = &amp;ktype_part));
}
</pre>
Here, a quick test on the type of kobject is sufficient to decide whether the event
should be generated or not.<br>
<br>
<A name="377"></a><font color="blue">PAGE 377</font><br>
<br>
When the user-space hotplug program is invoked, it is passed to the name of the relevant
subsystem as its one and only parameter. The <i>name </i>hotplug method is charged
with providing that name. It should return a simple string suitable for passing to user
space.<br>
<br>
Everything else that the hotplug script might want to know is passed in the environment.
The final hotplug method (<i>hotplug</i>) gives an opportunity to add useful environment
variables prior to the invocation of that script. Again, this method's
prototype is:<br>
<pre>
int (*hotplug)(struct kset *kset, struct kobject *kobj,
               char **envp, int num_envp, char *buffer,
               int buffer_size);
</pre>
As usual, <font class="fixd">kset</font> and <font class="fixd">kobject</font> describe the object for which the event is being generated.
The <font class="fixd">envp</font> array is a place to store additional environment variable definitions (in
the usual <font class="fixd">NAME=value</font> format); it has <font class="fixd">num_envp</font> entries available. The variables themselves
should be encoded into <font class="fixd">buffer,</font> which is <font class="fixd">buffer_size</font> bytes long. If you add
any variables to <font class="fixd">envp,</font> be sure to add a <font class="fixd">NULL</font> entry after your last addition so that the
kernel knows where the end is. The return value should normally be 0; any nonzero
return aborts the generation of the hotplug event.<br>
<br>
The generation of hotplug events (like much of the work in the device model) is usually
handled by logic at the bus driver level.<br>
<br>
<a name="BusesDevicesAndDrivers"></a><font color="red"><b>Buses, Devices, and Drivers</b></font><br>
<br>
So far, we have seen a great deal of low-level infrastructures and a relative shortage of
examples. We try to make up for that in the rest of this chapter as we get into the
higher levels of the Linux device model. To that end, we introduce a new virtual bus,
which we call <i>lddbus</i>,* and modify the <i>scullp</i> driver to "connect" to that bus.<br>
<br>
Once again, much of the material covered here will never be needed by many driver
authors. Details at this level are generally handled at the bus level, and few authors
need to add a new bus type. This information is useful, however, for anybody wondering
what is happening inside the PCI, USB, etc. layers or who needs to make
changes at that level.<br>
<br>
<a name="Buses"></a><font color="red"><b>Buses</b></font><br>
<br>
A bus is a channel between the processor and one or more devices. For the purposes
of the device model, all devices are connected via a bus, even if it is an internal, virtual, "platform"
bus. Buses can plug into each other--a USB controller is usually a<br>
<br>
* The logical name for this bus, of course, would have been "sbus," but that name was 
already taken by a real, physical bus.<br>
<br>
<A name="378"></a><font color="blue">PAGE 378</font><br>
<br>
PCI device, for example. The device model represents the actual connections
between buses and the devices they control.<br>
<br>
In the Linux device model, a bus is represented by the <font class="fixd">bus_type</font> structure, defined in
<i>&lt;linux/device.h&gt;</i>. This structure looks like:<br>
<pre>
struct bus_type {
    char *name;
    struct subsystem subsys;
    struct kset drivers;
    struct kset devices;
    int (*match)(struct device *dev, struct device_driver *drv);
    struct device *(*add)(struct device * parent, char * bus_id);
    int (*hotplug) (struct device *dev, char **envp,
                    int num_envp, char *buffer, int buffer_size);
    /* Some fields omitted */
};
</pre>
The <font class="fixd">name</font> field is the name of the bus, something such as <font class="fixd">pci.</font> You can see from the
structure that each bus is its own subsystem; these subsystems do not live at the top
level in sysfs, however. Instead, they are found underneath the <font class="fixd">bus</font> subsystem. A bus
contains two ksets, representing the known drivers for that bus and all devices
plugged into the bus. Then, there is a set of methods that we will get to shortly.<br>
<br>
<a name="BusRegistration"></a><font color="red"><b>Bus registration</b></font><br>
<br>
As we mentioned, the example source includes a virtual bus implementation called
<i>lddbus</i>. This bus sets up its <font class="fixd">bus_type</font> structure as follows:<br>
<pre>
struct bus_type ldd_bus_type = {
    .name = &quot;ldd&quot;,
    .match = ldd_match,
    .hotplug  = ldd_hotplug,
};
</pre>
Note that very few of the <font class="fixd">bus_type</font> fields require initialization; most of that is handled
by the device model core. We do have to specify the name of the bus, however,
and any methods that go along with it.<br>
<br>
Inevitably, a new bus must be registered with the system via a call to <i>bus_register</i>.
The <i>lddbus</i> code does so in this way:<br>
<pre>
ret = bus_register(&amp;ldd_bus_type);
if (ret)
    return ret;
</pre>
This call can fail, of course, so the return value must always be checked. If it succeeds, the
new bus subsystem has been added to the system; it is visible in sysfs
under <i>/sys/bus</i>, and it is possible to start adding devices.<br>
<br>
Should it be necessary to remove a bus from the system (when the associated module
is removed, for example), <i>bus_unregister</i> should be called:<br>
<pre>
void bus_unregister(struct bus_type *bus);
</pre>
<A name="379"></a><font color="blue">PAGE 379</font><br>
<br>
<a name="BusMethods"></a><font color="red"><b>Bus methods</b></font><br>
<br>
There are several methods defined for the <font class="fixd">bus_type</font> structure; they allow the bus code
to serve as an intermediary between the device core and individual drivers. The
methods defined in the 2.6.10 kernel are:<br>
<br>
<font class="fixd">int (*match)(struct device *device, struct device_driver *driver);</font><br>
<div class="bq">
This method is called, perhaps multiple times, whenever a new device or driver
is added for this bus. It should return a nonzero value if the given device can be
handled by the given driver. (We get to the details of the <font class="fixd">device</font> 
and <font class="fixd">device_driver</font> structures shortly). This function must be handled at the bus level,
because that is where the proper logic exists; the core kernel cannot know how
to match devices and drivers for every possible bus type.</div>
<br>
<font class="fixd">int (*hotplug) (struct device *device, char **envp, int num_envp, char *buffer, int buffer_size);</font><br>
<div class="bq">
This method allows the bus to add variables to the environment prior to the generation
of a hotplug event in user space. The parameters are the same as for the kset
<i>hotplug</i> method (described in the earlier section "Hotplug Event Generation").</div>
<br>
The <i>lddbus </i>driver has a very simple <i>match </i>function, which simply compares the
driver and device names:<br>
<pre>
static int ldd_match(struct device *dev, struct device_driver *driver)
{
    return !strncmp(dev-&gt;bus_id, driver-&gt;name, strlen(driver-&gt;name));
}
</pre>
When real hardware is involved, the <i>match </i>function usually makes some sort of comparison
between the hardware ID provided by the device itself and the IDs supported
by the driver.<br>
<br>
The <i>lddbus hotplug</i> method looks like this:<br>
<pre>
static int ldd_hotplug(struct device *dev, char **envp, int num_envp,
        char *buffer, int buffer_size)
{
    envp[0] = buffer;
    if (snprintf(buffer, buffer_size, &quot;LDDBUS_VERSION=%s&quot;,
                Version) &gt;= buffer_size)
        return -ENOMEM;
    envp[1] = NULL;
    return 0;
}
</pre>
Here, we add in the current revision number of the <i>lddbus </i>source, just in case anybody
is curious.<br>
<br>
<a name="IteratingOverDevicesAndDrivers"></a><font color="red"><b>Iterating over devices and drivers</b></font><br>
<br>
If you are writing bus-level code, you may find yourself having to perform some
operation on all devices or drivers that have been registered with your bus. It may be<br>
<br>
<A name="380"></a><font color="blue">PAGE 380</font><br>
<br>
tempting to dig directly into the structures in the <font class="fixd">bus_type</font> structure, but it is better
to use the helper functions that have been provided.<br>
<br>
To operate on every device known to the bus, use:<br>
<pre>
int bus_for_each_dev(struct bus_type *bus, struct device *start,
                     void *data, int (*fn)(struct device *, void *));
</pre>
This function iterates over every device on <font class="fixd">bus,</font> passing the associated <font class="fixd">device structure</font>
to <font class="fixd">fn,</font> along with the value passed in as <font class="fixd">data.</font> If start is <font class="fixd">NULL</font>, the iteration begins
with the first device on the bus; otherwise iteration starts with the first device after
<font class="fixd">start.</font> If fn returns a nonzero value, iteration stops and that value is returned from
<i>bus_for_each_dev</i>.<br>
<br>
There is a similar function for iterating over drivers:<br>
<pre>
int bus_for_each_drv(struct bus_type *bus, struct device_driver *start,
                     void *data, int (*fn)(struct device_driver *, void *));
</pre>
This function works just like <i>bus_for_each_dev</i>, except, of course, that it works with
drivers instead.<br>
<br>
It should be noted that both of these functions hold the bus subsystem's reader/writer
semaphore for the duration of the work. So an attempt to use the two of them
together will deadlock--each will be trying to obtain the same semaphore. Operations
that modify the bus (such as unregistering devices) will also lock up. So, use the
<i>bus_for_each</i> functions with some care.<br>
<br>
<a name="BusAttributes"></a><font color="red"><b>Bus attributes</b></font><br>
<br>
Almost every layer in the Linux device model provides an interface for the addition
of attributes, and the bus layer is no exception. The <font class="fixd">bus_attribute</font> type is defined in
<i>&lt;linux/device.h&gt;</i> as follows:<br>
<pre>
struct bus_attribute {
    struct attribute attr;
    ssize_t (*show)(struct bus_type *bus, char *buf);
    ssize_t (*store)(struct bus_type *bus, const char *buf,
                     size_t count);
};
</pre>
We have already seen <font class="fixd">struct attribute</font> in the section "Default Attributes." The
<font class="fixd">bus_attribute</font> type also includes two methods for displaying and setting the value
of the attribute. Most device model layers above the kobject level work this way.<br>
<br>
A convenience macro has been provided for the compile-time creation and initialization
of <font class="fixd">bus_attribute</font> structures:<br>
<pre>
BUS_ATTR(name, mode, show, store);
</pre>
This macro declares a structure, generating its name by prepending the string <font class="fixd">bus_attr_</font>
to the given <font class="fixd">name.</font><br>
<br>
<A name="381"></a><font color="blue">PAGE 381</font><br>
<br>
Any attributes belonging to a bus should be created explicitly with <i>bus_create_file</i>:<br>
<pre>
int bus_create_file(struct bus_type *bus, struct bus_attribute *attr);
</pre>
Attributes can also be removed with:<br>
<pre>
void bus_remove_file(struct bus_type *bus, struct bus_attribute *attr);
</pre>
The <i>lddbus </i>driver creates a simple attribute file containing, once again, the source
version number. The <i>show</i> method and <font class="fixd">bus_attribute</font> structure are set up as follows:<br>
<pre>
static ssize_t show_bus_version(struct bus_type *bus, char *buf)
{
    return snprintf(buf, PAGE_SIZE, &quot;%s\n&quot;, Version);
}

static BUS_ATTR(version, S_IRUGO, show_bus_version, NULL);
</pre>
Creating the attribute file is done at module load time:<br>
<pre>
if (bus_create_file(&amp;ldd_bus_type, &amp;bus_attr_version))
    printk(KERN_NOTICE &quot;Unable to create version attribute\n&quot;);
</pre>
This call creates an attribute file (<i>/sys/bus/ldd/version</i>) containing the revision number
for the <i>lddbus</i> code.<br>
<br>
<a name="Devices"></a><font color="red"><b>Devices</b></font><br>
<br>
At the lowest level, every device in a Linux system is represented by an instance of
<font class="fixd">struct device:</font><br>
<pre>
struct device {
    struct device *parent;
    struct kobject kobj;
    char bus_id[BUS_ID_SIZE];
    struct bus_type *bus;
    struct device_driver *driver;
    void *driver_data;
    void (*release)(struct device *dev);
    /* Several fields omitted */
};
</pre>
There are many other <font class="fixd">struct device</font> fields that are of interest only to the device core
code. These fields, however, are worth knowing about:<br>
<br>
<font class="fixd">struct device *parent</font><br>
<div class="bq">
The device's "parent" device--the device to which it is attached. In most cases, a
parent device is some sort of bus or host controller. If <font class="fixd">parent</font> is <font class="fixd">NULL</font>, the device
is a top-level device, which is not usually what you want.</div>
<br>
<font class="fixd">struct kobject kobj;</font><br>
<div class="bq">
The kobject that represents this device and links it into the hierarchy. Note that,
as a general rule, <font class="fixd">device-&gt;kobj-&gt;parent</font> is equal to <font class="fixd">&amp;device-&gt;parent-&gt;kobj.</font></div>
<br>
<A name="382"></a><font color="blue">PAGE 382</font><br>
<br>
<font class="fixd">char bus_id[BUS_ID_SIZE];</font><br>
<div class="bq">
A string that uniquely identifies this device on the bus. PCI devices, for example, use
the standard PCI ID format containing the domain, bus, device, and function numbers.</div>
<br>
<font class="fixd">struct bus_type *bus;</font><br>
<div class="bq">
Identifies which kind of bus the device sits on.</div>
<br>
<font class="fixd">struct device_driver *driver;</font><br>
<div class="bq">
The driver that manages this device; we examine <font class="fixd">struct device_driver</font> in the next section.</div>
<br>
<font class="fixd">void *driver_data;</font><br>
<div class="bq">
A private data field that may be used by the device driver.</div>
<br>
<font class="fixd">void (*release)(struct device *dev);</font><br>
<div class="bq">
The method is called when the last reference to the device is removed; it is called
from the embedded kobject's <i>release </i>method. All device structures registered with
the core must have a <i>release</i> method, or the kernel prints out scary complaints.</div>
<br>
At a minimum, the <font class="fixd">parent, bus_id, bus,</font> and <font class="fixd">release</font> fields must be set before the
device structure can be registered.<br>
<br>
<a name="DeviceRegistration"></a><font color="red"><b>Device registration</b></font><br>
<br>
The usual set of registration and unregistration functions exists:<br>
<pre>
int device_register(struct device *dev);
void device_unregister(struct device *dev);
</pre>
We have seen how the <i>lddbus </i>code registers its bus type. However, an actual bus is a
device and must be registered separately. For simplicity, the <i>lddbus </i>module supports
only a single virtual bus, so the driver sets up its device at compile time:<br>
<pre>
static void ldd_bus_release(struct device *dev)
{
    printk(KERN_DEBUG &quot;lddbus release\n&quot;);
}

struct device ldd_bus = {
    .bus_id   = &quot;ldd0&quot;,
    .release  = ldd_bus_release
};
</pre>
This is a top-level bus, so the <font class="fixd">parent</font> and <font class="fixd">bus</font> fields are left <font class="fixd">NULL</font>. We have a simple,
no-op <i>release </i>method, and, as the first (and only) bus, its name is <font class="fixd">ldd0.</font> This bus
device is registered with:<br>
<pre>
ret = device_register(&amp;ldd_bus);
if (ret)
    printk(KERN_NOTICE &quot;Unable to register ldd0\n&quot;);
</pre>
Once that call is complete, the new bus can be seen under <i>/sys/devices </i>in sysfs. Any
devices added to this bus then shows up under <i>/sys/devices/ldd0/</i>.<br>
<br>
<A name="383"></a><font color="blue">PAGE 383</font><br>
<br>
<a name="DeviceAttributes"></a><font color="red"><b>Device attributes</b></font><br>
<br>
Device entries in sysfs can have attributes. The relevant structure is:<br>
<pre>
struct device_attribute {
    struct attribute attr;
    ssize_t (*show)(struct device *dev, char *buf);
    ssize_t (*store)(struct device *dev, const char *buf,
                     size_t count);
};
</pre>
These attribute structures can be set up at compile time with this macro:<br>
<pre>
DEVICE_ATTR(name, mode, show, store);
</pre>
The resulting structure is named by prepending <font class="fixd">dev_attr_</font> to the given <font class="fixd">name.</font> The
actual management of attribute files is handled with the usual pair of functions:<br>
<pre>
int device_create_file(struct device *device,
                       struct device_attribute *entry);
void device_remove_file(struct device *dev,
                        struct device_attribute *attr);
</pre>
The <font class="fixd">dev_attrs</font> field of <font class="fixd">struct bus_type</font> points to a list of default attributes created for
every device added to that bus.<br>
<br>
<a name="DeviceStructureEmbedding"></a><font color="red"><b>Device structure embedding</b></font><br>
<br>
The <font class="fixd">device</font> structure contains the information that the device model core needs to
model the system. Most subsystems, however, track additional information about
the devices they host. As a result, it is rare for devices to be represented by bare
device structures; instead, that structure, like kobject structures, is usually embedded
within a higher-level representation of the device. If you look at the definitions of
<font class="fixd">struct pci_dev</font> or <font class="fixd">struct usb_device,</font> you will find a <font class="fixd">struct device</font> buried inside.
Usually, low-level drivers are not even aware of that <font class="fixd">struct device,</font> but there can be
exceptions.<br>
<br>
The <i>lddbus </i>driver creates its own device type (<font class="fixd">struct ldd_device</font>) and expects individual
device drivers to register their devices using that type. It is a simple structure:<br>
<pre>
struct ldd_device {
    char *name;
    struct ldd_driver *driver;
    struct device dev;
};

#define to_ldd_device(dev) container_of(dev, struct ldd_device, dev);
</pre>
This structure allows the driver to provide an actual name for the device (which can be
distinct from its bus ID, stored in the <font class="fixd">device</font> structure) and a pointer to driver information.
Structures for real devices usually also contain information about the vendor,
device model, device configuration, resources used, and so on. Good examples can be<br>
<br>
<A name="384"></a><font color="blue">PAGE 384</font><br>
<br>
found in <font class="fixd">struct pci_dev</font> (<i>&lt;linux/pci.h&gt;</i>) or <font class="fixd">struct usb_device</font> (<i>&lt;linux/usb.h&gt;</i>). A convenience
macro (<i>to_ldd_device</i>) is also defined for <font class="fixd">struct ldd_device</font> to make it easy to
turn pointers to the embedded device structure into <font class="fixd">ldd_device</font> pointers.<br>
<br>
The registration interface exported by <i>lddbus</i> looks like this:<br>
<pre>
int register_ldd_device(struct ldd_device *ldddev)
{
    ldddev-&gt;dev.bus = &amp;ldd_bus_type;
    ldddev-&gt;dev.parent = &amp;ldd_bus;
    ldddev-&gt;dev.release = ldd_dev_release;
    strncpy(ldddev-&gt;dev.bus_id, ldddev-&gt;name, BUS_ID_SIZE);
    return device_register(&amp;ldddev-&gt;dev);
}
EXPORT_SYMBOL(register_ldd_device);
</pre>
Here, we simply fill in some of the embedded <font class="fixd">device</font> structure fields (which individual
drivers should not need to know about), and register the device with the driver
core. If we wanted to add bus-specific attributes to the device, we could do so here.<br>
<br>
To show how this interface is used, let us introduce another sample driver, which we
have called <i>sculld</i>. It is yet another variant on the <i>scullp </i>driver first introduced in
Chapter 8. It implements the usual memory area device, but <i>sculld </i>also works with
the Linux device model by way of the <i>lddbus</i> interface.<br>
<br>
The <i>sculld </i>driver adds an attribute of its own to its device entry; this attribute, called
dev, simply contains the associated device number. This attribute could be used by a
module loading the script or the hotplug subsystem to automatically create device
nodes when the device is added to the system. The setup for this attribute follows the
usual patterns:<br>
<pre>
static ssize_t sculld_show_dev(struct device *ddev, char *buf)
{
    struct sculld_dev *dev = ddev-&gt;driver_data;

    return print_dev_t(buf, dev-&gt;cdev.dev);
}

static DEVICE_ATTR(dev, S_IRUGO, sculld_show_dev, NULL);
</pre>
Then, at initialization time, the device is registered, and the <font class="fixd">dev</font> attribute is created
through the following function:<br>
<pre>
static void sculld_register_dev(struct sculld_dev *dev, int index)
{
    sprintf(dev-&gt;devname, &quot;sculld%d&quot;, index);
    dev-&gt;ldev.name = dev-&gt;devname;
    dev-&gt;ldev.driver = &amp;sculld_driver;
    dev-&gt;ldev.dev.driver_data = dev;
    register_ldd_device(&amp;dev-&gt;ldev);
    device_create_file(&amp;dev-&gt;ldev.dev, &amp;dev_attr_dev);
}
</pre>
<A name="385"></a><font color="blue">PAGE 385</font><br>
<br>
Note that we make use of the <font class="fixd">driver_data</font> field to store the pointer to our own, internal
device structure.<br>
<br>
<a name="DeviceDrivers"></a><font color="red"><b>Device Drivers</b></font><br>
<br>
The device model tracks all of the drivers known to the system. The main reason for
this tracking is to enable the driver core to match up drivers with new devices. Once
drivers are known objects within the system, however, a number of other things
become possible. Device drivers can export information and configuration variables
that are independent of any specific device, for example.<br>
<br>
Drivers are defined by the following structure:<br>
<pre>
struct device_driver {
    char *name;
    struct bus_type *bus;
    struct kobject kobj;
    struct list_head devices;
    int (*probe)(struct device *dev);
    int (*remove)(struct device *dev);
    void (*shutdown) (struct device *dev);
};
</pre>
Once again, several of the structure's fields have been omitted (see <i>&lt;linux/device.h&gt;
</i>for the full story). Here, <font class="fixd">name</font> is the name of the driver (it shows up in sysfs), <font class="fixd">bus</font> is
the type of bus this driver works with, <font class="fixd">kobj</font> is the inevitable kobject, <font class="fixd">devices</font> is a list
of all devices currently bound to this driver, <i>probe </i>is a function called to query the
existence of a specific device (and whether this driver can work with it), <font class="fixd">remove</font> is
called when the device is removed from the system, and <font class="fixd">shutdown</font> is called at shutdown
time to quiesce the device.<br>
<br>
The form of the functions for working with <font class="fixd">device_driver</font> structures should be looking
familiar by now (so we cover them very quickly). The registration functions are:<br>
<pre>
int driver_register(struct device_driver *drv);
void driver_unregister(struct device_driver *drv);
</pre>
The usual attribute structure exists:<br>
<pre>
struct driver_attribute {
    struct attribute attr;
    ssize_t (*show)(struct device_driver *drv, char *buf);
    ssize_t (*store)(struct device_driver *drv, const char *buf,
                     size_t count);
};
DRIVER_ATTR(name, mode, show, store);
</pre>
And attribute files are created in the usual way:<br>
<pre>
int driver_create_file(struct device_driver *drv,
                       struct driver_attribute *attr);
void driver_remove_file(struct device_driver *drv,
                        struct driver_attribute *attr);
</pre>
<A name="386"></a><font color="blue">PAGE 386</font><br>
<br>
The <font class="fixd">bus_type</font> structure contains a field (<font class="fixd">drv_attrs</font>) that points to a set of default
attributes, which are created for all drivers associated with that bus.<br>
<br>
<a name="DriverStructureEmbedding"></a><font color="red"><b>Driver structure embedding</b></font><br>
<br>
As is the case with most driver core structures, the <font class="fixd">device_driver</font> structure is usually
found embedded within a higher-level, bus-specific structure. The <i>lddbus </i>subsystem
would never go against such a trend, so it has defined its own <font class="fixd">ldd_driver</font> structure:<br>
<pre>
struct ldd_driver {
    char *version;
    struct module *module;
    struct device_driver driver;
    struct driver_attribute version_attr;
};

#define to_ldd_driver(drv) container_of(drv, struct ldd_driver, driver);
</pre>
Here, we require each driver to provide its current software version, and <i>lddbus
</i>exports that version string for every driver it knows about. The bus-specific driver
registration function is:<br>
<pre>
int register_ldd_driver(struct ldd_driver *driver)
{
    int ret;

    driver-&gt;driver.bus = &amp;ldd_bus_type;
    ret = driver_register(&amp;driver-&gt;driver);
    if (ret)
        return ret;
    driver-&gt;version_attr.attr.name = &quot;version&quot;;
    driver-&gt;version_attr.attr.owner = driver-&gt;module;
    driver-&gt;version_attr.attr.mode = S_IRUGO;
    driver-&gt;version_attr.show = show_version;
    driver-&gt;version_attr.store = NULL;
    return driver_create_file(&amp;driver-&gt;driver, &amp;driver-&gt;version_attr);
}
</pre>
The first half of the function simply registers the low-level <font class="fixd">device_driver</font> structure
with the core; the rest sets up the <font class="fixd">version</font> attribute. Since this attribute is created at
runtime, we can't use the <font class="fixd">DRIVER_ATTR</font> macro; instead, the <font class="fixd">driver_attribute</font> structure
must be filled in by hand. Note that we set the owner of the attribute to the
driver module, rather than the <i>lddbus </i>module; the reason for this can be seen in the
implementation of the <i>show</i> function for this attribute:<br>
<pre>
static ssize_t show_version(struct device_driver *driver, char *buf)
{
    struct ldd_driver *ldriver = to_ldd_driver(driver);

    sprintf(buf, &quot;%s\n&quot;, ldriver-&gt;version);
    return strlen(buf);
}
</pre>
<A name="387"></a><font color="blue">PAGE 387</font><br>
<br>
One might think that the attribute owner should be the <i>lddbus </i>module, since the
function that implements the attribute is defined there. This function, however, is
working with the <font class="fixd">ldd_driver</font> structure created (and owned) by the driver itself. If
that structure were to go away while a user-space process tried to read the version
number, things could get messy. Designating the driver module as the owner of the
attribute prevents the module from being unloaded, while user-space holds the
attribute file open. Since each driver module creates a reference to the <i>lddbus </i>module,
we can be sure that <i>lddbus</i> will not be unloaded at an inopportune time.<br>
<br>
For completeness, <i>sculld</i> creates its <font class="fixd">ldd_driver</font> structure as follows:<br>
<pre>
static struct ldd_driver sculld_driver = {
    .version = &quot;$Revision: 1.1 $&quot;,
    .module = THIS_MODULE,
    .driver = {
        .name = &quot;sculld&quot;,
    },
};
</pre>
A simple call to <i>register_ldd_driver </i>adds it to the system. Once initialization is complete,
the driver information can be seen in sysfs:<br>
<pre>
$ <b>tree /sys/bus/ldd/drivers
</b>/sys/bus/ldd/drivers
`-- sculld
    |-- sculld0 -&gt; ../../../../devices/ldd0/sculld0
    |-- sculld1 -&gt; ../../../../devices/ldd0/sculld1
    |-- sculld2 -&gt; ../../../../devices/ldd0/sculld2
    |-- sculld3 -&gt; ../../../../devices/ldd0/sculld3
    `-- version
</pre>
<a name="Classes"></a><font color="red"><b>Classes</b></font><br>
<br>
The final device model concept we examine in this chapter is the <i>class</i>. A class is a
higher-level view of a device that abstracts out low-level implementation details.
Drivers may see a SCSI disk or an ATA disk, but, at the class level, they are all simply
disks. Classes allow user space to work with devices based on what they do,
rather than how they are connected or how they work.<br>
<br>
Almost all classes show up in sysfs under <i>/sys/class</i>. Thus, for example, all network
interfaces can be found under <i>/sys/class/net</i>, regardless of the type of interface. Input
devices can be found in <i>/sys/class/input</i>, and serial devices are in <i>/sys/class/tty</i>. The
one exception is block devices, which can be found under <i>/sys/block </i>for historical
reasons.<br>
<br>
Class membership is usually handled by high-level code without the need for explicit
support from drivers. When the <i>sbull </i>driver (see Chapter 16) creates a virtual disk
device, it automatically appears in <i>/sys/block</i>. The <i>snull </i>network driver (see
Chapter 17) does not have to do anything special for its interfaces to be represented<br>
<br>
<A name="388"></a><font color="blue">PAGE 388</font><br>
<br>
in <i>/sys/class/net</i>. There will be times, however, when drivers end up dealing with
classes directly.<br>
<br>
In many cases, the class subsystem is the best way of exporting information to user
space. When a subsystem creates a class, it owns the class entirely, so there is no
need to worry about which module owns the attributes found there. It also takes very little
time wandering around in the more hardware-oriented parts of sysfs to realize that it
can be an unfriendly place for direct browsing. Users more happily find information in
<i>/sys/class/some-widget</i> than under, say,<br>
<br>
<i>/sys/devices/pci0000:00/0000:00:10.0/usb2/2-0:1.0</i>.<br>
<br>
The driver core exports two distinct interfaces for managing classes. The <i>class_simple
</i>routines are designed to make it as easy as possible to add new classes to the system;
their main purpose, usually, is to expose attributes containing device numbers to
enable the automatic creation of device nodes. The regular class interface is more
complex but offers more features as well. We start with the simple version.<br>
<br>
<a name="TheClasssimpleInterface"></a><font color="red"><b>The <font class="fixd">class_simple</font> Interface</b></font><br>
<br>
The <i>class_simple </i>interface was intended to be so easy to use that nobody would have
any excuse for not exporting, at a minimum, an attribute containing a device's
assigned number. Using this interface is simply a matter of a couple of function calls,
with little of the usual boilerplate associated with the Linux device model.<br>
<br>
The first step is to create the class itself. That is accomplished with a call to <i>class_
simple_create</i>:<br>
<pre>
struct class_simple *class_simple_create(struct module *owner, char *name);
</pre>
This function creates a class with the given <font class="fixd">name.</font> The operation can fail, of course, so
the return value should always be checked (using <i><font class="fixd">IS_ERR</font></i>, described in the section
"Pointers and Error Values" in Chapter 1) before continuing.<br>
<br>
A simple class can be destroyed with:<br>
<pre>
void class_simple_destroy(struct class_simple *cs);
</pre>
The real purpose of creating a simple class is to add devices to it; that task is
achieved with:<br>
<pre>
struct class_device *class_simple_device_add(struct class_simple *cs,
                                             dev_t devnum,
                                             struct device *device,
                                             const char *fmt, ...);
</pre>
Here, <font class="fixd">cs</font> is the previously created simple class, <font class="fixd">devnum</font> is the assigned device number,
device is the <font class="fixd">struct device</font> representing this device, and the remaining parameters
are a <i>printk</i>-style format string and arguments to create the device name. This call
adds an entry to the class containing one attribute, <font class="fixd">dev,</font> which holds the device number.
If the <font class="fixd">device</font> parameter is not <font class="fixd">NULL</font>, a symbolic link (called device) points to the
device's entry under <i>/sys/devices</i>.<br>
<br>
<A name="389"></a><font color="blue">PAGE 389</font><br>
<br>
It is possible to add other attributes to a device entry. It is just a matter of using
<i>class_device_create_file</i>, which we discuss in the next section with the rest of the full
class subsystem.<br>
<br>
Classes generate hotplug events when devices come and go. If your driver needs to
add variables to the environment for the user-space event handler, it can set up a hotplug
callback with:<br>
<pre>
int class_simple_set_hotplug(struct class_simple *cs,
                             int (*hotplug)(struct class_device *dev,
                                            char **envp, int num_envp,
                                            char *buffer, int buffer_size));
</pre>
When your device goes away, the class entry should be removed with:<br>
<pre>
void class_simple_device_remove(dev_t dev);
</pre>
Note that the <font class="fixd">class_device</font> structure returned by <i>class_simple_device_add </i>is not
needed here; the device number (which should certainly be unique) is sufficient.<br>
<br>
<a name="TheFullClassInterface"></a><font color="red"><b>The Full Class Interface</b></font><br>
<br>
The <i>class_simple </i>interface suffices for many needs, but sometimes more flexibility is
required. The following discussion describes how to use the full class mechanism,
upon which <i>class_simple </i>is based. It is brief: the class functions and structures follow
the same patterns as the rest of the device model, so there is little that is truly
new here.<br>
<br>
<a name="ManagingClasses"></a><font color="red"><b>Managing classes</b></font><br>
<br>
A class is defined by an instance of <font class="fixd">struct class</font>:<br>
<pre>
struct class {
    char *name;
    struct class_attribute *class_attrs;
    struct class_device_attribute *class_dev_attrs;
    int (*hotplug)(struct class_device *dev, char **envp,
                   int num_envp, char *buffer, int buffer_size);
    void (*release)(struct class_device *dev);
    void (*class_release)(struct class *class);
    /* Some fields omitted */
};
</pre>
Each class needs a unique <font class="fixd">name,</font> which is how this class appears under <i>/sys/class</i>.
When the class is registered, all of the attributes listed in the (<font class="fixd">NULL</font>-terminated) array
pointed to by <font class="fixd">class_attrs</font> is created. There is also a set of default attributes for every
device added to the class; <font class="fixd">class_dev_attrs</font> points to those. There is the usual <i>hotplug
</i>function for adding variables to the environment when events are generated.
There are also two <i>release </i>methods: <i>release </i>is called whenever a device is removed
from the class, while <i>class_release</i> is called when the class itself is released.<br>
<br>
<A name="390"></a><font color="blue">PAGE 390</font><br>
<br>
The registration functions are:<br>
<pre>
int class_register(struct class *cls);
void class_unregister(struct class *cls);
</pre>
The interface for working with attributes should not surprise anybody at this point:<br>
<pre>
struct class_attribute {
    struct attribute attr;
    ssize_t (*show)(struct class *cls, char *buf);
    ssize_t (*store)(struct class *cls, const char *buf, size_t count);
};

CLASS_ATTR(name, mode, show, store);

int class_create_file(struct class *cls,
                      const struct class_attribute *attr);
void class_remove_file(struct class *cls,
                       const struct class_attribute *attr);
</pre>
<a name="ClassDevices"></a><font color="red"><b>Class devices</b></font><br>
<br>
The real purpose of a class is to serve as a container for the devices that are members
of that class. A member is represented by <font class="fixd">struct class_device</font>:<br>
<pre>
struct class_device {
    struct kobject kobj;
    struct class *class;
    struct device *dev;
    void *class_data;
    char class_id[BUS_ID_SIZE];
};
</pre>
The <font class="fixd">class_id</font> field holds the name of this device as it appears in sysfs. The class
pointer should point to the class holding this device, and <font class="fixd">dev</font> should point to the
associated <font class="fixd">device</font> structure. Setting <font class="fixd">dev</font> is optional; if it is <font class="fixd">non-NULL</font>, it is used to create
a symbolic link from the class entry to the corresponding entry under <i>/sys/devices</i>,
making it easy to find the device entry in user space. The class can use <font class="fixd">class_data</font> to
hold a private pointer.<br>
<br>
The usual registration functions have been provided:<br>
<pre>
int class_device_register(struct class_device *cd);
void class_device_unregister(struct class_device *cd);
</pre>
The class device interface also allows the renaming of an already registered entry:<br>
<pre>
int class_device_rename(struct class_device *cd, char *new_name);
</pre>
Class device entries have attributes:<br>
<pre>
struct class_device_attribute {
   struct attribute attr;
   ssize_t (*show)(struct class_device *cls, char *buf);
   ssize_t (*store)(struct class_device *cls, const char *buf,
                    size_t count);
};
</pre>
<A name="391"></a><font color="blue">PAGE 391</font><br>
<pre>
CLASS_DEVICE_ATTR(name, mode, show, store);

int class_device_create_file(struct class_device *cls,
                             const struct class_device_attribute *attr);
void class_device_remove_file(struct class_device *cls,
                              const struct class_device_attribute *attr);
</pre>
A default set of attributes, in the class's <font class="fixd">class_dev_attrs</font> field, is created when the
class device is registered; <i>class_device_create_file </i>may be used to create additional
attributes. Attributes may also be added to class devices created with the <i>class_simple
</i>interface.<br>
<br>
<a name="ClassInterfaces"></a><font color="red"><b>Class interfaces</b></font><br>
<br>
The class subsystem has an additional concept not found in other parts of the Linux
device model. This mechanism is called an <i>interface</i>, but it is, perhaps, best thought
of as a sort of trigger mechanism that can be used to get notification when devices
enter or leave the class.<br>
<br>
An interface is represented by:<br>
<pre>
struct class_interface {
    struct class *class;
    int (*add) (struct class_device *cd);
    void (*remove) (struct class_device *cd);
};
</pre>
Interfaces can be registered and unregistered with:<br>
<pre>
int class_interface_register(struct class_interface *intf);
void class_interface_unregister(struct class_interface *intf);
</pre>
The functioning of an interface is straightforward. Whenever a class device is added
to the <font class="fixd">class</font> specified in the <font class="fixd">class_interface</font> structure, the interface's <i>add </i>function is
called. That function can perform any additional setup required for that device; this
setup often takes the form of adding more attributes, but other applications are possible.
When the device is removed from the class, the <i>remove </i>method is called to perform
any required cleanup.<br>
<br>
Multiple interfaces can be registered for a class.<br>
<br>
<a name="PuttingItAllTogether"></a><font color="red"><b>Putting It All Together</b></font><br>
<br>
To better understand what the driver model does, let us walk through the steps of a
device's lifecycle within the kernel. We describe how the PCI subsystem interacts
with the driver model, the basic concepts of how a driver is added and removed, and
how a device is added and removed from the system. These details, while describing
the PCI kernel code specifically, apply to all other subsystems that use the driver core
to manage their drivers and devices.<br>
<br>
<A name="392"></a><font color="blue">PAGE 392</font><br>
<br>
The interaction between the PCI core, driver core, and the individual PCI drivers is
quite complex, as Figure 14-3 shows.<br>
<br><br>
<center>
<img src="fig14-3.gif">
</center>
<br>
<i>Figure 14-3. Device-creation process</i><br>
<br>
<a name="AddADevice"></a><font color="red"><b>Add a Device</b></font><br>
<br>
The PCI subsystem declares a single <font class="fixd">struct bus_type</font> called <font class="fixd">pci_bus_type,</font> which is
initialized with the following values:<br>
<pre>
struct bus_type pci_bus_type = {
    .name      = &quot;pci&quot;,
    .match     = pci_bus_match,
    .hotplug   = pci_hotplug,
    .suspend   = pci_device_suspend,
    .resume    = pci_device_resume,
    .dev_attrs = pci_dev_attrs,
};
</pre>
This <font class="fixd">pci_bus_type</font> variable is registered with the driver core when the PCI subsystem
is loaded in the kernel with a call to <i>bus_register</i>. When that happens, the driver core
creates a sysfs directory in <i>/sys/bus/pci </i>that consists of two directories: <i>devices </i>and
<i>drivers</i>.<br>
<br>
All PCI drivers must define a <font class="fixd">struct pci_driver</font> variable that defines the different
functions that this PCI driver can do (for more information about the PCI subsystem<br>
<br>
<A name="393"></a><font color="blue">PAGE 393</font><br>
<br>
and how to write a PCI driver, see Chapter 12). That structure contains a 
<font class="fixd">struct device_driver</font> that is then initialized by the PCI core when the PCI driver is registered:<br>
<pre>
/* initialize common driver fields */
drv-&gt;driver.name = drv-&gt;name;
drv-&gt;driver.bus = &amp;pci_bus_type;
drv-&gt;driver.probe = pci_device_probe;
drv-&gt;driver.remove = pci_device_remove;
drv-&gt;driver.kobj.ktype = &amp;pci_driver_kobj_type;
</pre>
This code sets up the bus for the driver to point to the <font class="fixd">pci_bus_type</font> and points the
<i>probe </i>and <i>remove </i>functions to point to functions within the PCI core. The <font class="fixd">ktype</font> for
the driver's <font class="fixd">kobject</font> is set to the variable <font class="fixd">pci_driver_kobj_type,</font> in order for the PCI
driver's attribute files to work properly. Then the PCI core registers the PCI driver
with the driver core:<br>
<pre>
/* register with core */
error = driver_register(&amp;drv-&gt;driver);
</pre>
The driver is now ready to be bound to any PCI devices it supports.<br>
<br>
The PCI core, with help from the architecture-specific code that actually talks to the
PCI bus, starts probing the PCI address space, looking for all PCI devices. When
a PCI device is found, the PCI core creates a new variable in memory of type 
<font class="fixd">struct pci_dev</font>. A portion of the <font class="fixd">struct pci_dev</font> structure looks like the following:<br>
<pre>
struct pci_dev {
    /* ... */
    unsigned int   devfn;
    unsigned short vendor;
    unsigned short device;
    unsigned short subsystem_vendor;
    unsigned short subsystem_device;
    unsigned int   class;
    /* ... */
    struct pci_driver *driver;
    /* ... */
    struct device dev;
    /* ... */
};
</pre>
The bus-specific fields of this PCI device are initialized by the PCI core (the <font class="fixd">devfn,
vendor, device,</font> and other fields), and the <font class="fixd">struct device</font> variable's <font class="fixd">parent</font> variable is
set to the PCI bus device that this PCI device lives on. The <font class="fixd">bus</font> variable is set to point
at the <font class="fixd">pci_bus_type</font> structure. Then the <font class="fixd">name</font> and <font class="fixd">bus_id</font> variables are set, depending
on the name and ID that is read from the PCI device.<br>
<br>
After the PCI device structure is initialized, the device is registered with the driver
core with a call to:<br>
<pre>
device_register(&amp;dev-&gt;dev);
</pre>
<A name="394"></a><font color="blue">PAGE 394</font><br>
<br>
Within the <i>device_register </i>function, the driver core initializes a number of the
device's fields, registers the device's kobject with the kobject core (which causes a
hotplug event to be generated, but we discuss that later in this chapter), and then
adds the device to the list of devices that are held by the device's parent. This is done
so that all devices can be walked in the proper order, always knowing where in the
hierarchy of devices each one lives.<br>
<br>
The device is then added to the bus-specific list of all devices, in this example, the
<font class="fixd">pci_bus_type</font> list. Then the list of all drivers that are registered with the bus is walked,
and the <i>match </i>function of the bus is called for every driver, specifying this device. For
the <font class="fixd">pci_bus_type</font> bus, the <i>match </i>function was set to point to the <i>pci_bus_match </i>function
by the PCI core before the device was submitted to the driver core.<br>
<br>
The <i>pci_bus_match </i>function casts the <font class="fixd">struct device</font> that was passed to it by the
driver core, back into a <font class="fixd">struct pci_dev</font>. It also casts the <font class="fixd">struct device_driver</font> back
into a <font class="fixd">struct pci_driver</font> and then looks at the PCI device-specific information of the
device and driver to see if the driver states that it can support this kind of device. If
the match is not successful, the function returns 0 back to the driver core, and the
driver core moves on to the next driver in its list.<br>
<br>
If the match is successful, the function returns 1 back to the driver core. This causes
the driver core to set the <font class="fixd">driver</font> pointer in the <font class="fixd">struct device</font> to point to this driver,
and then it calls the <i>probe</i> function that is specified in the <font class="fixd">struct device_driver</font>.<br>
<br>
Earlier, before the PCI driver was registered with the driver core, the <font class="fixd">probe</font> variable
was set to point at the <i>pci_device_probe </i>function. This function casts (yet again) the
<font class="fixd">struct device</font> back into a <font class="fixd">struct pci_dev</font> and the <font class="fixd">struct driver</font> that is set in the
device back into a <font class="fixd">struct pci_driver</font>. It again verifies that this driver states that it can
support this device (which seems to be a redundant extra check for some unknown
reason), increments the reference count of the device, and then calls the PCI driver's
<i>probe</i> function with a pointer to the <font class="fixd">struct pci_dev</font> structure it should bind to.<br>
<br>
If the PCI driver's <i>probe </i>function determines that it can not handle this device for
some reason, it returns a negative error value, which is propagated back to the driver
core and causes it to continue looking through the list of drivers to match one up
with this device. If the <i>probe </i>function can claim the device, it does all the initialization
that it needs to do to handle the device properly, and then it returns 0 back up
to the driver core. This causes the driver core to add the device to the list of all
devices currently bound by this specific driver and creates a symlink within the
driver's directory in sysfs to the device that it is now controlling. This symlink allows
users to see exactly which devices are bound to which devices. This can be seen as:<br>
<pre>
$ tree /sys/bus/pci
/sys/bus/pci/
|-- devices
|   |-- 0000:00:00.0 -&gt; ../../../devices/pci0000:00/0000:00:00.0
|   |-- 0000:00:00.1 -&gt; ../../../devices/pci0000:00/0000:00:00.1
|   |-- 0000:00:00.2 -&gt; ../../../devices/pci0000:00/0000:00:00.2
</pre>
<A name="395"></a><font color="blue">PAGE 395</font><br>
<pre>
|   |-- 0000:00:02.0 -&gt; ../../../devices/pci0000:00/0000:00:02.0
|   |-- 0000:00:04.0 -&gt; ../../../devices/pci0000:00/0000:00:04.0
|   |-- 0000:00:06.0 -&gt; ../../../devices/pci0000:00/0000:00:06.0
|   |-- 0000:00:07.0 -&gt; ../../../devices/pci0000:00/0000:00:07.0
|   |-- 0000:00:09.0 -&gt; ../../../devices/pci0000:00/0000:00:09.0
|   |-- 0000:00:09.1 -&gt; ../../../devices/pci0000:00/0000:00:09.1
|   |-- 0000:00:09.2 -&gt; ../../../devices/pci0000:00/0000:00:09.2
|   |-- 0000:00:0c.0 -&gt; ../../../devices/pci0000:00/0000:00:0c.0
|   |-- 0000:00:0f.0 -&gt; ../../../devices/pci0000:00/0000:00:0f.0
|   |-- 0000:00:10.0 -&gt; ../../../devices/pci0000:00/0000:00:10.0
|   |-- 0000:00:12.0 -&gt; ../../../devices/pci0000:00/0000:00:12.0
|   |-- 0000:00:13.0 -&gt; ../../../devices/pci0000:00/0000:00:13.0
|   `-- 0000:00:14.0 -&gt; ../../../devices/pci0000:00/0000:00:14.0
`-- drivers
    |-- ALI15x3_IDE
    |   `-- 0000:00:0f.0 -&gt; ../../../../devices/pci0000:00/0000:00:0f.0
    |-- ehci_hcd
    |   `-- 0000:00:09.2 -&gt; ../../../../devices/pci0000:00/0000:00:09.2
    |-- ohci_hcd
    |   |-- 0000:00:02.0 -&gt; ../../../../devices/pci0000:00/0000:00:02.0
    |   |-- 0000:00:09.0 -&gt; ../../../../devices/pci0000:00/0000:00:09.0
    |   `-- 0000:00:09.1 -&gt; ../../../../devices/pci0000:00/0000:00:09.1
    |-- orinoco_pci
    |   `-- 0000:00:12.0 -&gt; ../../../../devices/pci0000:00/0000:00:12.0
    |-- radeonfb
    |   `-- 0000:00:14.0 -&gt; ../../../../devices/pci0000:00/0000:00:14.0
    |-- serial
    `-- trident
        `-- 0000:00:04.0 -&gt; ../../../../devices/pci0000:00/0000:00:04.0
</pre>
<a name="RemoveADevice"></a><font color="red"><b>Remove a Device</b></font><br>
<br>
A PCI device can be removed from a system in a number of different ways. All CardBus
devices are really PCI devices in a different physical form factor, and the kernel
PCI core does not differentiate between them. Systems that allow the removal or
addition of PCI devices while the machine is still running are becoming more popular, and
Linux supports them. There is also a fake PCI Hotplug driver that allows
developers to test to see if their PCI driver properly handles the removal of a device
while the system is running. This module is called <font class="fixd">fakephp</font> and causes the kernel to
think the PCI device is gone, but it does not allow users to physically remove a PCI
device from a system that does not have the proper hardware to do so. See the documentation
with this driver for more information on how to use it to test your PCI
drivers.<br>
<br>
The PCI core exerts a lot less effort to remove a device than it does to add it. When a
PCI device is to be removed, the <i>pci_remove_bus_device </i>function is called. This function
does some PCI-specific cleanups and housekeeping, and then calls the <i>device_unregister
</i>function with a pointer to the <font class="fixd">struct pci_dev's struct device</font> member.<br>
<br>
<A name="396"></a><font color="blue">PAGE 396</font><br>
<br>
In the <i>device_unregister </i>function, the driver core merely unlinks the sysfs files from
the driver bound to the device (if there was one), removes the device from its internal
list of devices, and calls <i>kobject_del </i>with a pointer to the <font class="fixd">struct kobject</font> that is
contained in the <font class="fixd">struct device</font> structure. That function makes a hotplug call to user
space stating that the kobject is now removed from the system, and then it deletes all
sysfs files associated with the kobject and the sysfs directory itself that the kobject
had originally created.<br>
<br>
The <i>kobject_del </i>function also removes the kobject reference of the device itself. If
that reference was the last one (meaning no user-space files were open for the sysfs
entry of the device), then the <i>release </i>function for the PCI device itself, <i>pci_release_dev</i>,
is called. That function merely frees up the memory that the <font class="fixd">struct pci_dev</font> took up.<br>
<br>
After this, all sysfs entries associated with the device are removed, and the memory
associated with the device is released. The PCI device is now totally removed from
the system.<br>
<br>
<a name="AddADriver"></a><font color="red"><b>Add a Driver</b></font><br>
<br>
A PCI driver is added to the PCI core when it calls the <i>pci_register_driver </i>function.
This function merely initializes the <font class="fixd">struct device_driver</font> structure that is contained
within the <font class="fixd">struct pci_driver</font> structure, as previously mentioned in the section
about adding a device. Then the PCI core calls the <i>driver_register </i>function in the
driver core with a pointer to the <font class="fixd">struct device_driver</font> structure contained in the
<font class="fixd">struct pci_driver</font> structure.<br>
<br>
The <i>driver_register </i>function initializes a few locks in the <font class="fixd">struct device_driver</font> structure, and
then calls the <i>bus_add_driver </i>function. This function does the following
steps:<br>
<ul>
<li> Looks up the bus that the driver is to be associated with. If this bus is not found,
the function instantly returns.
<li> The driver's sysfs directory is created based on the name of the driver and the
bus that it is associated with.
<li> The bus's internal lock is grabbed, and then all devices that have been registered
</ul>
with the bus are walked, and the match function is called for them, just like
when a new device is added. If that match function succeeds, then the rest of the
binding process occurs, as described in the previous section.

<a name="RemoveADriver"></a><font color="red"><b>Remove a Driver</b></font><br>
<br>
Removing a driver is a very simple action. For a PCI driver, the driver calls the
<i>pci_unregister_driver </i>function. This function merely calls the driver core function
<i>driver_unregister</i>, with a pointer to the <font class="fixd">struct device_driver</font> portion of the struct
<font class="fixd">pci_driver</font> structure passed to it.<br>
<br>
<A name="397"></a><font color="blue">PAGE 397</font><br>
<br>
The <i>driver_unregister </i>function handles some basic housekeeping by cleaning up
some sysfs attributes that were attached to the driver's entry in the sysfs tree. It then
iterates over all devices that were attached to this driver and calls the <i>release </i>function
for it. This happens exactly like the previously mentioned <i>release </i>function for
when a device is removed from the system.<br>
<br>
After all devices are unbound from the driver, the driver code does this unique bit of
logic:<br>
<pre>
down(&amp;drv-&gt;unload_sem);
up(&amp;drv-&gt;unload_sem);
</pre>
This is done right before returning to the caller of the function. This lock is grabbed
because the code needs to wait for all reference counts on this driver to be dropped
to 0 before it is safe to return. This is needed because the <i>driver_unregister </i>function is
most commonly called as the exit path of a module that is being unloaded. The module
needs to remain in memory for as long as the driver is being referenced by devices
and by waiting for this lock to be freed, this allows the kernel to know when it is safe
to remove the driver from memory.<br>
<br>
<a name="Hotplug"></a><font color="red"><b>Hotplug</b></font><br>
<br>
There are two different ways to view hotplugging. The kernel views hotplugging as
an interaction between the hardware, the kernel, and the kernel driver. Users view
hotplugging as the interaction between the kernel and user space through the program
called <i>/sbin/hotplug</i>. This program is called by the kernel when it wants to
notify user space that some type of hotplug event has just happened within the kernel.<br>
<br>
<a name="DynamicDevices"></a><font color="red"><b>Dynamic Devices</b></font><br>
<br>
The most commonly used meaning of the term "hotplug" happens when discussing
the fact that most all computer systems can now handle devices appearing or disappearing
while the system is powered on. This is very different from the computer systems
of only a few years ago, where the programmers knew that they needed to scan
for all devices only at boot time, and they never had to worry about their devices disappearing
until the power was turned off to the whole machine. Now, with the
advent of USB, CardBus, PCMCIA, IEEE1394, and PCI Hotplug controllers, the
Linux kernel needs to be able to reliably run no matter what hardware is added or
removed from the system. This places an added burden on the device driver author,
as they must now always handle a device being suddenly ripped out from underneath
them without any notice.<br>
<br>
Each different bus type handles the loss of a device in a different way. For example,
when a PCI, CardBus, or PCMCIA device is removed from the system, it is usually a
while before the driver is notified of this action through its <i>remove </i>function. Before
that happens, all reads from the PCI bus return all bits set. This means that drivers<br>
<br>
<A name="398"></a><font color="blue">PAGE 398</font><br>
<br>
need to always check the value of the data they read from the PCI bus and properly
be able to handle a <font class="fixd">0xff</font> value.<br>
<br>
An example of this can be seen in the <i>drivers/usb/host/ehci-hcd.c </i>driver, which is a
PCI driver for a USB 2.0 (high-speed) controller card. It has the following code in its
main handshake loop to detect if the controller card has been removed from the system:<br>
<pre>
result = readl(ptr);
if (result = = ~(u32)0)    /* card removed */
    return -ENODEV;
</pre>
For USB drivers, when the device that a USB driver is bound to is removed from the
system, any pending urbs that were submitted to the device start failing with the
error <font class="fixd">-ENODEV</font>. The driver needs to recognize this error and properly clean up any
pending I/O if it occurs.<br>
<br>
Hotpluggable devices are not limited only to traditional devices such as mice, keyboards, and
network cards. There are numerous systems that now support removal
and addition of entire CPUs and memory sticks. Fortunately the Linux kernel properly
handles the addition and removal of such core "system" devices so that individual
device drivers do not need to pay attention to these things.<br>
<br>
<a name="TheSbinhotplugUtility"></a><font color="red"><b>The /sbin/hotplug Utility</b></font><br>
<br>
As alluded to earlier in this chapter, whenever a device is added or removed from the
system, a "hotplug event" is generated. This means that the kernel calls the userspace
program <i>/sbin/hotplug</i>. This program is typically a very small bash script that
merely passes execution on to a list of other programs that are placed in the <i>/etc/hotplug.d/</i>
directory tree. For most Linux distributions, this script looks like the following:<br>
<pre>
DIR=&quot;/etc/hotplug.d&quot;
for I in &quot;${DIR}/$1/&quot;*.hotplug &quot;${DIR}/&quot;default/*.hotplug ; do
    if [ -f $I ]; then
        test -x $I &amp;&amp; $I $1 ;
    fi
done
exit 1
</pre>
In other words, the script searches for all programs bearing a <i>.hotplug </i>suffix that
might be interested in this event and invokes them, passing to them a number of different
environment variables that have been set by the kernel. More details about
how the <i>/sbin/hotplug </i>script works can be found in the comments in the program and
in the <i>hotplug(8)</i> manpage.<br>
<br>
<A name="399"></a><font color="blue">PAGE 399</font><br>
<br>
As mentioned previously, <i>/sbin/hotplug </i>is called whenever a kobject is created or
destroyed. The hotplug program is called with a single command-line argument providing
a name for the event. The core kernel and specific subsystem involved also set
a series of environment variables (described below) with information on what has
just occurred. These variables are used by the hotplug programs to determine what
has just happened in the kernel, and if there is any specific action that should take
place.<br>
<br>
The command-line argument passed to <i>/sbin/hotplug </i>is the name associated with this
hotplug event, as determined by the kset assigned to the kobject. This name can be
set by a call to the <i>name </i>function that is part of the kset's <font class="fixd">hotplug_ops</font> structure
described earlier in this chapter; if that function is not present or never called, the
name is that of the kset itself.<br>
<br>
The default environment variables that are always set for the <i>/sbin/hotplug </i>program
are:<br>
<br>
<font class="fixd">ACTION</font><br>
<div class="bq">
The string <font class="fixd">add</font> or <font class="fixd">remove,</font> depending on whether the object in question was just
created or destroyed.</div>
<br>
<font class="fixd">DEVPATH</font><br>
<div class="bq">
A directory path, within the sysfs filesystem, that points to the kobject that is
being either created or destroyed. Note that the mount point of the sysfs filesystem
is not added to this path, so it is up to the user-space program to determine
that.</div>
<br>
<font class="fixd">SEQNUM</font><br>
<div class="bq">
The sequence number for this hotplug event. The sequence number is a 64-bit
number that is incremented for every hotplug event that is generated. This
allows user space to sort the hotplug events in the order in which the kernel generates
them, as it is possible for a user-space program to be run out of order.</div>
<br>
<font class="fixd">SUBSYSTEM</font><br>
<div class="bq">
The same string passed as the command-line argument as described above.</div>
<br>
A number of the different bus subsystems all add their own environment variables to
the <i>/sbin/hotplug </i>call, when devices associated with the bus are added or removed
from the system. They do this in their <i>hotplug </i>callback that is specified in the struct
<font class="fixd">kset_hotplug_ops</font> assigned to their bus (as described in the section "Hotplug Operations").
This allows user space to be able to automatically load any necessary module
that might be needed to control the device that has been found by the bus. Here is a
list of the different bus types and what environment variables they add to the <i>/sbin/
hotplug</i> call.<br>
<br>
<A name="400"></a><font color="blue">PAGE 400</font><br>
<br>
<a name="IEEE1394FireWire"></a><font color="red"><b>IEEE1394 (FireWire)</b></font><br>
<br>
Any devices on the IEEE1394 bus, also known as Firewire, have the <i>/sbin/hotplug
</i>parameter name and the <font class="fixd">SUBSYSTEM</font> environment variable set to the value <font class="fixd">ieee1394.</font>
The <font class="fixd">ieee1394</font> subsystem also always adds the following four environment variables:<br>
<br>
<font class="fixd">VENDOR_ID</font><br>
<div class="bq">
The 24-bit vendor ID for the IEEE1394 device</div>
<br>
<font class="fixd">MODEL_ID</font><br>
<div class="bq">
The 24-bit model ID for the IEEE1394 device</div>
<br>
<font class="fixd">GUID</font><br>
<div class="bq">
The 64-bit GUID for the device</div>
<br>
<font class="fixd">SPECIFIER_ID</font><br>
<div class="bq">
The 24-bit value specifying the owner of the protocol spec for this device</div>
<br>
<font class="fixd">VERSION</font><br>
<div class="bq">
The value that specifies the version of the protocol spec for this device</div>
<br>
<a name="Networking"></a><font color="red"><b>Networking</b></font><br>
<br>
All network devices create a hotplug event when the device is registered or unregistered
in the kernel. The <i>/sbin/hotplug </i>call has the parameter name and the <font class="fixd">SUBSYSTEM</font>
environment variable set to the value <font class="fixd">net,</font> and just adds the following environment
variable:<br>
<br>
<font class="fixd">INTERFACE</font><br>
<div class="bq">
The name of the interface that has been registered or unregistered from the kernel.
Examples of this are <font class="fixd">lo</font> and <font class="fixd">eth0.</font></div>
<br>
<a name="PCI"></a><font color="red"><b>PCI</b></font><br>
<br>
Any devices on the PCI bus have the parameter name and the <font class="fixd">SUBSYSTEM</font> environment
variable set to the value <font class="fixd">pci.</font> The PCI subsystem also always adds the following
four environment variables:<br>
<br>
<font class="fixd">PCI_CLASS</font><br>
<div class="bq">
The PCI class number for the device, in hex.</div>
<br>
<font class="fixd">PCI_ID</font><br>
<div class="bq">
The PCI vendor and device IDs for the device, in hex, combined in the format
<font class="fixd">vendor:device.</font></div>
<br>
<font class="fixd">PCI_SUBSYS_ID</font><br>
<div class="bq">
The PCI subsystem vendor and subsystem device IDs, combined in the format
<font class="fixd">subsys_vendor:subsys_device.</font></div>
<br>
<font class="fixd">PCI_SLOT_NAME</font><br>
<div class="bq">
The PCI slot "name" that is given to the device by the kernel. It is in the format
<font class="fixd">domain:bus:slot:function.</font> An example might be <font class="fixd">0000:00:0d.0.</font></div>
<br>
<A name="401"></a><font color="blue">PAGE 401</font><br>
<br>
<a name="Input"></a><font color="red"><b>Input</b></font><br>
<br>
For all input devices (mice, keyboards, joysticks, etc.), a hotplug event is generated
when the device is added and removed from the kernel. The <i>/sbin/hotplug </i>parameter
and the <font class="fixd">SUBSYSTEM</font> environment variable are set to the value <font class="fixd">input.</font> The input subsystem
also always adds the following environment variable:<br>
<br>
<font class="fixd">PRODUCT</font><br>
<div class="bq">
A multivalue string listing values in hex with no leading zeros. It is in the format
<font class="fixd">bustype:vendor:product:version.</font></div>
<br>
The following environment variables may be present, if the device supports it:<br>
<br>
<font class="fixd">NAME</font><br>
<div class="bq">
The name of the input device as given by the device.</div>
<br>
<font class="fixd">PHYS</font><br>
<div class="bq">
The device's physical address that the input subsystem gave to this device. It is
supposed to be stable, depending on the bus position into which the device was
plugged.</div>
<br>
<font class="fixd">EV<br>
KEY<br>
REL<br>
ABS<br>
MSC<br>
LED<br>
SND<br>
FF</font><br>
<div class="bq">
These all come from the input device descriptor and are set to the appropriate
values if the specific input device supports it.</div>
<br>
<a name="USB"></a><font color="red"><b>USB</b></font><br>
<br>
Any devices on the USB bus have the parameter name and the <font class="fixd">SUBSYSTEM</font> environment
variable set to the value <font class="fixd">usb.</font> The USB subsystem also always adds the following
environment variables:<br>
<br>
<font class="fixd">PRODUCT</font><br>
<div class="bq">
A string in the format <font class="fixd">idVendor/idProduct/bcdDevice</font> that specifies those USB
device-specific fields</div>
<br>
<font class="fixd">TYPE</font><br>
<div class="bq">
A string in the format <font class="fixd">bDeviceClass/bDeviceSubClass/bDeviceProtocol</font> that specifies
those USB device-specific fields</div>
<br>
If the <font class="fixd">bDeviceClass</font> field is set to 0, the following environment variable is also set:<br>
<br>
<font class="fixd">INTERFACE</font><br>
<div class="bq">
A string in the format <font class="fixd">bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol</font>
that specifies those USB device-specific fields.</div>
<br>
<A name="402"></a><font color="blue">PAGE 402</font><br>
<br>
If the kernel build option, <font class="fixd">CONFIG_USB_DEVICEFS,</font> which selects the <font class="fixd">usbfs</font> filesystem to
be built in the kernel, is selected, the following environment variable is also set:<br>
<br>
<font class="fixd">DEVICE</font><br>
<div class="bq">
A string that shows where in the <font class="fixd">usbfs</font> filesystem the device is located. This
string is in the format <font class="fixd">/proc/bus/usb/USB_BUS_NUMBER/USB_DEVICE_NUMBER,</font> in
which <font class="fixd">USB_BUS_NUMBER</font> is the three-digit number of the USB bus that the device is
on, and <font class="fixd">USB_DEVICE_NUMBER</font> is the three-digit number that has been assigned by
the kernel to that USB device.</div>
<br>
<a name="SCSI"></a><font color="red"><b>SCSI</b></font><br>
<br>
All SCSI devices create a hotplug event when the SCSI device is created or removed
from the kernel. The <i>/sbin/hotplug </i>call has the parameter name and the <font class="fixd">SUBSYSTEM</font>
environment variable set to the value scsi for every SCSI device that is added or
removed from the system. There are no additional environment variables added by
the SCSI system, but it is mentioned here because there is a SCSI-specific user-space
script that can determine what SCSI drivers (disk, tape, generic, etc.) should be
loaded for the specified SCSI device.<br>
<br>
<a name="LaptopDockingStations"></a><font color="red"><b>Laptop docking stations</b></font><br>
<br>
If a Plug-and-Play-supported laptop docking station is added or removed from the
running Linux system (by inserting the laptop into the station, or removing it), a hotplug
event is created. The <i>/sbin/hotplug </i>call has the parameter name and the
<font class="fixd">SUBSYSTEM</font> environment variable set to the value dock. No other environment variables
are set.<br>
<br>
<a name="S390AndZSeries"></a><font color="red"><b>S/390 and zSeries</b></font><br>
<br>
On the S/390 architecture, the channel bus architecture supports a wide range of
hardware, all of which generate <i>/sbin/hotplug </i>events when they are added or removed
from the Linux virtual system. These devices all have the <i>/sbin/hotplug </i>parameter
name and the <font class="fixd">SUBSYSTEM</font> environment variable set to the value dasd. No other environment
variables are set.<br>
<br>
<a name="UsingSbinhotplug"></a><font color="red"><b>Using /sbin/hotplug</b></font><br>
<br>
Now that the Linux kernel is calling <i>/sbin/hotplug </i>for every device added and
removed from the kernel, a number of very useful tools have been created in user
space that take advantage of this. Two of the most popular tools are the Linux Hotplug
scripts and <i>udev</i>.<br>
<br>
<A name="403"></a><font color="blue">PAGE 403</font><br>
<br>
<a name="LinuxHotplugScripts"></a><font color="red"><b>Linux hotplug scripts</b></font><br>
<br>
The Linux hotplug scripts started out as the very first user of the <i>/sbin/hotplug </i>call.
These scripts look at the different environment variables that the kernel sets to
describe the device that was just discovered and then tries to find a kernel module
that matches up with that device.<br>
<br>
As has been described before, when a driver uses the <font class="fixd">MODULE_DEVICE_TABLE</font> macro, the
program, <font class="fixd">depmod</font>, takes that information and creates the files located in <i>/lib/module/
KERNEL_VERSION/modules.*map</i>. The * is different, depending on the bus type
that the driver supports. Currently, the module map files are generated for drivers
that work for devices that support the PCI, USB, IEEE1394, INPUT, ISAPNP, and
CCW subsystems.<br>
<br>
The hotplug scripts use these module map text files to determine what module to try
to load to support the device that was recently discovered by the kernel. They load
all modules and do not stop at the first match, in order to let the kernel work out
what module works best. These scripts do not unload any modules when devices are
removed. If they were to try to do that, they could accidentally shut down devices
that were also controlled by the same driver of the device that was removed.<br>
<br>
Note, now that the <font class="fixd">modprobe</font> program can read the <font class="fixd">MODULE_DEVICE_TABLE</font> information
directly from the modules without the need of the module map files, the hotplug
scripts might be reduced to a small wrapper around the modprobe program.<br>
<br>
<a name="Udev"></a><font color="red"><b>udev</b></font><br>
<br>
One of the main reasons for creating the unified driver model in the kernel was to
allow user space to manage the <i>/dev </i>tree in a dynamic fashion. This had previously
been done in user space with the implementation of devfs, but that code base has
slowly rotted away, due to a lack of an active maintainer and some unfixable core
bugs. A number of kernel developers realized that if all device information was
exported to user space, it could perform all the necessary management of the <i>/dev
</i>tree.<br>
<br>
devfs has some very fundamental flaws in its design. It requires every device driver to
be modified to support it, and it requires that device driver to specify the name and
location within the <i>/dev </i>tree where it is placed. It also does not properly handle
dynamic major and minor numbers, and it does not allow user space to override the
naming of a device in a simple manner, forcing the device naming policy to reside
within the kernel and not in user space. Linux kernel developers really hate having
policy within the kernel, and since the devfs naming policy does not follow the Linux
Standard Base specification, it really bothers them.<br>
<br>
As the Linux kernel started to be installed on huge servers, a lot of users ran into the
problem of how to manage very large numbers of devices. Disk drive arrays of over
10,000 unique devices presented the very difficult task of ensuring that a specific disk<br>
<br>
<A name="404"></a><font color="blue">PAGE 404</font><br>
<br>
was always named with the same exact name, no matter where it was placed in the
disk array or when it was discovered by the kernel. This same problem also plagued
desktop users who tried to plug two USB printers into their system and then realized
that they had no way of ensuring that the printer known as <i>/dev/lpt0 </i>would not
change and be assigned to the other printer if the system was rebooted.<br>
<br>
So, <i>udev </i>was created. It relies on all device information being exported to user space
through sysfs and on being notified by <i>/sbin/hotplug </i>that a device was added or
removed. Policy decisions, such as what name to give a device, can be specified in
user space, outside of the kernel. This ensures that the naming policy is removed
from the kernel and allows a large amount of flexibility about the name of each
device.<br>
<br>
For more information on how to use <i>udev </i>and how to configure it, please see the
documentation that comes included with the <i>udev</i> package in your distribution.<br>
<br>
All that a device driver needs to do, for <i>udev </i>to work properly with it, is ensure that
any major and minor numbers assigned to a device controlled by the driver are
exported to user space through sysfs. For any driver that uses a subsystem to assign it
a major and minor number, this is already done by the subsystem, and the driver
doesn't have to do any work. Examples of subsystems that do this are the tty, misc,
usb, input, scsi, block, i2c, network, and frame buffer subsystems. If your driver handles
getting a major and minor number on its own, through a call to the <i>cdev_init
</i>function or the older <i>register_chrdev </i>function, the driver needs to be modified in
order for <i>udev</i> to work properly with it.<br>
<br>
<i>udev </i>looks for a file called dev in the <i>/class/ </i>tree of sysfs, in order to determine what
major and minor number is assigned to a specific device when it is called by the kernel
through the <i>/sbin/hotplug </i>interface. A device driver merely needs to create that file
for every device it controls. The <font class="fixd">class_simple</font> interface is usually the easiest way to
do this.<br>
<br>
As mentioned in the section "The <font class="fixd">class_simple</font> Interface," the first step in using
the <font class="fixd">class_simple</font> interface is to create a <font class="fixd">struct class_simple</font> with a call to the
<i>class_simple_create</i> function:<br>
<pre>
static struct class_simple *foo_class;
...
foo_class = class_simple_create(THIS_MODULE, &quot;foo&quot;);
if (IS_ERR(foo_class)) {
    printk(KERN_ERR &quot;Error creating foo class.\n&quot;);
    goto error;
}
</pre>
This code creates a directory in sysfs in <i>/sys/class/foo</i>.<br>
<br>
Whenever a new device is found by your driver, and you assign it a minor number as
described in Chapter 3, the driver should call the <i>class_simple_device_add</i> function:<br>
<pre>
class_simple_device_add(foo_class, MKDEV(FOO_MAJOR, minor), NULL, &quot;foo%d&quot;, minor);
</pre>
<A name="405"></a><font color="blue">PAGE 405</font><br>
<br>
This code causes a subdirectory under <i>/sys/class/foo </i>to be created called <i>fooN</i>, where
<i>N </i>is the minor number for this device. There is one file created in this directory, <i>dev</i>,
which is exactly what <i>udev</i> needs in order to create a device node for your device.<br>
<br>
When your driver is unbound from a device, and you give up the minor number that
it was attached to, a call to <i>class_simple_device_remove </i>is needed to remove the sysfs
entries for this device:<br>
<pre>
class_simple_device_remove(MKDEV(FOO_MAJOR, minor));
</pre>
Later, when your entire driver is being shut down, a call to <i>class_simple_destroy </i>is
needed to remove the class that you created originally with the call to <i>class_simple_
create</i>:<br>
<pre>
class_simple_destroy(foo_class);
</pre>
The <i>dev </i>file that is created by the call to <i>class_simple_device_add </i>consists of the
major and minor numbers, separated by a : character. If your driver does not want to
use the <font class="fixd">class_simple</font> interface because you want to provide other files within the
class directory for the subsystem, use the <i>print_dev_t </i>function to properly format the
major and minor number for the specific device.<br>
<br>
<a name="DealingWithFirmware"></a><font color="red"><b>Dealing with Firmware</b></font><br>
<br>
As a driver author, you may find yourself confronted with a device that must have
firmware downloaded into it before it functions properly. The competition in many
parts of the hardware market is so intense that even the cost of a bit of EEPROM for
the device's controlling firmware is more than the manufacturer is willing to spend.
So the firmware is distributed on a CD with the hardware, and the operating system
is charged with conveying the firmware to the device itself.<br>
<br>
You may be tempted to solve the firmware problem with a declaration like this:<br>
<pre>
static char my_firmware[ ] = { 0x34, 0x78, 0xa4, ... };
</pre>
That approach is almost certainly a mistake, however. Coding firmware into a driver
bloats the driver code, makes upgrading the firmware hard, and is very likely to run
into licensing problems. It is highly unlikely that the vendor has released the firmware
image under the GPL, so mixing it with GPL-licensed code is usually a mistake.
For this reason, drivers containing wired-in firmware are unlikely to be accepted into
the mainline kernel or included by Linux distributors.<br>
<br>
<a name="TheKernelFirmwareInterface"></a><font color="red"><b>The Kernel Firmware Interface</b></font><br>
<br>
The proper solution is to obtain the firmware from user space when you need it.
Please resist the temptation to try to open a file containing firmware directly from
kernel space, however; that is an error-prone operation, and it puts policy (in the<br>
<br>
<A name="406"></a><font color="blue">PAGE 406</font><br>
<br>
form of a file name) into the kernel. Instead, the correct approach is to use the firmware
interface, which was created just for this purpose:<br>
<pre>
#include &lt;linux/firmware.h&gt;
int request_firmware(const struct firmware **fw, char *name,
                     struct device *device);
</pre>
A call to <i>request_firmware </i>requests that user space locate and provide a firmware
image to the kernel; we look at the details of how it works in a moment. The <font class="fixd">name</font>
should identify the firmware that is desired; the normal usage is the name of the
firmware file as provided by the vendor. Something like <i>my_firmware.bin </i>is typical. If
the firmware is successfully loaded, the return value is 0 (otherwise the usual error
code is returned), and the <font class="fixd">fw</font> argument is pointed to one of these structures:<br>
<pre>
struct firmware {
        size_t size;
        u8 *data;
};
</pre>
That structure contains the actual firmware, which can now be downloaded to the
device. Be aware that this firmware is unchecked data from user space; you should
apply any and all tests you can think of to convince yourself that it is a proper firmware
image before sending it to the hardware. Device firmware usually contains identification
strings, checksums, and so on; check them all before trusting the data.<br>
<br>
After you have sent the firmware to the device, you should release the in-kernel
structure with:<br>
<pre>
void release_firmware(struct firmware *fw);
</pre>
Since <i>request_firmware </i>asks user space to help, it is guaranteed to sleep before
returning. If your driver is not in a position to sleep when it must ask for firmware,
the asynchronous alternative may be used:<br>
<pre>
int request_firmware_nowait(struct module *module,
                            char *name, struct device *device, void *context,
                            void (*cont)(const struct firmware *fw, void *context));
</pre>
The additional arguments here are <font class="fixd">module</font> (which will almost always be <font class="fixd">THIS_MODULE</font>),
<font class="fixd">context</font> (a private data pointer that is not used by the firmware subsystem), and cont.
If all goes well, <i>request_firmware_nowait </i>begins the firmware load process and
returns 0. At some future time, cont will be called with the result of the load. If the
firmware load fails for some reason, <font class="fixd">fw</font> is <font class="fixd">NULL</font>.<br>
<br>
<A name="407"></a><font color="blue">PAGE 407</font><br>
<br>
<a name="HowItWorks"></a><font color="red"><b>How It Works</b></font><br>
<br>
The firmware subsystem works with sysfs and the hotplug mechanism. When a call
is made to <i>request_firmware</i>, a new directory is created under <i>/sys/class/firmware
</i>using your device's name. That directory contains three attributes:<br>
<br>
<font class="fixd">loading</font><br>
<div class="bq">
This attribute should be set to one by the user-space process that is loading the
firmware. When the load process is complete, it should be set to 0. Writing a
value of <font class="fixd">-1</font> to <font class="fixd">loading</font> aborts the firmware loading process.</div>
<br>
<font class="fixd">data</font><br>
<div class="bq">
<font class="fixd">data</font> is a binary attribute that receives the firmware data itself. After setting
<font class="fixd">loading,</font> the user-space process should write the firmware to this attribute.</div>
<br>
<font class="fixd">device</font><br>
<div class="bq">
This attribute is a symbolic link to the associated entry under <i>/sys/devices</i>.</div>
<br>
Once the sysfs entries have been created, the kernel generates a hotplug event for
your device. The environment passed to the hotplug handler includes a variable
<font class="fixd">FIRMWARE,</font> which is set to the name provided to <i>request_firmware</i>. The handler should
locate the firmware file, and copy it into the kernel using the attributes provided. If
the file cannot be found, the handler should set the <i>loading</i> attribute to <font class="fixd">-1.</font><br>
<br>
If a firmware request is not serviced within 10 seconds, the kernel gives up and
returns a failure status to the driver. That time-out period can be changed via the
sysfs attribute <i>/sys/class/firmware/timeout</i>.<br>
<br>
Using the <i>request_firmware </i>interface allows you to distribute the device firmware
with your driver. When properly integrated into the hotplug mechanism, the firmware
loading subsystem allows devices to simply work "out of the box." It is clearly
the best way of handling the problem.<br>
<br>
Please indulge us as we pass on one more warning, however: device firmware should
not be distributed without the permission of the manufacturer. Many manufacturers
will agree to license their firmware under reasonable terms when asked politely;
some others can be less cooperative. Either way, copying and distributing their firmware
without permission is a violation of copyright law and an invitation for trouble.<br>
<br>
<a name="QuickReference14"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
Many functions have been introduced in this chapter; here is a quick summary of
them all.<br>
<br>
<A name="408"></a><font color="blue">PAGE 408</font><br>
<br>
<a name="Kobjects"></a><font color="red"><b>Kobjects</b></font><br>
<br>
<font class="fixd">#include &lt;linux/kobject.h&gt;</font><br>
<div class="bq">
The include file containing definitions for kobjects, related structures, and
functions.</div>
<br>
<font class="fixd">void kobject_init(struct kobject *kobj);<br>
int kobject_set_name(struct kobject *kobj, const char *format, ...);</font><br>
<div class="bq">
Functions for kobject initialization.</div>
<br>
<font class="fixd">struct kobject *kobject_get(struct kobject *kobj);<br>
void kobject_put(struct kobject *kobj);</font><br>
<div class="bq">
Functions that manage reference counts for kobjects.</div>
<br>
<font class="fixd">struct kobj_type;<br>
struct kobj_type *get_ktype(struct kobject *kobj);</font><br>
<div class="bq">
Represents the type of structure within which a kobject is embedded. Use
<i>get_ktype</i> to get the <font class="fixd">kobj_type</font> associated with a given kobject.</div>
<br>
<font class="fixd">int kobject_add(struct kobject *kobj);<br>
extern int kobject_register(struct kobject *kobj);<br>
void kobject_del(struct kobject *kobj);<br>
void kobject_unregister(struct kobject *kobj);</font><br>
<div class="bq">
<i>kobject_add </i>adds a kobject to the system, handling kset membership, sysfs representation, and
hotplug event generation. <i>kobject_register </i>is a convenience function
that combines <i>kobject_init </i>and <i>kobject_add</i>. Use <i>kobject_del </i>to remove a
kobject or <i>kobject_unregister</i>, which combines <i>kobject_del</i> and <i>kobject_put</i>.</div>
<br>
<font class="fixd">void kset_init(struct kset *kset);<br>
int kset_add(struct kset *kset);<br>
int kset_register(struct kset *kset);<br>
void kset_unregister(struct kset *kset);</font><br>
<div class="bq">
Initialization and registration functions for ksets.</div>
<br>
<font class="fixd">decl_subsys(name, type, hotplug_ops);</font><br>
<div class="bq">
A macro that makes it easier to declare subsystems.</div>
<br>
<font class="fixd">void subsystem_init(struct subsystem *subsys);<br>
int subsystem_register(struct subsystem *subsys);<br>
void subsystem_unregister(struct subsystem *subsys);<br>
struct subsystem *subsys_get(struct subsystem *subsys)<br>
void subsys_put(struct subsystem *subsys);</font><br>
<div class="bq">
Operations on subsystems.</div>
<br>
<A name="409"></a><font color="blue">PAGE 409</font><br>
<br>
<a name="SysfsOperations"></a><font color="red"><b>Sysfs Operations</b></font><br>
<br>
<font class="fixd">#include &lt;linux/sysfs.h&gt;</font><br>
<div class="bq">
The include file containing declarations for sysfs.</div>
<br>
<font class="fixd">int sysfs_create_file(struct kobject *kobj, struct attribute *attr);<br>
int sysfs_remove_file(struct kobject *kobj, struct attribute *attr);<br>
int sysfs_create_bin_file(struct kobject *kobj, struct bin_attribute *attr);<br>
int sysfs_remove_bin_file(struct kobject *kobj, struct bin_attribute *attr);<br>
int sysfs_create_link(struct kobject *kobj, struct kobject *target, char *name);<br>
void sysfs_remove_link(struct kobject *kobj, char *name);</font><br>
<div class="bq">
Functions for creating and removing attribute files associated with a kobject.</div>
<br>
<a name="BusesDevicesAndDrivers2"></a><font color="red"><b>Buses, Devices, and Drivers</b></font><br>
<br>
<font class="fixd">int bus_register(struct bus_type *bus);<br>
void bus_unregister(struct bus_type *bus);</font><br>
<div class="bq">
Functions that perform registration and unregistration of buses in the device
model.</div>
<br>
<font class="fixd">int bus_for_each_dev(struct bus_type *bus, struct device *start, void *data, int (*fn)(struct device *, void *));<br>
int bus_for_each_drv(struct bus_type *bus, struct device_driver *start, void *data, int (*fn)(struct device_driver *, void *));</font><br>
<div class="bq">
Functions that iterate over each of the devices and drivers, respectively, that are
attached to the given bus.</div>
<br>
<font class="fixd">BUS_ATTR(name, mode, show, store);<br>
int bus_create_file(struct bus_type *bus, struct bus_attribute *attr);<br>
void bus_remove_file(struct bus_type *bus, struct bus_attribute *attr);</font><br>
<div class="bq">
The <i><font class="fixd">BUS_ATTR</font> </i>macro may be used to declare a <font class="fixd">bus_attribute</font> structure, which
may then be added and removed with the above two functions.</div>
<br>
<font class="fixd">int device_register(struct device *dev);<br>
void device_unregister(struct device *dev);</font><br>
<div class="bq">
Functions that handle device registration.</div>
<br>
<font class="fixd">DEVICE_ATTR(name, mode, show, store);<br>
int device_create_file(struct device *device, struct device_attribute *entry);<br>
void device_remove_file(struct device *dev, struct device_attribute *attr);</font><br>
<div class="bq">
Macros and functions that deal with device attributes.</div>
<br>
<A name="410"></a><font color="blue">PAGE 410</font><br>
<br>
<font class="fixd">int driver_register(struct device_driver *drv);<br>
void driver_unregister(struct device_driver *drv);</font><br>
<div class="bq">
Functions that register and unregister a device driver.</div>
<br>
<font class="fixd">DRIVER_ATTR(name, mode, show, store);<br>
int driver_create_file(struct device_driver *drv, struct driver_attribute *attr);<br>
void driver_remove_file(struct device_driver *drv, struct driver_attribute *attr);</font><br>
<div class="bq">
Macros and functions that manage driver attributes.</div>
<br>
<a name="Classes2"></a><font color="red"><b>Classes</b></font><br>
<br>
<font class="fixd">struct class_simple *class_simple_create(struct module *owner, char *name);<br>
void class_simple_destroy(struct class_simple *cs);<br>
struct class_device *class_simple_device_add(struct class_simple *cs, dev_t devnum, struct device *device, const char *fmt, ...);<br>
void class_simple_device_remove(dev_t dev);<br>
int class_simple_set_hotplug(struct class_simple *cs, int (*hotplug)(struct class_device *dev, char **envp, int num_envp, char *buffer, int buffer_size));</font><br>
<div class="bq">
Functions that implement the <font class="fixd">class_simple</font> interface; they manage simple class
entries containing a dev attribute and little else.</div>
<br>
<font class="fixd">int class_register(struct class *cls);<br>
void class_unregister(struct class *cls);</font><br>
<div class="bq">
Registration and unregistration of classes.</div>
<br>
<font class="fixd">CLASS_ATTR(name, mode, show, store);<br>
int class_create_file(struct class *cls, const struct class_attribute *attr);<br>
void class_remove_file(struct class *cls, const struct class_attribute *attr);</font><br>
<div class="bq">
The usual macros and functions for dealing with class attributes.</div>
<br>
<font class="fixd">int class_device_register(struct class_device *cd);<br>
void class_device_unregister(struct class_device *cd);<br>
int class_device_rename(struct class_device *cd, char *new_name);<br>
CLASS_DEVICE_ATTR(name, mode, show, store);<br>
int class_device_create_file(struct class_device *cls, const struct class_device_attribute *attr);<br>
void class_device_remove_file(struct class_device *cls, const struct class_device_attribute *attr);</font><br>
<div class="bq">
Functions and macros that implement the class device interface.</div>
<br>
<font class="fixd">int class_interface_register(struct class_interface *intf);<br>
void class_interface_unregister(struct class_interface *intf);</font><br>
<div class="bq">
Functions that add an interface to a class (or remove it).</div>
<br>
<A name="411"></a><font color="blue">PAGE 411</font><br>
<br>
<a name="Firmware"></a><font color="red"><b>Firmware</b></font><br>
<br>
<font class="fixd">#include &lt;linux/firmware.h&gt;<br>
int request_firmware(const struct firmware **fw, char *name, struct device *device);<br>
int request_firmware_nowait(struct module *module, char *name, struct device *device, void *context, void (*cont)(const struct firmware *fw, void *context));<br>
void release_firmware(struct firmware *fw);</font><br>
<div class="bq">
Functions that implement the kernel firmware-loading interface.</div>
<br>
<A name="412"></a><font color="blue">PAGE 412</font><br>
<br>
<a name="CHAPTER15"></a><font color="red"><b>CHAPTER 15</b></font><br>
<br>
<a name="MemoryMappingbrandDMA"></a><font color="#7519FF" size="+1"><b>Memory Mapping and DMA</b></font><br>
<br>
This chapter delves into the area of Linux memory management, with an emphasis
on techniques that are useful to the device driver writer. Many types of driver programming
require some understanding of how the virtual memory subsystem works;
the material we cover in this chapter comes in handy more than once as we get into
some of the more complex and performance-critical subsystems. The virtual memory
subsystem is also a highly interesting part of the core Linux kernel and, therefore,
it merits a look.<br>
<br>
The material in this chapter is divided into three sections:<br>
<ul>
<li> The first covers the implementation of the <i>mmap </i>system call, which allows the
mapping of device memory directly into a user process's address space. Not all
devices require <i>mmap </i>support, but, for some, mapping device memory can yield
significant performance improvements.
<li> We then look at crossing the boundary from the other direction with a discussion of direct access to user-space pages. Relatively few drivers need this capability;
in many cases, the kernel performs this sort of mapping without the driver
even being aware of it. But an awareness of how to map user-space memory into
the kernel (with <i>get_user_pages</i>) can be useful.
<li> The final section covers direct memory access (DMA) I/O operations, which provide peripherals with direct access to system memory.
</ul>
Of course, all of these techniques require an understanding of how Linux memory
management works, so we start with an overview of that subsystem.<br>
<br>
<a name="MemoryManagementInLinux"></a><font color="red"><b>Memory Management in Linux</b></font><br>
<br>
Rather than describing the theory of memory management in operating systems, this
section tries to pinpoint the main features of the Linux implementation. Although
you do not need to be a Linux virtual memory guru to implement <i>mmap</i>, a basic
overview of how things work is useful. What follows is a fairly lengthy description of<br>
<br>
<A name="413"></a><font color="blue">PAGE 413</font><br>
<br>
the data structures used by the kernel to manage memory. Once the necessary background
has been covered, we can get into working with these structures.<br>
<br>
<a name="AddressTypes"></a><font color="red"><b>Address Types</b></font><br>
<br>
Linux is, of course, a virtual memory system, meaning that the addresses seen by
user programs do not directly correspond to the physical addresses used by the hardware.
Virtual memory introduces a layer of indirection that allows a number of nice
things. With virtual memory, programs running on the system can allocate far more
memory than is physically available; indeed, even a single process can have a virtual
address space larger than the system's physical memory. Virtual memory also allows
the program to play a number of tricks with the process's address space, including
mapping the program's memory to device memory.<br>
<br>
Thus far, we have talked about virtual and physical addresses, but a number of the
details have been glossed over. The Linux system deals with several types of
addresses, each with its own semantics. Unfortunately, the kernel code is not always
very clear on exactly which type of address is being used in each situation, so the
programmer must be careful.<br>
<br>
The following is a list of address types used in Linux. Figure 15-1 shows how these
address types relate to physical memory.<br>
<br>
<i>User virtual addresses</i><br>
<div class="bq">
These are the regular addresses seen by user-space programs. User addresses are
either 32 or 64 bits in length, depending on the underlying hardware architecture,
and each process has its own virtual address space.</div>
<br>
<i>Physical addresses</i><br>
<div class="bq">
The addresses used between the processor and the system's memory. Physical
addresses are 32- or 64-bit quantities; even 32-bit systems can use larger physical
addresses in some situations.</div>
<br>
<i>Bus addresses</i><br>
<div class="bq">
The addresses used between peripheral buses and memory. Often, they are the
same as the physical addresses used by the processor, but that is not necessarily
the case. Some architectures can provide an I/O memory management unit
(IOMMU) that remaps addresses between a bus and main memory. An IOMMU
can make life easier in a number of ways (making a buffer scattered in memory
appear contiguous to the device, for example), but programming the IOMMU is
an extra step that must be performed when setting up DMA operations. Bus
addresses are highly architecture dependent, of course.</div>
<br>
<i>Kernel logical addresses</i><br>
<div class="bq">
These make up the normal address space of the kernel. These addresses map
some portion (perhaps all) of main memory and are often treated as if they were
physical addresses. On most architectures, logical addresses and their associated</div>
<br>
<A name="414"></a><font color="blue">PAGE 414</font><br>
<br>
<div class="bq">physical addresses differ only by a constant offset. Logical addresses use the
hardware's native pointer size and, therefore, may be unable to address all of
physical memory on heavily equipped 32-bit systems. Logical addresses are usually
stored in variables of type <font class="fixd">unsigned long</font> or <font class="fixd">void *.</font> Memory returned from
<i>kmalloc</i> has a kernel logical address.</div>
<br>
<i>Kernel virtual addresses</i><br>
<div class="bq">
Kernel virtual addresses are similar to logical addresses in that they are a mapping
from a kernel-space address to a physical address. Kernel virtual addresses
do not necessarily have the linear, one-to-one mapping to physical addresses that
characterize the logical address space, however. All logical addresses <i>are </i>kernel
virtual addresses, but many kernel virtual addresses are not logical addresses.
For example, memory allocated by <i>vmalloc </i>has a virtual address (but no direct
physical mapping). The <i>kmap </i>function (described later in this chapter) also
returns virtual addresses. Virtual addresses are usually stored in pointer variables.</div>
<br><br>
<center>
<img src="fig15-1.gif">
</center>
<br>
<i>Figure 15-1. Address types used in Linux</i><br>
<br>
If you have a logical address, the macro <i>__pa( ) </i>(defined in <i>&lt;asm/page.h&gt;</i>) returns its
associated physical address. Physical addresses can be mapped back to logical
addresses with <i>__va( )</i>, but only for low-memory pages.<br>
<br>
<A name="415"></a><font color="blue">PAGE 415</font><br>
<br>
Different kernel functions require different types of addresses. It would be nice if
there were different C types defined, so that the required address types were explicit,
but we have no such luck. In this chapter, we try to be clear on which types of
addresses are used where.<br>
<br>
<a name="PhysicalAddressesAndPages"></a><font color="red"><b>Physical Addresses and Pages</b></font><br>
<br>
Physical memory is divided into discrete units called <i>pages</i>. Much of the system's
internal handling of memory is done on a per-page basis. Page size varies from one
architecture to the next, although most systems currently use 4096-byte pages. The
constant <font class="fixd">PAGE_SIZE</font> (defined in <i>&lt;asm/page.h&gt;</i>) gives the page size on any given
architecture.<br>
<br>
If you look at a memory address--virtual or physical--it is divisible into a page number
and an offset within the page. If 4096-byte pages are being used, for example, the
12 least-significant bits are the offset, and the remaining, higher bits indicate the
page number. If you discard the offset and shift the rest of an offset to the right, the
result is called a <i>page frame number </i>(PFN). Shifting bits to convert between page
frame numbers and addresses is a fairly common operation; the macro <font class="fixd">PAGE_SHIFT</font>
tells how many bits must be shifted to make this conversion.<br>
<br>
<a name="HighAndLowMemory"></a><font color="red"><b>High and Low Memory</b></font><br>
<br>
The difference between logical and kernel virtual addresses is highlighted on 32-bit
systems that are equipped with large amounts of memory. With 32 bits, it is possible
to address 4 GB of memory. Linux on 32-bit systems has, until recently, been limited
to substantially less memory than that, however, because of the way it sets up
the virtual address space.<br>
<br>
The kernel (on the x86 architecture, in the default configuration) splits the 4-GB virtual
address space between user-space and the kernel; the same set of mappings is
used in both contexts. A typical split dedicates 3 GB to user space, and 1 GB for kernel
space.* The kernel's code and data structures must fit into that space, but the biggest
consumer of kernel address space is virtual mappings for physical memory. The
kernel cannot directly manipulate memory that is not mapped into the kernel's
address space. The kernel, in other words, needs its own virtual address for any
memory it must touch directly. Thus, for many years, the maximum amount of physical
memory that could be handled by the kernel was the amount that could be
mapped into the kernel's portion of the virtual address space, minus the space<br>
<br>
* Many non-x86 architectures are able to efficiently do without the kernel/user-space split described here, so 
they can work with up to a 4-GB kernel address space on 32-bit systems. The constraints described in this
section still apply to such systems when more than 4 GB of memory are installed, however.<br>
<br>
<A name="416"></a><font color="blue">PAGE 416</font><br>
<br>
needed for the kernel code itself. As a result, x86-based Linux systems could work
with a maximum of a little under 1 GB of physical memory.<br>
<br>
In response to commercial pressure to support more memory while not breaking 32bit
application and the system's compatibility, the processor manufacturers have
added "address extension" features to their products. The result is that, in many
cases, even 32-bit processors can address more than 4 GB of physical memory. The
limitation on how much memory can be directly mapped with logical addresses
remains, however. Only the lowest portion of memory (up to 1 or 2 GB, depending
on the hardware and the kernel configuration) has logical addresses;* the rest (high
memory) does not. Before accessing a specific high-memory page, the kernel must set
up an explicit virtual mapping to make that page available in the kernel's address
space. Thus, many kernel data structures must be placed in low memory; high memory
tends to be reserved for user-space process pages.<br>
<br>
The term "high memory" can be confusing to some, especially since it has other
meanings in the PC world. So, to make things clear, we'll define the terms here:<br>
<br>
<i>Low memory</i><br>
<div class="bq">
Memory for which logical addresses exist in kernel space. On almost every system
you will likely encounter, all memory is low memory.</div>
<br>
<i>High memory</i><br>
<div class="bq">
Memory for which logical addresses do not exist, because it is beyond the
address range set aside for kernel virtual addresses.</div>
<br>
On i386 systems, the boundary between low and high memory is usually set at just
under 1 GB, although that boundary can be changed at kernel configuration time.
This boundary is not related in any way to the old 640 KB limit found on the original
PC, and its placement is not dictated by the hardware. It is, instead, a limit set by
the kernel itself as it splits the 32-bit address space between kernel and user space.<br>
<br>
We will point out limitations on the use of high memory as we come to them in this
chapter.<br>
<br>
<a name="TheMemoryMapAndStructPage"></a><font color="red"><b>The Memory Map and Struct Page</b></font><br>
<br>
Historically, the kernel has used logical addresses to refer to pages of physical memory.
The addition of high-memory support, however, has exposed an obvious problem
with that approach--logical addresses are not available for high memory.
Therefore, kernel functions that deal with memory are increasingly using pointers to
struct page (defined in <i>&lt;linux/mm.h&gt;</i>) instead. This data structure is used to keep
track of just about everything the kernel needs to know about physical memory;<br>
<br>
* The 2.6 kernel (with an added patch) can support a "4G/4G" mode on x86 hardware, which enables 
larger kernel and user virtual address spaces at a mild performance cost.<br>
<br>
<A name="417"></a><font color="blue">PAGE 417</font><br>
<br>
there is one <font class="fixd">struct page</font> for each physical page on the system. Some of the fields of
this structure include the following:<br>
<br>
<font class="fixd">atomic_t count;</font><br>
<div class="bq">
The number of references there are to this page. When the count drops to 0, the
page is returned to the free list.</div>
<br>
<font class="fixd">void *virtual;</font><br>
<div class="bq">
The kernel virtual address of the page, if it is mapped; <font class="fixd">NULL</font>, otherwise. Low memory
pages are always mapped; high-memory pages usually are not. This
field does not appear on all architectures; it generally is compiled only where the
kernel virtual address of a page cannot be easily calculated. If you want to look
at this field, the proper method is to use the <i>page_address </i>macro, described
below.</div>
<br>
<font class="fixd">unsigned long flags;</font><br>
<div class="bq">
A set of bit flags describing the status of the page. These include <font class="fixd">PG_locked,</font>
which indicates that the page has been locked in memory, and <font class="fixd">PG_reserved,</font>
which prevents the memory management system from working with the page at
all.</div>
<br>
There is much more information within <font class="fixd">struct page</font>, but it is part of the deeper
black magic of memory management and is not of concern to driver writers.<br>
<br>
The kernel maintains one or more arrays of <font class="fixd">struct page</font> entries that track all of the
physical memory on the system. On some systems, there is a single array called <font class="fixd">mem_map</font>.
On some systems, however, the situation is more complicated. Nonuniform memory
access (NUMA) systems and those with widely discontiguous physical memory may
have more than one memory map array, so code that is meant to be portable should
avoid direct access to the array whenever possible. Fortunately, it is usually quite easy to
just work with <font class="fixd">struct page</font> pointers without worrying about where they come from.<br>
<br>
Some functions and macros are defined for translating between <font class="fixd">struct page</font> pointers
and virtual addresses:<br>
<br>
<font class="fixd">struct page *virt_to_page(void *kaddr);</font><br>
<div class="bq">
This macro, defined in <i>&lt;asm/page.h&gt;</i>, takes a kernel logical address and returns
its associated <font class="fixd">struct page</font> pointer. Since it requires a logical address, it does not
work with memory from <i>vmalloc</i> or high memory.</div>
<br>
<font class="fixd">struct page *pfn_to_page(int pfn);</font><br>
<div class="bq">
Returns the <font class="fixd">struct page</font> pointer for the given page frame number. If necessary,
it checks a page frame number for validity with <i>pfn_valid </i>before passing it to
<i>pfn_to_page</i>.</div>
<br>
<font class="fixd">void *page_address(struct page *page);</font><br>
<div class="bq">
Returns the kernel virtual address of this page, if such an address exists. For high
memory, that address exists only if the page has been mapped. This function is</div>
<br>
<A name="418"></a><font color="blue">PAGE 418</font><br>
<br>
<div class="bq">defined in <i>&lt;linux/mm.h&gt;</i>. In most situations, you want to use a version of <i>kmap
</i>rather than <i>page_address</i>.</div>
<br>
<font class="fixd">#include &lt;linux/highmem.h&gt;<br>
void *kmap(struct page *page);<br>
void kunmap(struct page *page);</font><br>
<div class="bq">
<i>kmap </i>returns a kernel virtual address for any page in the system. For low-memory
pages, it just returns the logical address of the page; for high-memory pages,
<i>kmap </i>creates a special mapping in a dedicated part of the kernel address space.
Mappings created with <i>kmap </i>should always be freed with <i>kunmap</i>; a limited
number of such mappings is available, so it is better not to hold on to them for
too long. <i>kmap </i>calls maintain a counter, so if two or more functions both call
<i>kmap </i>on the same page, the right thing happens. Note also that <i>kmap </i>can sleep
if no mappings are available.</div>
<br>
<font class="fixd">#include &lt;linux/highmem.h&gt;<br>
#include &lt;asm/kmap_types.h&gt;<br>
void *kmap_atomic(struct page *page, enum km_type type);<br>
void kunmap_atomic(void *addr, enum km_type type);</font><br>
<div class="bq">
<i>kmap_atomic </i>is a high-performance form of <i>kmap</i>. Each architecture maintains a
small list of slots (dedicated page table entries) for atomic kmaps; a caller of
<i>kmap_atomic </i>must tell the system which of those slots to use in the type argument.
The only slots that make sense for drivers are <font class="fixd">KM_USER0</font> and <font class="fixd">KM_USER1</font> (for
code running directly from a call from user space), and <font class="fixd">KM_IRQ0</font> and <font class="fixd">KM_IRQ1</font> (for
interrupt handlers). Note that atomic kmaps must be handled atomically; your
code cannot sleep while holding one. Note also that nothing in the kernel keeps
two functions from trying to use the same slot and interfering with each other
(although there is a unique set of slots for each CPU). In practice, contention for
atomic kmap slots seems to not be a problem.</div>
<br>
We see some uses of these functions when we get into the example code, later in this
chapter and in subsequent chapters.<br>
<br>
<a name="PageTables"></a><font color="red"><b>Page Tables</b></font><br>
<br>
On any modern system, the processor must have a mechanism for translating virtual
addresses into its corresponding physical addresses. This mechanism is called a <i>page
table</i>; it is essentially a multilevel tree-structured array containing virtual-to-physical
mappings and a few associated flags. The Linux kernel maintains a set of page tables
even on architectures that do not use such tables directly.<br>
<br>
A number of operations commonly performed by device drivers can involve manipulating
page tables. Fortunately for the driver author, the 2.6 kernel has eliminated
any need to work with page tables directly. As a result, we do not describe them in
any detail; curious readers may want to have a look at <i>Understanding The Linux Kernel</i>
by Daniel P. Bovet and Marco Cesati (O'Reilly) for the full story.<br>
<br>
<A name="419"></a><font color="blue">PAGE 419</font><br>
<br>
<a name="VirtualMemoryAreas"></a><font color="red"><b>Virtual Memory Areas</b></font><br>
<br>
The virtual memory area (VMA) is the kernel data structure used to manage distinct
regions of a process's address space. A VMA represents a homogeneous region in the
virtual memory of a process: a contiguous range of virtual addresses that have the
same permission flags and are backed up by the same object (a file, say, or swap
space). It corresponds loosely to the concept of a "segment," although it is better
described as "a memory object with its own properties." The memory map of a process
is made up of (at least) the following areas:<br>
<ul>
<li> An area for the program's executable code (often called text)
<li> Multiple areas for data, including initialized data (that which has an explicitly
assigned value at the beginning of execution), uninitialized data (BSS),* and the
program stack
<li> One area for each active memory mapping
</ul>
The memory areas of a process can be seen by looking in <i>/proc/&lt;pid/maps&gt; </i>(in which
<i>pid</i>, of course, is replaced by a process ID). <i>/proc/self </i>is a special case of <i>/proc/pid</i>,
because it always refers to the current process. As an example, here are a couple of
memory maps (to which we have added short comments in italics):<br>
<pre>
# <b>cat /proc/1/maps</b>
<i>look at init</i>
08048000-0804e000 r-xp 00000000 03:01 64652      /sbin/init <i>text</i>
0804e000-0804f000 rw-p 00006000 03:01 64652      /sbin/init <i>data</i>
0804f000-08053000 rwxp 00000000 00:00 0          <i>zero-mapped BSS</i>
40000000-40015000 r-xp 00000000 03:01 96278      /lib/ld-2.3.2.so <i>text</i>
40015000-40016000 rw-p 00014000 03:01 96278      /lib/ld-2.3.2.so <i>data</i>
40016000-40017000 rw-p 00000000 00:00 0          <i>BSS for ld.so</i>
42000000-4212e000 r-xp 00000000 03:01 80290      /lib/tls/libc-2.3.2.so <i>text</i>
4212e000-42131000 rw-p 0012e000 03:01 80290      /lib/tls/libc-2.3.2.so <i>data</i>
42131000-42133000 rw-p 00000000 00:00 0          <i>BSS for libc</i>
bffff000-c0000000 rwxp 00000000 00:00 0          <i>Stack segment</i>
ffffe000-fffff000 ---p 00000000 00:00 0          <i>vsyscall page</i>

# rsh wolf cat /proc/self/maps  #### x86-64 (trimmed)
00400000-00405000 r-xp 00000000 03:01 1596291     /bin/cat <i>text</i>
00504000-00505000 rw-p 00004000 03:01 1596291     /bin/cat <i>data</i>
00505000-00526000 rwxp 00505000 00:00 0                    <i>bss</i>
3252200000-3252214000 r-xp 00000000 03:01 1237890 /lib64/ld-2.3.3.so
3252300000-3252301000 r--p 00100000 03:01 1237890 /lib64/ld-2.3.3.so
3252301000-3252302000 rw-p 00101000 03:01 1237890 /lib64/ld-2.3.3.so
7fbfffe000-7fc0000000 rw-p 7fbfffe000 00:00 0              <i>stack</i>
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0    <i>vsyscall</i>
</pre>
The fields in each line are:<br>
<pre>
<i>start</i>-<i>end perm offset major</i>:<i>minor inode image</i>
</pre>
* The name <i>BSS </i>is a historical relic from an old assembly operator meaning "block started by symbol." 
The BSS segment of executable files isn't stored on disk, and the kernel maps the zero page to the BSS address
range.<br>
<br>
<A name="420"></a><font color="blue">PAGE 420</font><br>
<br>
Each field in <i>/proc/*/maps </i>(except the image name) corresponds to a field in struct
<font class="fixd">vm_area_struct:</font><br>
<br>
<font class="fixd">start<br>
end</font><br>
<div class="bq">
The beginning and ending virtual addresses for this memory area.</div>
<br>
<font class="fixd">perm</font><br>
<div class="bq">
A bit mask with the memory area's read, write, and execute permissions. This
field describes what the process is allowed to do with pages belonging to the
area. The last character in the field is either <font class="fixd">p</font> for "private" or <font class="fixd">s</font> for "shared."</div>
<br>
<font class="fixd">offset</font><br>
<div class="bq">
Where the memory area begins in the file that it is mapped to. An offset of 0
means that the beginning of the memory area corresponds to the beginning of
the file.</div>
<br>
<font class="fixd">major<br>
minor</font><br>
<div class="bq">
The major and minor numbers of the device holding the file that has been
mapped. Confusingly, for device mappings, the major and minor numbers refer
to the disk partition holding the device special file that was opened by the user,
and not the device itself.</div>
<br>
<font class="fixd">inode</font><br>
<div class="bq">
The <font class="fixd">inode</font> number of the mapped file.</div>
<br>
<font class="fixd">image</font><br>
<div class="bq">
The name of the file (usually an executable image) that has been mapped.</div>
<br>
<a name="TheVmareastructStructure"></a><font color="red"><b>The <font class="fixd">vm_area_struct</font> structure</b></font><br>
<br>
When a user-space process calls <i>mmap </i>to map device memory into its address space,
the system responds by creating a new VMA to represent that mapping. A driver that
supports <i>mmap </i>(and, thus, that implements the <i>mmap </i>method) needs to help that
process by completing the initialization of that VMA. The driver writer should, therefore,
have at least a minimal understanding of VMAs in order to support <i>mmap</i>.<br>
<br>
Let's look at the most important fields in struct <font class="fixd">vm_area_struct</font> (defined in <i>&lt;linux/
mm.h&gt;</i>). These fields may be used by device drivers in their <i>mmap </i>implementation.
Note that the kernel maintains lists and trees of VMAs to optimize area lookup, and
several fields of <font class="fixd">vm_area_struct</font> are used to maintain this organization. Therefore,
VMAs can't be created at will by a driver, or the structures break. The main fields of<br>
<br>
<A name="421"></a><font color="blue">PAGE 421</font><br>
<br>
VMAs are as follows (note the similarity between these fields and the <i>/proc </i>output we
just saw):<br>
<br>
<font class="fixd">unsigned long vm_start;<br>
unsigned long vm_end;</font><br>
<div class="bq">
The virtual address range covered by this VMA. These fields are the first two
fields shown in <i>/proc/*/maps</i>.</div>
<br>
<font class="fixd">struct file *vm_file;</font><br>
<div class="bq">
A pointer to the <font class="fixd">struct file</font> structure associated with this area (if any).</div>
<br>
<font class="fixd">unsigned long vm_pgoff;</font><br>
<div class="bq">
The offset of the area in the file, in pages. When a file or device is mapped, this is
the file position of the first page mapped in this area.</div>
<br>
<font class="fixd">unsigned long vm_flags;</font><br>
<div class="bq">
A set of flags describing this area. The flags of the most interest to device driver
writers are <font class="fixd">VM_IO</font> and <font class="fixd">VM_RESERVED</font>. <font class="fixd">VM_IO</font> marks a VMA as being a memory-mapped
I/O region. Among other things, the <font class="fixd">VM_IO</font> flag prevents the region from
being included in process core dumps. <font class="fixd">VM_RESERVED</font> tells the memory management
system not to attempt to swap out this VMA; it should be set in most
device mappings.</div>
<br>
<font class="fixd">struct vm_operations_struct *vm_ops;</font><br>
<div class="bq">
A set of functions that the kernel may invoke to operate on this memory area. Its
presence indicates that the memory area is a kernel "object," like the <font class="fixd">struct file</font>
we have been using throughout the book.</div>
<br>
<font class="fixd">void *vm_private_data;</font><br>
<div class="bq">
A field that may be used by the driver to store its own information.</div>
<br>
Like struct <font class="fixd">vm_area_struct,</font> the <font class="fixd">vm_operations_struct</font> is defined in <i>&lt;linux/mm.h&gt;</i>; it
includes the operations listed below. These operations are the only ones needed to
handle the process's memory needs, and they are listed in the order they are
declared. Later in this chapter, some of these functions are implemented.<br>
<br>
<font class="fixd">void (*open)(struct vm_area_struct *vma);</font><br>
<div class="bq">
The <i>open </i>method is called by the kernel to allow the subsystem implementing
the VMA to initialize the area. This method is invoked any time a new reference
to the VMA is made (when a process forks, for example). The one exception
happens when the VMA is first created by <i>mmap</i>; in this case, the driver's <i>mmap
</i>method is called instead.</div>
<br>
<font class="fixd">void (*close)(struct vm_area_struct *vma);</font><br>
<div class="bq">
When an area is destroyed, the kernel calls its <i>close </i>operation. Note that there's
no usage count associated with VMAs; the area is opened and closed exactly
once by each process that uses it.</div>
<br>
<A name="422"></a><font color="blue">PAGE 422</font><br>
<br>
<font class="fixd">struct page *(*nopage)(struct vm_area_struct *vma, unsigned long address, int *type);</font><br>
<div class="bq">
When a process tries to access a page that belongs to a valid VMA, but that is
currently not in memory, the <i>nopage </i>method is called (if it is defined) for the
related area. The method returns the <font class="fixd">struct page</font> pointer for the physical page
after, perhaps, having read it in from secondary storage. If the <i>nopage </i>method
isn't defined for the area, an empty page is allocated by the kernel.</div>
<br>
<font class="fixd">int (*populate)(struct vm_area_struct *vm, unsigned long address, unsigned long len, pgprot_t prot, unsigned long pgoff, int nonblock);</font><br>
<div class="bq">
This method allows the kernel to "prefault" pages into memory before they are
accessed by user space. There is generally no need for drivers to implement the
<i>populate</i> method.</div>
<br>
<a name="TheProcessMemoryMap"></a><font color="red"><b>The Process Memory Map</b></font><br>
<br>
The final piece of the memory management puzzle is the process memory map structure,
which holds all of the other data structures together. Each process in the system
(with the exception of a few kernel-space helper threads) has a <font class="fixd">struct mm_struct</font>
(defined in <i>&lt;linux/sched.h&gt;</i>) that contains the process's list of virtual memory areas,
page tables, and various other bits of memory management housekeeping information,
along with a semaphore (<font class="fixd">mmap_sem</font>) and a spinlock (<font class="fixd">page_table_lock</font>). The
pointer to this structure is found in the task structure; in the rare cases where a driver
needs to access it, the usual way is to use <font class="fixd">current-&gt;mm.</font> Note that the memory management
structure can be shared between processes; the Linux implementation of
threads works in this way, for example.<br>
<br>
That concludes our overview of Linux memory management data structures. With
that out of the way, we can now proceed to the implementation of the <i>mmap </i>system
call.<br>
<br>
<a name="TheMmapDeviceOperation"></a><font color="red"><b>The mmap Device Operation</b></font><br>
<br>
Memory mapping is one of the most interesting features of modern Unix systems. As
far as drivers are concerned, memory mapping can be implemented to provide user
programs with direct access to device memory.<br>
<br>
A definitive example of <i>mmap </i>usage can be seen by looking at a subset of the virtual
memory areas for the X Window System server:<br>
<pre>
<b>cat /proc/731/maps</b>
000a0000-000c0000 rwxs 000a0000 03:01 282652      /dev/mem
000f0000-00100000 r-xs 000f0000 03:01 282652      /dev/mem
00400000-005c0000 r-xp 00000000 03:01 1366927     /usr/X11R6/bin/Xorg
006bf000-006f7000 rw-p 001bf000 03:01 1366927     /usr/X11R6/bin/Xorg
2a95828000-2a958a8000 rw-s fcc00000 03:01 282652  /dev/mem
2a958a8000-2a9d8a8000 rw-s e8000000 03:01 282652  /dev/mem
...
</pre>
<A name="423"></a><font color="blue">PAGE 423</font><br>
<br>
The full list of the X server's VMAs is lengthy, but most of the entries are not of interest
here. We do see, however, four separate mappings of <i>/dev/mem</i>, which give some
insight into how the X server works with the video card. The first mapping is at
<font class="fixd">a0000,</font> which is the standard location for video RAM in the 640-KB ISA hole. Further
down, we see a large mapping at <font class="fixd">e8000000,</font> an address which is above the highest
RAM address on the system. This is a direct mapping of the video memory on the
adapter.<br>
<br>
These regions can also be seen in <i>/proc/iomem</i>:<br>
<pre>
000a0000-000bffff : Video RAM area
000c0000-000ccfff : Video ROM
000d1000-000d1fff : Adapter ROM
000f0000-000fffff : System ROM
d7f00000-f7efffff : PCI Bus #01
  e8000000-efffffff : 0000:01:00.0
fc700000-fccfffff : PCI Bus #01
  fcc00000-fcc0ffff : 0000:01:00.0
</pre>
Mapping a device means associating a range of user-space addresses to device memory.
Whenever the program reads or writes in the assigned address range, it is actually
accessing the device. In the X server example, using <i>mmap </i>allows quick and easy
access to the video card's memory. For a performance-critical application like this,
direct access makes a large difference.<br>
<br>
As you might suspect, not every device lends itself to the <i>mmap </i>abstraction; it makes
no sense, for instance, for serial ports and other stream-oriented devices. Another
limitation of <i>mmap </i>is that mapping is <font class="fixd">PAGE_SIZE</font> grained. The kernel can manage virtual
addresses only at the level of page tables; therefore, the mapped area must be a
multiple of <font class="fixd">PAGE_SIZE</font> and must live in physical memory starting at an address that is
a multiple of <font class="fixd">PAGE_SIZE</font>. The kernel forces size granularity by making a region slightly
bigger if its size isn't a multiple of the page size.<br>
<br>
These limits are not a big constraint for drivers, because the program accessing the
device is device dependent anyway. Since the program must know about how the
device works, the programmer is not unduly bothered by the need to see to details
like page alignment. A bigger constraint exists when ISA devices are used on some
non-x86 platforms, because their hardware view of ISA may not be contiguous. For
example, some Alpha computers see ISA memory as a scattered set of 8-bit, 16-bit,
or 32-bit items, with no direct mapping. In such cases, you can't use <i>mmap </i>at all.
The inability to perform direct mapping of ISA addresses to Alpha addresses is due
to the incompatible data transfer specifications of the two systems. Whereas early
Alpha processors could issue only 32-bit and 64-bit memory accesses, ISA can do
only 8-bit and 16-bit transfers, and there's no way to transparently map one protocol
onto the other.<br>
<br>
There are sound advantages to using <i>mmap </i>when it's feasible to do so. For instance,
we have already looked at the X server, which transfers a lot of data to and from<br>
<br>
<A name="424"></a><font color="blue">PAGE 424</font><br>
<br>
video memory; mapping the graphic display to user space dramatically improves the
throughput, as opposed to an <i>lseek</i>/<i>write </i>implementation. Another typical example
is a program controlling a PCI device. Most PCI peripherals map their control registers
to a memory address, and a high-performance application might prefer to have
direct access to the registers instead of repeatedly having to call <i>ioctl </i>to get its work
done.<br>
<br>
The <i>mmap </i>method is part of the <font class="fixd">file_operations</font> structure and is invoked when the
<i>mmap </i>system call is issued. With <i>mmap</i>, the kernel performs a good deal of work
before the actual method is invoked, and, therefore, the prototype of the method is
quite different from that of the system call. This is unlike calls such as <i>ioctl </i>and <i>poll</i>,
where the kernel does not do much before calling the method.<br>
<br>
The system call is declared as follows (as described in the <i>mmap(2)</i> manual page):<br>
<pre>
mmap (caddr_t addr, size_t len, int prot, int flags, int fd, off_t offset)
</pre>
On the other hand, the file operation is declared as:<br>
<pre>
int (*mmap) (struct file *filp, struct vm_area_struct *vma);
</pre>
The <font class="fixd">filp</font> argument in the method is the same as that introduced in Chapter 3, while
vma contains the information about the virtual address range that is used to access
the device. Therefore, much of the work has been done by the kernel; to implement
<i>mmap</i>, the driver only has to build suitable page tables for the address range and, if
necessary, replace <font class="fixd">vma-&gt;vm_ops</font> with a new set of operations.<br>
<br>
There are two ways of building the page tables: doing it all at once with a function
called <font class="fixd">remap_pfn_range</font> or doing it a page at a time via the <i>nopage </i>VMA method.
Each method has its advantages and limitations. We start with the "all at once"
approach, which is simpler. From there, we add the complications needed for a real world
implementation.<br>
<br>
<a name="UsingRemappfnrange"></a><font color="red"><b>Using remap_pfn_range</b></font><br>
<br>
The job of building new page tables to map a range of physical addresses is handled
by <i>remap_pfn_range</i> and <i>io_remap_page_range</i>, which have the following prototypes:<br>
<pre>
int remap_pfn_range(struct vm_area_struct *vma,
                     unsigned long virt_addr, unsigned long pfn,
                     unsigned long size, pgprot_t prot);
int io_remap_page_range(struct vm_area_struct *vma,
                        unsigned long virt_addr, unsigned long phys_addr,
                        unsigned long size, pgprot_t prot);
</pre>
<A name="425"></a><font color="blue">PAGE 425</font><br>
<br>
The value returned by the function is the usual 0 or a negative error code. Let's look
at the exact meaning of the function's arguments:<br>
<br>
<font class="fixd">vma</font><br>
<div class="bq">
The virtual memory area into which the page range is being mapped.</div>
<br>
<font class="fixd">virt_addr</font><br>
<div class="bq">
The user virtual address where remapping should begin. The function builds
page tables for the virtual address range between <font class="fixd">virt_addr</font> and <font class="fixd">virt_addr+size.</font></div>
<br>
<font class="fixd">pfn</font><br>
<div class="bq">
The page frame number corresponding to the physical address to which the virtual
address should be mapped. The page frame number is simply the physical
address right-shifted by <font class="fixd">PAGE_SHIFT</font> bits. For most uses, the <font class="fixd">vm_pgoff</font> field of the
VMA structure contains exactly the value you need. The function affects physical
addresses from <font class="fixd">(pfn&lt;&lt;PAGE_SHIFT)</font> to <font class="fixd">(pfn&lt;&lt;PAGE_SHIFT)+size.</font></div>
<br>
<font class="fixd">size</font><br>
<div class="bq">
The dimension, in bytes, of the area being remapped.</div>
<br>
<font class="fixd">prot</font><br>
<div class="bq">
The "protection" requested for the new VMA. The driver can (and should) use
the value found in <font class="fixd">vma-&gt;vm_page_prot.</font></div>
<br>
The arguments to <i>remap_pfn_range </i>are fairly straightforward, and most of them are
already provided to you in the VMA when your <i>mmap </i>method is called. You may be
wondering why there are two functions, however. The first (<i>remap_pfn_range</i>) is
intended for situations where pfn refers to actual system RAM, while <i>io_remap_
<font class="fixd">page_range</font> </i>should be used when <font class="fixd">phys_addr</font> points to I/O memory. In practice, the
two functions are identical on every architecture except the SPARC, and you see
<i>remap_pfn_range </i>used in most situations. In the interest of writing portable drivers,
however, you should use the variant of <i>remap_pfn_range </i>that is suited to your particular
situation.<br>
<br>
One other complication has to do with caching: usually, references to device memory
should not be cached by the processor. Often the system BIOS sets things up
properly, but it is also possible to disable caching of specific VMAs via the protection
field. Unfortunately, disabling caching at this level is highly processor dependent.
The curious reader may wish to look at the <i>pgprot_noncached </i>function from
<i>drivers/char/mem.c</i> to see what's involved. We won't discuss the topic further here.<br>
<br>
<a name="ASimpleImplementation"></a><font color="red"><b>A Simple Implementation</b></font><br>
<br>
If your driver needs to do a simple, linear mapping of device memory into a user address
space, <i>remap_pfn_range </i>is almost all you really need to do the job. The following code is<br>
<br>
<A name="426"></a><font color="blue">PAGE 426</font><br>
<br>
derived from <i>drivers/char/mem.c </i>and shows how this task is performed in a typical module
called <i>simple</i> (Simple Implementation Mapping Pages with Little Enthusiasm):<br>
<pre>
static int simple_remap_mmap(struct file *filp, struct vm_area_struct *vma)
{
    if (remap_pfn_range(vma, vma-&gt;vm_start, vm-&gt;vm_pgoff,
                vma-&gt;vm_end - vma-&gt;vm_start,
                vma-&gt;vm_page_prot))
        return -EAGAIN;

    vma-&gt;vm_ops = &amp;simple_remap_vm_ops;
    simple_vma_open(vma);
    return 0;
}
</pre>
As you can see, remapping memory just a matter of calling <i>remap_pfn_range </i>to create
the necessary page tables.<br>
<br>
<a name="AddingVMAOperations"></a><font color="red"><b>Adding VMA Operations</b></font><br>
<br>
As we have seen, the <font class="fixd">vm_area_struct</font> structure contains a set of operations that may
be applied to the VMA. Now we look at providing those operations in a simple way.
In particular, we provide <i>open </i>and <i>close </i>operations for our VMA. These operations
are called whenever a process opens or closes the VMA; in particular, the <i>open
</i>method is invoked anytime a process forks and creates a new reference to the VMA.
The <i>open </i>and <i>close </i>VMA methods are called in addition to the processing performed
by the kernel, so they need not reimplement any of the work done there. They exist
as a way for drivers to do any additional processing that they may require.<br>
<br>
As it turns out, a simple driver such as <i>simple </i>need not do any extra processing in
particular. So we have created <i>open </i>and <i>close </i>methods, which print a message to the
system log informing the world that they have been called. Not particularly useful,
but it does allow us to show how these methods can be provided, and see when they
are invoked.<br>
<br>
To this end, we override the default <font class="fixd">vma-&gt;vm_ops</font> with operations that call <i>printk</i>:<br>
<pre>
void simple_vma_open(struct vm_area_struct *vma)
{
    printk(KERN_NOTICE &quot;Simple VMA open, virt %lx, phys %lx\n&quot;,
            vma-&gt;vm_start, vma-&gt;vm_pgoff &lt;&lt; PAGE_SHIFT);
}

void simple_vma_close(struct vm_area_struct *vma)
{
    printk(KERN_NOTICE &quot;Simple VMA close.\n&quot;);
}

static struct vm_operations_struct simple_remap_vm_ops = {
    .open =  simple_vma_open,
    .close = simple_vma_close,
};
</pre>
<A name="427"></a><font color="blue">PAGE 427</font><br>
<br>
To make these operations active for a specific mapping, it is necessary to store a
pointer to <font class="fixd">simple_remap_vm_ops</font> in the <font class="fixd">vm_ops</font> field of the relevant VMA. This is usually
done in the <i>mmap </i>method. If you turn back to the <i>simple_remap_mmap </i>example,
you see these lines of code:<br>
<pre>
vma-&gt;vm_ops = &amp;simple_remap_vm_ops;
simple_vma_open(vma);
</pre>
Note the explicit call to <i>simple_vma_open</i>. Since the <i>open </i>method is not invoked on
the initial <i>mmap</i>, we must call it explicitly if we want it to run.<br>
<br>
<a name="MappingMemoryWithNopage"></a><font color="red"><b>Mapping Memory with nopage</b></font><br>
<br>
Although <i>remap_pfn_range </i>works well for many, if not most, driver <i>mmap </i>implementations,
sometimes it is necessary to be a little more flexible. In such situations,
an implementation using the <i>nopage</i> VMA method may be called for.<br>
<br>
One situation in which the <i>nopage </i>approach is useful can be brought about by the
<i>mremap </i>system call, which is used by applications to change the bounding addresses
of a mapped region. As it happens, the kernel does not notify drivers directly when a
mapped VMA is changed by <i>mremap</i>. If the VMA is reduced in size, the kernel can
quietly flush out the unwanted pages without telling the driver. If, instead, the VMA
is expanded, the driver eventually finds out by way of calls to <i>nopage </i>when mappings
must be set up for the new pages, so there is no need to perform a separate
notification. The <i>nopage </i>method, therefore, must be implemented if you want to
support the <i>mremap </i>system call. Here, we show a simple implementation of <i>nopage
</i>for the <i>simple</i> device.<br>
<br>
The <i>nopage</i> method, remember, has the following prototype:<br>
<pre>
struct page *(*nopage)(struct vm_area_struct *vma,
                       unsigned long address, int *type);
</pre>
When a user process attempts to access a page in a VMA that is not present in memory,
the associated <i>nopage </i>function is called. The <font class="fixd">address</font> parameter contains the virtual
address that caused the fault, rounded down to the beginning of the page. The
<i>nopage </i>function must locate and return the <font class="fixd">struct page</font> pointer that refers to the
page the user wanted. This function must also take care to increment the usage
count for the page it returns by calling the <i>get_page</i> macro:<br>
<pre>
 get_page(struct page *pageptr);
</pre>
This step is necessary to keep the reference counts correct on the mapped pages. The
kernel maintains this count for every page; when the count goes to 0, the kernel
knows that the page may be placed on the free list. When a VMA is unmapped, the
kernel decrements the usage count for every page in the area. If your driver does not
increment the count when adding a page to the area, the usage count becomes 0 prematurely,
and the integrity of the system is compromised.<br>
<br>
<A name="428"></a><font color="blue">PAGE 428</font><br>
<br>
The <i>nopage </i>method should also store the type of fault in the location pointed to by
the <font class="fixd">type</font> argument--but only if that argument is not <font class="fixd">NULL</font>. In device drivers, the
proper value for type will invariably be <font class="fixd">VM_FAULT_MINOR</font>.<br>
<br>
If you are using <i>nopage</i>, there is usually very little work to be done when <i>mmap </i>is
called; our version looks like this:<br>
<pre>
static int simple_nopage_mmap(struct file *filp, struct vm_area_struct *vma)
{
    unsigned long offset = vma-&gt;vm_pgoff &lt;&lt; PAGE_SHIFT;

    if (offset &gt;= __pa(high_memory) || (filp-&gt;f_flags &amp; O_SYNC))
        vma-&gt;vm_flags |= VM_IO;
    vma-&gt;vm_flags |= VM_RESERVED;

    vma-&gt;vm_ops = &amp;simple_nopage_vm_ops;
    simple_vma_open(vma);
    return 0;
}
</pre>
The main thing <i>mmap </i>has to do is to replace the default (<font class="fixd">NULL</font>) <font class="fixd">vm_ops</font> pointer with
our own operations. The <i>nopage </i>method then takes care of "remapping" one page at
a time and returning the address of its <font class="fixd">struct page</font> structure. Because we are just
implementing a window onto physical memory here, the remapping step is simple:
we only need to locate and return a pointer to the <font class="fixd">struct page</font> for the desired
address. Our <i>nopage</i> method looks like the following:<br>
<pre>
struct page *simple_vma_nopage(struct vm_area_struct *vma,
                unsigned long address, int *type)
{
    struct page *pageptr;
    unsigned long offset = vma-&gt;vm_pgoff &lt;&lt; PAGE_SHIFT;
    unsigned long physaddr = address - vma-&gt;vm_start + offset;
    unsigned long pageframe = physaddr &gt;&gt; PAGE_SHIFT;

    if (!pfn_valid(pageframe))
        return NOPAGE_SIGBUS;
    pageptr = pfn_to_page(pageframe);
    get_page(pageptr);
    if (type)
        *type = VM_FAULT_MINOR;
    return pageptr;
}
</pre>
Since, once again, we are simply mapping main memory here, the <i>nopage </i>function
need only find the correct <font class="fixd">struct page</font> for the faulting address and increment its reference
count. Therefore, the required sequence of events is to calculate the desired physical
address, and turn it into a page frame number by right-shifting it <font class="fixd">PAGE_SHIFT</font> bits.
Since user space can give us any address it likes, we must ensure that we have a valid
page frame; the <i>pfn_valid </i>function does that for us. If the address is out of range, we
return <font class="fixd">NOPAGE_SIGBUS,</font> which causes a bus signal to be delivered to the calling process.<br>
<br>
<A name="429"></a><font color="blue">PAGE 429</font><br>
<br>
Otherwise, <i>pfn_to_page </i>gets the necessary <font class="fixd">struct page</font> pointer; we can increment its
reference count (with a call to <i>get_page</i>) and return it.<br>
<br>
The <i>nopage </i>method normally returns a pointer to a <font class="fixd">struct page</font>. If, for some reason,
a normal page cannot be returned (e.g., the requested address is beyond the device's
memory region), <font class="fixd">NOPAGE_SIGBUS</font> can be returned to signal the error; that is what the
<i>simple </i>code above does. <i>nopage </i>can also return <font class="fixd">NOPAGE_OOM</font> to indicate failures caused
by resource limitations.<br>
<br>
Note that this implementation works for ISA memory regions but not for those on
the PCI bus. PCI memory is mapped above the highest system memory, and there are
no entries in the system memory map for those addresses. Because there is no <font class="fixd">struct
page</font> to return a pointer to, <i>nopage </i>cannot be used in these situations; you must use
<i>remap_pfn_range</i> instead.<br>
<br>
If the <i>nopage </i>method is left <font class="fixd">NULL</font>, kernel code that handles page faults maps the zero
page to the faulting virtual address. The <i>zero page </i>is a copy-on-write page that reads
as 0 and that is used, for example, to map the BSS segment. Any process referencing
the zero page sees exactly that: a page filled with zeroes. If the process writes to the
page, it ends up modifying a private copy. Therefore, if a process extends a mapped
region by calling <i>mremap</i>, and the driver hasn't implemented <i>nopage</i>, the process
ends up with zero-filled memory instead of a segmentation fault.<br>
<br>
<a name="RemappingSpecificIORegions"></a><font color="red"><b>Remapping Specific I/O Regions</b></font><br>
<br>
All the examples we've seen so far are reimplementations of <i>/dev/mem</i>; they remap
physical addresses into user space. The typical driver, however, wants to map only
the small address range that applies to its peripheral device, not all memory. In order
to map to user space only a subset of the whole memory range, the driver needs only
to play with the offsets. The following does the trick for a driver mapping a region of
<font class="fixd">simple_region_size</font> bytes, beginning at physical address <font class="fixd">simple_region_start</font> (which
should be page-aligned):<br>
<pre>
unsigned long off = vma-&gt;vm_pgoff &lt;&lt; PAGE_SHIFT;
unsigned long physical = <font class="fixd">simple_region_start</font> + off;
unsigned long vsize = vma-&gt;vm_end - vma-&gt;vm_start;
unsigned long psize = <font class="fixd">simple_region_size</font> - off;

if (vsize &gt; psize)
    return -EINVAL; /*  spans too high */
remap_pfn_range(vma, vma_&gt;vm_start, physical, vsize, vma-&gt;vm_page_prot);
</pre>
In addition to calculating the offsets, this code introduces a check that reports an
error when the program tries to map more memory than is available in the I/O region
of the target device. In this code, <font class="fixd">psize</font> is the physical I/O size that is left after the offset
has been specified, and <font class="fixd">vsize</font> is the requested size of virtual memory; the function
refuses to map addresses that extend beyond the allowed memory range.<br>
<br>
<A name="430"></a><font color="blue">PAGE 430</font><br>
<br>
Note that the user process can always use <i>mremap </i>to extend its mapping, possibly
past the end of the physical device area. If your driver fails to define a <i>nopage
</i>method, it is never notified of this extension, and the additional area maps to the
zero page. As a driver writer, you may well want to prevent this sort of behavior;
mapping the zero page onto the end of your region is not an explicitly bad thing to
do, but it is highly unlikely that the programmer wanted that to happen.<br>
<br>
The simplest way to prevent extension of the mapping is to implement a simple
<i>nopage </i>method that always causes a bus signal to be sent to the faulting process.
Such a method would look like this:<br>
<pre>
struct page *simple_nopage(struct vm_area_struct *vma,
                           unsigned long address, int *type);
{ return NOPAGE_SIGBUS; /* send a SIGBUS */}
</pre>
As we have seen, the <i>nopage </i>method is called only when the process dereferences an
address that is within a known VMA but for which there is currently no valid page
table entry. If we have used <i>remap_pfn_range </i>to map the entire device region, the
<i>nopage </i>method shown here is called only for references outside of that region. Thus,
it can safely return <font class="fixd">NOPAGE_SIGBUS</font> to signal an error. Of course, a more thorough
implementation of <i>nopage </i>could check to see whether the faulting address is within
the device area, and perform the remapping if that is the case. Once again, however,
<i>nopage </i>does not work with PCI memory areas, so extension of PCI mappings is not
possible.<br>
<br>
<a name="RemappingRAM"></a><font color="red"><b>Remapping RAM</b></font><br>
<br>
An interesting limitation of <i>remap_pfn_range </i>is that it gives access only to reserved
pages and physical addresses above the top of physical memory. In Linux, a page of
physical addresses is marked as "reserved" in the memory map to indicate that it is
not available for memory management. On the PC, for example, the range between
640 KB and 1 MB is marked as reserved, as are the pages that host the kernel code
itself. Reserved pages are locked in memory and are the only ones that can be safely
mapped to user space; this limitation is a basic requirement for system stability.<br>
<br>
Therefore, <i>remap_pfn_range </i>won't allow you to remap conventional addresses,
which include the ones you obtain by calling <i>get_free_page</i>. Instead, it maps in the
zero page. Everything appears to work, with the exception that the process sees private,
zero-filled pages rather than the remapped RAM that it was hoping for. Nonetheless,
the function does everything that most hardware drivers need it to do,
because it can remap high PCI buffers and ISA memory.<br>
<br>
The limitations of <i>remap_pfn_range </i>can be seen by running <i>mapper</i>, one of the sample
programs in <i>misc-progs </i>in the files provided on O'Reilly's FTP site. <i>mapper </i>is a
simple tool that can be used to quickly test the <i>mmap </i>system call; it maps read-only
parts of a file specified by command-line options and dumps the mapped region to
standard output. The following session, for instance, shows that <i>/dev/mem </i>doesn't<br>
<br>
<A name="431"></a><font color="blue">PAGE 431</font><br>
<br>
map the physical page located at address 64 KB--instead, we see a page full of zeros
(the host computer in this example is a PC, but the result would be the same on
other platforms):<br>
<pre>
morgana.root# ./mapper /dev/mem 0x10000 0x1000 | od -Ax -t x1
mapped &quot;/dev/mem&quot; from 65536 to 69632
000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
001000
</pre>
The inability of <i>remap_pfn_range </i>to deal with RAM suggests that memory-based
devices like <i>scull </i>can't easily implement <i>mmap</i>, because its device memory is conventional
RAM, not I/O memory. Fortunately, a relatively easy work-around is available
to any driver that needs to map RAM into user space; it uses the <i>nopage </i>method that
we have seen earlier.<br>
<br>
<a name="RemappingRAMWithTheNopageMethod"></a><font color="red"><b>Remapping RAM with the nopage method</b></font><br>
<br>
The way to map real RAM to user space is to use <font class="fixd">vm_ops-&gt;nopage</font> to deal with page
faults one at a time. A sample implementation is part of the <i>scullp </i>module, introduced
in Chapter 8.<br>
<br>
<i>scullp </i>is a page-oriented char device. Because it is page oriented, it can implement
<i>mmap </i>on its memory. The code implementing memory mapping uses some of the
concepts introduced in the section "Memory Management in Linux."<br>
<br>
Before examining the code, let's look at the design choices that affect the <i>mmap
</i>implementation in <i>scullp</i>:<br>
<ul>
<li> <i>scullp </i>doesn't release device memory as long as the device is mapped. This is a
matter of policy rather than a requirement, and it is different from the behavior
of <i>scull </i>and similar devices, which are truncated to a length of 0 when opened for
writing. Refusing to free a mapped <i>scullp </i>device allows a process to overwrite
regions actively mapped by another process, so you can test and see how processes
and device memory interact. To avoid releasing a mapped device, the
driver must keep a count of active mappings; the <font class="fixd">vmas</font> field in the device structure
is used for this purpose.
<li> Memory mapping is performed only when the <i>scullp </i><font class="fixd">order</font> parameter (set at module load time) is 0. The parameter controls how <i>__get_free_pages </i>is invoked (see
the section "get_free_page and Friends" in Chapter 8). The zero-order limitation
(which forces pages to be allocated one at a time, rather than in larger groups) is
dictated by the internals of <i>__get_free_pages</i>, the allocation function used by
<i>scullp</i>. To maximize allocation performance, the Linux kernel maintains a list of
free pages for each allocation order, and only the reference count of the first page
in a cluster is incremented by <i>get_free_pages </i>and decremented by <i>free_pages</i>. The
<i>mmap </i>method is disabled for a <i>scullp </i>device if the allocation order is greater than
zero, because <i>nopage </i>deals with single pages rather than clusters of pages. <i>scullp</i>
</ul>
<A name="432"></a><font color="blue">PAGE 432</font><br>
<ul>
simply does not know how to properly manage reference counts for pages that
are part of higher-order allocations. (Return to the section "A scull Using Whole
Pages: scullp" in Chapter 8 if you need a refresher on <i>scullp </i>and the memory allocation
order value.)
</ul>
The zero-order limitation is mostly intended to keep the code simple. It <i>is </i>possible to
correctly implement <i>mmap </i>for multipage allocations by playing with the usage count
of the pages, but it would only add to the complexity of the example without introducing
any interesting information.<br>
<br>
Code that is intended to map RAM according to the rules just outlined needs to
implement the <i>open</i>, <i>close</i>, and <i>nopage </i>VMA methods; it also needs to access the
memory map to adjust the page usage counts.<br>
<br>
This implementation of <i>scullp_mmap </i>is very short, because it relies on the <i>nopage
</i>function to do all the interesting work:<br>
<pre>
int scullp_mmap(struct file *filp, struct vm_area_struct *vma)
{
    struct inode *inode = filp-&gt;f_dentry-&gt;d_inode;

    /* refuse to map if order is not 0 */
    if (scullp_devices[iminor(inode)].order)
        return -ENODEV;

    /* don't do anything here: &quot;nopage&quot; will fill the holes */
    vma-&gt;vm_ops = &amp;scullp_vm_ops;
    vma-&gt;vm_flags |= VM_RESERVED;
    vma-&gt;vm_private_data = filp-&gt;private_data;
    scullp_vma_open(vma);
    return 0;
}
</pre>
The purpose of the if statement is to avoid mapping devices whose allocation order
is not 0. <i>scullp</i>'s operations are stored in the <font class="fixd">vm_ops</font> field, and a pointer to the device
structure is stashed in the <font class="fixd">vm_private_data</font> field. At the end, <font class="fixd">vm_ops-&gt;open</font> is called to
update the count of active mappings for the device.<br>
<br>
<i>open</i> and <i>close</i> simply keep track of the mapping count and are defined as follows:<br>
<pre>
void scullp_vma_open(struct vm_area_struct *vma)
{
    struct scullp_dev *dev = vma-&gt;vm_private_data;

    dev-&gt;vmas++;
}

void scullp_vma_close(struct vm_area_struct *vma)
{
    struct scullp_dev *dev = vma-&gt;vm_private_data;

    dev-&gt;vmas--;
}
</pre>
<A name="433"></a><font color="blue">PAGE 433</font><br>
<br>
Most of the work is then performed by <i>nopage</i>. In the <i>scullp </i>implementation, the
address parameter to <i>nopage </i>is used to calculate an offset into the device; the offset is
then used to look up the correct page in the <i>scullp</i> memory tree:<br>
<pre>
struct page *scullp_vma_nopage(struct vm_area_struct *vma,
                                unsigned long address, int *type)
{
    unsigned long offset;
    struct scullp_dev *ptr, *dev = vma-&gt;vm_private_data;
    struct page *page = NOPAGE_SIGBUS;
    void *pageptr = NULL; /* default to &quot;missing&quot; */

    down(&amp;dev-&gt;sem);
    offset = (address - vma-&gt;vm_start) + (vma-&gt;vm_pgoff &lt;&lt; PAGE_SHIFT);
    if (offset &gt;= dev-&gt;size) goto out; /* out of range */

    /*
     * Now retrieve the scullp device from the list, then the page.
     * If the device has holes, the process receives a SIGBUS when
     * accessing the hole.
     */
    offset &gt;&gt;= PAGE_SHIFT; /* offset is a number of pages */
    for (ptr = dev; ptr &amp;&amp; offset &gt;= dev-&gt;qset;) {
        ptr = ptr-&gt;next;
        offset -= dev-&gt;qset;
    }
    if (ptr &amp;&amp; ptr-&gt;data) pageptr = ptr-&gt;data[offset];
    if (!pageptr) goto out; /* hole or end-of-file */
    page = virt_to_page(pageptr);

    /* got it, now increment the count */
    get_page(page);
    if (type)
        *type = VM_FAULT_MINOR;
  out:
    up(&amp;dev-&gt;sem);
    return page;
}
</pre>
<i>scullp </i>uses memory obtained with <i>get_free_pages</i>. That memory is addressed using
logical addresses, so all <i>scullp_nopage </i>has to do to get a <font class="fixd">struct page</font> pointer is to call
<i>virt_to_page</i>.<br>
<br>
The <i>scullp </i>device now works as expected, as you can see in this sample output from
the <i>mapper </i>utility. Here, we send a directory listing of <i>/dev </i>(which is long) to the
<i>scullp </i>device and then use the <i>mapper </i>utility to look at pieces of that listing with
<i>mmap</i>:<br>
<pre>
morgana% <b>ls -l /dev &gt; /dev/scullp
</b>morgana% <b>./mapper /dev/scullp 0 140
</b>mapped &quot;/dev/scullp&quot; from 0 (0x00000000) to 140 (0x0000008c)
total 232
crw-------    1 root     root      10,  10 Sep 15 07:40 adbmouse
</pre>
<A name="434"></a><font color="blue">PAGE 434</font><br>
<pre>
crw-r--r--    1 root     root      10, 175 Sep 15 07:40 agpgart
morgana% <b>./mapper /dev/scullp 8192 200
</b>mapped &quot;/dev/scullp&quot; from 8192 (0x00002000) to 8392 (0x000020c8)
d0h1494
brw-rw----    1 root     floppy     2,  92 Sep 15 07:40 fd0h1660
brw-rw----    1 root     floppy     2,  20 Sep 15 07:40 fd0h360
brw-rw----    1 root     floppy     2,  12 Sep 15 07:40 fd0H360
</pre>
<a name="RemappingKernelVirtualAddresses"></a><font color="red"><b>Remapping Kernel Virtual Addresses</b></font><br>
<br>
Although it's rarely necessary, it's interesting to see how a driver can map a kernel
virtual address to user space using <i>mmap</i>. A true kernel virtual address, remember, is
an address returned by a function such as <i>vmalloc</i>--that is, a virtual address mapped
in the kernel page tables. The code in this section is taken from <i>scullv</i>, which is the
module that works like <i>scullp</i> but allocates its storage through <i>vmalloc</i>.<br>
<br>
Most of the <i>scullv </i>implementation is like the one we've just seen for <i>scullp</i>, except
that there is no need to check the order parameter that controls memory allocation.
The reason for this is that <i>vmalloc </i>allocates its pages one at a time, because singlepage
allocations are far more likely to succeed than multipage allocations. Therefore,
the allocation order problem doesn't apply to <i>vmalloc</i>ed space.<br>
<br>
Beyond that, there is only one difference between the <i>nopage </i>implementations used by
<i>scullp </i>and <i>scullv</i>. Remember that <i>scullp</i>, once it found the page of interest, would obtain
the corresponding <font class="fixd">struct page</font> pointer with <i>virt_to_page</i>. That function does not work
with kernel virtual addresses, however. Instead, you must use <i>vmalloc_to_page</i>. So the
final part of the <i>scullv</i> version of <i>nopage</i> looks like:<br>
<pre>
  /*
   * After scullv lookup, &quot;page&quot; is now the address of the page
   * needed by the current process. Since it's a vmalloc address,
   * turn it into a struct page.
   */
  page = vmalloc_to_page(pageptr);

  /* got it, now increment the count */
  get_page(page);
  if (type)
      *type = VM_FAULT_MINOR;
out:
  up(&amp;dev-&gt;sem);
  return page;
</pre>
Based on this discussion, you might also want to map addresses returned by <i>ioremap
</i>to user space. That would be a mistake, however; addresses from <i>ioremap </i>are special
and cannot be treated like normal kernel virtual addresses. Instead, you should use
<i>remap_pfn_range</i> to remap I/O memory areas into user space.<br>
<br>
<A name="435"></a><font color="blue">PAGE 435</font><br>
<br>
<a name="PerformingDirectIO"></a><font color="red"><b>Performing Direct I/O</b></font><br>
<br>
Most I/O operations are buffered through the kernel. The use of a kernel-space
buffer allows a degree of separation between user space and the actual device; this
separation can make programming easier and can also yield performance benefits in
many situations. There are cases, however, where it can be beneficial to perform I/O
directly to or from a user-space buffer. If the amount of data being transferred is
large, transferring data directly without an extra copy through kernel space can
speed things up.<br>
<br>
One example of direct I/O use in the 2.6 kernel is the SCSI tape driver. Streaming
tapes can pass a lot of data through the system, and tape transfers are usually record oriented,
so there is little benefit to buffering data in the kernel. So, when the conditions
are right (the user-space buffer is page-aligned, for example), the SCSI tape
driver performs its I/O without copying the data.<br>
<br>
That said, it is important to recognize that direct I/O does not always provide the
performance boost that one might expect. The overhead of setting up direct I/O
(which involves faulting in and pinning down the relevant user pages) can be significant,
and the benefits of buffered I/O are lost. For example, the use of direct I/O
requires that the <i>write </i>system call operate synchronously; otherwise the application
does not know when it can reuse its I/O buffer. Stopping the application until each
write completes can slow things down, which is why applications that use direct I/O
often use asynchronous I/O operations as well.<br>
<br>
The real moral of the story, in any case, is that implementing direct I/O in a char
driver is usually unnecessary and can be hurtful. You should take that step only if
you are sure that the overhead of buffered I/O is truly slowing things down. Note
also that block and network drivers need not worry about implementing direct I/O at
all; in both cases, higher-level code in the kernel sets up and makes use of direct I/O
when it is indicated, and driver-level code need not even know that direct I/O is
being performed.<br>
<br>
The key to implementing direct I/O in the 2.6 kernel is a function called <i>get_user_pages</i>,
which is declared in <i>&lt;linux/mm.h&gt;</i> with the following prototype:<br>
<pre>
int get_user_pages(struct task_struct *tsk,
                   struct mm_struct *mm,
                   unsigned long start,
                   int len,
                   int write,
                   int force,
                   struct page **pages,
                   struct vm_area_struct **vmas);
</pre>
<A name="436"></a><font color="blue">PAGE 436</font><br>
<br>
This function has several arguments:<br>
<br>
<font class="fixd">tsk</font><br>
<div class="bq">
A pointer to the task performing the I/O; its main purpose is to tell the kernel
who should be charged for any page faults incurred while setting up the buffer.
This argument is almost always passed as <font class="fixd">current.</font></div>
<br>
<font class="fixd">mm</font><br>
<div class="bq">
A pointer to the memory management structure describing the address space to
be mapped. The <font class="fixd">mm_struct</font> structure is the piece that ties together all of the parts
(VMAs) of a process's virtual address space. For driver use, this argument should
always be <font class="fixd">current-&gt;mm.</font></div>
<br>
<font class="fixd">start<br>
len</font><br>
<div class="bq">
start is the (page-aligned) address of the user-space buffer, and <font class="fixd">len</font> is the length
of the buffer in pages.</div>
<br>
<font class="fixd">write<br>
force</font><br>
<div class="bq">
If write is nonzero, the pages are mapped for write access (implying, of course,
that user space is performing a read operation). The <font class="fixd">force</font> flag tells <i>get_user_pages
</i>to override the protections on the given pages to provide the requested access;
drivers should always pass 0 here.</div>
<br>
<font class="fixd">pages<br>
vmas</font><br>
<div class="bq">
Output parameters. Upon successful completion, <font class="fixd">pages</font> contain a list of pointers
to the <font class="fixd">struct page</font> structures describing the user-space buffer, and <font class="fixd">vmas</font> contains
pointers to the associated VMAs. The parameters should, obviously, point to
arrays capable of holding at least len pointers. Either parameter can be <font class="fixd">NULL</font>, but
you need, at least, the <font class="fixd">struct page</font> pointers to actually operate on the buffer.</div>
<br>
<i>get_user_pages </i>is a low-level memory management function, with a suitably complex
interface. It also requires that the mmap reader/writer semaphore for the address
space be obtained in read mode before the call. As a result, calls to <i>get_user_pages
</i>usually look something like:<br>
<pre>
down_read(&amp;current-&gt;mm-&gt;mmap_sem);
result = get_user_pages(current, current-&gt;mm, ...);
up_read(&amp;current-&gt;mm-&gt;mmap_sem);
</pre>
The return value is the number of pages actually mapped, which could be fewer than
the number requested (but greater than zero).<br>
<br>
Upon successful completion, the caller has a <font class="fixd">pages</font> array pointing to the user-space
buffer, which is locked into memory. To operate on the buffer directly, the kernelspace
code must turn each <font class="fixd">struct page</font> pointer into a kernel virtual address with
<i>kmap </i>or <i>kmap_atomic</i>. Usually, however, devices for which direct I/O is justified are
using DMA operations, so your driver will probably want to create a scatter/gather<br>
<br>
<A name="437"></a><font color="blue">PAGE 437</font><br>
<br>
list from the array of <font class="fixd">struct page</font> pointers. We discuss how to do this in the section,
"Scatter/gather mappings."<br>
<br>
Once your direct I/O operation is complete, you must release the user pages. Before
doing so, however, you must inform the kernel if you changed the contents of those
pages. Otherwise, the kernel may think that the pages are "clean," meaning that they
match a copy found on the swap device, and free them without writing them out to
backing store. So, if you have changed the pages (in response to a user-space read
request), you must mark each affected page dirty with a call to:<br>
<pre>
void SetPageDirty(struct page *page);
</pre>
(This macro is defined in <i>&lt;linux/page-flags.h&gt;</i>). Most code that performs this operation
checks first to ensure that the page is not in the reserved part of the memory
map, which is never swapped out. Therefore, the code usually looks like:<br>
<pre>
if (! PageReserved(page))
    SetPageDirty(page);
</pre>
Since user-space memory is not normally marked reserved, this check should not
strictly be necessary, but when you are getting your hands dirty deep within the
memory management subsystem, it is best to be thorough and careful.<br>
<br>
Regardless of whether the pages have been changed, they must be freed from the
page cache, or they stay there forever. The call to use is:<br>
<pre>
void page_cache_release(struct page *page);
</pre>
This call should, of course, be made <i>after</i> the page has been marked dirty, if need be.<br>
<br>
<a name="AsynchronousIO"></a><font color="red"><b>Asynchronous I/O</b></font><br>
<br>
One of the new features added to the 2.6 kernel was the <i>asynchronous I/O </i>capability.
Asynchronous I/O allows user space to initiate operations without waiting for
their completion; thus, an application can do other processing while its I/O is in
flight. A complex, high-performance application can also use asynchronous I/O to
have multiple operations going at the same time.<br>
<br>
The implementation of asynchronous I/O is optional, and very few driver authors
bother; most devices do not benefit from this capability. As we will see in the coming
chapters, block and network drivers are fully asynchronous at all times, so only
char drivers are candidates for explicit asynchronous I/O support. A char device can
benefit from this support if there are good reasons for having more than one I/O
operation outstanding at any given time. One good example is streaming tape drives,
where the drive can stall and slow down significantly if I/O operations do not arrive
quickly enough. An application trying to get the best performance out of a streaming
drive could use asynchronous I/O to have multiple operations ready to go at any
given time.<br>
<br>
<A name="438"></a><font color="blue">PAGE 438</font><br>
<br>
For the rare driver author who needs to implement asynchronous I/O, we present a
quick overview of how it works. We cover asynchronous I/O in this chapter, because
its implementation almost always involves direct I/O operations as well (if you are
buffering data in the kernel, you can usually implement asynchronous behavior without
imposing the added complexity on user space).<br>
<br>
Drivers supporting asynchronous I/O should include <i>&lt;linux/aio.h&gt;</i>. There are three
<i>file_operations</i> methods for the implementation of asynchronous I/O:<br>
<pre>
ssize_t (*aio_read) (struct kiocb *iocb, char *buffer,
                     size_t count, loff_t offset);
ssize_t (*aio_write) (struct kiocb *iocb, const char *buffer,
                      size_t count, loff_t offset);
int (*aio_fsync) (struct kiocb *iocb, int datasync);
</pre>
The <i>aio_fsync </i>operation is only of interest to filesystem code, so we do not discuss it
further here. The other two, <i>aio_read </i>and <i>aio_write</i>, look very much like the regular
<i>read </i>and <i>write </i>methods but with a couple of exceptions. One is that the <font class="fixd">offset</font>
parameter is passed by value; asynchronous operations never change the file position,
so there is no reason to pass a pointer to it. These methods also take the <font class="fixd">iocb</font>
("I/O control block") parameter, which we get to in a moment.<br>
<br>
The purpose of the <i>aio_read </i>and <i>aio_write </i>methods is to initiate a read or write operation
that may or may not be complete by the time they return. If it <i>is </i>possible to
complete the operation immediately, the method should do so and return the usual
status: the number of bytes transferred or a negative error code. Thus, if your driver
has a <i>read </i>method called <i>my_read</i>, the following <i>aio_read </i>method is entirely correct
(though rather pointless):<br>
<pre>
static ssize_t my_aio_read(struct kiocb *iocb, char *buffer,
                           ssize_t count, loff_t offset)
{
    return my_read(iocb-&gt;ki_filp, buffer, count, &amp;offset);
}
</pre>
Note that the <font class="fixd">struct file</font> pointer is found in the <font class="fixd">ki_filp</font> field of the <font class="fixd">kiocb</font> structure.<br>
<br>
If you support asynchronous I/O, you must be aware of the fact that the kernel can,
on occasion, create "synchronous IOCBs." These are, essentially, asynchronous
operations that must actually be executed synchronously. One may well wonder why
things are done this way, but it's best to just do what the kernel asks. Synchronous
operations are marked in the IOCB; your driver should query that status with:<br>
<pre>
int is_sync_kiocb(struct kiocb *iocb);
</pre>
If this function returns a nonzero value, your driver must execute the operation
synchronously.<br>
<br>
In the end, however, the point of all this structure is to enable asynchronous operations.
If your driver is able to initiate the operation (or, simply, to queue it until some
future time when it can be executed), it must do two things: remember everything it<br>
<br>
<A name="439"></a><font color="blue">PAGE 439</font><br>
<br>
needs to know about the operation, and return <font class="fixd">-EIOCBQUEUED</font> to the caller. Remembering
the operation information includes arranging access to the user-space buffer;
once you return, you will not again have the opportunity to access that buffer while
running in the context of the calling process. In general, that means you will likely
have to set up a direct kernel mapping (with <i>get_user_pages</i>) or a DMA mapping.
The <font class="fixd">-EIOCBQUEUED</font> error code indicates that the operation is not yet complete, and its
final status will be posted later.<br>
<br>
When "later" comes, your driver must inform the kernel that the operation has completed.
That is done with a call to <i>aio_complete</i>:<br>
<pre>
int aio_complete(struct kiocb *iocb, long res, long res2);
</pre>
Here, <font class="fixd">iocb</font> is the same IOCB that was initially passed to you, and <font class="fixd">res</font> is the usual
result status for the operation. <font class="fixd">res2</font> is a second result code that will be returned to
user space; most asynchronous I/O implementations pass <font class="fixd">res2</font> as <font class="fixd">0.</font> Once you call
<i>aio_complete</i>, you should not touch the IOCB or user buffer again.<br>
<br>
<a name="AnAsynchronousIOExample"></a><font color="red"><b>An asynchronous I/O example</b></font><br>
<br>
The page-oriented <i>scullp </i>driver in the example source implements asynchronous I/O.
The implementation is simple, but it is enough to show how asynchronous operations
should be structured.<br>
<br>
The <i>aio_read</i> and <i>aio_write</i> methods don't actually do much:<br>
<pre>
static ssize_t scullp_aio_read(struct kiocb *iocb, char *buf, size_t count,
        loff_t pos)
{
    return scullp_defer_op(0, iocb, buf, count, pos);
}

static ssize_t scullp_aio_write(struct kiocb *iocb, const char *buf,
        size_t count, loff_t pos)
{
    return scullp_defer_op(1, iocb, (char *) buf, count, pos);
}
</pre>
These methods simply call a common function:<br>
<pre>
struct async_work {
    struct kiocb *iocb;
    int result;
    struct work_struct work;
};

static int scullp_defer_op(int write, struct kiocb *iocb, char *buf,
        size_t count, loff_t pos)
{
    struct async_work *stuff;
    int result;
</pre>
<A name="440"></a><font color="blue">PAGE 440</font><br>
<pre>
    /* Copy now while we can access the buffer */
    if (write)
        result = scullp_write(iocb-&gt;ki_filp, buf, count, &amp;pos);
    else
        result = scullp_read(iocb-&gt;ki_filp, buf, count, &amp;pos);

    /* If this is a synchronous IOCB, we return our status now. */
    if (is_sync_kiocb(iocb))
        return result;

    /* Otherwise defer the completion for a few milliseconds. */
    stuff = kmalloc (sizeof (*stuff), GFP_KERNEL);
    if (stuff = = NULL)
        return result; /* No memory, just complete now */
    stuff-&gt;iocb = iocb;
    stuff-&gt;result = result;
    INIT_WORK(&amp;stuff-&gt;work, scullp_do_deferred_op, stuff);
    schedule_delayed_work(&amp;stuff-&gt;work, HZ/100);
    return -EIOCBQUEUED;
}
</pre>
A more complete implementation would use <i>get_user_pages </i>to map the user buffer
into kernel space. We chose to keep life simple by just copying over the data at the
outset. Then a call is made to <i>is_sync_kiocb </i>to see if this operation must be completed
synchronously; if so, the result status is returned, and we are done. Otherwise
we remember the relevant information in a little structure, arrange for "completion"
via a workqueue, and return <font class="fixd">-EIOCBQUEUED</font>. At this point, control returns to user
space.<br>
<br>
Later on, the workqueue executes our completion function:<br>
<pre>
static void scullp_do_deferred_op(void *p)
{
    struct async_work *stuff = (struct async_work *) p;
    aio_complete(stuff-&gt;iocb, stuff-&gt;result, 0);
    kfree(stuff);
}
</pre>
Here, it is simply a matter of calling <i>aio_complete </i>with our saved information. A real
driver's asynchronous I/O implementation is somewhat more complicated, of
course, but it follows this sort of structure.<br>
<br>
<a name="DirectMemoryAccess"></a><font color="red"><b>Direct Memory Access</b></font><br>
<br>
Direct memory access, or DMA, is the advanced topic that completes our overview
of memory issues. DMA is the hardware mechanism that allows peripheral components
to transfer their I/O data directly to and from main memory without the need
to involve the system processor. Use of this mechanism can greatly increase throughput
to and from a device, because a great deal of computational overhead is eliminated.<br>
<br>
<A name="441"></a><font color="blue">PAGE 441</font><br>
<br>
<a name="OverviewOfADMADataTransfer"></a><font color="red"><b>Overview of a DMA Data Transfer</b></font><br>
<br>
Before introducing the programming details, let's review how a DMA transfer takes
place, considering only input transfers to simplify the discussion.<br>
<br>
Data transfer can be triggered in two ways: either the software asks for data (via a
function such as <i>read</i>) or the hardware asynchronously pushes data to the system.<br>
<br>
In the first case, the steps involved can be summarized as follows:<br>
<ol>
<li>When a process calls <i>read</i>, the driver method allocates a DMA buffer and
instructs the hardware to transfer its data into that buffer. The process is put to sleep.
<li>The hardware writes data to the DMA buffer and raises an interrupt when it's done.
<li>The interrupt handler gets the input data, acknowledges the interrupt, and
awakens the process, which is now able to read data.
</ol>
The second case comes about when DMA is used asynchronously. This happens, for
example, with data acquisition devices that go on pushing data even if nobody is
reading them. In this case, the driver should maintain a buffer so that a subsequent
<i>read </i>call will return all the accumulated data to user space. The steps involved in this
kind of transfer are slightly different:<br>
<ol>
<li>The hardware raises an interrupt to announce that new data has arrived.
<li>The interrupt handler allocates a buffer and tells the hardware where to transfer its data.
<li>The peripheral device writes the data to the buffer and raises another interrupt when it's done.
<li>The handler dispatches the new data, wakes any relevant process, and takes care of housekeeping.
</ol>
A variant of the asynchronous approach is often seen with network cards. These
cards often expect to see a circular buffer (often called a <i>DMA ring buffer</i>) established
in memory shared with the processor; each incoming packet is placed in the
next available buffer in the ring, and an interrupt is signaled. The driver then passes
the network packets to the rest of the kernel and places a new DMA buffer in the
ring.<br>
<br>
The processing steps in all of these cases emphasize that efficient DMA handling
relies on interrupt reporting. While it is possible to implement DMA with a polling
driver, it wouldn't make sense, because a polling driver would waste the performance
benefits that DMA offers over the easier processor-driven I/O.*<br>
<br>
* There are, of course, exceptions to everything; see the section "Receive Interrupt Mitigation" in 
Chapter 17 for a demonstration of how high-performance network drivers are best implemented using polling.<br>
<br>
<A name="442"></a><font color="blue">PAGE 442</font><br>
<br>
Another relevant item introduced here is the DMA buffer. DMA requires device drivers
to allocate one or more special buffers suited to DMA. Note that many drivers
allocate their buffers at initialization time and use them until shutdown--the word
<i>allocate </i>in the previous lists, therefore, means "get hold of a previously allocated
buffer."<br>
<br>
<a name="AllocatingTheDMABuffer"></a><font color="red"><b>Allocating the DMA Buffer</b></font><br>
<br>
This section covers the allocation of DMA buffers at a low level; we introduce a
higher-level interface shortly, but it is still a good idea to understand the material
presented here.<br>
<br>
The main issue that arrises with DMA buffers is that, when they are bigger than one
page, they must occupy contiguous pages in physical memory because the device
transfers data using the ISA or PCI system bus, both of which carry physical
addresses. It's interesting to note that this constraint doesn't apply to the SBus (see
the section "SBus" in Chapter 12), which uses virtual addresses on the peripheral
bus. Some architectures <i>can </i>also use virtual addresses on the PCI bus, but a portable
driver cannot count on that capability.<br>
<br>
Although DMA buffers can be allocated either at system boot or at runtime, modules
can allocate their buffers only at runtime. (Chapter 8 introduced these techniques;
the section "Obtaining Large Buffers" covered allocation at system boot,
while "The Real Story of kmalloc" and "get_free_page and Friends" described allocation
at runtime.) Driver writers must take care to allocate the right kind of memory
when it is used for DMA operations; not all memory zones are suitable. In particular,
high memory may not work for DMA on some systems and with some devices-the
peripherals simply cannot work with addresses that high.<br>
<br>
Most devices on modern buses can handle 32-bit addresses, meaning that normal
memory allocations work just fine for them. Some PCI devices, however, fail to
implement the full PCI standard and cannot work with 32-bit addresses. And ISA
devices, of course, are limited to 24-bit addresses only.<br>
<br>
For devices with this kind of limitation, memory should be allocated from the DMA
zone by adding the <font class="fixd">GFP_DMA</font> flag to the <i>kmalloc </i>or <i>get_free_pages </i>call. When this flag
is present, only memory that can be addressed with 24 bits is allocated. Alternatively,
you can use the generic DMA layer (which we discuss shortly) to allocate buffers
that work around your device's limitations.<br>
<br>
<a name="DoityourselfAllocation"></a><font color="red"><b>Do-it-yourself allocation</b></font><br>
<br>
We have seen how <i>get_free_pages </i>can allocate up to a few megabytes (as order can
range up to <font class="fixd">MAX_ORDER,</font> currently 11), but high-order requests are prone to fail even<br>
<br>
<A name="443"></a><font color="blue">PAGE 443</font><br>
<br>
when the requested buffer is far less than 128 KB, because system memory becomes
fragmented over time.*<br>
<br>
When the kernel cannot return the requested amount of memory or when you need
more than 128 KB (a common requirement for PCI frame grabbers, for example), an
alternative to returning <font class="fixd">-ENOMEM</font> is to allocate memory at boot time or reserve the top
of physical RAM for your buffer. We described allocation at boot time in the section
"Obtaining Large Buffers" in Chapter 8, but it is not available to modules. Reserving
the top of RAM is accomplished by passing a <font class="fixd">mem=</font> argument to the kernel at boot
time. For example, if you have 256 MB, the argument <font class="fixd">mem=255M</font> keeps the kernel from
using the top megabyte. Your module could later use the following code to gain
access to such memory:<br>
<pre>
dmabuf = ioremap (0xFF00000 /* 255M */, 0x100000 /* 1M */);
</pre>
The <i>allocator</i>, part of the sample code accompanying the book, offers a simple API to
probe and manage such reserved RAM and has been used successfully on several
architectures. However, this trick doesn't work when you have an high-memory system
(i.e., one with more physical memory than could fit in the CPU address space).<br>
<br>
Another option, of course, is to allocate your buffer with the <font class="fixd">GFP_NOFAIL</font> allocation
flag. This approach does, however, severely stress the memory management subsystem,
and it runs the risk of locking up the system altogether; it is best avoided
unless there is truly no other way.<br>
<br>
If you are going to such lengths to allocate a large DMA buffer, however, it is worth
putting some thought into alternatives. If your device can do scatter/gather I/O, you
can allocate your buffer in smaller pieces and let the device do the rest. Scatter/gather
I/O can also be used when performing direct I/O into user space, which may well be
the best solution when a truly huge buffer is required.<br>
<br>
<a name="BusAddresses"></a><font color="red"><b>Bus Addresses</b></font><br>
<br>
A device driver using DMA has to talk to hardware connected to the interface bus,
which uses physical addresses, whereas program code uses virtual addresses.<br>
<br>
As a matter of fact, the situation is slightly more complicated than that. DMA-based
hardware uses <i>bus</i>, rather than <i>physical</i>, addresses. Although ISA and PCI bus
addresses are simply physical addresses on the PC, this is not true for every platform.
Sometimes the interface bus is connected through bridge circuitry that maps I/O
addresses to different physical addresses. Some systems even have a page-mapping
scheme that can make arbitrary pages appear contiguous to the peripheral bus.<br>
<br>
* The word <i>fragmentation </i>is usually applied to disks to express the idea that files are not 
stored consecutively on the magnetic medium. The same concept applies to memory, where each virtual 
address space gets scattered throughout physical RAM, and it becomes difficult to retrieve 
consecutive free pages when a DMA buffer is requested.<br>
<br>
<A name="444"></a><font color="blue">PAGE 444</font><br>
<br>
At the lowest level (again, we'll look at a higher-level solution shortly), the Linux kernel
provides a portable solution by exporting the following functions, defined in
<i>&lt;asm/io.h&gt;</i>. The use of these functions is strongly discouraged, because they work
properly only on systems with a very simple I/O architecture; nonetheless, you may
encounter them when working with kernel code.<br>
<pre>
unsigned long virt_to_bus(volatile void *address);
void *bus_to_virt(unsigned long address);
</pre>
These functions perform a simple conversion between kernel logical addresses and
bus addresses. They do not work in any situation where an I/O memory management
unit must be programmed or where bounce buffers must be used. The right
way of performing this conversion is with the generic DMA layer, so we now move
on to that topic.<br>
<br>
<a name="TheGenericDMALayer"></a><font color="red"><b>The Generic DMA Layer</b></font><br>
<br>
DMA operations, in the end, come down to allocating a buffer and passing bus
addresses to your device. However, the task of writing portable drivers that perform
DMA safely and correctly on all architectures is harder than one might think. Different
systems have different ideas of how cache coherency should work; if you do not
handle this issue correctly, your driver may corrupt memory. Some systems have
complicated bus hardware that can make the DMA task easier--or harder. And not
all systems can perform DMA out of all parts of memory. Fortunately, the kernel
provides a bus- and architecture-independent DMA layer that hides most of these
issues from the driver author. We strongly encourage you to use this layer for DMA
operations in any driver you write.<br>
<br>
Many of the functions below require a pointer to a <font class="fixd">struct device</font>. This structure is
the low-level representation of a device within the Linux device model. It is not
something that drivers often have to work with directly, but you do need it when
using the generic DMA layer. Usually, you can find this structure buried inside the
bus specific that describes your device. For example, it can be found as the <font class="fixd">dev</font> field
in <font class="fixd">struct pci_device</font> or <font class="fixd">struct usb_device</font>. The device structure is covered in detail
in Chapter 14.<br>
<br>
Drivers that use the following functions should include <i>&lt;linux/dma-mapping.h&gt;</i>.<br>
<br>
<a name="DealingWithDifficultHardware"></a><font color="red"><b>Dealing with difficult hardware</b></font><br>
<br>
The first question that must be answered before attempting DMA is whether the
given device is capable of such an operation on the current host. Many devices are
limited in the range of memory they can address, for a number of reasons. By default,
the kernel assumes that your device can perform DMA to any 32-bit address. If this is
not the case, you should inform the kernel of that fact with a call to:<br>
<pre>
    int dma_set_mask(struct device *dev, u64 mask);
</pre>
<A name="445"></a><font color="blue">PAGE 445</font><br>
<br>
The <font class="fixd">mask</font> should show the bits that your device can address; if it is limited to 24 bits,
for example, you would pass <font class="fixd">mask</font> as <font class="fixd">0x0FFFFFF.</font> The return value is nonzero if DMA
is possible with the given <font class="fixd">mask;</font> if <i>dma_set_mask </i>returns 0, you are not able to use
DMA operations with this device. Thus, the initialization code in a driver for a device
limited to 24-bit DMA operations might look like:<br>
<pre>
if (dma_set_mask (dev, 0xffffff))
    card-&gt;use_dma = 1;
else {
    card-&gt;use_dma = 0;   /* We'll have to live without DMA */
    printk (KERN_WARN, &quot;mydev: DMA not supported\n&quot;);
}
</pre>
Again, if your device supports normal, 32-bit DMA operations, there is no need to
call <i>dma_set_mask</i>.<br>
<br>
<a name="DMAMappings"></a><font color="red"><b>DMA mappings</b></font><br>
<br>
A <i>DMA mapping </i>is a combination of allocating a DMA buffer and generating an
address for that buffer that is accessible by the device. It is tempting to get that
address with a simple call to <i>virt_to_bus</i>, but there are strong reasons for avoiding
that approach. The first of those is that reasonable hardware comes with an IOMMU
that provides a set of <i>mapping registers </i>for the bus. The IOMMU can arrange for any
physical memory to appear within the address range accessible by the device, and it
can cause physically scattered buffers to look contiguous to the device. Making use
of the IOMMU requires using the generic DMA layer; <i>virt_to_bus </i>is not up to the
task.<br>
<br>
Note that not all architectures have an IOMMU; in particular, the popular x86 platform
has no IOMMU support. A properly written driver need not be aware of the I/O
support hardware it is running over, however.<br>
<br>
Setting up a useful address for the device may also, in some cases, require the establishment
of a <i>bounce buffer</i>. Bounce buffers are created when a driver attempts to
perform DMA on an address that is not reachable by the peripheral device--a high memory
address, for example. Data is then copied to and from the bounce buffer as
needed. Needless to say, use of bounce buffers can slow things down, but sometimes
there is no alternative.<br>
<br>
DMA mappings must also address the issue of cache coherency. Remember that modern
processors keep copies of recently accessed memory areas in a fast, local cache;
without this cache, reasonable performance is not possible. If your device changes an
area of main memory, it is imperative that any processor caches covering that area be
invalidated; otherwise the processor may work with an incorrect image of main memory,
and data corruption results. Similarly, when your device uses DMA to read data
from main memory, any changes to that memory residing in processor caches must be
flushed out first. These <i>cache coherency </i>issues can create no end of obscure and difficult-to-find
bugs if the programmer is not careful. Some architectures manage cache<br>
<br>
<A name="446"></a><font color="blue">PAGE 446</font><br>
<br>
coherency in the hardware, but others require software support. The generic DMA
layer goes to great lengths to ensure that things work correctly on all architectures,
but, as we will see, proper behavior requires adherence to a small set of rules.<br>
<br>
The DMA mapping sets up a new type, <font class="fixd">dma_addr_t,</font> to represent bus addresses. Variables
of type <font class="fixd">dma_addr_t</font> should be treated as opaque by the driver; the only allowable
operations are to pass them to the DMA support routines and to the device
itself. As a bus address, <font class="fixd">dma_addr_t</font> may lead to unexpected problems if used directly
by the CPU.<br>
<br>
The PCI code distinguishes between two types of DMA mappings, depending on
how long the DMA buffer is expected to stay around:<br>
<br>
<i>Coherent DMA mappings</i><br>
<div class="bq">
These mappings usually exist for the life of the driver. A coherent buffer must be
simultaneously available to both the CPU and the peripheral (other types of
mappings, as we will see later, can be available only to one or the other at any
given time). As a result, coherent mappings must live in cache-coherent memory.
Coherent mappings can be expensive to set up and use.</div>
<br>
<i>Streaming DMA mappings</i><br>
<div class="bq">
Streaming mappings are usually set up for a single operation. Some architectures
allow for significant optimizations when streaming mappings are used, as
we see, but these mappings also are subject to a stricter set of rules in how they
may be accessed. The kernel developers recommend the use of streaming mappings
over coherent mappings whenever possible. There are two reasons for this
recommendation. The first is that, on systems that support mapping registers,
each DMA mapping uses one or more of them on the bus. Coherent mappings,
which have a long lifetime, can monopolize these registers for a long time, even
when they are not being used. The other reason is that, on some hardware,
streaming mappings can be optimized in ways that are not available to coherent
mappings.</div>
<br>
The two mapping types must be manipulated in different ways; it's time to look at
the details.<br>
<br>
<a name="SettingUpCoherentDMAMappings"></a><font color="red"><b>Setting up coherent DMA mappings</b></font><br>
<br>
A driver can set up a coherent mapping with a call to <i>dma_alloc_coherent</i>:<br>
<pre>
void *dma_alloc_coherent(struct device *dev, size_t size,
                         dma_addr_t *dma_handle, int flag);
</pre>
This function handles both the allocation and the mapping of the buffer. The first two
arguments are the device structure and the size of the buffer needed. The function
returns the result of the DMA mapping in two places. The return value from the function
is a kernel virtual address for the buffer, which may be used by the driver; the
associated bus address, meanwhile, is returned in <font class="fixd">dma_handle</font>. Allocation is handled in<br>
<br>
<A name="447"></a><font color="blue">PAGE 447</font><br>
<br>
this function so that the buffer is placed in a location that works with DMA; usually
the memory is just allocated with <i>get_free_pages </i>(but note that the size is in bytes,
rather than an order value). The <font class="fixd">flag</font> argument is the usual <font class="fixd">GFP_</font> value describing how
the memory is to be allocated; it should usually be <font class="fixd">GFP_KERNEL</font> (usually) or <font class="fixd">GFP_ATOMIC</font>
(when running in atomic context).<br>
<br>
When the buffer is no longer needed (usually at module unload time), it should be
returned to the system with <i>dma_free_coherent</i>:<br>
<pre>
void dma_free_coherent(struct device *dev, size_t size,
                        void *vaddr, dma_addr_t dma_handle);
</pre>
Note that this function, like many of the generic DMA functions, requires that all of
the size, CPU address, and bus address arguments be provided.<br>
<br>
<a name="DMAPools"></a><font color="red"><b>DMA pools</b></font><br>
<br>
A <i>DMA pool </i>is an allocation mechanism for small, coherent DMA mappings. Mappings
obtained from <i>dma_alloc_coherent </i>may have a minimum size of one page. If
your device needs smaller DMA areas than that, you should probably be using a
DMA pool. DMA pools are also useful in situations where you may be tempted to
perform DMA to small areas embedded within a larger structure. Some very obscure
driver bugs have been traced down to cache coherency problems with structure fields
adjacent to small DMA areas. To avoid this problem, you should always allocate
areas for DMA operations explicitly, away from other, non-DMA data structures.<br>
<br>
The DMA pool functions are defined in <i>&lt;linux/dmapool.h&gt;</i>.<br>
<br>
A DMA pool must be created before use with a call to:<br>
<pre>
struct dma_pool *dma_pool_create(const char *name, struct device *dev,
                                 size_t size, size_t align,
                                 size_t allocation);
</pre>
Here, <font class="fixd">name</font> is a name for the pool, <font class="fixd">dev</font> is your device structure, <font class="fixd">size</font> is the size of the
buffers to be allocated from this pool, <font class="fixd">align</font> is the required hardware alignment for
allocations from the pool (expressed in bytes), and <font class="fixd">allocation</font> is, if nonzero, a memory
boundary that allocations should not exceed. If <font class="fixd">allocation</font> is passed as 4096, for
example, the buffers allocated from this pool do not cross 4-KB boundaries.<br>
<br>
When you are done with a pool, it can be freed with:<br>
<pre>
void dma_pool_destroy(struct dma_pool *pool);
</pre>
You should return all allocations to the pool before destroying it.<br>
<br>
Allocations are handled with <i>dma_pool_alloc</i>:<br>
<pre>
void *dma_pool_alloc(struct dma_pool *pool, int mem_flags,
                     dma_addr_t *handle);
</pre>
For this call, <font class="fixd">mem_flags</font> is the usual set of <font class="fixd">GFP_</font> allocation flags. If all goes well, a
region of memory (of the size specified when the pool was created) is allocated and<br>
<br>
<A name="448"></a><font color="blue">PAGE 448</font><br>
<br>
returned. As with <i>dma_alloc_coherent</i>, the address of the resulting DMA buffer is
returned as a kernel virtual address and stored in <font class="fixd">handle</font> as a bus address.<br>
<br>
Unneeded buffers should be returned to the pool with:<br>
<pre>
void dma_pool_free(struct dma_pool *pool, void *vaddr, dma_addr_t addr);
</pre>
<a name="SettingUpStreamingDMAMappings"></a><font color="red"><b>Setting up streaming DMA mappings</b></font><br>
<br>
Streaming mappings have a more complicated interface than the coherent variety, for
a number of reasons. These mappings expect to work with a buffer that has already
been allocated by the driver and, therefore, have to deal with addresses that they did
not choose. On some architectures, streaming mappings can also have multiple, discontiguous
pages and multipart "scatter/gather" buffers. For all of these reasons,
streaming mappings have their own set of mapping functions.<br>
<br>
When setting up a streaming mapping, you must tell the kernel in which direction
the data is moving. Some symbols (of type <font class="fixd">enum dma_data_direction</font>) have been
defined for this purpose:<br>
<br>
<font class="fixd">DMA_TO_DEVICE<br>
DMA_FROM_DEVICE</font><br>
<div class="bq">
These two symbols should be reasonably self-explanatory. If data is being sent to
the device (in response, perhaps, to a <i>write </i>system call), <font class="fixd">DMA_TO_DEVICE</font> should be
used; data going to the CPU, instead, is marked with <font class="fixd">DMA_FROM_DEVICE</font>.</div>
<br>
<font class="fixd">DMA_BIDIRECTIONAL</font><br>
<div class="bq">
If data can move in either direction, use <font class="fixd">DMA_BIDIRECTIONAL</font>.</div>
<br>
<font class="fixd">DMA_NONE</font><br>
<div class="bq">
This symbol is provided only as a debugging aid. Attempts to use buffers with
this "direction" cause a kernel panic.</div>
<br>
It may be tempting to just pick <font class="fixd">DMA_BIDIRECTIONAL</font> at all times, but driver authors
should resist that temptation. On some architectures, there is a performance penalty
to pay for that choice.<br>
<br>
When you have a single buffer to transfer, map it with <i>dma_map_single</i>:<br>
<pre>
dma_addr_t dma_map_single(struct device *dev, void *buffer, size_t size,
                          enum dma_data_direction direction);
</pre>
The return value is the bus address that you can pass to the device or <font class="fixd">NULL</font> if something
goes wrong.<br>
<br>
Once the transfer is complete, the mapping should be deleted with <i>dma_unmap_single</i>:<br>
<pre>
void dma_unmap_single(struct device *dev, dma_addr_t dma_addr, size_t size,
                      enum dma_data_direction direction);
</pre>
Here, the <font class="fixd">size</font> and <font class="fixd">direction</font> arguments must match those used to map the buffer.<br>
<br>
<A name="449"></a><font color="blue">PAGE 449</font><br>
<br>
Some important rules apply to streaming DMA mappings:<br>
<ul>
<li> The buffer must be used only for a transfer that matches the direction value given when it was mapped.
<li> Once a buffer has been mapped, it belongs to the device, not the processor. Until
the buffer has been unmapped, the driver should not touch its contents in any
way. Only after <i>dma_unmap_single </i>has been called is it safe for the driver to
access the contents of the buffer (with one exception that we see shortly).
Among other things, this rule implies that a buffer being written to a device cannot
be mapped until it contains all the data to write.
<li> The buffer must not be unmapped while DMA is still active, or serious system instability is guaranteed.
</ul>
You may be wondering why the driver can no longer work with a buffer once it has
been mapped. There are actually two reasons why this rule makes sense. First, when
a buffer is mapped for DMA, the kernel must ensure that all of the data in that buffer
has actually been written to memory. It is likely that some data is in the processor's
cache when <i>dma_unmap_single </i>is issued, and must be explicitly flushed. Data written
to the buffer by the processor after the flush may not be visible to the device.<br>
<br>
Second, consider what happens if the buffer to be mapped is in a region of memory
that is not accessible to the device. Some architectures simply fail in this case, but
others create a bounce buffer. The bounce buffer is just a separate region of memory
that <i>is </i>accessible to the device. If a buffer is mapped with a direction of <font class="fixd">DMA_TO_DEVICE,</font> 
and a bounce buffer is required, the contents of the original buffer are copied
as part of the mapping operation. Clearly, changes to the original buffer after the
copy are not seen by the device. Similarly, <font class="fixd">DMA_FROM_DEVICE</font> bounce buffers are copied
back to the original buffer by <i>dma_unmap_single</i>; the data from the device is not
present until that copy has been done.<br>
<br>
Incidentally, bounce buffers are one reason why it is important to get the direction
right. <font class="fixd">DMA_BIDIRECTIONAL</font> bounce buffers are copied both before and after the operation,
which is often an unnecessary waste of CPU cycles.<br>
<br>
Occasionally a driver needs to access the contents of a streaming DMA buffer without
unmapping it. A call has been provided to make this possible:<br>
<pre>
void dma_sync_single_for_cpu(struct device *dev, dma_handle_t bus_addr,
                             size_t size, enum dma_data_direction direction);
</pre>
This function should be called before the processor accesses a streaming DMA
buffer. Once the call has been made, the CPU "owns" the DMA buffer and can work
with it as needed. Before the device accesses the buffer, however, ownership should
be transferred back to it with:<br>
<pre>
void dma_sync_single_for_device(struct device *dev, dma_handle_t bus_addr,
                                size_t size, enum dma_data_direction direction);
</pre>
<A name="450"></a><font color="blue">PAGE 450</font><br>
<br>
The processor, once again, should not access the DMA buffer after this call has been
made.<br>
<br>
<a name="SinglepageStreamingMappings"></a><font color="red"><b>Single-page streaming mappings</b></font><br>
<br>
Occasionally, you may want to set up a mapping on a buffer for which you have a
<font class="fixd">struct page</font> pointer; this can happen, for example, with user-space buffers mapped
with <i>get_user_pages</i>. To set up and tear down streaming mappings using <font class="fixd">struct page</font>
pointers, use the following:<br>
<pre>
dma_addr_t dma_map_page(struct device *dev, struct page *page,
                        unsigned long offset, size_t size,
                        enum dma_data_direction direction);

void dma_unmap_page(struct device *dev, dma_addr_t dma_address,
                    size_t size, enum dma_data_direction direction);
</pre>
The <font class="fixd">offset</font> and <font class="fixd">size</font> arguments can be used to map part of a page. It is recommended,
however, that partial-page mappings be avoided unless you are really sure
of what you are doing. Mapping part of a page can lead to cache coherency problems
if the allocation covers only part of a cache line; that, in turn, can lead to memory
corruption and extremely difficult-to-debug bugs.<br>
<br>
<a name="ScattergatherMappings"></a><font color="red"><b>Scatter/gather mappings</b></font><br>
<br>
Scatter/gather mappings are a special type of streaming DMA mapping. Suppose you
have several buffers, all of which need to be transferred to or from the device. This
situation can come about in several ways, including from a <i>readv </i>or <i>writev </i>system
call, a clustered disk I/O request, or a list of pages in a mapped kernel I/O buffer.
You could simply map each buffer, in turn, and perform the required operation, but
there are advantages to mapping the whole list at once.<br>
<br>
Many devices can accept a <i>scatterlist </i>of array pointers and lengths, and transfer them
all in one DMA operation; for example, "zero-copy" networking is easier if packets
can be built in multiple pieces. Another reason to map scatterlists as a whole is to
take advantage of systems that have mapping registers in the bus hardware. On such
systems, physically discontiguous pages can be assembled into a single, contiguous
array from the device's point of view. This technique works only when the entries in
the scatterlist are equal to the page size in length (except the first and last), but when
it does work, it can turn multiple operations into a single DMA, and speed things up
accordingly.<br>
<br>
Finally, if a bounce buffer must be used, it makes sense to coalesce the entire list into
a single buffer (since it is being copied anyway).<br>
<br>
So now you're convinced that mapping of scatterlists is worthwhile in some situations.
The first step in mapping a scatterlist is to create and fill in an array of <font class="fixd">struct scatterlist</font>
describing the buffers to be transferred. This structure is architecture<br>
<br>
<A name="451"></a><font color="blue">PAGE 451</font><br>
<br>
dependent, and is described in <i>&lt;asm/scatterlist.h&gt;</i>. However, it always contains three
fields:<br>
<br>
<font class="fixd">struct page *page;</font><br>
<div class="bq">
The <font class="fixd">struct page</font> pointer corresponding to the buffer to be used in the scatter/gather
operation.</div>
<br>
<font class="fixd">unsigned int length;<br>
unsigned int offset;</font><br>
<div class="bq">
The length of that buffer and its offset within the page</div>
<br>
To map a scatter/gather DMA operation, your driver should set the <font class="fixd">page, offset,</font> and
<font class="fixd">length</font> fields in a <font class="fixd">struct scatterlist</font> entry for each buffer to be transferred. Then
call:<br>
<pre>
int dma_map_sg(struct device *dev, struct scatterlist *sg, int nents,
               enum dma_data_direction direction)
</pre>
where <font class="fixd">nents</font> is the number of scatterlist entries passed in. The return value is the
number of DMA buffers to transfer; it may be less than <font class="fixd">nents.</font><br>
<br>
For each buffer in the input scatterlist, <i>dma_map_sg </i>determines the proper bus
address to give to the device. As part of that task, it also coalesces buffers that are
adjacent to each other in memory. If the system your driver is running on has an I/O
memory management unit, <i>dma_map_sg </i>also programs that unit's mapping registers,
with the possible result that, from your device's point of view, you are able to
transfer a single, contiguous buffer. You will never know what the resulting transfer
will look like, however, until after the call.<br>
<br>
Your driver should transfer each buffer returned by <i>pci_map_sg</i>. The bus address and
length of each buffer are stored in the <font class="fixd">struct scatterlist</font> entries, but their location
in the structure varies from one architecture to the next. Two macros have been
defined to make it possible to write portable code:<br>
<br>
<font class="fixd">dma_addr_t sg_dma_address(struct scatterlist *sg);</font><br>
<div class="bq">
Returns the bus (DMA) address from this scatterlist entry.</div>
<br>
<font class="fixd">unsigned int sg_dma_len(struct scatterlist *sg);</font><br>
<div class="bq">
Returns the length of this buffer.</div>
<br>
Again, remember that the address and length of the buffers to transfer may be different
from what was passed in to <i>dma_map_sg</i>.<br>
<br>
Once the transfer is complete, a scatter/gather mapping is unmapped with a call to
<i>dma_unmap_sg</i>:<br>
<pre>
void dma_unmap_sg(struct device *dev, struct scatterlist *list,
                  int nents, enum dma_data_direction direction);
</pre>
Note that <font class="fixd">nents</font> must be the number of entries that you originally passed to <i>dma_map_sg
</i>and not the number of DMA buffers the function returned to you.<br>
<br>
<A name="452"></a><font color="blue">PAGE 452</font><br>
<br>
Scatter/gather mappings are streaming DMA mappings, and the same access rules
apply to them as to the single variety. If you must access a mapped scatter/gather list,
you must synchronize it first:<br>
<pre>
void dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
                         int nents, enum dma_data_direction direction);
void dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
                         int nents, enum dma_data_direction direction);
</pre>
<a name="PCIDoubleaddressCycleMappings"></a><font color="red"><b>PCI double-address cycle mappings</b></font><br>
<br>
Normally, the DMA support layer works with 32-bit bus addresses, possibly
restricted by a specific device's DMA mask. The PCI bus, however, also supports a
64-bit addressing mode, the <i>double-address cycle </i>(DAC). The generic DMA layer
does not support this mode for a couple of reasons, the first of which being that it is
a PCI-specific feature. Also, many implementations of DAC are buggy at best, and,
because DAC is slower than a regular, 32-bit DMA, there can be a performance cost.
Even so, there are applications where using DAC can be the right thing to do; if you
have a device that is likely to be working with very large buffers placed in high memory,
you may want to consider implementing DAC support. This support is available
only for the PCI bus, so PCI-specific routines must be used.<br>
<br>
To use DAC, your driver must include <i>&lt;linux/pci.h&gt;</i>. You must set a separate DMA
mask:<br>
<pre>
int pci_dac_set_dma_mask(struct pci_dev *pdev, u64 mask);
</pre>
You can use DAC addressing only if this call returns 0.<br>
<br>
A special type (dma64_addr_t) is used for DAC mappings. To establish one of these
mappings, call <i>pci_dac_page_to_dma</i>:<br>
<pre>
dma64_addr_t pci_dac_page_to_dma(struct pci_dev *pdev, struct page *page,
                                 unsigned long offset, int direction);
</pre>
DAC mappings, you will notice, can be made only from <font class="fixd">struct page</font> pointers (they
should live in high memory, after all, or there is no point in using them); they
must be created a single page at a time. The <font class="fixd">direction</font> argument is the PCI equivalent
of the <font class="fixd">enum dma_data_direction</font> used in the generic DMA layer; it should be
<font class="fixd">PCI_DMA_TODEVICE, PCI_DMA_FROMDEVICE,</font> or <font class="fixd">PCI_DMA_BIDIRECTIONAL</font>.<br>
<br>
DAC mappings require no external resources, so there is no need to explicitly release
them after use. It is necessary, however, to treat DAC mappings like other streaming
mappings, and observe the rules regarding buffer ownership. There is a set of functions
for synchronizing DMA buffers that is analogous to the generic variety:<br>
<pre>
void pci_dac_dma_sync_single_for_cpu(struct pci_dev *pdev,
                                     dma64_addr_t dma_addr,
                                     size_t len,
                                     int direction);
</pre>
<A name="453"></a><font color="blue">PAGE 453</font><br>
<pre>
void pci_dac_dma_sync_single_for_device(struct pci_dev *pdev,
                                        dma64_addr_t dma_addr,
                                        size_t len,
                                        int direction);
</pre>
<a name="ASimplePCIDMAExample"></a><font color="red"><b>A simple PCI DMA example</b></font><br>
<br>
As an example of how the DMA mappings might be used, we present a simple example
of DMA coding for a PCI device. The actual form of DMA operations on the PCI
bus is very dependent on the device being driven. Thus, this example does not apply
to any real device; instead, it is part of a hypothetical driver called <i>dad </i>(DMA Acquisition
Device). A driver for this device might define a transfer function like this:<br>
<pre>
int dad_transfer(struct dad_dev *dev, int write, void *buffer,
                 size_t count)
{
    dma_addr_t bus_addr;

    /* Map the buffer for DMA */
    dev-&gt;dma_dir = (write ? DMA_TO_DEVICE : DMA_FROM_DEVICE);
    dev-&gt;dma_size = count;
    bus_addr = dma_map_single(&amp;dev-&gt;pci_dev-&gt;dev, buffer, count,
                              dev-&gt;dma_dir);
    dev-&gt;dma_addr = bus_addr;

    /* Set up the device */

    writeb(dev-&gt;registers.command, DAD_CMD_DISABLEDMA);
    writeb(dev-&gt;registers.command, write ? <font class="fixd">DAD_CMD_WR</font> : DAD_CMD_RD);
    writel(dev-&gt;registers.addr, cpu_to_le32(bus_addr));
    writel(dev-&gt;registers.len, cpu_to_le32(count));

    /* Start the operation */
    writeb(dev-&gt;registers.command, DAD_CMD_ENABLEDMA);
    return 0;
}
</pre>
This function maps the buffer to be transferred and starts the device operation. The
other half of the job must be done in the interrupt service routine, which looks something
like this:<br>
<pre>
void dad_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    struct dad_dev *dev = (struct dad_dev *) dev_id;

    /* Make sure it's really our device interrupting */

    /* Unmap the DMA buffer */
    dma_unmap_single(dev-&gt;pci_dev-&gt;dev, dev-&gt;dma_addr,
                     dev-&gt;dma_size, dev-&gt;dma_dir);

    /* Only now is it safe to access the buffer, copy to user, etc. */
    ...
}
</pre>
<A name="454"></a><font color="blue">PAGE 454</font><br>
<br>
Obviously, a great deal of detail has been left out of this example, including whatever
steps may be required to prevent attempts to start multiple, simultaneous DMA
operations.<br>
<br>
<a name="DMAForISADevices"></a><font color="red"><b>DMA for ISA Devices</b></font><br>
<br>
The ISA bus allows for two kinds of DMA transfers: native DMA and ISA bus master
DMA. Native DMA uses standard DMA-controller circuitry on the motherboard
to drive the signal lines on the ISA bus. ISA bus master DMA, on the other hand, is
handled entirely by the peripheral device. The latter type of DMA is rarely used and
doesn't require discussion here, because it is similar to DMA for PCI devices, at least
from the driver's point of view. An example of an ISA bus master is the 1542 SCSI
controller, whose driver is <i>drivers/scsi/aha1542.c</i> in the kernel sources.<br>
<br>
As far as native DMA is concerned, there are three entities involved in a DMA data
transfer on the ISA bus:<br>
<br>
<i>The 8237 DMA controller (DMAC)</i><br>
<div class="bq">
The controller holds information about the DMA transfer, such as the direction,
the memory address, and the size of the transfer. It also contains a counter that
tracks the status of ongoing transfers. When the controller receives a DMA
request signal, it gains control of the bus and drives the signal lines so that the
device can read or write its data.</div>
<br>
<i>The peripheral device</i><br>
<div class="bq">
The device must activate the DMA request signal when it's ready to transfer
data. The actual transfer is managed by the DMAC; the hardware device sequentially
reads or writes data onto the bus when the controller strobes the device.
The device usually raises an interrupt when the transfer is over.</div>
<br>
<i>The device driver</i><br>
<div class="bq">
The driver has little to do; it provides the DMA controller with the direction, bus
address, and size of the transfer. It also talks to its peripheral to prepare it for
transferring the data and responds to the interrupt when the DMA is over.</div>
<br>
The original DMA controller used in the PC could manage four "channels," each
associated with one set of DMA registers. Four devices could store their DMA information
in the controller at the same time. Newer PCs contain the equivalent of two
DMAC devices:* the second controller (master) is connected to the system processor,
and the first (slave) is connected to channel 0 of the second controller.&#134;<br>
<br>
* These circuits are now part of the motherboard's chipset, but a few years ago they were two separate 8237 chips.<br>
<br>
&#134; The original PCs had only one controller; the second was added in 286-based platforms. However, 
the second controller is connected as the master because it handles 16-bit transfers; the first transfers 
only eight bits at a time and is there for backward compatibility.<br>
<br>
<A name="455"></a><font color="blue">PAGE 455</font><br>
<br>
The channels are numbered from 0-7: channel 4 is not available to ISA peripherals,
because it is used internally to cascade the slave controller onto the master. The
available channels are, thus, 0-3 on the slave (the 8-bit channels) and 5-7 on the
master (the 16-bit channels). The size of any DMA transfer, as stored in the controller,
is a 16-bit number representing the number of bus cycles. The maximum transfer
size is, therefore, 64 KB for the slave controller (because it transfers eight bits in
one cycle) and 128 KB for the master (which does 16-bit transfers).<br>
<br>
Because the DMA controller is a system-wide resource, the kernel helps deal with it.
It uses a DMA registry to provide a request-and-free mechanism for the DMA channels
and a set of functions to configure channel information in the DMA controller.<br>
<br>
<a name="RegisteringDMAUsage"></a><font color="red"><b>Registering DMA usage</b></font><br>
<br>
You should be used to kernel registries--we've already seen them for I/O ports and
interrupt lines. The DMA channel registry is similar to the others. After <i>&lt;asm/dma.h&gt;
</i>has been included, the following functions can be used to obtain and release ownership
of a DMA channel:<br>
<pre>
int request_dma(unsigned int channel, const char *name);
void free_dma(unsigned int channel);
</pre>
The <font class="fixd">channel</font> argument is a number between 0 and 7 or, more precisely, a positive
number less than <font class="fixd">MAX_DMA_CHANNELS</font>. On the PC, <font class="fixd">MAX_DMA_CHANNELS</font> is defined as 8 to
match the hardware. The <font class="fixd">name</font> argument is a string identifying the device. The specified
name appears in the file <i>/proc/dma</i>, which can be read by user programs.<br>
<br>
The return value from <i>request_dma </i>is 0 for success and <font class="fixd">-EINVAL</font> or <font class="fixd">-EBUSY</font> if there was
an error. The former means that the requested channel is out of range, and the latter
means that another device is holding the channel.<br>
<br>
We recommend that you take the same care with DMA channels as with I/O ports
and interrupt lines; requesting the channel at <i>open </i>time is much better than requesting
it from the module initialization function. Delaying the request allows some sharing
between drivers; for example, your sound card and your analog I/O interface can
share the DMA channel as long as they are not used at the same time.<br>
<br>
We also suggest that you request the DMA channel <i>after </i>you've requested the interrupt
line and that you release it <i>before </i>the interrupt. This is the conventional order
for requesting the two resources; following the convention avoids possible deadlocks.
Note that every device using DMA needs an IRQ line as well; otherwise, it
couldn't signal the completion of data transfer.<br>
<br>
In a typical case, the code for <i>open </i>looks like the following, which refers to our hypothetical
<i>dad </i>module. The <i>dad </i>device as shown uses a fast interrupt handler without
support for shared IRQ lines.<br>
<pre>
int dad_open (struct inode *inode, struct file *filp)
{
    struct dad_device *my_device;
</pre>
<A name="456"></a><font color="blue">PAGE 456</font><br>
<pre>
    /* ... */
    if ( (error = request_irq(my_device.irq, dad_interrupt,
                              SA_INTERRUPT, &quot;dad&quot;, NULL)) )
        return error; /* or implement blocking open */

    if ( (error = request_dma(my_device.dma, &quot;dad&quot;)) ) {
        free_irq(my_device.irq, NULL);
        return error; /* or implement blocking open */
    }
    /* ... */
    return 0;
}
</pre>
The <i>close</i> implementation that matches the <i>open</i> just shown looks like this:<br>
<pre>
void dad_close (struct inode *inode, struct file *filp)
{
    struct dad_device *my_device;

    /* ... */
    free_dma(my_device.dma);
    free_irq(my_device.irq, NULL);
    /* ... */
}
</pre>
Here's how the <i>/proc/dma</i> file looks on a system with the sound card installed:<br>
<pre>
merlino% <b>cat /proc/dma
</b> 1: Sound Blaster8
 4: cascade
</pre>
It's interesting to note that the default sound driver gets the DMA channel at system
boot and never releases it. The <font class="fixd">cascade</font> entry is a placeholder, indicating that channel
4 is not available to drivers, as explained earlier.<br>
<br>
<a name="TalkingToTheDMAController"></a><font color="red"><b>Talking to the DMA controller</b></font><br>
<br>
After registration, the main part of the driver's job consists of configuring the DMA
controller for proper operation. This task is not trivial, but fortunately, the kernel
exports all the functions needed by the typical driver.<br>
<br>
The driver needs to configure the DMA controller either when <i>read </i>or <i>write </i>is called,
or when preparing for asynchronous transfers. This latter task is performed either at
<i>open </i>time or in response to an <i>ioctl </i>command, depending on the driver and the policy
it implements. The code shown here is the code that is typically called by the <i>read
</i>or <i>write</i> device methods.<br>
<br>
This subsection provides a quick overview of the internals of the DMA controller so
you understand the code introduced here. If you want to learn more, we'd urge you
to read <i>&lt;asm/dma.h&gt; </i>and some hardware manuals describing the PC architecture. In<br>
<br>
<A name="457"></a><font color="blue">PAGE 457</font><br>
<br>
particular, we don't deal with the issue of 8-bit versus 16-bit data transfers. If you are
writing device drivers for ISA device boards, you should find the relevant information
in the hardware manuals for the devices.<br>
<br>
The DMA controller is a shared resource, and confusion could arise if more than one
processor attempts to program it simultaneously. For that reason, the controller is
protected by a spinlock, called <font class="fixd">dma_spin_lock</font>. Drivers should not manipulate the
lock directly; however, two functions have been provided to do that for you:<br>
<br>
<font class="fixd">unsigned long claim_dma_lock( );</font><br>
<div class="bq">
Acquires the DMA spinlock. This function also blocks interrupts on the local
processor; therefore, the return value is a set of flags describing the previous
interrupt state; it must be passed to the following function to restore the interrupt
state when you are done with the lock.</div>
<br>
<font class="fixd">void release_dma_lock(unsigned long flags);</font><br>
<div class="bq">
Returns the DMA spinlock and restores the previous interrupt status.</div>
<br>
The spinlock should be held when using the functions described next. It should <i>not
</i>be held during the actual I/O, however. A driver should never sleep when holding a
spinlock.<br>
<br>
The information that must be loaded into the controller consists of three items: the
RAM address, the number of atomic items that must be transferred (in bytes or
words), and the direction of the transfer. To this end, the following functions are
exported by <i>&lt;asm/dma.h&gt;</i>:<br>
<br>
<font class="fixd">void set_dma_mode(unsigned int channel, char mode);</font><br>
<div class="bq">
Indicates whether the channel must read from the device (<font class="fixd">DMA_MODE_READ</font>) or
write to it (<font class="fixd">DMA_MODE_WRITE</font>). A third mode exists, <font class="fixd">DMA_MODE_CASCADE,</font> which is
used to release control of the bus. Cascading is the way the first controller is connected
to the top of the second, but it can also be used by true ISA bus-master
devices. We won't discuss bus mastering here.</div>
<br>
<font class="fixd">void set_dma_addr(unsigned int channel, unsigned int addr);</font><br>
<div class="bq">
Assigns the address of the DMA buffer. The function stores the 24 least significant
bits of addr in the controller. The <font class="fixd">addr</font> argument must be a <i>bus </i>address (see
the section "Bus Addresses" earlier in this chapter).</div>
<br>
<font class="fixd">void set_dma_count(unsigned int channel, unsigned int count);</font><br>
<div class="bq">
Assigns the number of bytes to transfer. The <font class="fixd">count</font> argument represents bytes for
16-bit channels as well; in this case, the number <i>must</i> be even.</div>
<br>
<A name="458"></a><font color="blue">PAGE 458</font><br>
<br>
In addition to these functions, there are a number of housekeeping facilities that
must be used when dealing with DMA devices:<br>
<br>
<font class="fixd">void disable_dma(unsigned int channel);</font><br>
<div class="bq">
A DMA channel can be disabled within the controller. The channel should be
disabled before the controller is configured to prevent improper operation. (Otherwise,
corruption can occur because the controller is programmed via 8-bit data
transfers and, therefore, none of the previous functions is executed atomically).</div>
<br>
<font class="fixd">void enable_dma(unsigned int channel);</font><br>
<div class="bq">
This function tells the controller that the DMA channel contains valid data.</div>
<br>
<font class="fixd">int get_dma_residue(unsigned int channel);</font><br>
<div class="bq">
The driver sometimes needs to know whether a DMA transfer has been completed.
This function returns the number of bytes that are still to be transferred.
The return value is 0 after a successful transfer and is unpredictable (but not 0)
while the controller is working. The unpredictability springs from the need to
obtain the 16-bit residue through two 8-bit input operations.</div>
<br>
<font class="fixd">void clear_dma_ff(unsigned int channel)</font><br>
<div class="bq">
This function clears the DMA flip-flop. The flip-flop is used to control access to
16-bit registers. The registers are accessed by two consecutive 8-bit operations,
and the flip-flop is used to select the least significant byte (when it is clear) or the
most significant byte (when it is set). The flip-flop automatically toggles when
eight bits have been transferred; the programmer must clear the flip-flop (to set
it to a known state) before accessing the DMA registers.</div>
<br>
Using these functions, a driver can implement a function like the following to prepare
for a DMA transfer:<br>
<pre>
int dad_dma_prepare(int channel, int mode, unsigned int buf,
                    unsigned int count)
{
    unsigned long flags;

    flags = claim_dma_lock( );
    disable_dma(channel);
    clear_dma_ff(channel);
    set_dma_mode(channel, mode);
    set_dma_addr(channel, virt_to_bus(buf));
    set_dma_count(channel, count);
    enable_dma(channel);
    release_dma_lock(flags);

    return 0;
}
</pre>
Then, a function like the next one is used to check for successful completion of
DMA:<br>
<pre>
int dad_dma_isdone(int channel)
{
</pre>
<A name="459"></a><font color="blue">PAGE 459</font><br>
<pre>
    int residue;
    unsigned long flags = claim_dma_lock ( );
    residue = get_dma_residue(channel);
    release_dma_lock(flags);
    return (residue = = 0);
}
</pre>
The only thing that remains to be done is to configure the device board. This device-specific
task usually consists of reading or writing a few I/O ports. Devices differ in
significant ways. For example, some devices expect the programmer to tell the hardware
how big the DMA buffer is, and sometimes the driver has to read a value that is
hardwired into the device. For configuring the board, the hardware manual is your
only friend.<br>
<br>
<a name="QuickReference15"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This chapter introduced the following symbols related to memory handling.<br>
<br>
<a name="IntroductoryMaterial"></a><font color="red"><b>Introductory Material</b></font><br>
<br>
<font class="fixd">#include &lt;linux/mm.h&gt;<br>
#include &lt;asm/page.h&gt;</font><br>
<div class="bq">
Most of the functions and structures related to memory management are prototyped
and defined in these header files.</div>
<br>
<font class="fixd">void *__va(unsigned long physaddr);<br>
unsigned long __pa(void *kaddr);</font><br>
<div class="bq">
Macros that convert between kernel logical addresses and physical addresses.</div>
<br>
<font class="fixd">PAGE_SIZE<br>
PAGE_SHIFT</font><br>
<div class="bq">
Constants that give the size (in bytes) of a page on the underlying hardware and
the number of bits that a page frame number must be shifted to turn it into a
physical address.</div>
<br>
<font class="fixd">struct page</font><br>
<div class="bq">
Structure that represents a hardware page in the system memory map.</div>
<br>
<font class="fixd">struct page *virt_to_page(void *kaddr);<br>
void *page_address(struct page *page);<br>
struct page *pfn_to_page(int pfn);</font><br>
<div class="bq">
Macros that convert between kernel logical addresses and their associated memory
map entries. <i>page_address </i>works only for low-memory pages or high-memory
pages that have been explicitly mapped. <i>pfn_to_page </i>converts a page frame number
to its associated <font class="fixd">struct page</font> pointer.</div>
<br>
<A name="460"></a><font color="blue">PAGE 460</font><br>
<br>
<font class="fixd">unsigned long kmap(struct page *page);<br>
void kunmap(struct page *page);</font><br>
<div class="bq">
<i>kmap </i>returns a kernel virtual address that is mapped to the given page, creating
the mapping if need be. <i>kunmap</i> deletes the mapping for the given page.</div>
<br>
<font class="fixd">#include &lt;linux/highmem.h&gt;<br>
#include &lt;asm/kmap_types.h&gt;<br>
void *kmap_atomic(struct page *page, enum km_type type);<br>
void kunmap_atomic(void *addr, enum km_type type);</font><br>
<div class="bq">
The high-performance version of <i>kmap</i>; the resulting mappings can be held only by
atomic code. For drivers, type should be <font class="fixd">KM_USER0, KM_USER1, KM_IRQ0,</font> or <font class="fixd">KM_IRQ1.</font></div>
<br>
<font class="fixd">struct vm_area_struct;</font><br>
<div class="bq">
Structure describing a VMA.</div>
<br>
<a name="ImplementingMmap"></a><font color="red"><b>Implementing mmap</b></font><br>
<br>
<font class="fixd">int remap_pfn_range(struct vm_area_struct *vma, unsigned long virt_add, unsigned long pfn, unsigned long size, pgprot_t prot);<br>
int io_remap_page_range(struct vm_area_struct *vma, unsigned long virt_add, unsigned long phys_add, unsigned long size, pgprot_t prot);</font><br>
<div class="bq">
Functions that sit at the heart of <i>mmap</i>. They map <font class="fixd">size</font> bytes of physical
addresses, starting at the page number indicated by <font class="fixd">pfn</font> to the virtual address
<font class="fixd">virt_add</font>. The protection bits associated with the virtual space are specified in
prot. <i>io_remap_page_range </i>should be used when the target address is in I/O
memory space.</div>
<br>
<font class="fixd">struct page *vmalloc_to_page(void *vmaddr);</font><br>
<div class="bq">
Converts a kernel virtual address obtained from <i>vmalloc </i>to its corresponding
<font class="fixd">struct page</font> pointer.</div>
<br>
<a name="ImplementingDirectIO"></a><font color="red"><b>Implementing Direct I/O</b></font><br>
<br>
<font class="fixd">int get_user_pages(struct task_struct *tsk, struct mm_struct *mm, unsigned long start, int len, int write, int force, struct page **pages, struct vm_area_struct **vmas);</font><br>
<div class="bq">
Function that locks a user-space buffer into memory and returns the corresponding
<font class="fixd">struct page</font> pointers. The caller must hold <font class="fixd">mm-&gt;mmap_sem.</font></div>
<br>
<font class="fixd">SetPageDirty(struct page *page);</font><br>
<div class="bq">
Macro that marks the given page as "dirty" (modified) and in need of writing to
its backing store before it can be freed.</div>
<br>
<font class="fixd">void page_cache_release(struct page *page);</font><br>
<div class="bq">
Frees the given page from the page cache.</div>
<br>
<A name="461"></a><font color="blue">PAGE 461</font><br>
<br>
<font class="fixd">int is_sync_kiocb(struct kiocb *iocb);</font><br>
<div class="bq">
Macro that returns nonzero if the given IOCB requires synchronous execution.</div>
<br>
<font class="fixd">int aio_complete(struct kiocb *iocb, long res, long res2);</font><br>
<div class="bq">
Function that indicates completion of an asynchronous I/O operation.</div>
<br>
<a name="DirectMemoryAccess2"></a><font color="red"><b>Direct Memory Access</b></font><br>
<br>
<font class="fixd">#include &lt;asm/io.h&gt;<br>
unsigned long virt_to_bus(volatile void * address);<br>
void * bus_to_virt(unsigned long address);</font><br>
<div class="bq">
Obsolete and deprecated functions that convert between kernel, virtual, and bus
addresses. Bus addresses must be used to talk to peripheral devices.</div>
<br>
<font class="fixd">#include &lt;linux/dma-mapping.h&gt;</font><br>
<div class="bq">
Header file required to define the generic DMA functions.</div>
<br>
<font class="fixd">int dma_set_mask(struct device *dev, u64 mask);</font><br>
<div class="bq">
For peripherals that cannot address the full 32-bit range, this function informs
the kernel of the addressable range and returns nonzero if DMA is possible.</div>
<br>
<font class="fixd">void *dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *bus_addr, int flag)<br>
void dma_free_coherent(struct device *dev, size_t size, void *cpuaddr, dma_handle_t bus_addr);</font><br>
<div class="bq">
Allocate and free coherent DMA mappings for a buffer that will last the lifetime
of the driver.</div>
<br>
<font class="fixd">#include &lt;linux/dmapool.h&gt;<br>
struct dma_pool *dma_pool_create(const char *name, struct device *dev, size_t size, size_t align, size_t allocation);<br>
void dma_pool_destroy(struct dma_pool *pool);<br>
void *dma_pool_alloc(struct dma_pool *pool, int mem_flags, dma_addr_t *handle);<br>
void dma_pool_free(struct dma_pool *pool, void *vaddr, dma_addr_t handle);</font><br>
<div class="bq">
Functions that create, destroy, and use DMA pools to manage small DMA areas.</div>
<br>
<font class="fixd">enum dma_data_direction;<br>
DMA_TO_DEVICE<br>
DMA_FROM_DEVICE<br>
DMA_BIDIRECTIONAL<br>
DMA_NONE</font><br>
<div class="bq">
Symbols used to tell the streaming mapping functions the direction in which
data is moving to or from the buffer.</div>
<br>
<A name="462"></a><font color="blue">PAGE 462</font><br>
<br>
<font class="fixd">dma_addr_t dma_map_single(struct device *dev, void *buffer, size_t size, enum dma_data_direction direction);<br>
void dma_unmap_single(struct device *dev, dma_addr_t bus_addr, size_t size, enum dma_data_direction direction);</font><br>
<div class="bq">
Create and destroy a single-use, streaming DMA mapping.</div>
<br>
<font class="fixd">void dma_sync_single_for_cpu(struct device *dev, dma_handle_t bus_addr, size_t size, enum dma_data_direction direction);<br>
void dma_sync_single_for_device(struct device *dev, dma_handle_t bus_addr, size_t size, enum dma_data_direction direction);</font><br>
<div class="bq">
Synchronizes a buffer that has a streaming mapping. These functions must be
used if the processor must access a buffer while the streaming mapping is in
place (i.e., while the device owns the buffer).</div>
<br>
<font class="fixd">#include &lt;asm/scatterlist.h&gt;<br>
struct scatterlist { /* ... */ };<br>
dma_addr_t sg_dma_address(struct scatterlist *sg);<br>
unsigned int sg_dma_len(struct scatterlist *sg);</font><br>
<div class="bq">
The <font class="fixd">scatterlist</font> structure describes an I/O operation that involves more than
one buffer. The macros <i>sg_dma_address </i>and <i>sg_dma_len </i>may be used to extract
bus addresses and buffer lengths to pass to the device when implementing scatter/gather
operations.</div>
<br>
<font class="fixd">dma_map_sg(struct device *dev, struct scatterlist *list, int nents, enum dma_data_direction direction);<br>
dma_unmap_sg(struct device *dev, struct scatterlist *list, int nents, enum dma_data_direction direction);<br>
void dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg, int nents, enum dma_data_direction direction);<br>
void dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg, int nents, enum dma_data_direction direction);</font><br>
<div class="bq">
<i>dma_map_sg </i>maps a scatter/gather operation, and <i>dma_unmap_sg </i>undoes
that mapping. If the buffers must be accessed while the mapping is active,
<i>dma_sync_sg_*</i> may be used to synchronize things.</div>
<br>
<font class="fixd">/proc/dma</font><br>
<div class="bq">
File that contains a textual snapshot of the allocated channels in the DMA controllers.
PCI-based DMA is not shown because each board works independently,
without the need to allocate a channel in the DMA controller.</div>
<br>
<font class="fixd">#include &lt;asm/dma.h&gt;</font><br>
<div class="bq">
Header that defines or prototypes all the functions and macros related to DMA.
It must be included to use any of the following symbols.</div>
<br>
<A name="463"></a><font color="blue">PAGE 463</font><br>
<br>
<font class="fixd">int request_dma(unsigned int channel, const char *name);<br>
void free_dma(unsigned int channel);</font><br>
<div class="bq">
Access the DMA registry. Registration must be performed before using ISA DMA
channels.</div>
<br>
<font class="fixd">unsigned long claim_dma_lock( );<br>
void release_dma_lock(unsigned long flags);</font><br>
<div class="bq">
Acquire and release the DMA spinlock, which must be held prior to calling the
other ISA DMA functions described later in this list. They also disable and reenable
interrupts on the local processor.</div>
<br>
<font class="fixd">void set_dma_mode(unsigned int channel, char mode);<br>
void set_dma_addr(unsigned int channel, unsigned int addr);<br>
void set_dma_count(unsigned int channel, unsigned int count);</font><br>
<div class="bq">
Program DMA information in the DMA controller. addr is a bus address.</div>
<br>
<font class="fixd">void disable_dma(unsigned int channel);<br>
void enable_dma(unsigned int channel);</font><br>
<div class="bq">
A DMA channel must be disabled during configuration. These functions change
the status of the DMA channel.</div>
<br>
<font class="fixd">int get_dma_residue(unsigned int channel);</font><br>
<div class="bq">
If the driver needs to know how a DMA transfer is proceeding, it can call this
function, which returns the number of data transfers that are yet to be completed.
After successful completion of DMA, the function returns 0; the value is
unpredictable while data is being transferred.</div>
<br>
<font class="fixd">void clear_dma_ff(unsigned int channel)</font><br>
<div class="bq">
The DMA flip-flop is used by the controller to transfer 16-bit values by means of
two 8-bit operations. It must be cleared before sending any data to the controller.</div>
<br>
<A name="464"></a><font color="blue">PAGE 464</font><br>
<br>
<a name="CHAPTER16"></a><font color="red"><b>CHAPTER 16</b></font><br>
<br>
<a name="BlockDrivers"></a><font color="#7519FF" size="+1"><b>Block Drivers</b></font><br>
<br>
So far, our discussion has been limited to char drivers. There are other types of drivers
in Linux systems, however, and the time has come for us to widen our focus
somewhat. Accordingly, this chapter discusses block drivers.<br>
<br>
A block driver provides access to devices that transfer randomly accessible data in
fixed-size blocks--disk drives, primarily. The Linux kernel sees block devices as
being fundamentally different from char devices; as a result, block drivers have a distinct
interface and their own particular challenges.<br>
<br>
Efficient block drivers are critical for performance--and not just for explicit reads
and writes in user applications. Modern systems with virtual memory work by shifting
(hopefully) unneeded data to secondary storage, which is usually a disk drive.
Block drivers are the conduit between core memory and secondary storage; therefore,
they can be seen as making up part of the virtual memory subsystem. While it is
possible to write a block driver without knowing about <font class="fixd">struct page</font> and other important
memory concepts, anybody needing to write a high-performance driver has to
draw upon the material covered in Chapter 15.<br>
<br>
Much of the design of the block layer is centered on performance. Many char devices
can run below their maximum speed, and the performance of the system as a whole
is not affected. The system cannot run well, however, if its block I/O subsystem is
not well-tuned. The Linux block driver interface allows you to get the most out of a
block device but imposes, necessarily, a degree of complexity that you must deal
with. Happily, the 2.6 block interface is much improved over what was found in
older kernels.<br>
<br>
The discussion in this chapter is, as one would expect, centered on an example driver
that implements a block-oriented, memory-based device. It is, essentially, a ramdisk.
The kernel already contains a far superior ramdisk implementation, but our driver
(called <i>sbull</i>) lets us demonstrate the creation of a block driver while minimizing
unrelated complexity.<br>
<br>
<A name="465"></a><font color="blue">PAGE 465</font><br>
<br>
Before getting into the details, let's define a couple of terms precisely. A <i>block </i>is a
fixed-size chunk of data, the size being determined by the kernel. Blocks are often
4096 bytes, but that value can vary depending on the architecture and the exact filesystem
being used. A <i>sector</i>, in contrast, is a small block whose size is usually determined
by the underlying hardware. The kernel expects to be dealing with devices
that implement 512-byte sectors. If your device uses a different size, the kernel
adapts and avoids generating I/O requests that the hardware cannot handle. It is
worth keeping in mind, however, that any time the kernel presents you with a sector
number, it is working in a world of 512-byte sectors. If you are using a different
hardware sector size, you have to scale the kernel's sector numbers accordingly. We
see how that is done in the <i>sbull</i> driver.<br>
<br>
<a name="Registration"></a><font color="red"><b>Registration</b></font><br>
<br>
Block drivers, like char drivers, must use a set of registration interfaces to make their
devices available to the kernel. The concepts are similar, but the details of block
device registration are all different. You have a whole new set of data structures and
device operations to learn.<br>
<br>
<a name="BlockDriverRegistration"></a><font color="red"><b>Block Driver Registration</b></font><br>
<br>
The first step taken by most block drivers is to register themselves with the kernel.
The function for this task is <i>register_blkdev</i> (which is declared in <i>&lt;linux/fs.h&gt;</i>):<br>
<pre>
int register_blkdev(unsigned int major, const char *name);
</pre>
The arguments are the major number that your device will be using and the associated
name (which the kernel will display in <i>/proc/devices</i>). If <font class="fixd">major</font> is passed as 0, the
kernel allocates a new major number and returns it to the caller. As always, a negative
return value from <i>register_blkdev</i> indicates that an error has occurred.<br>
<br>
The corresponding function for canceling a block driver registration is:<br>
<pre>
int unregister_blkdev(unsigned int major, const char *name);
</pre>
Here, the arguments must match those passed to <i>register_blkdev</i>, or the function
returns <font class="fixd">-EINVAL</font> and not unregister anything.<br>
<br>
In the 2.6 kernel, the call to <i>register_blkdev </i>is entirely optional. The functions performed
by <i>register_blkdev </i>have been decreasing over time; the only tasks performed
by this call at this point are (1) allocating a dynamic major number if requested, and
(2) creating an entry in <i>/proc/devices</i>. In future kernels, <i>register_blkdev </i>may be
removed altogether. Meanwhile, however, most drivers still call it; it's traditional.<br>
<br>
<A name="466"></a><font color="blue">PAGE 466</font><br>
<br>
<a name="DiskRegistration"></a><font color="red"><b>Disk Registration</b></font><br>
<br>
While <i>register_blkdev </i>can be used to obtain a major number, it does not make any
disk drives available to the system. There is a separate registration interface that you
must use to manage individual drives. Using this interface requires familiarity with a
pair of new structures, so that is where we start.<br>
<br>
<a name="BlockDeviceOperations"></a><font color="red"><b>Block device operations</b></font><br>
<br>
Char devices make their operations available to the system by way of the <font class="fixd">file_operations</font> 
structure. A similar structure is used with block devices; it is <font class="fixd">struct block_device_operations,</font>
which is declared in <i>&lt;linux/fs.h&gt;</i>. The following is a brief
overview of the fields found in this structure; we revisit them in more detail when we
get into the details of the <i>sbull</i> driver:<br>
<br>
<font class="fixd">int (*open)(struct inode *inode, struct file *filp);<br>
int (*release)(struct inode *inode, struct file *filp);</font><br>
<div class="bq">
Functions that work just like their char driver equivalents; they are called whenever
the device is opened and closed. A block driver might respond to an open
call by spinning up the device, locking the door (for removable media), etc. If
you lock media into the device, you should certainly unlock it in the <i>release
</i>method.</div>
<br>
<font class="fixd">int (*ioctl)(struct inode *inode, struct file *filp, unsigned int cmd, unsigned long arg);</font><br>
<div class="bq">
Method that implements the <i>ioctl </i>system call. The block layer first intercepts a
large number of standard requests, however; so most block driver <i>ioctl </i>methods
are fairly short.</div>
<br>
<font class="fixd">int (*media_changed) (struct gendisk *gd);</font><br>
<div class="bq">
Method called by the kernel to check whether the user has changed the media in
the drive, returning a nonzero value if so. Obviously, this method is only applicable
to drives that support removable media (and that are smart enough to
make a "media changed" flag available to the driver); it can be omitted in other
cases.<br>
<br>
The <font class="fixd">struct gendisk</font> argument is how the kernel represents a single disk; we will
be looking at that structure in the next section.</div>
<br>
<font class="fixd">int (*revalidate_disk) (struct gendisk *gd);</font><br>
<div class="bq">
The <i>revalidate_disk </i>method is called in response to a media change; it gives the
driver a chance to perform whatever work is required to make the new media
ready for use. The function returns an <font class="fixd">int</font> value, but that value is ignored by the
kernel.</div>
<br>
<font class="fixd">struct module *owner;</font><br>
<div class="bq">
A pointer to the module that owns this structure; it should usually be initialized
to <font class="fixd">THIS_MODULE</font>.</div>
<br>
<A name="467"></a><font color="blue">PAGE 467</font><br>
<br>
Attentive readers may have noticed an interesting omission from this list: there are
no functions that actually read or write data. In the block I/O subsystem, these operations
are handled by the <i>request </i>function, which deserves a large section of its own
and is discussed later in the chapter. Before we can talk about servicing requests, we
must complete our discussion of disk registration.<br>
<br>
<a name="TheGendiskStructure"></a><font color="red"><b>The gendisk structure</b></font><br>
<br>
<font class="fixd">struct gendisk</font> (declared in <i>&lt;linux/genhd.h&gt;</i>) is the kernel's representation of an individual
disk device. In fact, the kernel also uses <font class="fixd">gendisk</font> structures to represent partitions,
but driver authors need not be aware of that. There are several fields in struct
gendisk that must be initialized by a block driver:<br>
<br>
<font class="fixd">int major;<br>
int first_minor;<br>
int minors;</font><br>
<div class="bq">
Fields that describe the device number(s) used by the disk. At a minimum, a
drive must use at least one minor number. If your drive is to be partitionable,
however (and most should be), you want to allocate one minor number for each
possible partition as well. A common value for <font class="fixd">minors</font> is 16, which allows for the
"full disk" device and 15 partitions. Some disk drivers use 64 minor numbers for
each device.</div>
<br>
<font class="fixd">char disk_name[32];</font><br>
<div class="bq">
Field that should be set to the name of the disk device. It shows up in <i>/proc/
partitions</i> and sysfs.</div>
<br>
<font class="fixd">struct block_device_operations *fops;</font><br>
<div class="bq">
Set of device operations from the previous section.</div>
<br>
<font class="fixd">struct request_queue *queue;</font><br>
<div class="bq">
Structure used by the kernel to manage I/O requests for this device; we examine
it in the section "Request Processing."</div>
<br>
<font class="fixd">int flags;</font><br>
<div class="bq">
A (little-used) set of flags describing the state of the drive. If your device has
removable media, you should set <font class="fixd">GENHD_FL_REMOVABLE</font>. CD-ROM drives can set
<font class="fixd">GENHD_FL_CD</font>. If, for some reason, you do not want partition information to
show up in <i>/proc/partitions</i>, set <font class="fixd">GENHD_FL_SUPPRESS_PARTITION_INFO</font>.</div>
<br>
<font class="fixd">sector_t capacity;</font><br>
<div class="bq">
The capacity of this drive, in 512-byte sectors. The <font class="fixd">sector_t</font> type can be 64 bits
wide. Drivers should not set this field directly; instead, pass the number of sectors
to <i>set_capacity</i>.</div>
<br>
<font class="fixd">void *private_data;</font><br>
<div class="bq">
Block drivers may use this field for a pointer to their own internal data.</div>
<br>
<A name="468"></a><font color="blue">PAGE 468</font><br>
<br>
The kernel provides a small set of functions for working with <font class="fixd">gendisk</font> structures. We
introduce them here, then see how <i>sbull </i>uses them to make its disk devices available
to the system.<br>
<br>
<font class="fixd">struct gendisk</font> is a dynamically allocated structure that requires special kernel
manipulation to be initialized; drivers cannot allocate the structure on their own.
Instead, you must call:<br>
<pre>
struct gendisk *alloc_disk(int minors);
</pre>
The <font class="fixd">minors</font> argument should be the number of minor numbers this disk uses; note
that you cannot change the <font class="fixd">minors</font> field later and expect things to work properly.<br>
<br>
When a disk is no longer needed, it should be freed with:<br>
<pre>
void del_gendisk(struct gendisk *gd);
</pre>
A <font class="fixd">gendisk</font> is a reference-counted structure (it contains a kobject). There are <i>get_disk
</i>and <i>put_disk </i>functions available to manipulate the reference count, but drivers
should never need to do that. Normally, the call to <i>del_gendisk </i>removes the final reference
to a gendisk, but there are no guarantees of that. Thus, it is possible that the
structure could continue to exist (and your methods could be called) after a call to
<i>del_gendisk</i>. If you delete the structure when there are no users (that is, after the final
<i>release </i>or in your module <i>cleanup </i>function), however, you can be sure that you will
not hear from it again.<br>
<br>
Allocating a <font class="fixd">gendisk</font> structure does not make the disk available to the system. To do
that, you must initialize the structure and call <i>add_disk</i>:<br>
<pre>
void add_disk(struct gendisk *gd);
</pre>
Keep one important thing in mind here: as soon as you call <i>add_disk</i>, the disk is
"live" and its methods can be called at any time. In fact, the first such calls will probably
happen even before <i>add_disk </i>returns; the kernel will read the first few blocks in
an attempt to find a partition table. So you should not call <i>add_disk </i>until your driver
is completely initialized and ready to respond to requests on that disk.<br>
<br>
<a name="InitializationInSbull"></a><font color="red"><b>Initialization in sbull</b></font><br>
<br>
It is time to get down to some examples. The <i>sbull </i>driver (available from O'Reilly's
FTP site with the rest of the example source) implements a set of in-memory virtual
disk drives. For each drive, <i>sbull </i>allocates (with <i>vmalloc</i>, for simplicity) an array of
memory; it then makes that array available via block operations. The <i>sbull </i>driver can
be tested by partitioning the virtual device, building filesystems on it, and mounting
it in the system hierarchy.<br>
<br>
Like our other example drivers, <i>sbull </i>allows a major number to be specified at compile
or module load time. If no number is specified, one is allocated dynamically.
Since a call to <i>register_blkdev</i> is required for dynamic allocation, <i>sbull</i> does so:<br>
<pre>
sbull_major = register_blkdev(sbull_major, &quot;sbull&quot;);
if (sbull_major &lt;= 0) {
</pre>
<A name="469"></a><font color="blue">PAGE 469</font>
<pre>
    printk(KERN_WARNING &quot;sbull: unable to get major number\n&quot;);
    return -EBUSY;
 }
</pre>
Also, like the other virtual devices we have presented in this book, the <i>sbull </i>device is
described by an internal structure:<br>
<pre>
struct sbull_dev {
        int size;                       /* Device size in sectors */
        u8 *data;                       /* The data array */
        short users;                    /* How many users */
        short media_change;             /* Flag a media change? */
        spinlock_t lock;                /* For mutual exclusion */
        struct request_queue *queue;    /* The device request queue */
        struct gendisk *gd;             /* The gendisk structure */
        struct timer_list timer;        /* For simulated media changes */
};
</pre>
Several steps are required to initialize this structure and make the associated device
available to the system. We start with basic initialization and allocation of the underlying
memory:<br>
<pre>
memset (dev, 0, sizeof (struct sbull_dev));
dev-&gt;size = nsectors*hardsect_size;
dev-&gt;data = vmalloc(dev-&gt;size);
if (dev-&gt;data = = NULL) {
    printk (KERN_NOTICE &quot;vmalloc failure.\n&quot;);
    return;
}
spin_lock_init(&amp;dev-&gt;lock);
</pre>
It's important to allocate and initialize a spinlock before the next step, which is the
allocation of the request queue. We look at this process in more detail when we get
to request processing; for now, suffice it to say that the necessary call is:<br>
<pre>
dev-&gt;queue = blk_init_queue(sbull_request, &amp;dev-&gt;lock);
</pre>
Here, <i>sbull_request </i>is our <i>request </i>function--the function that actually performs
block read and write requests. When we allocate a request queue, we must provide a
spinlock that controls access to that queue. The lock is provided by the driver rather
than the general parts of the kernel because, often, the request queue and other
driver data structures fall within the same critical section; they tend to be accessed
together. As with any function that allocates memory, <i>blk_init_queue </i>can fail, so you
must check the return value before continuing.<br>
<br>
Once we have our device memory and request queue in place, we can allocate, initialize,
and install the corresponding <font class="fixd">gendisk</font> structure. The code that does this work is:<br>
<pre>
dev-&gt;gd = alloc_disk(SBULL_MINORS);
if (! dev-&gt;gd) {
    printk (KERN_NOTICE &quot;alloc_disk failure\n&quot;);
    goto out_vfree;
}
dev-&gt;gd-&gt;major = sbull_major;
</pre>
<A name="470"></a><font color="blue">PAGE 470</font><br>
<pre>
dev-&gt;gd-&gt;first_minor = which*SBULL_MINORS;
dev-&gt;gd-&gt;fops = &amp;sbull_ops;
dev-&gt;gd-&gt;queue = dev-&gt;queue;
dev-&gt;gd-&gt;private_data = dev;
snprintf (dev-&gt;gd-&gt;disk_name, 32, &quot;sbull%c&quot;, which + 'a');
set_capacity(dev-&gt;gd, nsectors*(hardsect_size/KERNEL_SECTOR_SIZE));
add_disk(dev-&gt;gd);
</pre>
Here, <font class="fixd">SBULL_MINORS</font> is the number of minor numbers each <i>sbull </i>device supports.
When we set the first minor number for each device, we must take into account all of
the numbers taken by prior devices. The name of the disk is set such that the first
one is <i>sbulla</i>, the second <i>sbullb</i>, and so on. User space can then add partition numbers
so that the third partition on the second device might be <i>/dev/sbullb3</i>.<br>
<br>
Once everything is set up, we finish with a call to <i>add_disk</i>. Chances are that several
of our methods will have been called for that disk by the time <i>add_disk </i>returns, so we
take care to make that call the very last step in the initialization of our device.<br>
<br>
<a name="ANoteOnSectorSizes"></a><font color="red"><b>A Note on Sector Sizes</b></font><br>
<br>
As we have mentioned before, the kernel treats every disk as a linear array of 512byte
sectors. Not all hardware uses that sector size, however. Getting a device with a
different sector size to work is not particularly hard; it is just a matter of taking care
of a few details. The <i>sbull </i>device exports a <font class="fixd">hardsect_size</font> parameter that can be used
to change the "hardware" sector size of the device; by looking at its implementation,
you can see how to add this sort of support to your own drivers.<br>
<br>
The first of those details is to inform the kernel of the sector size your device supports.
The hardware sector size is a parameter in the request queue, rather than in
the <font class="fixd">gendisk</font> structure. This size is set with a call to <i>blk_queue_hardsect_size </i>immediately
after the queue is allocated:<br>
<pre>
blk_queue_hardsect_size(dev-&gt;queue, hardsect_size);
</pre>
Once that is done, the kernel adheres to your device's hardware sector size. All I/O
requests are properly aligned at the beginning of a hardware sector, and the length of
each request is an integral number of sectors. You must remember, however, that the
kernel always expresses itself in 512-byte sectors; thus, it is necessary to translate all
sector numbers accordingly. So, for example, when <i>sbull </i>sets the capacity of the
device in its <font class="fixd">gendisk</font> structure, the call looks like:<br>
<pre>
set_capacity(dev-&gt;gd, nsectors*(hardsect_size/KERNEL_SECTOR_SIZE));
</pre>
<font class="fixd">KERNEL_SECTOR_SIZE</font> is a locally-defined constant that we use to scale between the kernel's
512-byte sectors and whatever size we have been told to use. This sort of calculation
pops up frequently as we look at the <i>sbull</i> request processing logic.<br>
<br>
<A name="471"></a><font color="blue">PAGE 471</font><br>
<br>
<a name="TheBlockDeviceOperations"></a><font color="red"><b>The Block Device Operations</b></font><br>
<br>
We had a brief introduction to the <font class="fixd">block_device_operations</font> structure in the previous
section. Now we take some time to look at these operations in a bit more detail
before getting into request processing. To that end, it is time to mention one other
feature of the <i>sbull </i>driver: it pretends to be a removable device. Whenever the last
user closes the device, a 30-second timer is set; if the device is not opened during that
time, the contents of the device are cleared, and the kernel will be told that the media
has been changed. The 30-second delay gives the user time to, for example, mount
an <i>sbull</i> device after creating a filesystem on it.<br>
<br>
<a name="TheOpenAndReleaseMethods"></a><font color="red"><b>The open and release Methods</b></font><br>
<br>
To implement the simulated media removal, <i>sbull </i>must know when the last user has
closed the device. A count of users is maintained by the driver. It is the job of the
<i>open</i> and <i>close</i> methods to keep that count current.<br>
<br>
The <i>open </i>method looks very similar to its char-driver equivalent; it takes the relevant
<font class="fixd">inode</font> and <font class="fixd">file</font> structure pointers as arguments. When an inode refers to a block
device, the field <font class="fixd">i_bdev-&gt;bd_disk</font> contains a pointer to the associated <font class="fixd">gendisk</font> structure;
this pointer can be used to get to a driver's internal data structures for the
device. That is, in fact, the first thing that the <i>sbull open</i> method does:<br>
<pre>
static int sbull_open(struct inode *inode, struct file *filp)
{
    struct sbull_dev *dev = inode-&gt;i_bdev-&gt;bd_disk-&gt;private_data;

    del_timer_sync(&amp;dev-&gt;timer);
    filp-&gt;private_data = dev;
    spin_lock(&amp;dev-&gt;lock);
    if (! dev-&gt;users)
        check_disk_change(inode-&gt;i_bdev);
    dev-&gt;users++;
    spin_unlock(&amp;dev-&gt;lock);
    return 0;
}
</pre>
Once <i>sbull_open </i>has its device structure pointer, it calls <i>del_timer_sync </i>to remove the
"media removal" timer, if any is active. Note that we do not lock the device spinlock
until after the timer has been deleted; doing otherwise invites deadlock if the timer
function runs before we can delete it. With the device locked, we call a kernel function
called <i>check_disk_change </i>to check whether a media change has happened. One
might argue that the kernel should make that call, but the standard pattern is for
drivers to handle it at <i>open</i> time.<br>
<br>
The last step is to increment the user count and return.<br>
<br>
<A name="472"></a><font color="blue">PAGE 472</font><br>
<br>
The task of the <i>release </i>method is, in contrast, to decrement the user count and, if
indicated, start the media removal timer:<br>
<pre>
static int sbull_release(struct inode *inode, struct file *filp)
{
    struct sbull_dev *dev = inode-&gt;i_bdev-&gt;bd_disk-&gt;private_data;

    spin_lock(&amp;dev-&gt;lock);
    dev-&gt;users--;

    if (!dev-&gt;users) {
        dev-&gt;timer.expires = jiffies + INVALIDATE_DELAY;
        add_timer(&amp;dev-&gt;timer);
    }
    spin_unlock(&amp;dev-&gt;lock);

    return 0;
}
</pre>
In a driver that handles a real, hardware device, the <i>open </i>and <i>release </i>methods would
set the state of the driver and hardware accordingly. This work could involve spinning
the disk up or down, locking the door of a removable device, allocating DMA
buffers, etc.<br>
<br>
You may be wondering who actually opens a block device. There are some operations
that cause a block device to be opened directly from user space; these include
partitioning a disk, building a filesystem on a partition, or running a filesystem
checker. A block driver also sees an <i>open </i>call when a partition is mounted. In this
case, there is no user-space process holding an open file descriptor for the device; the
open file is, instead, held by the kernel itself. A block driver cannot tell the difference
between a <i>mount </i>operation (which opens the device from kernel space) and the
invocation of a utility such as <i>mkfs</i> (which opens it from user space).<br>
<br>
<a name="SupportingRemovableMedia"></a><font color="red"><b>Supporting Removable Media</b></font><br>
<br>
The <font class="fixd">block_device_operations</font> structure includes two methods for supporting removable
media. If you are writing a driver for a nonremovable device, you can safely omit
these methods. Their implementation is relatively straightforward.<br>
<br>
The <i>media_changed </i>method is called (from <i>check_disk_change</i>) to see whether the
media has been changed; it should return a nonzero value if this has happened. The
<i>sbull </i>implementation is simple; it queries a flag that has been set if the media
removal timer has expired:<br>
<pre>
int sbull_media_changed(struct gendisk *gd)
{
    struct sbull_dev *dev = gd-&gt;private_data;

    return dev-&gt;media_change;
}
</pre>
<A name="473"></a><font color="blue">PAGE 473</font><br>
<br>
The <i>revalidate </i>method is called after a media change; its job is to do whatever is
required to prepare the driver for operations on the new media, if any. After the call
to <i>revalidate</i>, the kernel attempts to reread the partition table and start over with the
device. The <i>sbull </i>implementation simply resets the <font class="fixd">media_change</font> flag and zeroes out
the device memory to simulate the insertion of a blank disk.<br>
<pre>
int sbull_revalidate(struct gendisk *gd)
{
    struct sbull_dev *dev = gd-&gt;private_data;

    if (dev-&gt;media_change) {
        dev-&gt;media_change = 0;
        memset (dev-&gt;data, 0, dev-&gt;size);
    }
    return 0;
}
</pre>
<a name="TheIoctlMethod2"></a><font color="red"><b>The ioctl Method</b></font><br>
<br>
Block devices can provide an <i>ioctl </i>method to perform device control functions. The
higher-level block subsystem code intercepts a number of <i>ioctl </i>commands before
your driver ever gets to see them, however (see <i>drivers/block/ioctl.c </i>in the kernel
source for the full set). In fact, a modern block driver may not have to implement
very many <i>ioctl</i> commands at all.<br>
<br>
The <i>sbull ioctl </i>method handles only one command--a request for the device's
geometry:<br>
<pre>
int sbull_ioctl (struct inode *inode, struct file *filp,
                 unsigned int cmd, unsigned long arg)
{
    long size;
    struct hd_geometry geo;
    struct sbull_dev *dev = filp-&gt;private_data;

    switch(cmd) {
        case HDIO_GETGEO:
        /*
         * Get geometry: since we are a virtual device, we have to make
         * up something plausible.  So we claim 16 sectors, four heads,
         * and calculate the corresponding number of cylinders.  We set the
         * start of data at sector four.
         */
        size = dev-&gt;size*(hardsect_size/KERNEL_SECTOR_SIZE);
        geo.cylinders = (size &amp; ~0x3f) &gt;&gt; 6;
        geo.heads = 4;
        geo.sectors = 16;
        geo.start = 4;
        if (copy_to_user((void __user *) arg, &amp;geo, sizeof(geo)))
            return -EFAULT;
</pre>
<A name="474"></a><font color="blue">PAGE 474</font><br>
<pre>
        return 0;
    }

    return -ENOTTY; /* unknown command */
}
</pre>
Providing geometry information may seem like a curious task, since our device is
purely virtual and has nothing to do with tracks and cylinders. Even most real-block
hardware has been furnished with much more complicated structures for many
years. The kernel is not concerned with a block device's geometry; it sees it simply as
a linear array of sectors. There are certain user-space utilities that still expect to be
able to query a disk's geometry, however. In particular, the <i>fdisk </i>tool, which edits
partition tables, depends on cylinder information and does not function properly if
that information is not available.<br>
<br>
We would like the <i>sbull </i>device to be partitionable, even with older, simple-minded
tools. So, we have provided an <i>ioctl </i>method that comes up with a credible fiction for
a geometry that could match the capacity of our device. Most disk drivers do something
similar. Note that, as usual, the sector count is translated, if need be, to match
the 512-byte convention used by the kernel.<br>
<br>
<a name="RequestProcessing"></a><font color="red"><b>Request Processing</b></font><br>
<br>
The core of every block driver is its <i>request </i>function. This function is where the real
work gets done--or at least started; all the rest is overhead. Consequently, we spend
a fair amount of time looking at request processing in block drivers.<br>
<br>
A disk driver's performance can be a critical part of the performance of the system as
a whole. Therefore, the kernel's block subsystem has been written with performance
very much in mind; it does everything possible to enable your driver to get the most
out of the devices it controls. This is a good thing, in that it enables blindingly fast I/O.
On the other hand, the block subsystem unnecessarily exposes a great deal of complexity
in the driver API. It is possible to write a very simple <i>request </i>function (we will
see one shortly), but if your driver must perform at a high level on complex hardware,
it will be anything but simple.<br>
<br>
<a name="IntroductionToTheRequestMethod"></a><font color="red"><b>Introduction to the request Method</b></font><br>
<br>
The block driver <i>request</i> method has the following prototype:<br>
<pre>
void request(request_queue_t *queue);
</pre>
This function is called whenever the kernel believes it is time for your driver to process
some reads, writes, or other operations on the device. The <i>request </i>function does
not need to actually complete all of the requests on the queue before it returns;
indeed, it probably does not complete any of them for most real devices. It must,<br>
<br>
<A name="475"></a><font color="blue">PAGE 475</font><br>
<br>
however, make a start on those requests and ensure that they are all, eventually, processed
by the driver.<br>
<br>
Every device has a request queue. This is because actual transfers to and from a disk
can take place far away from the time the kernel requests them, and because the kernel
needs the flexibility to schedule each transfer at the most propitious moment
(grouping together, for instance, requests that affect sectors close together on the
disk). And the <i>request </i>function, you may remember, is associated with a request
queue when that queue is created. Let us look back at how <i>sbull</i> makes its queue:<br>
<pre>
dev-&gt;queue = blk_init_queue(sbull_request, &amp;dev-&gt;lock);
</pre>
Thus, when the queue is created, the <i>request </i>function is associated with it. We also
provided a spinlock as part of the queue creation process. Whenever our <i>request
</i>function is called, that lock is held by the kernel. As a result, the <i>request </i>function is
running in an atomic context; it must follow all of the usual rules for atomic code
discussed in Chapter 5.<br>
<br>
The queue lock also prevents the kernel from queuing any other requests for your
device while your <i>request </i>function holds the lock. Under some conditions, you may
want to consider dropping that lock while the <i>request </i>function runs. If you do so,
however, you must be sure not to access the request queue, or any other data structure
protected by the lock, while the lock is not held. You must also reacquire the
lock before the <i>request</i> function returns.<br>
<br>
Finally, the invocation of the <i>request </i>function is (usually) entirely asynchronous with
respect to the actions of any user-space process. You cannot assume that the kernel is
running in the context of the process that initiated the current request. You do not
know if the I/O buffer provided by the request is in kernel or user space. So any sort
of operation that explicitly accesses user space is in error and will certainly lead to
trouble. As you will see, everything your driver needs to know about the request is
contained within the structures passed to you via the request queue.<br>
<br>
<a name="ASimpleRequestMethod"></a><font color="red"><b>A Simple request Method</b></font><br>
<br>
The <i>sbull </i>example driver provides a few different methods for request processing. By
default, <i>sbull </i>uses a method called <i>sbull_request</i>, which is meant to be an example of
the simplest possible <i>request</i> method. Without further ado, here it is:<br>
<pre>
static void sbull_request(request_queue_t *q)
{
    struct request *req;

    while ((req = elv_next_request(q)) != NULL) {
        struct sbull_dev *dev = req-&gt;rq_disk-&gt;private_data;
        if (! blk_fs_request(req)) {
</pre>
<A name="476"></a><font color="blue">PAGE 476</font><br>
<pre>
            printk (KERN_NOTICE &quot;Skip non-fs request\n&quot;);
            end_request(req, 0);
            continue;
        }
        sbull_transfer(dev, req-&gt;sector, req-&gt;current_nr_sectors,
                req-&gt;buffer, rq_data_dir(req));
        end_request(req, 1);
    }
}
</pre>
This function introduces the <font class="fixd">struct request</font> structure. We will 
examine <font class="fixd">struct request</font> in great detail later on; for now, suffice 
it to say that it represents a block I/O request for us to execute.<br>
<br>
The kernel provides the function <i>elv_next_request </i>to obtain the first incomplete
request on the queue; that function returns <font class="fixd">NULL</font> when there are no requests to be
processed. Note that <i>elv_next_request </i>does not remove the request from the queue. If
you call it twice with no intervening operations, it returns the same request structure
both times. In this simple mode of operation, requests are taken off the queue
only when they are complete.<br>
<br>
A block request queue can contain requests that do not actually move blocks to and
from a disk. Such requests can include vendor-specific, low-level diagnostics operations
or instructions relating to specialized device modes, such as the packet writing mode for
recordable media. Most block drivers do not know how to handle such requests and
simply fail them; <i>sbull </i>works in this way as well. The call to <i>block_fs_request </i>tells us
whether we are looking at a filesystem request--one that moves blocks of data. If a
request is not a filesystem request, we pass it to <i>end_request</i>:<br>
<pre>
void end_request(struct request *req, int succeeded);
</pre>
When we dispose of nonfilesystem requests, we pass <font class="fixd">succeeded</font> as <font class="fixd">0</font> to indicate that
we did not successfully complete the request. Otherwise, we call <i>sbull_transfer </i>to
actually move the data, using a set of fields provided in the <font class="fixd">request</font> structure:<br>
<br>
<font class="fixd">sector_t sector;</font><br>
<div class="bq">
The index of the beginning sector on our device. Remember that this sector
number, like all such numbers passed between the kernel and the driver, is
expressed in 512-byte sectors. If your hardware uses a different sector size, you
need to scale <font class="fixd">sector</font> accordingly. For example, if the hardware uses 2048-byte
sectors, you need to divide the beginning sector number by four before putting it
into a request for the hardware.</div>
<br>
<font class="fixd">unsigned long nr_sectors;</font><br>
<div class="bq">
The number of (512-byte) sectors to be transferred.</div>
<br>
<A name="477"></a><font color="blue">PAGE 477</font><br>
<br>
<font class="fixd">char *buffer;</font><br>
<div class="bq">
A pointer to the buffer to or from which the data should be transferred. This
pointer is a kernel virtual address and can be dereferenced directly by the driver
if need be.</div>
<br>
<font class="fixd">rq_data_dir(struct request *req);</font><br>
<div class="bq">
This macro extracts the direction of the transfer from the request; a zero return
value denotes a read from the device, and a nonzero return value denotes a write
to the device.</div>
<br>
Given this information, the <i>sbull </i>driver can implement the actual data transfer with a
simple <i>memcpy </i>call--our data is already in memory, after all. The function that performs
this copy operation (<i>sbull_transfer</i>) also handles the scaling of sector sizes and
ensures that we do not try to copy beyond the end of our virtual device:<br>
<pre>
static void sbull_transfer(struct sbull_dev *dev, unsigned long sector,
        unsigned long nsect, char *buffer, int write)
{
    unsigned long offset = sector*KERNEL_SECTOR_SIZE;
    unsigned long nbytes = nsect*KERNEL_SECTOR_SIZE;

    if ((offset + nbytes) &gt; dev-&gt;size) {
        printk (KERN_NOTICE &quot;Beyond-end write (%ld %ld)\n&quot;, offset, nbytes);
        return;
    }
    if (write)
        memcpy(dev-&gt;data + offset, buffer, nbytes);
    else
        memcpy(buffer, dev-&gt;data + offset, nbytes);
}
</pre>
With the code, <i>sbull </i>implements a complete, simple RAM-based disk device. It is
not, however, a realistic driver for many types of devices, for a couple of reasons.<br>
<br>
The first of those reasons is that <i>sbull </i>executes requests synchronously, one at a time.
High-performance disk devices are capable of having numerous requests outstanding
at the same time; the disk's onboard controller can then choose to execute them
in the optimal order (one hopes). As long as we process only the first request in the
queue, we can never have multiple requests being fulfilled at a given time. Being able
to work with more than one request requires a deeper understanding of request
queues and the <font class="fixd">request</font> structure; the next few sections help build that understanding.<br>
<br>
There is another issue to consider, however. The best performance is obtained from
disk devices when the system performs large transfers involving multiple sectors that
are located together on the disk. The highest cost in a disk operation is always the
positioning of the read and write heads; once that is done, the time required to actually
read or write the data is almost insignificant. The developers who design and
implement filesystems and virtual memory subsystems understand this, so they do
their best to locate related data contiguously on the disk and to transfer as many sectors
as possible in a single request. The block subsystem also helps in this regard;<br>
<br>
<A name="478"></a><font color="blue">PAGE 478</font><br>
<br>
request queues contain a great deal of logic aimed at finding adjacent requests and
coalescing them into larger operations.<br>
<br>
The <i>sbull </i>driver, however, takes all that work and simply ignores it. Only one buffer
is transferred at a time, meaning that the largest single transfer is almost never going
to exceed the size of a single page. A block driver can do much better than that, but
it requires a deeper understanding of <font class="fixd">request</font> structures and the <font class="fixd">bio</font> structures from
which requests are built.<br>
<br>
The next few sections delve more deeply into how the block layer does its job and
the data structures that result from that work.<br>
<br>
<a name="RequestQueues"></a><font color="red"><b>Request Queues</b></font><br>
<br>
In the simplest sense, a block request queue is exactly that: a queue of block I/O
requests. If you look under the hood, a request queue turns out to be a surprisingly
complex data structure. Fortunately, drivers need not worry about most of that
complexity.<br>
<br>
Request queues keep track of outstanding block I/O requests. But they also play a
crucial role in the creation of those requests. The request queue stores parameters
that describe what kinds of requests the device is able to service: their maximum size,
how many separate segments may go into a request, the hardware sector size, alignment
requirements, etc. If your request queue is properly configured, it should never
present you with a request that your device cannot handle.<br>
<br>
Request queues also implement a plug-in interface that allows the use of multiple <i>I/O
schedulers </i>(or <i>elevators</i>) to be used. An I/O scheduler's job is to present I/O requests
to your driver in a way that maximizes performance. To this end, most I/O schedulers
accumulate a batch of requests, sort them into increasing (or decreasing) block
index order, and present the requests to the driver in that order. The disk head,
when given a sorted list of requests, works its way from one end of the disk to the
other, much like a full elevator moves in a single direction until all of its "requests"
(people waiting to get off) have been satisfied. The 2.6 kernel includes a "deadline
scheduler," which makes an effort to ensure that every request is satisfied within a
preset maximum time, and an "anticipatory scheduler," which actually stalls a device
briefly after a read request in anticipation that another, adjacent read will arrive
almost immediately. As of this writing, the default scheduler is the anticipatory
scheduler, which seems to give the best interactive system performance.<br>
<br>
The I/O scheduler is also charged with merging adjacent requests. When a new I/O
request is handed to the scheduler, it searches the queue for requests involving adjacent
sectors; if one is found and if the resulting request would not be too large, the
two requests are merged.<br>
<br>
Request queues have a type of struct <font class="fixd">request_queue</font> or <font class="fixd">request_queue_t</font>. This type,
and the many functions that operate on it, are defined in <i>&lt;linux/blkdev.h&gt;</i>. If you are<br>
<br>
<A name="479"></a><font color="blue">PAGE 479</font><br>
<br>
interested in the implementation of request queues, you can find most of the code in
<i>drivers/block/ll_rw_block.c</i> and <i>elevator.c</i>.<br>
<br>
<a name="QueueCreationAndDeletion"></a><font color="red"><b>Queue creation and deletion</b></font><br>
<br>
As we saw in our example code, a request queue is a dynamic data structure that
must be created by the block I/O subsystem. The function to create and initialize a
request queue is:<br>
<pre>
request_queue_t *blk_init_queue(request_fn_proc *request, spinlock_t *lock);
</pre>
The arguments are, of course, the <i>request </i>function for this queue and a spinlock that
controls access to the queue. This function allocates memory (quite a bit of memory,
actually) and can fail because of this; you should always check the return value
before attempting to use the queue.<br>
<br>
As part of the initialization of a request queue, you can set the field <font class="fixd">queuedata</font> (which
is a <font class="fixd">void *</font> pointer) to any value you like. This field is the request queue's equivalent
to the <font class="fixd">private_data</font> we have seen in other structures.<br>
<br>
To return a request queue to the system (at module unload time, generally), call
<i>blk_cleanup_queue</i>:<br>
<pre>
void blk_cleanup_queue(request_queue_t *);
</pre>
After this call, your driver sees no more requests from the given queue and should
not reference it again.<br>
<br>
<a name="QueueingFunctions"></a><font color="red"><b>Queueing functions</b></font><br>
<br>
There is a very small set of functions for the manipulation of requests on queues--at
least, as far as drivers are concerned. You must hold the queue lock before you call
these functions.<br>
<br>
The function that returns the next request to process is <i>elv_next_request</i>:<br>
<pre>
struct request *elv_next_request(request_queue_t *queue);
</pre>
We have already seen this function in the simple <i>sbull </i>example. It returns a pointer
to the next request to process (as determined by the I/O scheduler) or <font class="fixd">NULL</font> if no
more requests remain to be processed. <i>elv_next_request </i>leaves the request on the
queue but marks it as being active; this mark prevents the I/O scheduler from
attempting to merge other requests with this one once you start to execute it.<br>
<br>
To actually remove a request from a queue, use <i>blkdev_dequeue_request</i>:<br>
<pre>
void blkdev_dequeue_request(struct request *req);
</pre>
If your driver operates on multiple requests from the same queue simultaneously, it
must dequeue them in this manner.<br>
<br>
<A name="480"></a><font color="blue">PAGE 480</font><br>
<br>
Should you need to put a dequeued request back on the queue for some reason, you
can call:<br>
<pre>
void elv_requeue_request(request_queue_t *queue, struct request *req);
</pre>
<a name="QueueControlFunctions"></a><font color="red"><b>Queue control functions</b></font><br>
<br>
The block layer exports a set of functions that can be used by a driver to control how
a request queue operates. These functions include:<br>
<br>
<font class="fixd">void blk_stop_queue(request_queue_t *queue);<br>
void blk_start_queue(request_queue_t *queue);</font><br>
<div class="bq">
If your device has reached a state where it can handle no more outstanding commands,
you can call <i>blk_stop_queue </i>to tell the block layer. After this call, your
<i>request </i>function will not be called until you call <i>blk_start_queue</i>. Needless to say,
you should not forget to restart the queue when your device can handle more
requests. The queue lock must be held when calling either of these functions.</div>
<br>
<font class="fixd">void blk_queue_bounce_limit(request_queue_t *queue, u64 dma_addr);</font><br>
<div class="bq">
Function that tells the kernel the highest physical address to which your device
can perform DMA. If a request comes in containing a reference to memory above
the limit, a bounce buffer will be used for the operation; this is, of course, an
expensive way to perform block I/O and should be avoided whenever possible.
You can provide any reasonable physical address in this argument, or make use
of the predefined symbols <font class="fixd">BLK_BOUNCE_HIGH</font> (use bounce buffers for high-memory
pages), <font class="fixd">BLK_BOUNCE_ISA</font> (the driver can DMA only into the 16-MB ISA zone),
or <font class="fixd">BLK_BOUNCE_ANY</font> (the driver can perform DMA to any address). The default
value is <font class="fixd">BLK_BOUNCE_HIGH</font>.</div>
<br>
<font class="fixd">void blk_queue_max_sectors(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_phys_segments(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_hw_segments(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_segment_size(request_queue_t *queue, unsigned int max);</font><br>
<div class="bq">
Functions that set parameters describing the requests that can be satisfied by this
device. <i>blk_queue_max_sectors </i>can be used to set the maximum size of any
request in (512-byte) sectors; the default is 255. <i>blk_queue_max_phys_segments
</i>and <i>blk_queue_max_hw_segments </i>both control how many physical segments
(nonadjacent areas in system memory) may be contained within a single request.
Use <i>blk_queue_max_phys_segments </i>to say how many segments your driver is
prepared to cope with; this may be the size of a staticly allocated scatterlist, for
example. <i>blk_queue_max_hw_segments</i>, in contrast, is the maximum number of
segments that the device itself can handle. Both of these parameters default to
128. Finally, <i>blk_queue_max_segment_size </i>tells the kernel how large any individual
segment of a request can be in bytes; the default is 65,536 bytes.</div>
<br>
<A name="481"></a><font color="blue">PAGE 481</font><br>
<br>
<font class="fixd">blk_queue_segment_boundary(request_queue_t *queue, unsigned long mask);</font><br>
<div class="bq">
Some devices cannot handle requests that cross a particular size memory boundary;
if your device is one of those, use this function to tell the kernel about that
boundary. For example, if your device has trouble with requests that cross a 4MB
boundary, pass in a mask of <font class="fixd">0x3fffff.</font> The default mask is <font class="fixd">0xffffffff</font>.</div>
<br>
<font class="fixd">void blk_queue_dma_alignment(request_queue_t *queue, int mask);</font><br>
<div class="bq">
Function that tells the kernel about the memory alignment constraints your
device imposes on DMA transfers. All requests are created with the given alignment,
and the length of the request also matches the alignment. The default
mask is <font class="fixd">0x1ff,</font> which causes all requests to be aligned on 512-byte boundaries.</div>
<br>
<font class="fixd">void blk_queue_hardsect_size(request_queue_t *queue, unsigned short max);</font><br>
<div class="bq">
Tells the kernel about your device's hardware sector size. All requests generated
by the kernel are a multiple of this size and are properly aligned. All communications
between the block layer and the driver continues to be expressed in 512 byte
sectors, however.</div>
<br>
<a name="TheAnatomyOfARequest"></a><font color="red"><b>The Anatomy of a Request</b></font><br>
<br>
In our simple example, we encountered the <font class="fixd">request</font> structure. However, we have
barely scratched the surface of that complicated data structure. In this section, we
look, in some detail, at how block I/O requests are represented in the Linux kernel.<br>
<br>
Each <font class="fixd">request</font> structure represents one block I/O request, although it may have been
formed through a merger of several independent requests at a higher level. The sectors
to be transferred for any particular request may be distributed throughout main
memory, although they always correspond to a set of consecutive sectors on the
block device. The request is represented as a set of segments, each of which corresponds
to one in-memory buffer. The kernel may join multiple requests that involve
adjacent sectors on the disk, but it never combines read and write operations within
a single <font class="fixd">request</font> structure. The kernel also makes sure not to combine requests if the
result would violate any of the request queue limits described in the previous section.<br>
<br>
A <font class="fixd">request</font> structure is implemented, essentially, as a linked list of <font class="fixd">bio</font> structures combined
with some housekeeping information to enable the driver to keep track of its
position as it works through the request. The <font class="fixd">bio</font> structure is a low-level description
of a portion of a block I/O request; we take a look at it now.<br>
<br>
<a name="TheBioStructure"></a><font color="red"><b>The <font class="fixd">bio</font> structure</b></font><br>
<br>
When the kernel, in the form of a filesystem, the virtual memory subsystem, or a system
call, decides that a set of blocks must be transferred to or from a block I/O
device; it puts together a <font class="fixd">bio</font> structure to describe that operation. That structure is
then handed to the block I/O code, which merges it into an existing <font class="fixd">request</font> structure
or, if need be, creates a new one. The <font class="fixd">bio</font> structure contains everything that a<br>
<br>
<A name="482"></a><font color="blue">PAGE 482</font><br>
<br>
block driver needs to carry out the request without reference to the user-space process
that caused that request to be initiated.<br>
<br>
The <font class="fixd">bio</font> structure, which is defined in <i>&lt;linux/bio.h&gt;</i>, contains a number of fields that
may be of use to driver authors:<br>
<br>
<font class="fixd">sector_t bi_sector;</font><br>
<div class="bq">
The first (512-byte) sector to be transferred for this <font class="fixd">bio.</font></div>
<br>
<font class="fixd">unsigned int bi_size;</font><br>
<div class="bq">
The size of the data to be transferred, in bytes. Instead, it is often easier to use
<font class="fixd">bio_sectors(bio),</font> a macro that gives the size in sectors.</div>
<br>
<font class="fixd">unsigned long bi_flags;</font><br>
<div class="bq">
A set of flags describing the <font class="fixd">bio;</font> the least significant bit is set if this is a write
request (although the macro <font class="fixd">bio_data_dir(bio)</font> should be used instead of looking
at the flags directly).</div>
<br>
<font class="fixd">unsigned short bio_phys_segments;
unsigned short bio_hw_segments;</font><br>
<div class="bq">
The number of physical segments contained within this BIO and the number of
segments seen by the hardware after DMA mapping is done, respectively.</div>
<br>
The core of a bio, however, is an array called <font class="fixd">bi_io_vec,</font> which is made up of the following
structure:<br>
<pre>
struct bio_vec {
        struct page     *bv_page;
        unsigned int    bv_len;
        unsigned int    bv_offset;
};
</pre>
Figure 16-1 shows how these structures all tie together. As you can see, by the time a
block I/O request is turned into a <font class="fixd">bio</font> structure, it has been broken down into individual
pages of physical memory. All a driver needs to do is to step through this array
of structures (there are <font class="fixd">bi_vcnt</font> of them), and transfer data within each page (but
only len bytes starting at <font class="fixd">offset</font>).<br>
<br><br>
<center>
<img src="fig16-1.gif">
</center>
<br>
<i>Figure 16-1. The bio structure</i><br>
<br>
<A name="483"></a><font color="blue">PAGE 483</font><br>
<br>
Working directly with the <font class="fixd">bi_io_vec</font> array is discouraged in the interest of kernel
developers being able to change the <font class="fixd">bio</font> structure in the future without breaking
things. To that end, a set of macros has been provided to ease the process of working
with the <font class="fixd">bio</font> structure. The place to start is with <font class="fixd">bio_for_each_segment,</font> which
simply loops through every unprocessed entry in the <font class="fixd">bi_io_vec</font> array. This macro
should be used as follows:<br>
<pre>
int segno;
struct bio_vec *bvec;

bio_for_each_segment(bvec, bio, segno) {
    /* Do something with this segment
}<br>
</pre>
Within this loop, <font class="fixd">bvec</font> points to the current <font class="fixd">bio_vec</font> entry, and <font class="fixd">segno</font> is the current
segment number. These values can be used to set up DMA transfers (an alternative
way using <i>blk_rq_map_sg </i>is described in the section "Block requests and DMA"). If
you need to access the pages directly, you should first ensure that a proper kernel virtual
address exists; to that end, you can use:<br>
<pre>
char *__bio_kmap_atomic(struct bio *bio, int i, enum km_type type);
void __bio_kunmap_atomic(char *buffer, enum km_type type);
</pre>
This low-level function allows you to directly map the buffer found in a given <font class="fixd">bio_vec,</font>
as indicated by the index <font class="fixd">i.</font> An atomic kmap is created; the caller must provide the
appropriate slot to use (as described in the section "The Memory Map and Struct
Page" in Chapter 15).<br>
<br>
The block layer also maintains a set of pointers within the <font class="fixd">bio</font> structure to keep track
of the current state of request processing. Several macros exist to provide access to
that state:<br>
<br>
<font class="fixd">struct page *bio_page(struct bio *bio);</font><br>
<div class="bq">
Returns a pointer to the page structure representing the page to be transferred next.</div>
<br>
<font class="fixd">int bio_offset(struct bio *bio);</font><br>
<div class="bq">
Returns the offset within the page for the data to be transferred.</div>
<br>
<font class="fixd">int bio_cur_sectors(struct bio *bio);</font><br>
<div class="bq">
Returns the number of sectors to be transferred out of the current page.</div>
<br>
<font class="fixd">char *bio_data(struct bio *bio);</font><br>
<div class="bq">
Returns a kernel logical address pointing to the data to be transferred. Note that
this address is available only if the page in question is not located in high memory;
calling it in other situations is a bug. By default, the block subsystem does
not pass high-memory buffers to your driver, but if you have changed that setting
with <i>blk_queue_bounce_limit</i>, you probably should not be using <font class="fixd">bio_data</font>.</div>
<br>
<A name="484"></a><font color="blue">PAGE 484</font><br>
<br>
<font class="fixd">char *bio_kmap_irq(struct bio *bio, unsigned long *flags);<br>
void bio_kunmap_irq(char *buffer, unsigned long *flags);</font><br>
<div class="bq">
<i>bio_kmap_irq </i>returns a kernel virtual address for any buffer, regardless of
whether it resides in high or low memory. An atomic kmap is used, so your
driver cannot sleep while this mapping is active. Use <i>bio_kunmap_irq </i>to unmap
the buffer. Note that the <font class="fixd">flags</font> argument is passed by pointer here. Note also
that since an atomic kmap is used, you cannot map more than one segment at a
time.</div>
<br>
All of the functions just described access the "current" buffer--the first buffer that,
as far as the kernel knows, has not been transferred. Drivers often want to work
through several buffers in the <font class="fixd">bio</font> before signaling completion on any of them (with
<i>end_that_request_first</i>, to be described shortly), so these functions are often not useful.
Several other macros exist for working with the internals of the <font class="fixd">bio</font> structure (see
<i>&lt;linux/bio.h&gt;</i> for details).<br>
<br>
<a name="RequestStructureFields"></a><font color="red"><b><font class="fixd">request</font> structure fields</b></font><br>
<br>
Now that we have an idea of how the <font class="fixd">bio</font> structure works, we can get deep into
<font class="fixd">struct request</font> and see how request processing works. The fields of this structure
include:<br>
<br>
<font class="fixd">sector_t hard_sector;<br>
unsigned long hard_nr_sectors;<br>
unsigned int hard_cur_sectors;</font><br>
<div class="bq">
Fields that track the sectors that the driver has yet to complete. The first sector
that has <i>not </i>been transferred is stored in <font class="fixd">hard_sector,</font> the total number of sectors
yet to transfer is in <font class="fixd">hard_nr_sectors,</font> and the number of sectors remaining in
the current bio is <font class="fixd">hard_cur_sectors</font>. These fields are intended for use only within
the block subsystem; drivers should not make use of them.</div>
<br>
<font class="fixd">struct bio *bio;</font><br>
<div class="bq">
bio is the linked list of <font class="fixd">bio</font> structures for this request. You should not access this
field directly; use <i>rq_for_each_bio</i> (described later) instead.</div>
<br>
<font class="fixd">char *buffer;</font><br>
<div class="bq">
The simple driver example earlier in this chapter used this field to find the buffer
for the transfer. With our deeper understanding, we can now see that this field is
simply the result of calling <i>bio_data</i> on the current <font class="fixd">bio.</font></div>
<br>
<font class="fixd">unsigned short nr_phys_segments;</font><br>
<div class="bq">
The number of distinct segments occupied by this request in physical memory
after adjacent pages have been merged.</div>
<br>
<font class="fixd">struct list_head queuelist;</font><br>
<div class="bq">
The linked-list structure (as described in the section "Linked Lists" in
Chapter 11) that links the request into the request queue. If (and only if) you</div>
<br>
<A name="485"></a><font color="blue">PAGE 485</font><br>
<br>
<div class="bq">remove the request from the queue with <i>blkdev_dequeue_request</i>, you may use
this list head to track the request in an internal list maintained by your driver.</div>
<br>
Figure 16-2 shows how the <font class="fixd">request</font> structure and its component <font class="fixd">bio</font> structures fit
together. In the figure, the request has been partially satisfied; the <font class="fixd">cbio</font> and <font class="fixd">buffer</font>
fields point to the first <font class="fixd">bio</font> that has not yet been transferred.<br>
<br><br>
<center>
<img src="fig16-2.gif">
</center>
<br>
<i>Figure 16-2. A request queue with a partially processed request</i><br>
<br>
There are many other fields inside the <font class="fixd">request</font> structure, but the list in this section
should be enough for most driver writers.<br>
<br>
<a name="BarrierRequests"></a><font color="red"><b>Barrier requests</b></font><br>
<br>
The block layer reorders requests before your driver sees them to improve I/O performance.
Your driver, too, can reorder requests if there is a reason to do so. Often, this
reordering happens by passing multiple requests to the drive and letting the hardware
figure out the optimal ordering. There is a problem with unrestricted reordering
of requests, however: some applications require guarantees that certain
operations will complete before others are started. Relational database managers, for
example, must be absolutely sure that their journaling information has been flushed
to the drive before executing a transaction on the database contents. Journaling filesystems,
which are now in use on most Linux systems, have very similar ordering
constraints. If the wrong operations are reordered, the result can be severe, undetected
data corruption.<br>
<br>
The 2.6 block layer addresses this problem with the concept of a <i>barrier request</i>. If a
request is marked with the <font class="fixd">REQ_HARDBARRER</font> flag, it must be written to the drive before
any following request is initiated. By "written to the drive," we mean that the data
must actually reside and be persistent on the physical media. Many drives perform
caching of write requests; this caching improves performance, but it can defeat the purpose
of barrier requests. If a power failure occurs when the critical data is still sitting in<br>
<br>
<A name="486"></a><font color="blue">PAGE 486</font><br>
<br>
the drive's cache, that data is still lost even if the drive has reported completion. So a
driver that implements barrier requests must take steps to force the drive to actually
write the data to the media.<br>
<br>
If your driver honors barrier requests, the first step is to inform the block layer of this
fact. Barrier handling is another of the request queues; it is set with:<br>
<pre>
void blk_queue_ordered(request_queue_t *queue, int flag);
</pre>
To indicate that your driver implements barrier requests, set the <font class="fixd">flag</font> parameter to a
nonzero value.<br>
<br>
The actual implementation of barrier requests is simply a matter of testing for the
associated flag in the <font class="fixd">request</font> structure. A macro has been provided to perform this
test:
<pre>
int blk_barrier_rq(struct request *req);
</pre>
If this macro returns a nonzero value, the request is a barrier request. Depending on
how your hardware works, you may have to stop taking requests from the queue
until the barrier request has been completed. Other drives can understand barrier
requests themselves; in this case, all your driver has to do is to issue the proper operations
for those drives.<br>
<br>
<a name="NonretryableRequests"></a><font color="red"><b>Nonretryable requests</b></font><br>
<br>
Block drivers often attempt to retry requests that fail the first time. This behavior can
lead to a more reliable system and help to avoid data loss. The kernel, however,
sometimes marks requests as not being retryable. Such requests should simply fail as
quickly as possible if they cannot be executed on the first try.<br>
<br>
If your driver is considering retrying a failed request, it should first make a call to:<br>
<pre>
int blk_noretry_request(struct request *req);
</pre>
If this macro returns a nonzero value, your driver should simply abort the request
with an error code instead of retrying it.<br>
<br>
<a name="RequestCompletionFunctions"></a><font color="red"><b>Request Completion Functions</b></font><br>
<br>
There are, as we will see, several different ways of working through a <font class="fixd">request</font> structure.
All of them make use of a couple of common functions, however, which handle
the completion of an I/O request or parts of a request. Both of these functions are
atomic and can be safely called from an atomic context.<br>
<br>
When your device has completed transferring some or all of the sectors in an I/O
request, it must inform the block subsystem with:<br>
<pre>
int end_that_request_first(struct request *req, int success, int count);
</pre>
This function tells the block code that your driver has finished with the transfer of
<font class="fixd">count</font> sectors starting where you last left off. If the I/O was successful, pass <font class="fixd">success</font><br>
<br>
<A name="487"></a><font color="blue">PAGE 487</font><br>
<br>
as 1; otherwise pass 0. Note that you must signal completion in order from the first
sector to the last; if your driver and device somehow conspire to complete requests
out of order, you have to store the out-of-order completion status until the intervening
sectors have been transferred.<br>
<br>
The return value from <i>end_that_request_first </i>is an indication of whether all sectors in
this request have been transferred or not. A return value of 0 means that all sectors
have been transferred and that the request is complete. At that point, you must
dequeue the request with <i>blkdev_dequeue_request </i>(if you have not already done so)
and pass it to:<br>
<pre>
void end_that_request_last(struct request *req);
</pre>
<i>end_that_request_last </i>informs whoever is waiting for the request that it has completed
and recycles the <font class="fixd">request</font> structure; it must be called with the queue lock held.<br>
<br>
In our simple <i>sbull </i>example, we didn't use any of the above functions. That example,
instead, is called <i>end_request</i>. To show the effects of this call, here is the entire
<i>end_request</i> function as seen in the 2.6.10 kernel:<br>
<pre>
void end_request(struct request *req, int uptodate)
{
    if (!end_that_request_first(req, uptodate, req-&gt;hard_cur_sectors)) {
        add_disk_randomness(req-&gt;rq_disk);
        blkdev_dequeue_request(req);
        end_that_request_last(req);
    }
}
</pre>
The function <i>add_disk_randomness </i>uses the timing of block I/O requests to contribute
entropy to the system's random number pool; it should be called only if the disk's
timing is truly random. That is true for most mechanical devices, but it is not true for
a memory-based virtual device, such as <i>sbull</i>. For this reason, the more complicated
version of <i>sbull</i> shown in the next section does not call <i>add_disk_randomness</i>.<br>
<br>
<a name="WorkingWithBios"></a><font color="red"><b>Working with bios</b></font><br>
<br>
You now know enough to write a block driver that works directly with the <font class="fixd">bio</font> structures
that make up a request. An example might help, however. If the <i>sbull </i>driver is
loaded with the <font class="fixd">request_mode</font> parameter set to <font class="fixd">1,</font> it registers a <font class="fixd">bio-aware</font> <i>request </i>function
instead of the simple function we saw above. That function looks like this:<br>
<pre>
static void sbull_full_request(request_queue_t *q)
{
    struct request *req;
    int sectors_xferred;
    struct sbull_dev *dev = q-&gt;queuedata;

    while ((req = elv_next_request(q)) != NULL) {
        if (! blk_fs_request(req)) {
            printk (KERN_NOTICE &quot;Skip non-fs request\n&quot;);
</pre>
<A name="488"></a><font color="blue">PAGE 488</font><br>
<pre>
            end_request(req, 0);
            continue;
        }
        sectors_xferred = sbull_xfer_request(dev, req);
        if (! end_that_request_first(req, 1, sectors_xferred)) {
            blkdev_dequeue_request(req);
            end_that_request_last(req);
        }
    }
}
</pre>
This function simply takes each request, passes it to <i>sbull_xfer_request</i>, then completes
it with <i>end_that_request_first </i>and, if necessary, <i>end_that_request_last</i>. Thus,
this function is handling the high-level queue and request management parts of the
problem. The job of actually executing a request, however, falls to <i>sbull_xfer_request</i>:<br>
<pre>
static int sbull_xfer_request(struct sbull_dev *dev, struct request *req)
{
    struct bio *bio;
    int nsect = 0;

    rq_for_each_bio(bio, req) {
        sbull_xfer_bio(dev, bio);
        nsect += bio-&gt;bi_size/KERNEL_SECTOR_SIZE;
    }
    return nsect;
}
</pre>
Here we introduce another macro: <i>rq_for_each_bio</i>. As you might expect, this macro
simply steps through each <font class="fixd">bio</font> structure in the request, giving us a pointer that we
can pass to <i>sbull_xfer_bio</i> for the transfer. That function looks like:<br>
<pre>
static int sbull_xfer_bio(struct sbull_dev *dev, struct bio *bio)
{
    int i;
    struct bio_vec *bvec;
    sector_t sector = bio-&gt;bi_sector;

    /* Do each segment independently. */
    bio_for_each_segment(bvec, bio, i) {
        char *buffer = __bio_kmap_atomic(bio, i, KM_USER0);
        sbull_transfer(dev, sector, bio_cur_sectors(bio),
                buffer, bio_data_dir(bio) = = WRITE);
        sector += bio_cur_sectors(bio);
        __bio_kunmap_atomic(bio, KM_USER0);
    }
    return 0; /* Always &quot;succeed&quot; */
}
</pre>
This function simply steps through each segment in the <font class="fixd">bio</font> structure, gets a kernel
virtual address to access the buffer, then calls the same <i>sbull_transfer </i>function we
saw earlier to copy the data over.<br>
<br>
<A name="489"></a><font color="blue">PAGE 489</font><br>
<br>
Each device has its own needs, but, as a general rule, the code just shown should
serve as a model for many situations where digging through the <font class="fixd">bio</font> structures is
needed.<br>
<br>
<a name="BlockRequestsAndDMA"></a><font color="red"><b>Block requests and DMA</b></font><br>
<br>
If you are working on a high-performance block driver, chances are you will be using
DMA for the actual data transfers. A block driver can certainly step through the <font class="fixd">bio</font> structures, 
as described above, create a DMA mapping for each one, and pass the result
to the device. There is an easier way, however, if your device can do scatter/gather I/O.
The function:<br>
<pre>
int blk_rq_map_sg(request_queue_t *queue, struct request *req,
                  struct scatterlist *list);
</pre>
fills in the given <font class="fixd">list</font> with the full set of segments from the given request. Segments
that are adjacent in memory are coalesced prior to insertion into the scatterlist, so
you need not try to detect them yourself. The return value is the number of entries in
the list. The function also passes back, in its third argument, a scatterlist suitable for
passing to <i>dma_map_sg</i>. (See the section "Scatter-gather mappings" in Chapter 15
for more information on <i>dma_map_sg</i>.)<br>
<br>
Your driver must allocate the storage for the scatterlist before calling <i>blk_rq_map_sg</i>.
The list must be able to hold at least as many entries as the request has physical segments;
the <font class="fixd">struct request</font> field <font class="fixd">nr_phys_segments</font> holds that count, which will not
exceed the maximum number of physical segments specified with <i>blk_queue_max_
phys_segments</i>.<br>
<br>
If you do not want <i>blk_rq_map_sg </i>to coalesce adjacent segments, you can change the
default behavior with a call such as:<br>
<pre>
clear_bit(QUEUE_FLAG_CLUSTER, &amp;queue-&gt;queue_flags);
</pre>
Some SCSI disk drivers mark their request queue in this way, since they do not benefit
from the coalescing of requests.<br>
<br>
<a name="DoingWithoutARequestQueue"></a><font color="red"><b>Doing without a request queue</b></font><br>
<br>
Previously, we have discussed the work the kernel does to optimize the order of
requests in the queue; this work involves sorting requests and, perhaps, even stalling
the queue to allow an anticipated request to arrive. These techniques help the system's
performance when dealing with a real, spinning disk drive. They are completely
wasted, however, with a device like <i>sbull</i>. Many block-oriented devices, such
as flash memory arrays, readers for media cards used in digital cameras, and RAM
disks have truly random-access performance and do not benefit from advanced request
queueing logic. Other devices, such as software RAID arrays or virtual disks
created by logical volume managers, do not have the performance characteristics for
which the block layer's request queues are optimized. For this kind of device, it<br>
<br>
<A name="490"></a><font color="blue">PAGE 490</font><br>
<br>
would be better to accept requests directly from the block layer and not bother with
the request queue at all.<br>
<br>
For these situations, the block layer supports a "no queue" mode of operation. To
make use of this mode, your driver must provide a "make request" function, rather
than a <i>request</i> function. The <i>make_request</i> function has this prototype:<br>
<pre>
typedef int (make_request_fn) (request_queue_t *q, struct bio *bio);
</pre>
Note that a request queue is still present, even though it will never actually hold any
requests. The <i>make_request </i>function takes as its main parameter a <font class="fixd">bio</font> structure,
which represents one or more buffers to be transferred. The <i>make_request </i>function
can do one of two things: it can either perform the transfer directly, or it can redirect
the request to another device.<br>
<br>
Performing the transfer directly is just a matter of working through the <font class="fixd">bio</font> with the
accessor methods we described earlier. Since there is no <font class="fixd">request</font> structure to work
with, however, your function should signal completion directly to the creator of the
<font class="fixd">bio</font> structure with a call to <i>bio_endio</i>:<br>
<pre>
void bio_endio(struct bio *bio, unsigned int bytes, int error);
</pre>
Here, <font class="fixd">bytes</font> is the number of bytes you have transferred so far. It can be less than the
number of bytes represented by the <font class="fixd">bio</font> as a whole; in this way, you can signal partial
completion, and update the internal "current buffer" pointers within the <font class="fixd">bio.</font>
You should either call <i>bio_endio </i>again as your device makes further process, or signal
an error if you are unable to complete the request. Errors are indicated by providing
a nonzero value for the <font class="fixd">error</font> parameter; this value is normally an error code such
as <font class="fixd">-EIO.</font> The <i>make_request</i> should return 0, regardless of whether the I/O is successful.<br>
<br>
If <i>sbull </i>is loaded with <font class="fixd">request_mode=2,</font> it operates with a <i>make_request </i>function.
Since <i>sbull </i>already has a function that can transfer a single <font class="fixd">bio,</font> the <i>make_request
</i>function is simple:<br>
<pre>
static int sbull_make_request(request_queue_t *q, struct bio *bio)
{
    struct sbull_dev *dev = q-&gt;queuedata;
    int status;

    status = sbull_xfer_bio(dev, bio);
    bio_endio(bio, bio-&gt;bi_size, status);
    return 0;
}
</pre>
Please note that you should never call <i>bio_endio </i>from a regular <i>request </i>function; that
job is handled by <i>end_that_request_first</i> instead.<br>
<br>
Some block drivers, such as those implementing volume managers and software
RAID arrays, really need to redirect the request to another device that handles the
actual I/O. Writing such a driver is beyond the scope of this book. We note, however,
that if the <i>make_request </i>function returns a nonzero value, the <font class="fixd">bio</font> is submitted<br>
<br>
<A name="491"></a><font color="blue">PAGE 491</font><br>
<br>
again. A "stacking" driver can, therefore, modify the <font class="fixd">bi_bdev</font> field to point to a different
device, change the starting sector value, then return; the block system then
passes the <font class="fixd">bio</font> to the new device. There is also a <i>bio_split </i>call that can be used to split
a <font class="fixd">bio</font> into multiple chunks for submission to more than one device. Although if the
queue parameters are set up correctly, splitting a <font class="fixd">bio</font> in this way should almost never
be necessary.<br>
<br>
Either way, you must tell the block subsystem that your driver is using a custom
<i>make_request</i> function. To do so, you must allocate a request queue with:<br>
<pre>
request_queue_t *blk_alloc_queue(int flags);
</pre>
This function differs from <i>blk_init_queue </i>in that it does not actually set up the queue
to hold requests. The <font class="fixd">flags</font> argument is a set of allocation flags to be used in allocating
memory for the queue; usually the right value is <font class="fixd">GFP_KERNEL</font>. Once you have a
queue, pass it and your <i>make_request</i> function to <i>blk_queue_make_request</i>:<br>
<pre>
void blk_queue_make_request(request_queue_t *queue, make_request_fn *func);
</pre>
The <i>sbull</i> code to set up the <i>make_request</i> function looks like:<br>
<pre>
dev-&gt;queue = blk_alloc_queue(GFP_KERNEL);
if (dev-&gt;queue = = NULL)
    goto out_vfree;
blk_queue_make_request(dev-&gt;queue, sbull_make_request);
</pre>
For the curious, some time spent digging through <i>drivers/block/ll_rw_block.c </i>shows
that all queues have a <i>make_request </i>function. The default version, <i>generic_make_request</i>, 
handles the incorporation of the <font class="fixd">bio</font> into a <font class="fixd">request</font> structure. By providing a
<i>make_request </i>function of its own, a driver is really just overriding a specific <i>request
queue</i> method and sorting out much of the work.<br>
<br>
<a name="SomeOtherDetails"></a><font color="red"><b>Some Other Details</b></font><br>
<br>
This section covers a few other aspects of the block layer that may be of interest for
advanced drivers. None of the following facilities need to be used to write a correct
driver, but they may be helpful in some situations.<br>
<br>
<a name="CommandPrePreparation"></a><font color="red"><b>Command Pre-Preparation</b></font><br>
<br>
The block layer provides a mechanism for drivers to examine and preprocess
requests before they are returned from <i>elv_next_request</i>. This mechanism allows
drivers to set up the actual drive commands ahead of time, decide whether the
request can be handled at all, or perform other sorts of housekeeping.<br>
<br>
If you want to use this feature, create a command preparation function that fits this
prototype:<br>
<pre>
typedef int (prep_rq_fn) (request_queue_t *queue, struct request *req);
</pre>
<A name="492"></a><font color="blue">PAGE 492</font><br>
<br>
The <font class="fixd">request</font> structure includes a field called <font class="fixd">cmd</font>, which is an array of <font class="fixd">BLK_MAX_CDB</font>
bytes; this array may be used by the preparation function to store the actual hardware
command (or any other useful information). This function should return one of
the following values:<br>
<br>
<font class="fixd">BLKPREP_OK</font><br>
<div class="bq">
Command preparation went normally, and the request can be handed to your
driver's <i>request</i> function.</div>
<br>
<font class="fixd">BLKPREP_KILL</font><br>
<div class="bq">
This request cannot be completed; it is failed with an error code.</div>
<br>
<font class="fixd">BLKPREP_DEFER</font><br>
<div class="bq">
This request cannot be completed at this time. It stays at the front of the queue
but is not handed to the <i>request</i> function.</div>
<br>
The preparation function is called by <i>elv_next_request </i>immediately before the
request is returned to your driver. If this function returns <font class="fixd">BLKPREP_DEFER,</font> the return
value from <i>elv_next_request </i>to your driver is <font class="fixd">NULL</font>. This mode of operation can be
useful if, for example, your device has reached the maximum number of requests it
can have outstanding.<br>
<br>
To have the block layer call your preparation function, pass it to:<br>
<pre>
void blk_queue_prep_rq(request_queue_t *queue, prep_rq_fn *func);
</pre>
By default, request queues have no preparation function.<br>
<br>
<a name="TaggedCommandQueueing"></a><font color="red"><b>Tagged Command Queueing</b></font><br>
<br>
Hardware that can have multiple requests active at once usually supports some form
of <i>tagged command queueing </i>(TCQ). TCQ is simply the technique of attaching an
integer "tag" to each request so that when the drive completes one of those requests,
it can tell the driver which one. In previous versions of the kernel, block drivers that
implemented TCQ had to do all of the work themselves; in 2.6, a TCQ support
infrastructure has been added to the block layer for all drivers to use.<br>
<br>
If your drive performs tagged command queueing, you should inform the kernel of
that fact at initialization time with a call to:<br>
<pre>
int blk_queue_init_tags(request_queue_t *queue, int depth,
                        struct blk_queue_tag *tags);
</pre>
Here, <font class="fixd">queue</font> is your request queue, and <font class="fixd">depth</font> is the number of tagged requests your
device can have outstanding at any given time. <font class="fixd">tags</font> is an optional pointer to an array of
<font class="fixd">struct blk_queue_tag</font> structures; there must be <font class="fixd">depth</font> of them. Normally, <font class="fixd">tags</font> can be
passed as <font class="fixd">NULL</font>, and <i>blk_queue_init_tags </i>allocates the array. If, however, you need to
share the same tags between multiple devices, you can pass the tags array pointer
(stored in the <font class="fixd">queue_tags</font> field) from another request queue. You should never actually<br>
<br>
<A name="493"></a><font color="blue">PAGE 493</font><br>
<br>
allocate the <font class="fixd">tags</font> array yourself; the block layer needs to initialize the array and does
not export the initialization function to modules.<br>
<br>
Since <i>blk_queue_init_tags </i>allocates memory, it can fail; it returns a negative error
code to the caller in that case.<br>
<br>
If the number of tags your device can handle changes, you can inform the kernel
with:<br>
<pre>
int blk_queue_resize_tags(request_queue_t *queue, int new_depth);
</pre>
The queue lock must be held during the call. This call can fail, returning a negative
error code in that case.<br>
<br>
The association of a tag with a <font class="fixd">request</font> structure is done with <i>blk_queue_start_tag</i>,
which must be called with the queue lock held:<br>
<pre>
int blk_queue_start_tag(request_queue_t *queue, struct request *req);
</pre>
If a tag is available, this function allocates it for this request, stores the tag number in
<font class="fixd">req-&gt;tag,</font> and returns <font class="fixd">0.</font> It also dequeues the request from the queue and links it into
its own tag-tracking structure, so your driver should take care not to dequeue the
request itself if it's using tags. If no more tags are available, <i>blk_queue_start_tag
</i>leaves the request on the queue and returns a nonzero value.<br>
<br>
When all transfers for a given request have been completed, your driver should
return the tag with:<br>
<pre>
void blk_queue_end_tag(request_queue_t *queue, struct request *req);
</pre>
Once again, you must hold the queue lock before calling this function. The call
should be made after <i>end_that_request_first </i>returns 0 (meaning that the request is
complete) but before calling <i>end_that_request_last</i>. Remember that the request is
already dequeued, so it would be a mistake for your driver to do so at this point.<br>
<br>
If you need to find the request associated with a given tag (when the drive reports
completion, for example), use <i>blk_queue_find_tag</i>:<br>
<pre>
struct request *blk_queue_find_tag(request_queue_t *qeue, int tag);
</pre>
The return value is the associated <font class="fixd">request</font> structure, unless something has gone truly
wrong.<br>
<br>
If things really do go wrong, your driver may find itself having to reset or perform
some other act of violence against one of its devices. In that case, any outstanding
tagged commands will not be completed. The block layer provides a function that
can help with the recovery effort in such situations:<br>
<pre>
void blk_queue_invalidate_tags(request_queue_t *queue);
</pre>
This function returns all outstanding tags to the pool and puts the associated
requests back into the request queue. The queue lock must be held when you call
this function.<br>
<br>
<A name="494"></a><font color="blue">PAGE 494</font><br>
<br>
<a name="QuickReference16"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
<font class="fixd">#include &lt;linux/fs.h&gt;<br>
int register_blkdev(unsigned int major, const char *name);<br>
int unregister_blkdev(unsigned int major, const char *name);</font><br>
<div class="bq">
<i>register_blkdev </i>registers a block driver with the kernel and, optionally, obtains a
major number. A driver can be unregistered with <i>unregister_blkdev</i>.</div>
<br>
<font class="fixd">struct block_device_operations</font><br>
<div class="bq">
Structure that holds most of the methods for block drivers.</div>
<br>
<font class="fixd">#include &lt;linux/genhd.h&gt;<br>
struct gendisk;</font><br>
<div class="bq">
Structure that describes a single block device within the kernel.</div>
<br>
<font class="fixd">struct gendisk *alloc_disk(int minors);<br>
void add_disk(struct gendisk *gd);</font><br>
<div class="bq">
Functions that allocate <font class="fixd">gendisk</font> structures and return them to the system.</div>
<br>
<font class="fixd">void set_capacity(struct gendisk *gd, sector_t sectors);</font><br>
<div class="bq">
Stores the capacity of the device (in 512-byte sectors) within the <font class="fixd">gendisk</font> structure.</div>
<br>
<font class="fixd">void add_disk(struct gendisk *gd);</font><br>
<div class="bq">
Adds a disk to the kernel. As soon as this function is called, your disk's methods
can be invoked by the kernel.</div>
<br>
<font class="fixd">int check_disk_change(struct block_device *bdev);</font><br>
<div class="bq">
A kernel function that checks for a media change in the given disk drive and
takes the required cleanup action when such a change is detected.</div>
<br>
<font class="fixd">#include &lt;linux/blkdev.h&gt;<br>
request_queue_t blk_init_queue(request_fn_proc *request, spinlock_t *lock);<br>
void blk_cleanup_queue(request_queue_t *);</font><br>
<div class="bq">
Functions that handle the creation and deletion of block request queues.</div>
<br>
<font class="fixd">struct request *elv_next_request(request_queue_t *queue);<br>
void end_request(struct request *req, int success);</font><br>
<div class="bq">
<i>elv_next_request </i>obtains the next request from a request queue; <i>end_request </i>may
be used in very simple drivers to mark the completion of (or part of) a request.</div>
<br>
<font class="fixd">void blkdev_dequeue_request(struct request *req);<br>
void elv_requeue_request(request_queue_t *queue, struct request *req);</font><br>
<div class="bq">
Functions that remove a request from a queue and put it back on if necessary.</div>
<br>
<font class="fixd">void blk_stop_queue(request_queue_t *queue);<br>
void blk_start_queue(request_queue_t *queue);</font><br>
<div class="bq">
If you need to prevent further calls to your <i>request </i>method, a call to <i>blk_stop_queue
</i>does the trick. A call to <i>blk_start_queue </i>is necessary to cause your <i>request </i>method
to be invoked again.</div>
<br>
<A name="495"></a><font color="blue">PAGE 495</font><br>
<br>
<font class="fixd">void blk_queue_bounce_limit(request_queue_t *queue, u64 dma_addr);<br>
void blk_queue_max_sectors(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_phys_segments(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_hw_segments(request_queue_t *queue, unsigned short max);<br>
void blk_queue_max_segment_size(request_queue_t *queue, unsigned int max);<br>
blk_queue_segment_boundary(request_queue_t *queue, unsigned long mask);<br>
void blk_queue_dma_alignment(request_queue_t *queue, int mask);<br>
void blk_queue_hardsect_size(request_queue_t *queue, unsigned short max);</font><br>
<div class="bq">
Functions that set various queue parameters that control how requests are created
for a particular device; the parameters are described in the section "Queue
control functions."</div>
<br>
<font class="fixd">#include &lt;linux/bio.h&gt;<br>
struct bio;</font><br>
<div class="bq">
Low-level structure representing a portion of a block I/O request.</div>
<br>
<font class="fixd">bio_sectors(struct bio *bio);<br>
bio_data_dir(struct bio *bio);</font><br>
<div class="bq">
Two macros that yield the size and direction of a transfer described by a <font class="fixd">bio</font> structure.</div>
<br>
<font class="fixd">bio_for_each_segment(bvec, bio, segno);</font><br>
<div class="bq">
A pseudo-control structure used to loop through the segments that make up a <font class="fixd">bio</font> structure.</div>
<br>
<font class="fixd">char *__bio_kmap_atomic(struct bio *bio, int i, enum km_type type);<br>
void __bio_kunmap_atomic(char *buffer, enum km_type type);</font><br>
<div class="bq">
<i>__bio_kmap_atomic </i>may be used to create a kernel virtual address for a given
segment within a <font class="fixd">bio</font> structure. The mapping must be 
undone with <i>__bio_kunmap_atomic</i>.</div>
<br>
<font class="fixd">struct page *bio_page(struct bio *bio);<br>
int bio_offset(struct bio *bio);<br>
int bio_cur_sectors(struct bio *bio);<br>
char *bio_data(struct bio *bio);<br>
char *bio_kmap_irq(struct bio *bio, unsigned long *flags);<br>
void bio_kunmap_irq(char *buffer, unsigned long *flags);</font><br>
<div class="bq">
A set of accessor macros that provide access to the "current" segment within a
<font class="fixd">bio</font> structure.</div>
<br>
<font class="fixd">void blk_queue_ordered(request_queue_t *queue, int flag);<br>
int blk_barrier_rq(struct request *req);</font><br>
<div class="bq">
Call <i>blk_queue_ordered </i>if your driver implements barrier requests--as it should.
The macro <i>blk_barrier_rq </i>returns a nonzero value if the current request is a barrier
request.</div>
<br>
<A name="496"></a><font color="blue">PAGE 496</font><br>
<br>
<font class="fixd">int blk_noretry_request(struct request *req);</font><br>
<div class="bq">
This macro returns a nonzero value if the given request should not be retried on
errors.</div>
<br>
<font class="fixd">int end_that_request_first(struct request *req, int success, int count);<br>
void end_that_request_last(struct request *req);</font><br>
<div class="bq">
Use <i>end_that_request_first </i>to indicate completion of a portion of a block I/O
request. When that function returns 0, the request is complete and should be
passed to <i>end_that_request_last</i>.</div>
<br>
<font class="fixd">rq_for_each_bio(bio, request)</font><br>
<div class="bq">
Another macro-implemented control structure; it steps through each <font class="fixd">bio</font> that
makes up a request.</div>
<br>
<font class="fixd">int blk_rq_map_sg(request_queue_t *queue, struct request *req, struct scatterlist *list);</font><br>
<div class="bq">
Fills the given scatterlist with the information needed to map the buffers in the
given request for a DMA transfer.</div>
<br>
<font class="fixd">typedef int (make_request_fn) (request_queue_t *q, struct bio *bio);</font><br>
<div class="bq">
The prototype for the <i>make_request</i> function.</div>
<br>
<font class="fixd">void bio_endio(struct bio *bio, unsigned int bytes, int error);</font><br>
<div class="bq">
Signal completion for a given <font class="fixd">bio</font>. This function should be used only if your
driver obtained the <font class="fixd">bio</font> directly from the block layer via the <i>make_request</i> function.</div>
<br>
<font class="fixd">request_queue_t *blk_alloc_queue(int flags);<br>
void blk_queue_make_request(request_queue_t *queue, make_request_fn *func);</font><br>
<div class="bq">
Use <i>blk_alloc_queue </i>to allocate a request queue that is used with a custom
<i>make_request </i>function. That function should be set with <i>blk_queue_make_request</i>.</div>
<br>
<font class="fixd">typedef int (prep_rq_fn) (request_queue_t *queue, struct request *req);<br>
void blk_queue_prep_rq(request_queue_t *queue, prep_rq_fn *func);</font><br>
<div class="bq">
The prototype and setup functions for a command preparation function, which
can be used to prepare the necessary hardware command before the request is
passed to your <i>request</i> function.</div>
<br>
<font class="fixd">int blk_queue_init_tags(request_queue_t *queue, int depth, struct blk_queue_tag *tags);<br>
int blk_queue_resize_tags(request_queue_t *queue, int new_depth);<br>
int blk_queue_start_tag(request_queue_t *queue, struct request *req);<br>
void blk_queue_end_tag(request_queue_t *queue, struct request *req);<br>
struct request *blk_queue_find_tag(request_queue_t *qeue, int tag);<br>
void blk_queue_invalidate_tags(request_queue_t *queue);</font><br>
<div class="bq">
Support functions for drivers using tagged command queueing.</div>
<br>
<A name="497"></a><font color="blue">PAGE 497</font><br>
<br>
<a name="CHAPTER17"></a><font color="red"><b>CHAPTER 17</b></font><br>
<br>
<a name="NetworkDrivers"></a><font color="#7519FF" size="+1"><b>Network Drivers</b></font><br>
<br>
Having discussed char and block drivers, we are now ready to move on to the world
of networking. Network interfaces are the third standard class of Linux devices, and
this chapter describes how they interact with the rest of the kernel.<br>
<br>
The role of a network interface within the system is similar to that of a mounted
block device. A block device registers its disks and methods with the kernel, and
then "transmits" and "receives" blocks on request, by means of its <i>request </i>function.
Similarly, a network interface must register itself within specific kernel data structures
in order to be invoked when packets are exchanged with the outside world.<br>
<br>
There are a few important differences between mounted disks and packet-delivery
interfaces. To begin with, a disk exists as a special file in the <i>/dev </i>directory, whereas a
network interface has no such entry point. The normal file operations (read, write,
and so on) do not make sense when applied to network interfaces, so it is not possible
to apply the Unix "everything is a file" approach to them. Thus, network interfaces
exist in their own namespace and export a different set of operations.<br>
<br>
Although you may object that applications use the <i>read </i>and <i>write </i>system calls when
using sockets, those calls act on a software object that is distinct from the interface.
Several hundred sockets can be multiplexed on the same physical interface.<br>
<br>
But the most important difference between the two is that block drivers operate only
in response to requests from the kernel, whereas network drivers receive packets
asynchronously from the outside. Thus, while a block driver is <i>asked </i>to send a buffer
toward the kernel, the network device <i>asks </i>to push incoming packets toward the kernel.
The kernel interface for network drivers is designed for this different mode of
operation.<br>
<br>
Network drivers also have to be prepared to support a number of administrative
tasks, such as setting addresses, modifying transmission parameters, and maintaining
traffic and error statistics. The API for network drivers reflects this need and,
therefore, looks somewhat different from the interfaces we have seen so far.<br>
<br>
<A name="498"></a><font color="blue">PAGE 498</font><br>
<br>
The network subsystem of the Linux kernel is designed to be completely protocol independent.
This applies to both networking protocols (Internet protocol [IP] versus
IPX or other protocols) and hardware protocols (Ethernet versus token ring, etc.).
Interaction between a network driver and the kernel properly deals with one network
packet at a time; this allows protocol issues to be hidden neatly from the driver and
the physical transmission to be hidden from the protocol.<br>
<br>
This chapter describes how the network interfaces fit in with the rest of the Linux
kernel and provides examples in the form of a memory-based modularized network
interface, which is called (you guessed it) <i>snull</i>. To simplify the discussion, the interface
uses the Ethernet hardware protocol and transmits IP packets. The knowledge
you acquire from examining <i>snull </i>can be readily applied to protocols other than IP,
and writing a non-Ethernet driver is different only in tiny details related to the actual
network protocol.<br>
<br>
This chapter doesn't talk about IP numbering schemes, network protocols, or other
general networking concepts. Such topics are not (usually) of concern to the driver
writer, and it's impossible to offer a satisfactory overview of networking technology
in less than a few hundred pages. The interested reader is urged to refer to other
books describing networking issues.<br>
<br>
One note on terminology is called for before getting into network devices. The networking
world uses the term <i>octet </i>to refer to a group of eight bits, which is generally
the smallest unit understood by networking devices and protocols. The term byte is
almost never encountered in this context. In keeping with standard usage, we will
use octet when talking about networking devices.<br>
<br>
The term "header" also merits a quick mention. A header is a set of bytes (err, octets)
prepended to a packet as it is passed through the various layers of the networking
subsystem. When an application sends a block of data through a TCP socket, the
networking subsystem breaks that data up into packets and puts a TCP header,
describing where each packet fits within the stream, at the beginning. The lower levels
then put an IP header, used to route the packet to its destination, in front of the
TCP header. If the packet moves over an Ethernet-like medium, an Ethernet header,
interpreted by the hardware, goes in front of the rest. Network drivers need not concern
themselves with higher-level headers (usually), but they often must be involved
in the creation of the hardware-level header.<br>
<br>
<a name="HowSnullIsDesigned"></a><font color="red"><b>How snull Is Designed</b></font><br>
<br>
This section discusses the design concepts that led to the <i>snull </i>network interface.
Although this information might appear to be of marginal use, failing to understand
it might lead to problems when you play with the sample code.<br>
<br>
The first, and most important, design decision was that the sample interfaces should
remain independent of real hardware, just like most of the sample code used in this<br>
<br>
<A name="499"></a><font color="blue">PAGE 499</font><br>
<br>
book. This constraint led to something that resembles the loopback interface. <i>snull </i>is
not a loopback interface; however, it simulates conversations with real remote hosts
in order to better demonstrate the task of writing a network driver. The Linux loopback
driver is actually quite simple; it can be found in <i>drivers/net/loopback.c</i>.<br>
<br>
Another feature of <i>snull </i>is that it supports only IP traffic. This is a consequence of the
internal workings of the interface--<i>snull </i>has to look inside and interpret the packets
to properly emulate a pair of hardware interfaces. Real interfaces don't depend on
the protocol being transmitted, and this limitation of <i>snull </i>doesn't affect the fragments
of code shown in this chapter.<br>
<br>
<a name="AssigningIPNumbers"></a><font color="red"><b>Assigning IP Numbers</b></font><br>
<br>
The <i>snull </i>module creates two interfaces. These interfaces are different from a simple
loopback, in that whatever you transmit through one of the interfaces loops back to
the other one, not to itself. It looks like you have two external links, but actually
your computer is replying to itself.<br>
<br>
Unfortunately, this effect can't be accomplished through IP number assignments
alone, because the kernel wouldn't send out a packet through interface A that was
directed to its own interface B. Instead, it would use the loopback channel without
passing through <i>snull</i>. To be able to establish a communication through the <i>snull
</i>interfaces, the source and destination addresses need to be modified during data
transmission. In other words, packets sent through one of the interfaces should be
received by the other, but the receiver of the outgoing packet shouldn't be recognized
as the local host. The same applies to the source address of received packets.<br>
<br>
To achieve this kind of "hidden loopback," the <i>snull </i>interface toggles the least significant
bit of the third octet of both the source and destination addresses; that is, it
changes both the network number and the host number of class C IP numbers. The
net effect is that packets sent to network A (connected to <font class="fixd">sn0,</font> the first interface)
appear on the <font class="fixd">sn1</font> interface as packets belonging to network B.<br>
<br>
To avoid dealing with too many numbers, let's assign symbolic names to the IP numbers
involved:<br>
<ul>
<li><font class="fixd">snullnet0</font> is the network that is connected to the <font class="fixd">sn0</font> interface. Similarly,
<font class="fixd">snullnet1</font> is the network connected to <font class="fixd">sn1.</font> The addresses of these networks
should differ only in the least significant bit of the third octet. These networks
must have 24-bit netmasks.
<li><font class="fixd">local0</font> is the IP address assigned to the <font class="fixd">sn0</font> interface; it belongs to <font class="fixd">snullnet0.</font>
The address associated with <font class="fixd">sn1</font> is <font class="fixd">local1. local0</font> and <font class="fixd">local1</font> must differ in the
least significant bit of their third octet and in the fourth octet.
<li><font class="fixd">remote0</font> is a host in <font class="fixd">snullnet0,</font> and its fourth octet is the same as that of <font class="fixd">local1.</font>
Any packet sent to <font class="fixd">remote0</font> reaches <font class="fixd">local1</font> after its network address has been
</ul>
<A name="500"></a><font color="blue">PAGE 500</font>
<ul>
modified by the interface code. The host <font class="fixd">remote1</font> belongs to <font class="fixd">snullnet1,</font> and its
fourth octet is the same as that of <font class="fixd">local0.</font>
</ul>
The operation of the <i>snull </i>interfaces is depicted in Figure 17-1, in which the hostname
associated with each interface is printed near the interface name.<br>
<br><br>
<center>
<img src="fig17-1.gif">
</center>
<br>
<i>Figure 17-1. How a host sees its interfaces</i><br>
<br>
Here are possible values for the network numbers. Once you put these lines in <i>/etc/
networks</i>, you can call your networks by name. The values were chosen from the
range of numbers reserved for private use.<br>
<pre>
snullnet0       192.168.0.0
snullnet1       192.168.1.0
</pre>
The following are possible host numbers to put into <i>/etc/hosts</i>:<br>
<pre>
192.168.0.1   local0
192.168.0.2   remote0
192.168.1.2   local1
192.168.1.1   remote1
</pre>
The important feature of these numbers is that the host portion of <font class="fixd">local0</font> is the same
as that of <font class="fixd">remote1</font>, and the host portion of <font class="fixd">local1</font> is the same as that of <font class="fixd">remote0</font>. You
can use completely different numbers as long as this relationship applies.<br>
<br>
Be careful, however, if your computer is already connected to a network. The numbers
you choose might be real Internet or intranet numbers, and assigning them to
your interfaces prevents communication with the real hosts. For example, although<br>
<br>
<A name="501"></a><font color="blue">PAGE 501</font><br>
<br>
the numbers just shown are not routable Internet numbers, they could already be
used by your private network.<br>
<br>
Whatever numbers you choose, you can correctly set up the interfaces for operation
by issuing the following commands:<br>
<pre>
ifconfig sn0 local0
ifconfig sn1 local1
</pre>
You may need to add the netmask 255.255.255.0 parameter if the address range chosen
is not a class C range.<br>
<br>
At this point, the "remote" end of the interface can be reached. The following screendump
shows how a host reaches <font class="fixd">remote0</font> and <font class="fixd">remote1</font> through the <i>snull</i> interface:<br>
<pre>
morgana% <b>ping -c 2 remote0
</b>64 bytes from 192.168.0.99: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=64 time=0.9 ms
2 packets transmitted, 2 packets received, 0% packet loss

morgana% <b>ping -c 2 remote1
</b>64 bytes from 192.168.1.88: icmp_seq=0 ttl=64 time=1.8 ms
64 bytes from 192.168.1.88: icmp_seq=1 ttl=64 time=0.9 ms
2 packets transmitted, 2 packets received, 0% packet loss
</pre>
Note that you won't be able to reach any other "host" belonging to the two networks,
because the packets are discarded by your computer after the address has
been modified and the packet has been received. For example, a packet aimed at
192.168.0.32 will leave through <font class="fixd">sn0</font> and reappear at <font class="fixd">sn1</font> with a destination address of
192.168.1.32, which is not a local address for the host computer.<br>
<br>
<a name="ThePhysicalTransportOfPackets"></a><font color="red"><b>The Physical Transport of Packets</b></font><br>
<br>
As far as data transport is concerned, the <i>snull</i> interfaces belong to the Ethernet class.<br>
<br>
<i>snull </i>emulates Ethernet because the vast majority of existing networks--at least the
segments that a workstation connects to--are based on Ethernet technology, be it
10base-T, 100base-T, or Gigabit. Additionally, the kernel offers some generalized
support for Ethernet devices, and there's no reason not to use it. The advantage of
being an Ethernet device is so strong that even the <i>plip </i>interface (the interface that
uses the printer ports) declares itself as an Ethernet device.<br>
<br>
The last advantage of using the Ethernet setup for <i>snull </i>is that you can run <i>tcpdump
</i>on the interface to see the packets go by. Watching the interfaces with <i>tcpdump </i>can
be a useful way to see how the two interfaces work.<br>
<br>
As was mentioned previously, <i>snull </i>works only with IP packets. This limitation is a
result of the fact that <i>snull </i>snoops in the packets and even modifies them, in order for
the code to work. The code modifies the source, destination, and checksum in the IP
header of each packet without checking whether it actually conveys IP information.<br>
<br>
<A name="502"></a><font color="blue">PAGE 502</font><br>
<br>
This quick-and-dirty data modification destroys non-IP packets. If you want to deliver
other protocols through <i>snull</i>, you must modify the module's source code.<br>
<br>
<a name="ConnectingToTheKernel"></a><font color="red"><b>Connecting to the Kernel</b></font><br>
<br>
We start looking at the structure of network drivers by dissecting the <i>snull </i>source.
Keeping the source code for several drivers handy might help you follow the discussion
and to see how real-world Linux network drivers operate. As a place to start, we
suggest <i>loopback.c</i>, <i>plip.c</i>, and <i>e100.c</i>, in order of increasing complexity. All these
files live in <i>drivers/net</i>, within the kernel source tree.<br>
<br>
<a name="DeviceRegistration17"></a><font color="red"><b>Device Registration</b></font><br>
<br>
When a driver module is loaded into a running kernel, it requests resources and
offers facilities; there's nothing new in that. And there's also nothing new in the way
resources are requested. The driver should probe for its device and its hardware location
(I/O ports and IRQ line)--but not register them--as described in "Installing an
Interrupt Handler" in Chapter 10. The way a network driver is registered by its module
initialization function is different from char and block drivers. Since there is no
equivalent of major and minor numbers for network interfaces, a network driver
does not request such a number. Instead, the driver inserts a data structure for each
newly detected interface into a global list of network devices.<br>
<br>
Each interface is described by a <font class="fixd">struct net_device</font> item, which is defined in <i>&lt;linux/
netdevice.h&gt;</i>. The <i>snull </i>driver keeps pointers to two of these structures (for <font class="fixd">sn0</font> and
<font class="fixd">sn1</font>) in a simple array:<br>
<pre>
struct net_device *snull_devs[2];
</pre>
The <font class="fixd">net_device</font> structure, like many other kernel structures, contains a kobject and
is, therefore, reference-counted and exported via sysfs. As with other such structures,
it must be allocated dynamically. The kernel function provided to perform this
allocation is <i>alloc_netdev</i>, which has the following prototype:<br>
<pre>
struct net_device *alloc_netdev(int sizeof_priv,
                                const char *name,
                                void (*setup)(struct net_device *));
</pre>
Here, <font class="fixd">sizeof_priv</font> is the size of the driver's "private data" area; with network devices,
that area is allocated along with the <font class="fixd">net_device</font> structure. In fact, the two are allocated
together in one large chunk of memory, but driver authors should pretend that
they don't know that. <font class="fixd">name</font> is the name of this interface, as is seen by user space; this
name can have a <i>printf</i>-style <font class="fixd">%d</font> in it. The kernel replaces the <font class="fixd">%d</font> with the next available
interface number. Finally, <font class="fixd">setup</font> is a pointer to an initialization function that is called
to set up the rest of the <font class="fixd">net_device</font> structure. We get to the initialization function<br>
<br>
<A name="503"></a><font color="blue">PAGE 503</font><br>
<br>
shortly, but, for now, suffice it to say that <i>snull </i>allocates its two device structures in
this way:<br>
<pre>
snull_devs[0] = alloc_netdev(sizeof(struct snull_priv), &quot;sn%d&quot;,
        snull_init);
snull_devs[1] = alloc_netdev(sizeof(struct snull_priv), &quot;sn%d&quot;,
        snull_init);
if (snull_devs[0] = = NULL || snull_devs[1] = = NULL)
    goto out;
</pre>
As always, we must check the return value to ensure that the allocation succeeded.<br>
<br>
The networking subsystem provides a number of helper functions wrapped around
<i>alloc_netdev </i>for various types of interfaces. The most common is <i>alloc_etherdev</i>,
which is defined in <i>&lt;linux/etherdevice.h&gt;</i>:<br>
<pre>
struct net_device *alloc_etherdev(int sizeof_priv);
</pre>
This function allocates a network device using <font class="fixd">eth%d</font> for the name argument. It provides
its own initialization function (<i>ether_setup</i>) that sets several <font class="fixd">net_device</font> fields
with appropriate values for Ethernet devices. Thus, there is no driver-supplied initialization
function for <i>alloc_etherdev</i>; the driver should simply do its required initialization
directly after a successful allocation. Writers of drivers for other types of devices
may want to take advantage of one of the other helper functions, such as <i>alloc_fcdev
</i>(defined in <i>&lt;linux/fcdevice.h&gt;</i>) for fiber-channel devices, <i>alloc_fddidev </i>(<i>&lt;linux/
fddidevice.h&gt;</i>) for FDDI devices, or <i>alloc_trdev </i>(<i>&lt;linux/trdevice.h&gt;</i>) for token ring
devices.<br>
<br>
<i>snull </i>could use <i>alloc_etherdev </i>without trouble; we chose to use <i>alloc_netdev </i>instead,
as a way of demonstrating the lower-level interface and to give us control over the
name assigned to the interface.<br>
<br>
Once the <font class="fixd">net_device</font> structure has been initialized, completing the process is just a
matter of passing the structure to <i>register_netdev</i>. In <i>snull</i>, the call looks as follows:<br>
<pre>
for (i = 0; i &lt; 2;  i++)
    if ((result = register_netdev(snull_devs[i])))
        printk(&quot;snull: error %i registering device \&quot;%s\&quot;\n&quot;,
                result, snull_devs[i]-&gt;name);
</pre>
The usual cautions apply here: as soon as you call <i>register_netdev</i>, your driver may be
called to operate on the device. Thus, you should not register the device until everything
has been completely initialized.<br>
<br>
<a name="InitializingEachDevice"></a><font color="red"><b>Initializing Each Device</b></font><br>
<br>
We have looked at the allocation and registration of <font class="fixd">net_device</font> structures, but we
passed over the intermediate step of completely initializing that structure. Note that
<font class="fixd">struct net_device</font> is always put together at runtime; it cannot be set up at compile
time in the same manner as a <font class="fixd">file_operations</font> or <font class="fixd">block_device_operations</font> structure.
This initialization must be complete before calling <i>register_netdev</i>. The <font class="fixd">net_device</font><br>
<br>
<A name="504"></a><font color="blue">PAGE 504</font><br>
<br>
structure is large and complicated; fortunately, the kernel takes care of some Ethernet wide
defaults through the <i>ether_setup</i> function (which is called by <i>alloc_etherdev</i>).<br>
<br>
Since <i>snull </i>uses <i>alloc_netdev</i>, it has a separate initialization function. The core of this
function (<i>snull_init</i>) is as follows:<br>
<pre>
ether_setup(dev); /* assign some of the fields */

dev-&gt;open            = snull_open;
dev-&gt;stop            = snull_release;
dev-&gt;set_config      = snull_config;
dev-&gt;hard_start_xmit = snull_tx;
dev-&gt;do_ioctl        = snull_ioctl;
dev-&gt;get_stats       = snull_stats;
dev-&gt;rebuild_header  = snull_rebuild_header;
dev-&gt;hard_header     = snull_header;
dev-&gt;tx_timeout      = snull_tx_timeout;
dev-&gt;watchdog_timeo = timeout;
/* keep the default flags, just add NOARP */
dev-&gt;flags           |= IFF_NOARP;
dev-&gt;features        |= NETIF_F_NO_CSUM;
dev-&gt;hard_header_cache = NULL;      /* Disable caching */
</pre>
The above code is a fairly routine initialization of the <font class="fixd">net_device</font> structure; it is
mostly a matter of storing pointers to our various driver functions. The single
unusual feature of the code is setting <font class="fixd">IFF_NOARP</font> in the flags. This specifies that the
interface cannot use the Address Resolution Protocol (ARP). ARP is a low-level
Ethernet protocol; its job is to turn IP addresses into Ethernet medium access control
(MAC) addresses. Since the "remote" systems simulated by <i>snull </i>do not really
exist, there is nobody available to answer ARP requests for them. Rather than complicate
<i>snull </i>with the addition of an ARP implementation, we chose to mark the
interface as being unable to handle that protocol. The assignment to <font class="fixd">hard_header_cache </font>
is there for a similar reason: it disables the caching of the (nonexistent) ARP
replies on this interface. This topic is discussed in detail in the section "MAC
Address Resolution" later in this chapter.<br>
<br>
The initialization code also sets a couple of fields (<font class="fixd">tx_timeout</font> and <font class="fixd">watchdog_timeo</font>)
that relate to the handling of transmission timeouts. We cover this topic thoroughly
in the section "Transmission Timeouts."<br>
<br>
We look now at one more <font class="fixd">struct net_device</font> field, <font class="fixd">priv.</font> Its role is similar to that of
the <font class="fixd">private_data</font> pointer that we used for char drivers. Unlike <font class="fixd">fops-&gt;private_data,</font>
this <font class="fixd">priv</font> pointer is allocated along with the <font class="fixd">net_device</font> structure. Direct access to the
<font class="fixd">priv</font> field is also discouraged, for performance and flexibility reasons. When a driver
needs to get access to the private data pointer, it should use the <i>netdev_priv </i>function.
Thus, the <i>snull</i> driver is full of declarations such as:<br>
<pre>
struct snull_priv *priv = netdev_priv(dev);
</pre>
<A name="505"></a><font color="blue">PAGE 505</font><br>
<br>
The <i>snull</i> module declares a <font class="fixd">snull_priv</font> data structure to be used for <font class="fixd">priv:</font><br>
<pre>
struct snull_priv {
    struct net_device_stats stats;
    int status;
    struct snull_packet *ppool;
    struct snull_packet *rx_queue;  /* List of incoming packets */
    int rx_int_enabled;
    int tx_packetlen;
    u8 *tx_packetdata;
    struct sk_buff *skb;
    spinlock_t lock;
};
</pre>
The structure includes, among other things, an instance of <font class="fixd">struct net_device_stats,</font>
which is the standard place to hold interface statistics. The following lines in <i>snull_init
</i>allocate and initialize <font class="fixd">dev-&gt;priv:</font><br>
<pre>
priv = netdev_priv(dev);
memset(priv, 0, sizeof(struct snull_priv));
spin_lock_init(&amp;priv-&gt;lock);
snull_rx_ints(dev, 1);      /* enable receive interrupts */
</pre>
<a name="ModuleUnloading"></a><font color="red"><b>Module Unloading</b></font><br>
<br>
Nothing special happens when the module is unloaded. The module cleanup function
simply unregisters the interfaces, performs whatever internal cleanup is
required, and releases the <font class="fixd">net_device</font> structure back to the system:<br>
<pre>
void snull_cleanup(void)
{
    int i;

    for (i = 0; i &lt; 2;  i++) {
        if (snull_devs[i]) {
            unregister_netdev(snull_devs[i]);
            snull_teardown_pool(snull_devs[i]);
            free_netdev(snull_devs[i]);
        }
    }
    return;
}
</pre>
The call to <i>unregister_netdev </i>removes the interface from the system; <i>free_netdev
</i>returns the <font class="fixd">net_device</font> structure to the kernel. If a reference to that structure exists
somewhere, it may continue to exist, but your driver need not care about that. Once
you have unregistered the interface, the kernel no longer calls its methods.<br>
<br>
Note that our internal cleanup (done in <i>snull_teardown_pool</i>) cannot happen until the
device has been unregistered. It must, however, happen before we return the <font class="fixd">net_device</font>
structure to the system; once we have called <i>free_netdev</i>, we cannot make any further
references to the device or our private area.<br>
<br>
<A name="506"></a><font color="blue">PAGE 506</font><br>
<br>
<a name="TheNetdeviceStructureInDetail"></a><font color="red"><b>The <font class="fixd">net_device</font> Structure in Detail</b></font><br>
<br>
The <font class="fixd">net_device</font> structure is at the very core of the network driver layer and deserves a
complete description. This list describes all the fields, but more to provide a reference
than to be memorized. The rest of this chapter briefly describes each field as
soon as it is used in the sample code, so you don't need to keep referring back to this
section.<br>
<br>
<a name="GlobalInformation"></a><font color="red"><b>Global Information</b></font><br>
<br>
The first part of <font class="fixd">struct net_device</font> is composed of the following fields:<br>
<br>
<font class="fixd">char name[IFNAMSIZ];</font><br>
<div class="bq">
The name of the device. If the name set by the driver contains a <font class="fixd">%d</font> format string,
<i>register_netdev </i>replaces it with a number to make a unique name; assigned numbers
start at 0.</div>
<br>
<font class="fixd">unsigned long state;</font><br>
<div class="bq">
Device state. The field includes several flags. Drivers do not normally manipulate
these flags directly; instead, a set of utility functions has been provided.
These functions are discussed shortly when we get into driver operations.</div>
<br>
<font class="fixd">struct net_device *next;</font><br>
<div class="bq">
Pointer to the next device in the global linked list. This field shouldn't be
touched by the driver.</div>
<br>
<font class="fixd">int (*init)(struct net_device *dev);</font><br>
<div class="bq">
An initialization function. If this pointer is set, the function is called by <i>register_netdev
</i>to complete the initialization of the <font class="fixd">net_device</font> structure. Most modern network
drivers do not use this function any longer; instead, initialization is performed
before registering the interface.</div>
<br>
<a name="HardwareInformation"></a><font color="red"><b>Hardware Information</b></font><br>
<br>
The following fields contain low-level hardware information for relatively simple
devices. They are a holdover from the earlier days of Linux networking; most modern
drivers do make use of them (with the possible exception of <font class="fixd">if_port</font>). We list
them here for completeness.<br>
<br>
<font class="fixd">unsigned long rmem_end;<br>
unsigned long rmem_start;<br>
unsigned long mem_end;<br>
unsigned long mem_start;</font><br>
<div class="bq">
Device memory information. These fields hold the beginning and ending
addresses of the shared memory used by the device. If the device has different
receive and transmit memories, the <font class="fixd">mem</font> fields are used for transmit memory and
the <font class="fixd">rmem</font> fields for receive memory. The <font class="fixd">rmem</font> fields are never referenced outside</div>
<br>
<A name="507"></a><font color="blue">PAGE 507</font><br>
<br>
<div class="bq">of the driver itself. By convention, the <font class="fixd">end</font> fields are set so that <font class="fixd">end - start</font> is the
amount of available onboard memory.</div>
<br>
<font class="fixd">unsigned long base_addr;</font><br>
<div class="bq">
The I/O base address of the network interface. This field, like the previous ones,
is assigned by the driver during the device probe. The <i>ifconfig </i>command can be
used to display or modify the current value. The <font class="fixd">base_addr</font> can be explicitly
assigned on the kernel command line at system boot (via the <font class="fixd">netdev=</font> parameter)
or at module load time. The field, like the memory fields described above, is not
used by the kernel.</div>
<br>
<font class="fixd">unsigned char irq;</font><br>
<div class="bq">
The assigned interrupt number. The value of <font class="fixd">dev-&gt;irq</font> is printed by <i>ifconfig </i>when
interfaces are listed. This value can usually be set at boot or load time and modified
later using <i>ifconfig</i>.</div>
<br>
<font class="fixd">unsigned char if_port;</font><br>
<div class="bq">
The port in use on multiport devices. This field is used, for example, with devices
that support both coaxial (<font class="fixd">IF_PORT_10BASE2</font>) and twisted-pair (<font class="fixd">IF_PORT_100BASET</font>)
Ethernet connections. The full set of known port types is defined in <i>&lt;linux/netdevice.h&gt;</i>.</div>
<br>
<font class="fixd">unsigned char dma;</font><br>
<div class="bq">
The DMA channel allocated by the device. The field makes sense only with some
peripheral buses, such as ISA. It is not used outside of the device driver itself but
for informational purposes (in <i>ifconfig</i>).</div>
<br>
<a name="InterfaceInformation"></a><font color="red"><b>Interface Information</b></font><br>
<br>
Most of the information about the interface is correctly set up by the <i>ether_setup
</i>function (or whatever other setup function is appropriate for the given hardware
type). Ethernet cards can rely on this general-purpose function for most of these
fields, but the <font class="fixd">flags</font> and <font class="fixd">dev_addr</font> fields are device specific and must be explicitly
assigned at initialization time.<br>
<br>
Some non-Ethernet interfaces can use helper functions similar to <i>ether_setup</i>. <i>drivers/
net/net_init.c</i> exports a number of such functions, including the following:<br>
<br>
<font class="fixd">void ltalk_setup(struct net_device *dev);</font><br>
<div class="bq">
Sets up the fields for a LocalTalk device</div>
<br>
<font class="fixd">void fc_setup(struct net_device *dev);</font><br>
<div class="bq">
Initializes fields for fiber-channel devices</div>
<br>
<font class="fixd">void fddi_setup(struct net_device *dev);</font><br>
<div class="bq">
Configures an interface for a Fiber Distributed Data Interface (FDDI) network</div>
<br>
<A name="508"></a><font color="blue">PAGE 508</font><br>
<br>
<font class="fixd">void hippi_setup(struct net_device *dev);</font><br>
<div class="bq">
Prepares fields for a High-Performance Parallel Interface (HIPPI) high-speed
interconnect driver</div>
<br>
<font class="fixd">void tr_setup(struct net_device *dev);</font><br>
<div class="bq">
Handles setup for token ring network interfaces</div>
<br>
Most devices are covered by one of these classes. If yours is something radically new
and different, however, you need to assign the following fields by hand:<br>
<br>
<font class="fixd">unsigned short hard_header_len;</font><br>
<div class="bq">
The hardware header length, that is, the number of octets that lead the transmitted
packet before the IP header, or other protocol information. The value of
<font class="fixd">hard_header_len</font> is <font class="fixd">14 (ETH_HLEN)</font> for Ethernet interfaces.</div>
<br>
<font class="fixd">unsigned mtu;</font><br>
<div class="bq">
The maximum transfer unit (MTU). This field is used by the network layer to
drive packet transmission. Ethernet has an MTU of 1500 octets (<font class="fixd">ETH_DATA_LEN</font>).
This value can be changed with <i>ifconfig</i>.</div>
<br>
<font class="fixd">unsigned long tx_queue_len;</font><br>
<div class="bq">
The maximum number of frames that can be queued on the device's transmission
queue. This value is set to 1000 by <i>ether_setup</i>, but you can change it. For
example, <i>plip </i>uses 10 to avoid wasting system memory (<i>plip </i>has a lower
throughput than a real Ethernet interface).</div>
<br>
<font class="fixd">unsigned short type;</font><br>
<div class="bq">
The hardware type of the interface. The <font class="fixd">type</font> field is used by ARP to determine
what kind of hardware address the interface supports. The proper value for
Ethernet interfaces is <font class="fixd">ARPHRD_ETHER,</font> and that is the value set by <i>ether_setup</i>. The
recognized types are defined in <i>&lt;linux/if_arp.h&gt;</i>.</div>
<br>
<font class="fixd">unsigned char addr_len;<br>
unsigned char broadcast[MAX_ADDR_LEN];<br>
unsigned char dev_addr[MAX_ADDR_LEN];</font><br>
<div class="bq">
Hardware (MAC) address length and device hardware addresses. The Ethernet
address length is six octets (we are referring to the hardware ID of the interface
board), and the broadcast address is made up of six <font class="fixd">0xff</font> octets; <i>ether_setup
</i>arranges for these values to be correct. The device address, on the other hand,
must be read from the interface board in a device-specific way, and the driver
should copy it to <font class="fixd">dev_addr</font>. The hardware address is used to generate correct
Ethernet headers before the packet is handed over to the driver for transmission.
The <i>snull </i>device doesn't use a physical interface, and it invents its own hardware
address.</div>
<br>
<font class="fixd">unsigned short flags;<br>
int features;</font><br>
<div class="bq">
Interface flags (detailed next).</div>
<br>
<A name="509"></a><font color="blue">PAGE 509</font><br>
<br>
The <font class="fixd">flags</font> field is a bit mask including the following bit values. The <font class="fixd">IFF_prefix</font>
stands for "interface flags." Some flags are managed by the kernel, and some are set
by the interface at initialization time to assert various capabilities and other features
of the interface. The valid flags, which are defined in <i>&lt;linux/if.h&gt;</i>, are:<br>
<br>
<font class="fixd">IFF_UP</font><br>
<div class="bq">
This flag is read-only for the driver. The kernel turns it on when the interface is
active and ready to transfer packets.</div>
<br>
<font class="fixd">IFF_BROADCAST</font><br>
<div class="bq">
This flag (maintained by the networking code) states that the interface allows
broadcasting. Ethernet boards do.</div>
<br>
<font class="fixd">IFF_DEBUG</font><br>
<div class="bq">
This marks debug mode. The flag can be used to control the verbosity of your
<i>printk </i>calls or for other debugging purposes. Although no in-tree driver currently
uses this flag, it can be set and reset by user programs via <i>ioctl</i>, and your
driver can use it. The <i>misc-progs/netifdebug </i>program can be used to turn the flag
on and off.</div>
<br>
<font class="fixd">IFF_LOOPBACK</font><br>
<div class="bq">
This flag should be set only in the loopback interface. The kernel checks for
<font class="fixd">IFF_LOOPBACK</font> instead of hard-wiring the lo name as a special interface.</div>
<br>
<font class="fixd">IFF_POINTOPOINT</font><br>
<div class="bq">
This flag signals that the interface is connected to a point-to-point link. It is set
by the driver or, sometimes, by <i>ifconfig</i>. For example, <i>plip </i>and the PPP driver
have it set.</div>
<br>
<font class="fixd">IFF_NOARP</font><br>
<div class="bq">
This means that the interface can't perform ARP. For example, point-to-point
interfaces don't need to run ARP, which would only impose additional traffic
without retrieving useful information. <i>snull </i>runs without ARP capabilities, so it
sets the flag.</div>
<br>
<font class="fixd">IFF_PROMISC</font><br>
<div class="bq">
This flag is set (by the networking code) to activate promiscuous operation. By
default, Ethernet interfaces use a hardware filter to ensure that they receive
broadcast packets and packets directed to that interface's hardware address
only. Packet sniffers such as <i>tcpdump </i>set promiscuous mode on the interface in
order to retrieve all packets that travel on the interface's transmission medium.</div>
<br>
<font class="fixd">IFF_MULTICAST</font><br>
<div class="bq">
This flag is set by drivers to mark interfaces that are capable of multicast transmission.
<i>ether_setup </i>sets <font class="fixd">IFF_MULTICAST</font> by default, so if your driver does not
support multicast, it must clear the flag at initialization time.</div>
<br>
<font class="fixd">IFF_ALLMULTI</font><br>
<div class="bq">
This flag tells the interface to receive all multicast packets. The kernel sets it when
the host performs multicast routing, only if <font class="fixd">IFF_MULTICAST</font> is set. <font class="fixd">IFF_ALLMULTI</font> is</div>
<br>
<A name="510"></a><font color="blue">PAGE 510</font><br>
<br>
<div class="bq">read-only for the driver. Multicast flags are used in the section "Multicast," later
in this chapter.</div>
<br>
<font class="fixd">IFF_MASTER<br>
IFF_SLAVE</font><br>
<div class="bq">
These flags are used by the load equalization code. The interface driver doesn't
need to know about them.</div>
<br>
<font class="fixd">IFF_PORTSEL<br>
IFF_AUTOMEDIA</font><br>
<div class="bq">
These flags signal that the device is capable of switching between multiple media
types; for example, unshielded twisted pair (UTP) versus coaxial Ethernet cables.
If <font class="fixd">IFF_AUTOMEDIA</font> is set, the device selects the proper medium automatically. In
practice, the kernel makes no use of either flag.</div>
<br>
<font class="fixd">IFF_DYNAMIC</font><br>
<div class="bq">
This flag, set by the driver, indicates that the address of this interface can
change. It is not currently used by the kernel.</div>
<br>
<font class="fixd">IFF_RUNNING</font><br>
<div class="bq">
This flag indicates that the interface is up and running. It is mostly present for
BSD compatibility; the kernel makes little use of it. Most network drivers need
not worry about <font class="fixd">IFF_RUNNING</font>.</div>
<br>
<font class="fixd">IFF_NOTRAILERS</font><br>
<div class="bq">
This flag is unused in Linux, but it exists for BSD compatibility.</div>
<br>
When a program changes <font class="fixd">IFF_UP,</font> the <i>open </i>or <i>stop </i>device method is called. Furthermore,
when <font class="fixd">IFF_UP</font> or any other flag is modified, the <i>set_multicast_list </i>method is
invoked. If the driver needs to perform some action in response to a modification of
the flags, it must take that action in <i>set_multicast_list</i>. For example, when <font class="fixd">IFF_PROMISC</font>
is set or reset, <i>set_multicast_list </i>must notify the onboard hardware filter. The responsibilities
of this device method are outlined in the section "Multicast."<br>
<br>
The features field of the <font class="fixd">net_device</font> structure is set by the driver to tell the kernel
about any special hardware capabilities that this interface has. We will discuss some
of these features; others are beyond the scope of this book. The full set is:<br>
<br>
<font class="fixd">NETIF_F_SG<br>
NETIF_F_FRAGLIST</font><br>
<div class="bq">
Both of these flags control the use of scatter/gather I/O. If your interface can transmit
a packet that has been split into several distinct memory segments, you should
set <font class="fixd">NETIF_F_SG</font>. Of course, you have to actually implement the scatter/gather I/O (we
describe how that is done in the section "Scatter/Gather I/O"). <font class="fixd">NETIF_F_FRAGLIST</font>
states that your interface can cope with packets that have been fragmented; only the
loopback driver does this in 2.6.<br>
<br>
Note that the kernel does not perform scatter/gather I/O to your device if it does
not also provide some form of checksumming as well. The reason is that, if the</div>
<br>
<A name="511"></a><font color="blue">PAGE 511</font><br>
<br>
<div class="bq">kernel has to make a pass over a fragmented ("nonlinear") packet to calculate
the checksum, it might as well copy the data and coalesce the packet at the same
time.</div>
<br>
<font class="fixd">NETIF_F_IP_CSUM<br>
NETIF_F_NO_CSUM<br>
NETIF_F_HW_CSUM</font><br>
<div class="bq">
These flags are all ways of telling the kernel that it need not apply checksums to
some or all packets leaving the system by this interface. Set <font class="fixd">NETIF_F_IP_CSUM</font> if
your interface can checksum IP packets but not others. If no checksums are ever
required for this interface, set <font class="fixd">NETIF_F_NO_CSUM</font>. The loopback driver sets this
flag, and <i>snull </i>does, too; since packets are only transferred through system memory,
there is (one hopes!) no opportunity for them to be corrupted, and no need
to check them. If your hardware does checksumming itself, set <font class="fixd">NETIF_F_HW_CSUM</font>.</div>
<br>
<font class="fixd">NETIF_F_HIGHDMA</font><br>
<div class="bq">
Set this flag if your device can perform DMA to high memory. In the absence of
this flag, all packet buffers provided to your driver are allocated in low memory.</div>
<br>
<font class="fixd">NETIF_F_HW_VLAN_TX<br>
NETIF_F_HW_VLAN_RX<br>
NETIF_F_HW_VLAN_FILTER<br>
NETIF_F_VLAN_CHALLENGED</font><br>
<div class="bq">
These options describe your hardware's support for 802.1q VLAN packets. VLAN
support is beyond what we can cover in this chapter. If VLAN packets confuse
your device (which they really shouldn't), set the <font class="fixd">NETIF_F_VLAN_CHALLENGED</font> flag.</div>
<br>
<font class="fixd">NETIF_F_TSO</font><br>
<div class="bq">
Set this flag if your device can perform TCP segmentation offloading. TSO is an
advanced feature that we cannot cover here.</div>
<br>
<a name="TheDeviceMethods"></a><font color="red"><b>The Device Methods</b></font><br>
<br>
As happens with the char and block drivers, each network device declares the functions
that act on it. Operations that can be performed on network interfaces are
listed in this section. Some of the operations can be left <font class="fixd">NULL</font>, and others are usually
untouched because <i>ether_setup</i> assigns suitable methods to them.<br>
<br>
Device methods for a network interface can be divided into two groups: fundamental
and optional. Fundamental methods include those that are needed to be able to
use the interface; optional methods implement more advanced functionalities that
are not strictly required. The following are the fundamental methods:<br>
<br>
<font class="fixd">int (*open)(struct net_device *dev);</font><br>
<div class="bq">
Opens the interface. The interface is opened whenever <i>ifconfig </i>activates it. The
<i>open </i>method should register any system resource it needs (I/O ports, IRQ,</div>
<br>
<A name="512"></a><font color="blue">PAGE 512</font><br>
<br>
<div class="bq">DMA, etc.), turn on the hardware, and perform any other setup your device
requires.</div>
<br>
<font class="fixd">int (*stop)(struct net_device *dev);</font><br>
<div class="bq">
Stops the interface. The interface is stopped when it is brought down. This function
should reverse operations performed at open time.</div>
<br>
<font class="fixd">int (*hard_start_xmit) (struct sk_buff *skb, struct net_device *dev);</font><br>
<div class="bq">
Method that initiates the transmission of a packet. The full packet (protocol
headers and all) is contained in a socket buffer (<font class="fixd">sk_buff</font>) structure. Socket buffers
are introduced later in this chapter.</div>
<br>
<font class="fixd">int (*hard_header) (struct sk_buff *skb, struct net_device *dev, unsigned short type, void *daddr, void *saddr, unsigned len);</font><br>
<div class="bq">
Function (called before <i>hard_start_xmit</i>) that builds the hardware header from
the source and destination hardware addresses that were previously retrieved; its
job is to organize the information passed to it as arguments into an appropriate,
device-specific hardware header. <i>eth_header </i>is the default function for Ethernet like
interfaces, and <i>ether_setup</i> assigns this field accordingly.</div>
<br>
<font class="fixd">int (*rebuild_header)(struct sk_buff *skb);</font><br>
<div class="bq">
Function used to rebuild the hardware header after ARP resolution completes
but before a packet is transmitted. The default function used by Ethernet devices
uses the ARP support code to fill the packet with missing information.</div>
<br>
<font class="fixd">void (*tx_timeout)(struct net_device *dev);</font><br>
<div class="bq">
Method called by the networking code when a packet transmission fails to complete
within a reasonable period, on the assumption that an interrupt has been
missed or the interface has locked up. It should handle the problem and resume
packet transmission.</div>
<br>
<font class="fixd">struct net_device_stats *(*get_stats)(struct net_device *dev);</font><br>
<div class="bq">
Whenever an application needs to get statistics for the interface, this method is
called. This happens, for example, when <i>ifconfig </i>or <i>netstat -i </i>is run. A sample
implementation for <i>snull</i> is introduced in the section "Statistical Information."</div>
<br>
<font class="fixd">int (*set_config)(struct net_device *dev, struct ifmap *map);</font><br>
<div class="bq">
Changes the interface configuration. This method is the entry point for configuring
the driver. The I/O address for the device and its interrupt number can be
changed at runtime using <i>set_config</i>. This capability can be used by the system
administrator if the interface cannot be probed for. Drivers for modern hardware
normally do not need to implement this method.</div>
<br>
<A name="513"></a><font color="blue">PAGE 513</font><br>
<br>
The remaining device operations are optional:<br>
<br>
<font class="fixd">int weight;<br>
int (*poll)(struct net_device *dev; int *quota);</font><br>
<div class="bq">
Method provided by NAPI-compliant drivers to operate the interface in a polled
mode, with interrupts disabled. NAPI (and the <font class="fixd">weight</font> field) are covered in the
section "Receive Interrupt Mitigation."</div>
<br>
<font class="fixd">void (*poll_controller)(struct net_device *dev);</font><br>
<div class="bq">
Function that asks the driver to check for events on the interface in situations
where interrupts are disabled. It is used for specific in-kernel networking tasks,
such as remote consoles and kernel debugging over the network.</div>
<br>
<font class="fixd">int (*do_ioctl)(struct net_device *dev, struct ifreq *ifr, int cmd);</font><br>
<div class="bq">
Performs interface-specific <i>ioctl </i>commands. (Implementation of those commands
is described in the section "Custom ioctl Commands.") The corresponding
field in <font class="fixd">struct net_device</font> can be left as <font class="fixd">NULL</font> if the interface doesn't need any
interface-specific commands.</div>
<br>
<font class="fixd">void (*set_multicast_list)(struct net_device *dev);</font><br>
<div class="bq">
Method called when the multicast list for the device changes and when the
flags change. See the section "Multicast" for further details and a sample
implementation.</div>
<br>
<font class="fixd">int (*set_mac_address)(struct net_device *dev, void *addr);</font><br>
<div class="bq">
Function that can be implemented if the interface supports the ability to change its
hardware address. Many interfaces don't support this ability at all. Others use the
default <i>eth_mac_addr </i>implementation (from <i>drivers/net/net_init.c</i>). <i>eth_mac_addr
</i>only copies the new address into <font class="fixd">dev-&gt;dev_addr,</font> and it does so only if the interface
is not running. Drivers that use <i>eth_mac_addr </i>should set the hardware MAC
address from <font class="fixd">dev-&gt;dev_addr</font> in their <i>open</i> method.</div>
<br>
<font class="fixd">int (*change_mtu)(struct net_device *dev, int new_mtu);</font><br>
<div class="bq">
Function that takes action if there is a change in the maximum transfer unit (MTU)
for the interface. If the driver needs to do anything particular when the MTU is
changed by the user, it should declare its own function; otherwise, the default does
the right thing. <i>snull</i> has a template for the function if you are interested.</div>
<br>
<font class="fixd">int (*header_cache) (struct neighbour *neigh, struct hh_cache *hh);</font><br>
<div class="bq">
<i>header_cache </i>is called to fill in the <font class="fixd">hh_cache</font> structure with the results of an ARP
query. Almost all Ethernet-like drivers can use the default <i>eth_header_cache
</i>implementation.</div>
<br>
<A name="514"></a><font color="blue">PAGE 514</font><br>
<br>
<font class="fixd">int (*header_cache_update) (struct hh_cache *hh, struct net_device *dev, unsigned char *haddr);</font><br>
<div class="bq">
Method that updates the destination address in the <font class="fixd">hh_cache</font> structure in
response to a change. Ethernet devices use <i>eth_header_cache_update</i>.</div>
<br>
<font class="fixd">int (*hard_header_parse) (struct sk_buff *skb, unsigned char *haddr);</font><br>
<div class="bq">
The <i>hard_header_parse </i>method extracts the source address from the packet contained
in <font class="fixd">skb,</font> copying it into the buffer at <font class="fixd">haddr.</font> The return value from the function
is the length of that address. Ethernet devices normally use <i>eth_header_parse</i>.</div>
<br>
<a name="UtilityFields"></a><font color="red"><b>Utility Fields</b></font><br>
<br>
The remaining <font class="fixd">struct net_device</font> data fields are used by the interface to hold useful
status information. Some of the fields are used by <i>ifconfig </i>and <i>netstat </i>to provide the
user with information about the current configuration. Therefore, an interface
should assign values to these fields:<br>
<br>
<font class="fixd">unsigned long trans_start;<br>
unsigned long last_rx;</font><br>
<div class="bq">
Fields that hold a jiffies value. The driver is responsible for updating these values
when transmission begins and when a packet is received, respectively. The
<font class="fixd">trans_start</font> value is used by the networking subsystem to detect transmitter
lockups. <font class="fixd">last_rx</font> is currently unused, but the driver should maintain this field
anyway to be prepared for future use.</div>
<br>
<font class="fixd">int watchdog_timeo;</font><br>
<div class="bq">
The minimum time (in jiffies) that should pass before the networking layer
decides that a transmission timeout has occurred and calls the driver's <i>tx_timeout</i>
function.</div>
<br>
<font class="fixd">void *priv;</font><br>
<div class="bq">
The equivalent of <font class="fixd">filp-&gt;private_data.</font> In modern drivers, this field is set by
<i>alloc_netdev</i> and should not be accessed directly; use <i>netdev_priv</i> instead.</div>
<br>
<font class="fixd">struct dev_mc_list *mc_list;<br>
int mc_count;</font><br>
<div class="bq">
Fields that handle multicast transmission. <font class="fixd">mc_count</font> is the count of items in <font class="fixd">mc_list</font>.
See the section "Multicast" for further details.</div>
<br>
<font class="fixd">spinlock_t xmit_lock;<br>
int xmit_lock_owner;</font><br>
<div class="bq">
The <font class="fixd">xmit_lock</font> is used to avoid multiple simultaneous calls to the driver's
<i>hard_start_xmit </i>function. <font class="fixd">xmit_lock_owner</font> is the number of the CPU that has
obtained <font class="fixd">xmit_lock</font>. The driver should make no changes to these fields.</div>
<br>
There are other fields in <font class="fixd">struct net_device,</font> but they are not used by network drivers.<br>
<br>
<A name="515"></a><font color="blue">PAGE 515</font><br>
<br>
<a name="OpeningAndClosing"></a><font color="red"><b>Opening and Closing</b></font><br>
<br>
Our driver can probe for the interface at module load time or at kernel boot. Before the
interface can carry packets, however, the kernel must open it and assign an address to
it. The kernel opens or closes an interface in response to the <i>ifconfig</i> command.<br>
<br>
When <i>ifconfig </i>is used to assign an address to the interface, it performs two tasks.
First, it assigns the address by means of <font class="fixd">ioctl(SIOCSIFADDR)</font> (Socket I/O Control Set
Interface Address). Then it sets the <font class="fixd">IFF_UP</font> bit in <font class="fixd">dev-&gt;flag</font> by means of
<font class="fixd">ioctl(SIOCSIFFLAGS)</font> (Socket I/O Control Set Interface Flags) to turn the interface on.<br>
<br>
As far as the device is concerned, <font class="fixd">ioctl(SIOCSIFADDR)</font> does nothing. No driver function
is invoked--the task is device independent, and the kernel performs it. The latter
command (<font class="fixd">ioctl(SIOCSIFFLAGS)</font>), however, calls the <i>open</i> method for the device.<br>
<br>
Similarly, when the interface is shut down, <i>ifconfig </i>uses <font class="fixd">ioctl(SIOCSIFFLAGS)</font> to clear
<font class="fixd">IFF_UP,</font> and the <i>stop</i> method is called.<br>
<br>
Both device methods return 0</font> in case of success and the usual negative value in case of error.<br>
<br>
As far as the actual code is concerned, the driver has to perform many of the same
tasks as the char and block drivers do. <i>open </i>requests any system resources it needs
and tells the interface to come up; <i>stop </i>shuts down the interface and releases system
resources. Network drivers must perform some additional steps at <i>open</i> time, however.<br>
<br>
First, the hardware (MAC) address needs to be copied from the hardware device to
<font class="fixd">dev-&gt;dev_addr</font> before the interface can communicate with the outside world. The
hardware address can then be copied to the device at open time. The <i>snull </i>software
interface assigns it from within <i>open</i>; it just fakes a hardware number using an ASCII
string of length <font class="fixd">ETH_ALEN,</font> the length of Ethernet hardware addresses.<br>
<br>
The <i>open </i>method should also start the interface's transmit queue (allowing it to
accept packets for transmission) once it is ready to start sending data. The kernel
provides a function to start the queue:<br>
<pre>
void netif_start_queue(struct net_device *dev);
</pre>
The <i>open</i> code for <i>snull</i> looks like the following:<br>
<pre>
int snull_open(struct net_device *dev)
{
    /* request_region( ), request_irq( ), ....  (like fops-&gt;open) */

    /*
     * Assign the hardware address of the board: use &quot;\0SNULx&quot;, where
     * x is 0 or 1. The first byte is '\0' to avoid being a multicast
     * address (the first byte of multicast addrs is odd).
     */
    memcpy(dev-&gt;dev_addr, &quot;\0SNUL0&quot;, ETH_ALEN);
    if (dev = = snull_devs[1])
</pre>
<A name="516"></a><font color="blue">PAGE 516</font><br>
<pre>
        dev-&gt;dev_addr[ETH_ALEN-1]++; /* \0SNUL1 */
    netif_start_queue(dev);
    return 0;
}
</pre>
As you can see, in the absence of real hardware, there is little to do in the <i>open
</i>method. The same is true of the <i>stop </i>method; it just reverses the operations of <i>open</i>.
For this reason, the function implementing <i>stop</i> is often called <i>close</i> or <i>release</i>.<br>
<pre>
int snull_release(struct net_device *dev)
{
    /* release ports, irq and such -- like fops-&gt;close */

    netif_stop_queue(dev); /* can't transmit any more */
    return 0;
}
</pre>
The function:<br>
<pre>
void netif_stop_queue(struct net_device *dev);
</pre>
is the opposite of <i>netif_start_queue</i>; it marks the device as being unable to transmit
any more packets. The function must be called when the interface is closed (in the
<i>stop </i>method) but can also be used to temporarily stop transmission, as explained in
the next section.<br>
<br>
<a name="PacketTransmission"></a><font color="red"><b>Packet Transmission</b></font><br>
<br>
The most important tasks performed by network interfaces are data transmission
and reception. We start with transmission because it is slightly easier to understand.<br>
<br>
<i>Transmission </i>refers to the act of sending a packet over a network link. Whenever the
kernel needs to transmit a data packet, it calls the driver's <i>hard_start_transmit
</i>method to put the data on an outgoing queue. Each packet handled by the kernel is
contained in a socket buffer structure (<font class="fixd">struct sk_buff</font>), whose definition is found in
<i>&lt;linux/skbuff.h&gt;</i>. The structure gets its name from the Unix abstraction used to represent
a network connection, the <i>socket</i>. Even if the interface has nothing to do with
sockets, each network packet belongs to a socket in the higher network layers, and
the input/output buffers of any socket are lists of <font class="fixd">struct sk_buff</font> structures. The
same <font class="fixd">sk_buff</font> structure is used to host network data throughout all the Linux
network subsystems, but a socket buffer is just a packet as far as the interface is
concerned.<br>
<br>
A pointer to <font class="fixd">sk_buff</font> is usually called <font class="fixd">skb,</font> and we follow this practice both in the
sample code and in the text.<br>
<br>
The socket buffer is a complex structure, and the kernel offers a number of functions
to act on it. The functions are described later in the section "The Socket Buffers";
for now, a few basic facts about <font class="fixd">sk_buff</font> are enough for us to write a working
driver.<br>
<br>
<A name="517"></a><font color="blue">PAGE 517</font><br>
<br>
The socket buffer passed to <i>hard_start_xmit </i>contains the physical packet as it should
appear on the media, complete with the transmission-level headers. The interface
doesn't need to modify the data being transmitted. <font class="fixd">skb-&gt;data</font> points to the packet
being transmitted, and <font class="fixd">skb-&gt;len</font> is its length in octets. This situation gets a little more
complicated if your driver can handle scatter/gather I/O; we get to that in the section
"Scatter/Gather I/O."<br>
<br>
The <i>snull </i>packet transmission code follows; the physical transmission machinery has
been isolated in another function, because every interface driver must implement it
according to the specific hardware being driven:<br>
<pre>
int snull_tx(struct sk_buff *skb, struct net_device *dev)
{
    int len;
    char *data, shortpkt[ETH_ZLEN];
    struct snull_priv *priv = netdev_priv(dev);

    data = skb-&gt;data;
    len = skb-&gt;len;
    if (len &lt; ETH_ZLEN) {
        memset(shortpkt, 0, ETH_ZLEN);
        memcpy(shortpkt, skb-&gt;data, skb-&gt;len);
        len = ETH_ZLEN;
        data = shortpkt;
    }
    dev-&gt;trans_start = jiffies; /* save the timestamp */

    /* Remember the skb, so we can free it at interrupt time */
    priv-&gt;skb = skb;

    /* actual deliver of data is device-specific, and not shown here */
    snull_hw_tx(data, len, dev);

    return 0; /* Our simple device can not fail */
}
</pre>
The transmission function, thus, just performs some sanity checks on the packet and
transmits the data through the hardware-related function. Do note, however, the
care that is taken when the packet to be transmitted is shorter than the minimum
length supported by the underlying media (which, for <i>snull</i>, is our virtual "Ethernet").
Many Linux network drivers (and those for other operating systems as well)
have been found to leak data in such situations. Rather than create that sort of security
vulnerability, we copy short packets into a separate array that we can explicitly
zero-pad out to the full length required by the media. (We can safely put that data on
the stack, since the minimum length--60 bytes--is quite small).<br>
<br>
The return value from <i>hard_start_xmit </i>should be 0 on success; at that point, your
driver has taken responsibility for the packet, should make its best effort to ensure
that transmission succeeds, and must free the skb at the end. A nonzero return value
indicates that the packet could not be transmitted at this time; the kernel will retry<br>
<br>
<A name="518"></a><font color="blue">PAGE 518</font><br>
<br>
later. In this situation, your driver should stop the queue until whatever situation
caused the failure has been resolved.<br>
<br>
The "hardware-related" transmission function (<i>snull_hw_tx</i>) is omitted here since it
is entirely occupied with implementing the trickery of the <i>snull </i>device, including
manipulating the source and destination addresses, and has little of interest to
authors of real network drivers. It is present, of course, in the sample source for
those who want to go in and see how it works.<br>
<br>
<a name="ControllingTransmissionConcurrency"></a><font color="red"><b>Controlling Transmission Concurrency</b></font><br>
<br>
The <i>hard_start_xmit </i>function is protected from concurrent calls by a spinlock
(<font class="fixd">xmit_lock</font>) in the <font class="fixd">net_device</font> structure. As soon as the function returns, however, it
may be called again. The function returns when the software is done instructing the
hardware about packet transmission, but hardware transmission will likely not have
been completed. This is not an issue with <i>snull</i>, which does all of its work using the
CPU, so packet transmission is complete before the transmission function returns.<br>
<br>
Real hardware interfaces, on the other hand, transmit packets asynchronously and
have a limited amount of memory available to store outgoing packets. When that
memory is exhausted (which, for some hardware, happens with a single outstanding
packet to transmit), the driver needs to tell the networking system not to start any
more transmissions until the hardware is ready to accept new data.<br>
<br>
This notification is accomplished by calling <i>netif_stop_queue</i>, the function introduced
earlier to stop the queue. Once your driver has stopped its queue, it <i>must
</i>arrange to restart the queue at some point in the future, when it is again able to
accept packets for transmission. To do so, it should call:<br>
<pre>
void netif_wake_queue(struct net_device *dev);
</pre>
This function is just like <i>netif_start_queue</i>, except that it also pokes the networking
system to make it start transmitting packets again.<br>
<br>
Most modern network hardware maintains an internal queue with multiple packets
to transmit; in this way it can get the best performance from the network. Network
drivers for these devices must support having multiple transmisions outstanding at
any given time, but device memory can fill up whether or not the hardware supports
multiple outstanding transmissions. Whenever device memory fills to the point that
there is no room for the largest possible packet, the driver should stop the queue
until space becomes available again.<br>
<br>
If you must disable packet transmission from anywhere other than your <i>hard_start_xmit
</i>function (in response to a reconfiguration request, perhaps), the function you want to
use is:<br>
<pre>
void netif_tx_disable(struct net_device *dev);
</pre>
<A name="519"></a><font color="blue">PAGE 519</font><br>
<br>
This function behaves much like <i>netif_stop_queue</i>, but it also ensures that, when it
returns, your <i>hard_start_xmit </i>method is not running on another CPU. The queue
can be restarted with <i>netif_wake_queue</i>, as usual.<br>
<br>
<a name="TransmissionTimeouts"></a><font color="red"><b>Transmission Timeouts</b></font><br>
<br>
Most drivers that deal with real hardware have to be prepared for that hardware to
fail to respond occasionally. Interfaces can forget what they are doing, or the system
can lose an interrupt. This sort of problem is common with some devices designed to
run on personal computers.<br>
<br>
Many drivers handle this problem by setting timers; if the operation has not completed
by the time the timer expires, something is wrong. The network system, as it
happens, is essentially a complicated assembly of state machines controlled by a
mass of timers. As such, the networking code is in a good position to detect transmission
timeouts as part of its regular operation.<br>
<br>
Thus, network drivers need not worry about detecting such problems themselves.
Instead, they need only set a timeout period, which goes in the <font class="fixd">watchdog_timeo</font> field
of the <font class="fixd">net_device</font> structure. This period, which is in jiffies, should be long enough to
account for normal transmission delays (such as collisions caused by congestion on
the network media).<br>
<br>
If the current system time exceeds the device's <font class="fixd">trans_start time</font> by at least the timeout
period, the networking layer eventually calls the driver's <i>tx_timeout </i>method.
That method's job is to do whatever is needed to clear up the problem and to ensure
the proper completion of any transmissions that were already in progress. It is
important, in particular, that the driver not lose track of any socket buffers that have
been entrusted to it by the networking code.<br>
<br>
<i>snull </i>has the ability to simulate transmitter lockups, which is controlled by two loadtime
parameters:<br>
<pre>
static int lockup = 0;
module_param(lockup, int, 0);

static int timeout = SNULL_TIMEOUT;
module_param(timeout, int, 0);
</pre>
If the driver is loaded with the parameter <font class="fixd">lockup=n,</font> a lockup is simulated once every
n packets transmitted, and the <font class="fixd">watchdog_timeo</font> field is set to the given <font class="fixd">timeout</font> value.
When simulating lockups, <i>snull </i>also calls <i>netif_stop_queue </i>to prevent other transmission
attempts from occurring.<br>
<br>
The <i>snull</i> transmission timeout handler looks like this:<br>
<pre>
void snull_tx_timeout (struct net_device *dev)
{
    struct snull_priv *priv = netdev_priv(dev);
</pre>
<A name="520"></a><font color="blue">PAGE 520</font><br>
<pre>
    PDEBUG(&quot;Transmit timeout at %ld, latency %ld\n&quot;, jiffies,
            jiffies - dev-&gt;trans_start);
        /* Simulate a transmission interrupt to get things moving */
    priv-&gt;status = SNULL_TX_INTR;
    snull_interrupt(0, dev, NULL);
    priv-&gt;stats.tx_errors++;
    netif_wake_queue(dev);
    return;
}
</pre>
When a transmission timeout happens, the driver must mark the error in the interface
statistics and arrange for the device to be reset to a sane state so that new packets can
be transmitted. When a timeout happens in <i>snull</i>, the driver calls <i>snull_interrupt </i>to fill
in the "missing" interrupt and restarts the transmit queue with <i>netif_wake_queue</i>.<br>
<br>
<a name="ScatterGatherIO"></a><font color="red"><b>Scatter/Gather I/O</b></font><br>
<br>
The process of creating a packet for transmission on the network involves assembling
multiple pieces. Packet data must often be copied in from user space, and the
headers used by various levels of the network stack must be added as well. This
assembly can require a fair amount of data copying. If, however, the network interface
that is destined to transmit the packet can perform scatter/gather I/O, the
packet need not be assembled into a single chunk, and much of that copying can be
avoided. Scatter/gather I/O also enables "zero-copy" transmission of network data
directly from user-space buffers.<br>
<br>
The kernel does not pass scattered packets to your <i>hard_start_xmit </i>method unless
the <font class="fixd">NETIF_F_SG</font> bit has been set in the <font class="fixd">features</font> field of your device structure. If you
have set that flag, you need to look at a special "shared info" field within the skb to
see whether the packet is made up of a single fragment or many and to find the scattered
fragments if need be. A special macro exists to access this information; it is
called <i>skb_shinfo</i>. The first step when transmitting potentially fragmented packets
usually looks something like this:<br>
<pre>
if (skb_shinfo(skb)-&gt;nr_frags = = 0) {
    /* Just use skb-&gt;data and skb-&gt;len as usual */
}
</pre>
The <font class="fixd">nr_frags</font> field tells how many fragments have been used to build the packet. If it
is <font class="fixd">0,</font> the packet exists in a single piece and can be accessed via the <font class="fixd">data</font> field as usual.
If, however, it is nonzero, your driver must pass through and arrange to transfer each
individual fragment. The data field of the <font class="fixd">skb</font> structure points conveniently to the first
fragment (as compared to the full packet, as in the unfragmented case). The length of
the fragment must be calculated by subtracting <font class="fixd">skb-&gt;data_len</font> from <font class="fixd">skb-&gt;len</font> (which
still contains the length of the full packet). The remaining fragments are to be found
in an array called <font class="fixd">frags</font> in the shared information structure; each entry in <font class="fixd">frags</font> is an
<font class="fixd">skb_frag_struct</font> structure:<br>
<pre>
struct skb_frag_struct {
    struct page *page;
</pre>
<A name="521"></a><font color="blue">PAGE 521</font><br>
<pre>
    __u16 page_offset;
    __u16 size;
};
</pre>
As you can see, we are once again dealing with <font class="fixd">page</font> structures, rather than kernel virtual
addresses. Your driver should loop through the fragments, mapping each for a
DMA transfer and not forgetting the first fragment, which is pointed to by the skb
directly. Your hardware, of course, must assemble the fragments and transmit them
as a single packet. Note that, if you have set the <font class="fixd">NETIF_F_HIGHDMA</font> feature flag, some
or all of the fragments may be located in high memory.<br>
<br>
<a name="PacketReception"></a><font color="red"><b>Packet Reception</b></font><br>
<br>
Receiving data from the network is trickier than transmitting it, because an <font class="fixd">sk_buff</font>
must be allocated and handed off to the upper layers from within an atomic context.
There are two modes of packet reception that may be implemented by network drivers:
interrupt driven and polled. Most drivers implement the interrupt-driven technique,
and that is the one we cover first. Some drivers for high-bandwidth adapters
may also implement the polled technique; we look at this approach in the section
"Receive Interrupt Mitigation."<br>
<br>
The implementation of <i>snull </i>separates the "hardware" details from the device-independent
housekeeping. Therefore, the function <i>snull_rx </i>is called from the <i>snull
</i>"interrupt" handler after the hardware has received the packet, and it is already in
the computer's memory. <i>snull_rx </i>receives a pointer to the data and the length of the
packet; its sole responsibility is to send the packet and some additional information
to the upper layers of networking code. This code is independent of the way the data
pointer and length are obtained.<br>
<pre>
void snull_rx(struct net_device *dev, struct snull_packet *pkt)
{
    struct sk_buff *skb;
    struct snull_priv *priv = netdev_priv(dev);

    /*
     * The packet has been retrieved from the transmission
     * medium. Build an skb around it, so upper layers can handle it
     */
    skb = dev_alloc_skb(pkt-&gt;datalen + 2);
    if (!skb) {
        if (printk_ratelimit( ))
            printk(KERN_NOTICE &quot;snull rx: low on mem - packet dropped\n&quot;);
        priv-&gt;stats.rx_dropped++;
        goto out;
    }
    memcpy(skb_put(skb, pkt-&gt;datalen), pkt-&gt;data, pkt-&gt;datalen);

    /* Write metadata, and then pass to the receive level */
    skb-&gt;dev = dev;
</pre>
<A name="522"></a><font color="blue">PAGE 522</font><br>
<pre>
    skb-&gt;protocol = eth_type_trans(skb, dev);
    skb-&gt;ip_summed = CHECKSUM_UNNECESSARY; /* don't check it */
    priv-&gt;stats.rx_packets++;
    priv-&gt;stats.rx_bytes += pkt-&gt;datalen;
    netif_rx(skb);
  out:
    return;
}
</pre>
The function is sufficiently general to act as a template for any network driver, but
some explanation is necessary before you can reuse this code fragment with confidence.<br>
<br>
The first step is to allocate a buffer to hold the packet. Note that the buffer allocation
function (<i>dev_alloc_skb</i>) needs to know the data length. The information is used
by the function to allocate space for the buffer. <i>dev_alloc_skb </i>calls <i>kmalloc </i>with
atomic priority, so it can be used safely at interrupt time. The kernel offers other
interfaces to socket-buffer allocation, but they are not worth introducing here; socket
buffers are explained in detail in the section "The Socket Buffers."<br>
<br>
Of course, the return value from <i>dev_alloc_skb </i>must be checked, and <i>snull </i>does so.
We call <i>printk_ratelimit </i>before complaining about failures, however. Generating
hundreds or thousands of console messages per second is a good way to bog down
the system entirely and hide the real source of problems; <i>printk_ratelimit </i>helps prevent
that problem by returning <font class="fixd">0</font> when too much output has gone to the console, and
things need to be slowed down a bit.<br>
<br>
Once there is a valid <font class="fixd">skb</font> pointer, the packet data is copied into the buffer by calling
<i>memcpy</i>; the <i>skb_put </i>function updates the end-of-data pointer in the buffer and
returns a pointer to the newly created space.<br>
<br>
If you are writing a high-performance driver for an interface that can do full bus-mastering
I/O, there is a possible optimization that is worth considering here. Some drivers
allocate socket buffers for incoming packets prior to their reception, then instruct
the interface to place the packet data directly into the socket buffer's space. The networking
layer cooperates with this strategy by allocating all socket buffers in DMA capable
space (which may be in high memory if your device has the <font class="fixd">NETIF_F_HIGHDMA</font>
feature flag set). Doing things this way avoids the need for a separate copy operation
to fill the socket buffer, but requires being careful with buffer sizes because you
won't know in advance how big the incoming packet is. The implementation of a
<i>change_mtu </i>method is also important in this situation, since it allows the driver to
respond to a change in the maximum packet size.<br>
<br>
The network layer needs to have some information spelled out before it can make
sense of the packet. To this end, the <font class="fixd">dev</font> and <font class="fixd">protocol</font> fields must be assigned before
the buffer is passed upstairs. The Ethernet support code exports a helper function
(<i>eth_type_trans</i>), which finds an appropriate value to put into <font class="fixd">protocol.</font> Then we
need to specify how checksumming is to be performed or has been performed on the<br>
<br>
<A name="523"></a><font color="blue">PAGE 523</font><br>
<br>
packet (<i>snull </i>does not need to perform any checksums). The possible policies for
<font class="fixd">skb-&gt;ip_summed</font> are:<br>
<br>
<font class="fixd">CHECKSUM_HW</font><br>
<div class="bq">
The device has already performed checksums in hardware. An example of a
hardware checksum is the SPARC HME interface.</div>
<br>
<font class="fixd">CHECKSUM_NONE</font><br>
<div class="bq">
Checksums have not yet been verified, and the task must be accomplished by
system software. This is the default in newly allocated buffers.</div>
<br>
<font class="fixd">CHECKSUM_UNNECESSARY</font><br>
<div class="bq">
Don't do any checksums. This is the policy in <i>snull</i> and in the loopback interface.</div>
<br>
You may be wondering why the checksum status must be specified here when we
have already set a flag in the features field of our <font class="fixd">net_device</font> structure. The answer is
that the features flag tells the kernel about how our device treats outgoing packets.
It is not used for incoming packets, which must, instead, be marked individually.<br>
<br>
Finally, the driver updates its statistics counter to record that a packet has been
received. The statistics structure is made up of several fields; the most important are
<font class="fixd">rx_packets, rx_bytes, tx_packets,</font> and <font class="fixd">tx_bytes,</font> which contain the number of packets
received and transmitted and the total number of octets transferred. All the fields
are thoroughly described in the section "Statistical Information."<br>
<br>
The last step in packet reception is performed by <i>netif_rx</i>, which hands off the socket
buffer to the upper layers. <i>netif_rx </i>actually returns an integer value; <font class="fixd">NET_RX_SUCCESS</font>
(0) means that the packet was successfully received; any other value indicates trouble.
There are three return values (<font class="fixd">NET_RX_CN_LOW, NET_RX_CN_MOD,</font> and <font class="fixd">NET_RX_CN_HIGH</font>) that
indicate increasing levels of congestion in the networking subsystem; <font class="fixd">NET_RX_DROP</font>
means the packet was dropped. A driver could use these values to stop feeding packets
into the kernel when congestion gets high, but, in practice, most drivers ignore the
return value from <i>netif_rx</i>. If you are writing a driver for a high-bandwidth device and
wish to do the right thing in response to congestion, the best approach is to implement
NAPI, which we get to after a quick discussion of interrupt handlers.<br>
<br>
<a name="TheInterruptHandler"></a><font color="red"><b>The Interrupt Handler</b></font><br>
<br>
Most hardware interfaces are controlled by means of an interrupt handler. The hardware
interrupts the processor to signal one of two possible events: a new packet has
arrived or transmission of an outgoing packet is complete. Network interfaces can
also generate interrupts to signal errors, link status changes, and so on.<br>
<br>
The usual interrupt routine can tell the difference between a new-packet-arrived interrupt
and a done-transmitting notification by checking a status register found on the
physical device. The <i>snull </i>interface works similarly, but its status word is implemented<br>
<br>
<A name="524"></a><font color="blue">PAGE 524</font><br>
<br>
in software and lives in <font class="fixd">dev-&gt;priv.</font> The interrupt handler for a network interface looks
like this:<br>
<pre>
static void snull_regular_interrupt(int irq, void *dev_id, struct pt_regs *regs)
{
    int statusword;
    struct snull_priv *priv;
    struct snull_packet *pkt = NULL;
    /*
     * As usual, check the &quot;device&quot; pointer to be sure it is
     * really interrupting.
     * Then assign &quot;struct device *dev&quot;
     */
    struct net_device *dev = (struct net_device *)dev_id;
    /* ... and check with hw if it's really ours */

    /* paranoid */
    if (!dev)
        return;

    /* Lock the device */
    priv = netdev_priv(dev);
    spin_lock(&amp;priv-&gt;lock);

    /* retrieve statusword: real netdevices use I/O instructions */
    statusword = priv-&gt;status;
    priv-&gt;status = 0;
    if (statusword &amp; SNULL_RX_INTR) {
        /* send it to snull_rx for handling */
        pkt = priv-&gt;rx_queue;
        if (pkt) {
            priv-&gt;rx_queue = pkt-&gt;next;
            snull_rx(dev, pkt);
        }
    }
    if (statusword &amp; SNULL_TX_INTR) {
        /* a transmission is over: free the skb */
        priv-&gt;stats.tx_packets++;
        priv-&gt;stats.tx_bytes += priv-&gt;tx_packetlen;
        dev_kfree_skb(priv-&gt;skb);
    }

    /* Unlock the device and we are done */
    spin_unlock(&amp;priv-&gt;lock);
    if (pkt) snull_release_buffer(pkt); /* Do this outside the lock! */
    return;
}
</pre>
The handler's first task is to retrieve a pointer to the correct <font class="fixd">struct net_device</font>. This
pointer usually comes from the <font class="fixd">dev_id</font> pointer received as an argument.<br>
<br>
The interesting part of this handler deals with the "transmission done" situation. In
this case, the statistics are updated, and <i>dev_kfree_skb </i>is called to return the (no<br>
<br>
<A name="525"></a><font color="blue">PAGE 525</font><br>
<br>
longer needed) socket buffer to the system. There are, actually, three variants of this
function that may be called:<br>
<br>
<font class="fixd">dev_kfree_skb(struct sk_buff *skb);</font><br>
<div class="bq">
This version should be called when you know that your code will not be running
in interrupt context. Since <i>snull </i>has no actual hardware interrupts, this is
the version we use.</div>
<br>
<font class="fixd">dev_kfree_skb_irq(struct sk_buff *skb);</font><br>
<div class="bq">
If you know that you will be freeing the buffer in an interrupt handler, use this
version, which is optimized for that case.</div>
<br>
<font class="fixd">dev_kfree_skb_any(struct sk_buff *skb);</font><br>
<div class="bq">
This is the version to use if the relevant code could be running in either interrupt
or noninterrupt context.</div>
<br>
Finally, if your driver has temporarily stopped the transmission queue, this is usually
the place to restart it with <i>netif_wake_queue</i>.<br>
<br>
Packet reception, in contrast to transmission, doesn't need any special interrupt handling.
Calling <i>snull_rx</i> (which we have already seen) is all that's required.<br>
<br>
<a name="ReceiveInterruptMitigation"></a><font color="red"><b>Receive Interrupt Mitigation</b></font><br>
<br>
When a network driver is written as we have described above, the processor is interrupted
for every packet received by your interface. In many cases, that is the desired
mode of operation, and it is not a problem. High-bandwidth interfaces, however, can
receive thousands of packets per second. With that sort of interrupt load, the overall
performance of the system can suffer.<br>
<br>
As a way of improving the performance of Linux on high-end systems, the networking
subsystem developers have created an alternative interface (called NAPI)* based
on polling. "Polling" can be a dirty word among driver developers, who often see
polling techniques as inelegant and inefficient. Polling is inefficient, however, only if
the interface is polled when there is no work to do. When the system has a high speed
interface handling heavy traffic, there is <i>always </i>more packets to process. There
is no need to interrupt the processor in such situations; it is enough that the new
packets be collected from the interface every so often.<br>
<br>
Stopping receive interrupts can take a substantial amount of load off the processor.
NAPI-compliant drivers can also be told not to feed packets into the kernel if those
packets are just dropped in the networking code due to congestion, which can also
help performance when that help is needed most. For various reasons, NAPI drivers
are also less likely to reorder packets.<br>
<br>
* NAPI stands for "new API"; the networking hackers are better at creating interfaces than naming them.<br>
<br>
<A name="526"></a><font color="blue">PAGE 526</font><br>
<br>
Not all devices can operate in the NAPI mode, however. A NAPI-capable interface
must be able to store several packets (either on the card itself, or in an in-memory
DMA ring). The interface should be capable of disabling interrupts for received packets,
while continuing to interrupt for successful transmissions and other events.
There are other subtle issues that can make writing a NAPI-compliant driver harder;
see <i>Documentation/networking/NAPI_HOWTO.txt </i>in the kernel source tree for the
details.<br>
<br>
Relatively few drivers implement the NAPI interface. If you are writing a driver for an
interface that may generate a huge number of interrupts, however, taking the time to
implement NAPI may well prove worthwhile.<br>
<br>
The <i>snull </i>driver, when loaded with the <font class="fixd">use_napi</font> parameter set to a nonzero value,
operates in the NAPI mode. At initialization time, we have to set up a couple of extra
<font class="fixd">struct net_device</font> fields:<br>
<pre>
if (use_napi) {
    dev-&gt;poll        = snull_poll;
    dev-&gt;weight      = 2;
}
</pre>
The <font class="fixd">poll</font> field must be set to your driver's polling function; we look at <i>snull_poll
</i>shortly. The <font class="fixd">weight</font> field describes the relative importance of the interface: how much
traffic should be accepted from the interface when resources are tight. There are no
strict rules for how the <font class="fixd">weight</font> parameter should be set; by convention, 10 MBps
Ethernet interfaces <font class="fixd">set weight</font> to <font class="fixd">16,</font> while faster interfaces use <font class="fixd">64.</font> You should not set
<font class="fixd">weight</font> to a value greater than the number of packets your interface can store. In
<i>snull</i>, we set the <font class="fixd">weight</font> to two as a way of demonstrating deferred packet reception.<br>
<br>
The next step in the creation of a NAPI-compliant driver is to change the interrupt
handler. When your interface (which should start with receive interrupts enabled)
signals that a packet has arrived, the interrupt handler should <i>not </i>process that
packet. Instead, it should disable further receive interrupts and tell the kernel that it
is time to start polling the interface. In the <i>snull </i>"interrupt" handler, the code that
responds to packet reception interrupts has been changed to the following:<br>
<pre>
if (statusword &amp; SNULL_RX_INTR) {
    snull_rx_ints(dev, 0);  /* Disable further interrupts */
    netif_rx_schedule(dev);
}
</pre>
When the interface tells us that a packet is available, the interrupt handler leaves it in
the interface; all that needs to happen at this point is a call to <i>netif_rx_schedule</i>,
which causes our <i>poll</i> method to be called at some future point.<br>
<br>
The <i>poll</i> method has this prototype:<br>
<pre>
int (*poll)(struct net_device *dev, int *budget);
</pre>
<A name="527"></a><font color="blue">PAGE 527</font><br>
<br>
The <i>snull</i> implementation of the <i>poll</i> method looks like this:<br>
<pre>
static int snull_poll(struct net_device *dev, int *budget)
{
    int npackets = 0, quota = min(dev-&gt;quota, *budget);
    struct sk_buff *skb;
    struct snull_priv *priv = netdev_priv(dev);
    struct snull_packet *pkt;

    while (npackets &lt; quota &amp;&amp; priv-&gt;rx_queue) {
        pkt = snull_dequeue_buf(dev);
        skb = dev_alloc_skb(pkt-&gt;datalen + 2);
        if (! skb) {
            if (printk_ratelimit( ))
                printk(KERN_NOTICE &quot;snull: packet dropped\n&quot;);
            priv-&gt;stats.rx_dropped++;
            snull_release_buffer(pkt);
            continue;
        }
        memcpy(skb_put(skb, pkt-&gt;datalen), pkt-&gt;data, pkt-&gt;datalen);
        skb-&gt;dev = dev;
        skb-&gt;protocol = eth_type_trans(skb, dev);
        skb-&gt;ip_summed = CHECKSUM_UNNECESSARY; /* don't check it */
        netif_receive_skb(skb);

            /* Maintain stats */
        npackets++;
        priv-&gt;stats.rx_packets++;
        priv-&gt;stats.rx_bytes += pkt-&gt;datalen;
        snull_release_buffer(pkt);
    }
    /* If we processed all packets, we're done; tell the kernel and reenable ints */
    *budget -= npackets;
    dev-&gt;quota -= npackets;
    if (! priv-&gt;rx_queue) {
        netif_rx_complete(dev);
        snull_rx_ints(dev, 1);
        return 0;
    }
    /* We couldn't process everything. */
    return 1;
}
</pre>
The central part of the function is concerned with the creation of an skb holding the
packet; this code is the same as what we saw in <i>snull_rx </i>before. A number of things
are different, however:<br>
<ul>
<li> The <font class="fixd">budget</font> parameter provides a maximum number of packets that we are
allowed to pass into the kernel. Within the device structure, the <font class="fixd">quota</font> field gives
another maximum; the <i>poll </i>method must respect the lower of the two limits. It
should also decrement both <font class="fixd">dev-&gt;quota</font> and <font class="fixd">*budget</font> by the number of packets
actually received. The <font class="fixd">budget</font> value is a maximum number of packets that the
current CPU can receive from all interfaces, while <font class="fixd">quota</font> is a per-interface value
</ul>
<A name="528"></a><font color="blue">PAGE 528</font>
<ul>
that usually starts out as the <font class="fixd">weight</font> assigned to the interface at initialization time.
<li> Packets should be fed to the kernel with <i>netif_receive_skb</i>, rather than <i>netif_rx</i>.
<li> If the <i>poll </i>method is able to process all of the available packets within the limits
given to it, it should re-enable receive interrupts, call <i>netif_rx_complete </i>to turn
off polling, and return <font class="fixd">0.</font> A return value of <font class="fixd">1</font> indicates that there are packets
remaining to be processed.
</ul>
The networking subsystem guarantees that any given device's <i>poll </i>method will not
be called concurrently on more than one processor. Calls to <i>poll </i>can still happen
concurrently with calls to your other device methods, however.<br>
<br>
<a name="ChangesInLinkState"></a><font color="red"><b>Changes in Link State</b></font><br>
<br>
Network connections, by definition, deal with the world outside the local system.
Therefore, they are often affected by outside events, and they can be transient things.
The networking subsystem needs to know when network links go up or down, and it
provides a few functions that the driver may use to convey that information.<br>
<br>
Most networking technologies involving an actual, physical connection provide a
<i>carrier </i>state; the presence of the carrier means that the hardware is present and ready
to function. Ethernet adapters, for example, sense the carrier signal on the wire;
when a user trips over the cable, that carrier vanishes, and the link goes down. By
default, network devices are assumed to have a carrier signal present. The driver can
change that state explicitly, however, with these functions:<br>
<pre>
void netif_carrier_off(struct net_device *dev);
void netif_carrier_on(struct net_device *dev);
</pre>
If your driver detects a lack of carrier on one of its devices, it should call <i>netif_carrier_off
</i>to inform the kernel of this change. When the carrier returns, <i>netif_carrier_on </i>should be
called. Some drivers also call <i>netif_carrier_off </i>when making major configuration
changes (such as media type); once the adapter has finished resetting itself, the new carrier
is detected and traffic can resume.<br>
<br>
An integer function also exists:<br>
<pre>
int netif_carrier_ok(struct net_device *dev);
</pre>
This can be used to test the current carrier state (as reflected in the device structure).<br>
<br>
<a name="TheSocketBuffers"></a><font color="red"><b>The Socket Buffers</b></font><br>
<br>
We've now covered most of the issues related to network interfaces. What's still
missing is some more detailed discussion of the <font class="fixd">sk_buff</font> structure. The structure is at
the core of the network subsystem of the Linux kernel, and we now introduce both
the main fields of the structure and the functions used to act on it.<br>
<br>
<A name="529"></a><font color="blue">PAGE 529</font><br>
<br>
Although there is no strict need to understand the internals of <font class="fixd">sk_buff,</font> the ability to
look at its contents can be helpful when you are tracking down problems and when
you are trying to optimize your code. For example, if you look in <i>loopback.c</i>, you'll
find an optimization based on knowledge of the <font class="fixd">sk_buff</font> internals. The usual warning
applies here: if you write code that takes advantage of knowledge of the <font class="fixd">sk_buff</font>
structure, you should be prepared to see it break with future kernel releases. Still,
sometimes the performance advantages justify the additional maintenance cost.<br>
<br>
We are not going to describe the whole structure here, just the fields that might be
used from within a driver. If you want to see more, you can look at <i>&lt;linux/skbuff.h&gt;</i>,
where the structure is defined and the functions are prototyped. Additional details
about how the fields and functions are used can be easily retrieved by grepping in the
kernel sources.<br>
<br>
<a name="TheImportantFields"></a><font color="red"><b>The Important Fields</b></font><br>
<br>
The fields introduced here are the ones a driver might need to access. They are listed
in no particular order.<br>
<br>
<font class="fixd">struct net_device *dev;</font><br>
<div class="bq">
The device receiving or sending this buffer.</div>
<br>
<font class="fixd">union { /* ... */ } h;<br>
union { /* ... */ } nh;<br>
union { /*... */} mac;</font><br>
<div class="bq">
Pointers to the various levels of headers contained within the packet. Each field
of the union is a pointer to a different type of data structure. <font class="fixd">h</font> hosts pointers to
transport layer headers (for example, <font class="fixd">struct tcphdr *th</font>); <font class="fixd">nh</font> includes network
layer headers (such as <font class="fixd">struct iphdr *iph</font>); and <font class="fixd">mac</font> collects pointers to link-layer
headers (such as <font class="fixd">struct ethdr *ethernet</font>).<br>
<br>
If your driver needs to look at the source and destination addresses of a TCP
packet, it can find them in <font class="fixd">skb-&gt;h.th.</font> See the header file for the full set of header
types that can be accessed in this way.<br>
<br>
Note that network drivers are responsible for setting the <font class="fixd">mac</font> pointer for incoming
packets. This task is normally handled by <i>eth_type_trans</i>, but non-Ethernet
drivers have to set <font class="fixd">skb-&gt;mac.raw</font> directly, as shown in the section "Non-Ethernet
Headers."</div>
<br>
<font class="fixd">unsigned char *head;<br>
unsigned char *data;<br>
unsigned char *tail;<br>
unsigned char *end;</font><br>
<div class="bq">
Pointers used to address the data in the packet. <font class="fixd">head</font> points to the beginning of
the allocated space, <font class="fixd">data</font> is the beginning of the valid octets (and is usually
slightly greater than <font class="fixd">head</font>), <font class="fixd">tail</font> is the end of the valid octets, and <font class="fixd">end</font> points to</div>
<br>
<A name="530"></a><font color="blue">PAGE 530</font><br>
<br>
<div class="bq">the maximum address<font class="fixd"> tail</font> can reach. Another way to look at it is that the <i>available
</i>buffer space is <font class="fixd">skb-&gt;end - skb-&gt;head,</font> and the <i>currently used </i>data space is
<font class="fixd">skb-&gt;tail - skb-&gt;data.</font></div>
<br>
<font class="fixd">unsigned int len;<br>
unsigned int data_len;</font><br>
<div class="bq">
len is the full length of the data in the packet, while <font class="fixd">data_len</font> is the length of the
portion of the packet stored in separate fragments. The <font class="fixd">data_len</font> field is <font class="fixd">0</font> unless
scatter/gather I/O is being used.</div>
<br>
<font class="fixd">unsigned char ip_summed;</font><br>
<div class="bq">
The checksum policy for this packet. The field is set by the driver on incoming
packets, as described in the section "Packet Reception."</div>
<br>
<font class="fixd">unsigned char pkt_type;</font><br>
<div class="bq">
Packet classification used in its delivery. The driver is responsible for setting it to
<font class="fixd">PACKET_HOST</font> (this packet is for me), <font class="fixd">PACKET_OTHERHOST</font> (no, this packet is not for
me), <font class="fixd">PACKET_BROADCAST</font>, or <font class="fixd">PACKET_MULTICAST</font>. Ethernet drivers don't 
modify <font class="fixd">pkt_type</font> explicitly because <i>eth_type_trans</i> does it for them.</div>
<br>
<font class="fixd">shinfo(struct sk_buff *skb);<br>
unsigned int shinfo(skb)-&gt;nr_frags;<br>
skb_frag_t shinfo(skb)-&gt;frags;</font><br>
<div class="bq">
For performance reasons, some skb information is stored in a separate structure
that appears immediately after the skb in memory. This "shared info" (so called
because it can be shared among copies of the skb within the networking code)
must be accessed via the <i>shinfo </i>macro. There are several fields in this structure,
but most of them are beyond the scope of this book. We saw <font class="fixd">nr_frags</font> and <font class="fixd">frags</font>
in the section "Scatter/Gather I/O."</div>
<br>
The remaining fields in the structure are not particularly interesting. They are used to
maintain lists of buffers, to account for memory belonging to the socket that owns
the buffer, and so on.<br>
<br>
<a name="FunctionsActingOnSocketBuffers"></a><font color="red"><b>Functions Acting on Socket Buffers</b></font><br>
<br>
Network devices that use an <font class="fixd">sk_buff</font> structure act on it by means of the official interface
functions. Many functions operate on socket buffers; here are the most interesting
ones:<br>
<br>
<font class="fixd">struct sk_buff *alloc_skb(unsigned int len, int priority);<br>
struct sk_buff *dev_alloc_skb(unsigned int len);</font><br>
<div class="bq">
Allocate a buffer. The <i>alloc_skb </i>function allocates a buffer and initializes both
<font class="fixd">skb-&gt;data</font> and <font class="fixd">skb-&gt;tail</font> to <font class="fixd">skb-&gt;head.</font> The <i>dev_alloc_skb </i>function is a shortcut
that calls <i>alloc_skb </i>with <font class="fixd">GFP_ATOMIC</font> priority and reserves some space between
<font class="fixd">skb-&gt;head</font> and <font class="fixd">skb-&gt;data.</font> This data space is used for optimizations within the
network layer and should not be touched by the driver.</div>
<br>
<A name="531"></a><font color="blue">PAGE 531</font><br>
<br>
<font class="fixd">void kfree_skb(struct sk_buff *skb);<br>
void dev_kfree_skb(struct sk_buff *skb);<br>
void dev_kfree_skb_irq(struct sk_buff *skb);<br>
void dev_kfree_skb_any(struct sk_buff *skb);</font><br>
<div class="bq">
Free a buffer. The <i>kfree_skb </i>call is used internally by the kernel. A driver should
use one of the forms of <i>dev_kfree_skb </i>instead: <i>dev_kfree_skb </i>for noninterrupt
context, <i>dev_kfree_skb_irq </i>for interrupt context, or <i>dev_kfree_skb_any </i>for code
that can run in either context.</div>
<br>
<font class="fixd">unsigned char *skb_put(struct sk_buff *skb, int len);<br>
unsigned char *__skb_put(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Update the <font class="fixd">tail</font> and <font class="fixd">len</font> fields of the <font class="fixd">sk_buff</font> structure; they are used to add data
to the end of the buffer. Each function's return value is the previous value of
<font class="fixd">skb-&gt;tail</font> (in other words, it points to the data space just created). Drivers can
use the return value to copy data by invoking <font class="fixd">memcpy(skb_put(...), data, len)</font>
or an equivalent. The difference between the two functions is that <i>skb_put
</i>checks to be sure that the data fits in the buffer, whereas <i>__skb_put </i>omits the
check.</div>
<br>
<font class="fixd">unsigned char *skb_push(struct sk_buff *skb, int len);<br>
unsigned char *__skb_push(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Functions to decrement <font class="fixd">skb-&gt;data</font> and increment <font class="fixd">skb-&gt;len.</font> They are similar to
<i>skb_put</i>, except that data is added to the beginning of the packet instead of the
end. The return value points to the data space just created. The functions are used
to add a hardware header before transmitting a packet. Once again, <i>__skb_push
</i>differs in that it does not check for adequate available space.</div>
<br>
<font class="fixd">int skb_tailroom(struct sk_buff *skb);</font><br>
<div class="bq">
Returns the amount of space available for putting data in the buffer. If a driver
puts more data into the buffer than it can hold, the system panics. Although you
might object that a <i>printk </i>would be sufficient to tag the error, memory corruption
is so harmful to the system that the developers decided to take definitive
action. In practice, you shouldn't need to check the available space if the buffer
has been correctly allocated. Since drivers usually get the packet size before allocating
a buffer, only a severely broken driver puts too much data in the buffer,
and a panic might be seen as due punishment.</div>
<br>
<font class="fixd">int skb_headroom(struct sk_buff *skb);</font><br>
<div class="bq">
Returns the amount of space available in front of data, that is, how many octets
one can "push" to the buffer.</div>
<br>
<font class="fixd">void skb_reserve(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Increments both <font class="fixd">data</font> and <font class="fixd">tail.</font> The function can be used to reserve headroom
before filling the buffer. Most Ethernet interfaces reserve two bytes in front of
the packet; thus, the IP header is aligned on a 16-byte boundary, after a 14-byte
Ethernet header. <i>snull </i>does this as well, although the instruction was not shown
in "Packet Reception" to avoid introducing extra concepts at that point.</div>
<br>
<A name="532"></a><font color="blue">PAGE 532</font><br>
<br>
<font class="fixd">unsigned char *skb_pull(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Removes data from the head of the packet. The driver won't need to use this
function, but it is included here for completeness. It decrements <font class="fixd">skb-&gt;len</font> and
increments <font class="fixd">skb-&gt;data;</font> this is how the hardware header (Ethernet or equivalent)
is stripped from the beginning of incoming packets.</div>
<br>
<font class="fixd">int skb_is_nonlinear(struct sk_buff *skb);</font><br>
<div class="bq">
Returns a true value if this skb is separated into multiple fragments for scatter/gather
I/O.</div>
<br>
<font class="fixd">int skb_headlen(struct sk_buff *skb);</font><br>
<div class="bq">
Returns the length of the first segment of the skb (that part pointed to by <font class="fixd">skb-&gt;data</font>).</div>
<br>
<font class="fixd">void *kmap_skb_frag(skb_frag_t *frag);<br>
void kunmap_skb_frag(void *vaddr);</font><br>
<div class="bq">
If you must directly access fragments in a nonlinear skb from within the kernel,
these functions map and unmap them for you. An atomic kmap is used, so you
cannot have more than one fragment mapped at a time.</div>
<br>
The kernel defines several other functions that act on socket buffers, but they are
meant to be used in higher layers of networking code, and the driver doesn't need them.<br>
<br>
<a name="MACAddressResolution"></a><font color="red"><b>MAC Address Resolution</b></font><br>
<br>
An interesting issue with Ethernet communication is how to associate the MAC
addresses (the interface's unique hardware ID) with the IP number. Most protocols
have a similar problem, but we concentrate on the Ethernet-like case here. We try to
offer a complete description of the issue, so we show three situations: ARP, Ethernet
headers without ARP (such as <i>plip</i>), and non-Ethernet headers.<br>
<br>
<a name="UsingARPWithEthernet"></a><font color="red"><b>Using ARP with Ethernet</b></font><br>
<br>
The usual way to deal with address resolution is by using the Address Resolution
Protocol (ARP). Fortunately, ARP is managed by the kernel, and an Ethernet interface
doesn't need to do anything special to support ARP. As long as <font class="fixd">dev-&gt;addr</font> and
<font class="fixd">dev-&gt;addr_len</font> are correctly assigned at open time, the driver doesn't need to worry
about resolving IP numbers to MAC addresses; <i>ether_setup </i>assigns the correct device
methods to <font class="fixd">dev-&gt;hard_header</font> and <font class="fixd">dev-&gt;rebuild_header.</font><br>
<br>
Although the kernel normally handles the details of address resolution (and caching
of the results), it calls upon the interface driver to help in the building of the packet.
After all, the driver knows about the details of the physical layer header, while the
authors of the networking code have tried to insulate the rest of the kernel from that
knowledge. To this end, the kernel calls the driver's <i>hard_header </i>method to lay out<br>
<br>
<A name="533"></a><font color="blue">PAGE 533</font><br>
<br>
the packet with the results of the ARP query. Normally, Ethernet driver writers need
not know about this process--the common Ethernet code takes care of everything.<br>
<br>
<a name="OverridingARP"></a><font color="red"><b>Overriding ARP</b></font><br>
<br>
Simple point-to-point network interfaces, such as <i>plip</i>, might benefit from using
Ethernet headers, while avoiding the overhead of sending ARP packets back and
forth. The sample code in <i>snull </i>also falls into this class of network devices. <i>snull </i>cannot
use ARP because the driver changes IP addresses in packets being transmitted,
and ARP packets exchange IP addresses as well. Although we could have implemented
a simple ARP reply generator with little trouble, it is more illustrative to
show how to handle physical-layer headers directly.<br>
<br>
If your device wants to use the usual hardware header without running ARP, you
need to override the default <i>dev-&gt;hard_header </i>method. This is how <i>snull </i>implements
it, as a very short function:<br>
<pre>
int snull_header(struct sk_buff *skb, struct net_device *dev,
                unsigned short type, void *daddr, void *saddr,
                unsigned int len)
{
    struct ethhdr *eth = (struct ethhdr *)skb_push(skb,ETH_HLEN);

    eth-&gt;h_proto = htons(type);
    memcpy(eth-&gt;h_source, saddr ? saddr : dev-&gt;dev_addr, dev-&gt;addr_len);
    memcpy(eth-&gt;h_dest,   daddr ? daddr : dev-&gt;dev_addr, dev-&gt;addr_len);
    eth-&gt;h_dest[ETH_ALEN-1]   ^= 0x01;   /* dest is us xor 1 */
    return (dev-&gt;hard_header_len);
}
</pre>
The function simply takes the information provided by the kernel and formats it into
a standard Ethernet header. It also toggles a bit in the destination Ethernet address,
for reasons described later.<br>
<br>
When a packet is received by the interface, the hardware header is used in a couple
of ways by <i>eth_type_trans</i>. We have already seen this call in <i>snull_rx</i>:<br>
<pre>
skb-&gt;protocol = eth_type_trans(skb, dev);
</pre>
The function extracts the protocol identifier (<font class="fixd">ETH_P_IP,</font> in this case) from the Ethernet
header; it also assigns <font class="fixd">skb-&gt;mac.raw,</font> removes the hardware header from packet data
(with <i>skb_pull</i>), and sets <font class="fixd">skb-&gt;pkt_type.</font> This last item defaults to <font class="fixd">PACKET_HOST</font> at <font class="fixd">skb</font>
allocation (which indicates that the packet is directed to this host), and <i>eth_type_trans
</i>changes it to reflect the Ethernet destination address: if that address does not match the
address of the interface that received it, the <font class="fixd">pkt_type</font> field is set to <font class="fixd">PACKET_OTHERHOST</font>.
Subsequently, unless the interface is in promiscuous mode or packet forwarding is
enabled in the kernel, <i>netif_rx </i>drops any packet of type <font class="fixd">PACKET_OTHERHOST</font>. For this reason,
<i>snull_header </i>is careful to make the destination hardware address match that of the
"receiving" interface.<br>
<br>
<A name="534"></a><font color="blue">PAGE 534</font><br>
<br>
If your interface is a point-to-point link, you won't want to receive unexpected multicast
packets. To avoid this problem, remember that a destination address whose first
octet has <font class="fixd">0</font> as the least significant bit (LSB) is directed to a single host (i.e., it is either
<font class="fixd">PACKET_HOST</font> or <font class="fixd">PACKET_OTHERHOST</font>). The <i>plip </i>driver uses <font class="fixd">0xfc</font> as the first octet of its
hardware address, while <i>snull </i>uses <font class="fixd">0x00.</font> Both addresses result in a working Ethernet like
point-to-point link.<br>
<br>
<a name="NonEthernetHeaders"></a><font color="red"><b>Non-Ethernet Headers</b></font><br>
<br>
We have just seen that the hardware header contains some information in addition to
the destination address, the most important being the communication protocol. We
now describe how hardware headers can be used to encapsulate relevant information.
If you need to know the details, you can extract them from the kernel sources or the
technical documentation for the particular transmission medium. Most driver writers
are able to ignore this discussion and just use the Ethernet implementation.<br>
<br>
It's worth noting that not all information has to be provided by every protocol. A
point-to-point link such as <i>plip </i>or <i>snull </i>could avoid transferring the whole Ethernet
header without losing generality. The <i>hard_header </i>device method, shown earlier as
implemented by <i>snull_header</i>, receives the delivery information--both protocol-level
and hardware addresses--from the kernel. It also receives the 16-bit protocol number
in the type argument; IP, for example, is identified by <font class="fixd">ETH_P_IP</font>. The driver is
expected to correctly deliver both the packet data and the protocol number to the
receiving host. A point-to-point link could omit addresses from its hardware header,
transferring only the protocol number, because delivery is guaranteed independent of
the source and destination addresses. An IP-only link could even avoid transmitting
any hardware header whatsoever.<br>
<br>
When the packet is picked up at the other end of the link, the receiving function in the
driver should correctly set the fields <font class="fixd">skb-&gt;protocol, skb-&gt;pkt_type, and skb-&gt;mac.raw.</font><br>
<br>
<font class="fixd">skb-&gt;mac.raw</font> is a char pointer used by the address-resolution mechanism implemented
in higher layers of the networking code (for instance, <i>net/ipv4/arp.c</i>). It must
point to a machine address that matches <font class="fixd">dev-&gt;type.</font> The possible values for the
device type are defined in <i>&lt;linux/if_arp.h&gt;</i>; Ethernet interfaces use <font class="fixd">ARPHRD_ETHER</font>. For
example, here is how <i>eth_type_trans </i>deals with the Ethernet header for received
packets:<br>
<pre>
skb-&gt;mac.raw = skb-&gt;data;
skb_pull(skb, dev-&gt;hard_header_len);
</pre>
In the simplest case (a point-to-point link with no headers), <font class="fixd">skb-&gt;mac.raw</font> can point
to a static buffer containing the hardware address of this interface, <font class="fixd">protocol</font> can be
set to <font class="fixd">ETH_P_IP,</font> and <font class="fixd">packet_type</font> can be left with its default value of <font class="fixd">PACKET_HOST</font>.<br>
<br>
Because every hardware type is unique, it is hard to give more specific advice than
already discussed. The kernel is full of examples, however. See, for example, the<br>
<br>
<A name="535"></a><font color="blue">PAGE 535</font><br>
<br>
AppleTalk driver (<i>drivers/net/appletalk/cops.c</i>), the infrared drivers (such as <i>drivers/
net/irda/smc_ircc.c</i>), or the PPP driver (<i>drivers/net/ppp_generic.c</i>).<br>
<br>
<a name="CustomIoctlCommands"></a><font color="red"><b>Custom ioctl Commands</b></font><br>
<br>
We have seen that the <i>ioctl </i>system call is implemented for sockets; <font class="fixd">SIOCSIFADDR</font> and
<font class="fixd">SIOCSIFMAP</font> are examples of "socket <i>ioctls</i>." Now let's see how the third argument of
the system call is used by networking code.<br>
<br>
When the <i>ioctl </i>system call is invoked on a socket, the command number is one of the
symbols defined in <i>&lt;linux/sockios.h&gt;</i>, and the <i>sock_ioctl </i>function directly invokes a
protocol-specific function (where "protocol" refers to the main network protocol
being used, for example, IP or AppleTalk).<br>
<br>
Any <i>ioctl </i>command that is not recognized by the protocol layer is passed to the
device layer. These device-related <i>ioctl </i>commands accept a third argument from user
space, a <font class="fixd">struct ifreq*.</font> This structure is defined in <i>&lt;linux/if.h&gt;</i>. The <font class="fixd">SIOCSIFADDR</font>
and <font class="fixd">SIOCSIFMAP</font> commands actually work on the <font class="fixd">ifreq</font> structure. The extra argument
to <font class="fixd">SIOCSIFMAP</font>, although defined as <font class="fixd">ifmap,</font> is just a field of <font class="fixd">ifreq.</font><br>
<br>
In addition to using the standardized calls, each interface can define its own <i>ioctl
</i>commands. The <i>plip </i>interface, for example, allows the interface to modify its internal
timeout values via <i>ioctl</i>. The <i>ioctl </i>implementation for sockets recognizes 16 commands
as private to the interface: <font class="fixd">SIOCDEVPRIVATE</font> through <font class="fixd">SIOCDEVPRIVATE+15.*</font><br>
<br>
When one of these commands is recognized, <font class="fixd">dev-&gt;do_ioctl</font> is called in the relevant
interface driver. The function receives the same <font class="fixd">struct ifreq*</font> pointer that the
general-purpose <i>ioctl</i> function uses:<br>
<pre>
int (*do_ioctl)(struct net_device *dev, struct ifreq *ifr, int cmd);
</pre>
The <font class="fixd">ifr</font> pointer points to a kernel-space address that holds a copy of the structure
passed by the user. After <i>do_ioctl </i>returns, the structure is copied back to user space;
Therefore, the driver can use the private commands to both receive and return data.<br>
<br>
The device-specific commands can choose to use the fields in </font>struct ifreq,</font> but they
already convey a standardized meaning, and it's unlikely that the driver can adapt
the structure to its needs. The field <font class="fixd">ifr_data</font> is a <font class="fixd">caddr_t</font> item (a pointer) that is
meant to be used for device-specific needs. The driver and the program used to
invoke its <i>ioctl </i>commands should agree about the use of <font class="fixd">ifr_data</font>. For example, <i>pppstats
</i>uses device-specific commands to retrieve information from the <i>ppp </i>interface
driver.<br>
<br>
* Note that, according to <i>&lt;linux/sockios.h&gt;</i>, the <font class="fixd">SIOCDEVPRIVATE</font> commands are deprecated. 
What should replace them is not clear, however, and numerous in-tree drivers still use them.<br>
<br>
<A name="536"></a><font color="blue">PAGE 536</font><br>
<br>
It's not worth showing an implementation of <i>do_ioctl </i>here, but with the information
in this chapter and the kernel examples, you should be able to write one when you
need it. Note, however, that the <i>plip </i>implementation uses <font class="fixd">ifr_data</font> incorrectly and
should not be used as an example for an <i>ioctl</i> implementation.<br>
<br>
<a name="StatisticalInformation"></a><font color="red"><b>Statistical Information</b></font><br>
<br>
The last method a driver needs is <i>get_stats</i>. This method returns a pointer to the statistics
for the device. Its implementation is pretty easy; the one shown works even
when several interfaces are managed by the same driver, because the statistics are
hosted within the device data structure.<br>
<pre>
struct net_device_stats *snull_stats(struct net_device *dev)
{
    struct snull_priv *priv = netdev_priv(dev);
    return &amp;priv-&gt;stats;
}
</pre>
The real work needed to return meaningful statistics is distributed throughout the
driver, where the various fields are updated. The following list shows the most interesting
fields in <font class="fixd">struct net_device_stats:</font><br>
<br>
<font class="fixd">unsigned long rx_packets;<br>
unsigned long tx_packets;</font><br>
<div class="bq">
The total number of incoming and outgoing packets successfully transferred by
the interface.</div>
<br>
<font class="fixd">unsigned long rx_bytes;<br>
unsigned long tx_bytes;</font><br>
<div class="bq">
The number of bytes received and transmitted by the interface.</div>
<br>
<font class="fixd">unsigned long rx_errors;<br>
unsigned long tx_errors;</font><br>
<div class="bq">
The number of erroneous receptions and transmissions. There's no end of things
that can go wrong with packet transmission, and the <font class="fixd">net_device_stats</font> structure
includes six counters for specific receive errors and five for transmit errors. See
<i>&lt;linux/netdevice.h&gt; </i>for the full list. If possible, your driver should maintain
detailed error statistics, because they can be most helpful to system administrators
trying to track down a problem.</div>
<br>
<font class="fixd">unsigned long rx_dropped;<br>
unsigned long tx_dropped;</font><br>
<div class="bq">
The number of packets dropped during reception and transmission. Packets are
dropped when there's no memory available for packet data. <font class="fixd">tx_dropped</font> is rarely
used.</div>
<br>
<A name="537"></a><font color="blue">PAGE 537</font><br>
<br>
<font class="fixd">unsigned long collisions;</font><br>
<div class="bq">
The number of collisions due to congestion on the medium.</div>
<br>
<font class="fixd">unsigned long multicast;</font><br>
<div class="bq">
The number of multicast packets received.</div>
<br>
It is worth repeating that the <i>get_stats </i>method can be called at any time--even when
the interface is down--so the driver must retain statistical information for as long as
the <font class="fixd">net_device</font> structure exists.<br>
<br>
<a name="Multicast"></a><font color="red"><b>Multicast</b></font><br>
<br>
A <i>multicast </i>packet is a network packet meant to be received by more than one host,
but not by all hosts. This functionality is obtained by assigning special hardware
addresses to groups of hosts. Packets directed to one of the special addresses should
be received by all the hosts in that group. In the case of Ethernet, a multicast address
has the least significant bit of the first address octet set in the destination address,
while every device board has that bit clear in its own hardware address.<br>
<br>
The tricky part of dealing with host groups and hardware addresses is performed by
applications and the kernel, and the interface driver doesn't need to deal with these
problems.<br>
<br>
Transmission of multicast packets is a simple problem because they look exactly like
any other packets. The interface transmits them over the communication medium
without looking at the destination address. It's the kernel that has to assign a correct
hardware destination address; the <i>hard_header </i>device method, if defined, doesn't
need to look in the data it arranges.<br>
<br>
The kernel handles the job of tracking which multicast addresses are of interest at
any given time. The list can change frequently, since it is a function of the applications
that are running at any given time and the users' interest. It is the driver's job to
accept the list of interesting multicast addresses and deliver to the kernel any packets
sent to those addresses. How the driver implements the multicast list is somewhat
dependent on how the underlying hardware works. Typically, hardware
belongs to one of three classes, as far as multicast is concerned:<br>
<ul>
<li> Interfaces that cannot deal with multicast. These interfaces either receive 
packets directed specifically to their hardware address (plus broadcast packets) or
receive every packet. They can receive multicast packets only by receiving every
packet, thus, potentially overwhelming the operating system with a huge number
of "uninteresting" packets. You don't usually count these interfaces as multicast
capable, and the driver won't set <font class="fixd">IFF_MULTICAST</font> in <font class="fixd">dev-&gt;flags.</font><br>
<br>
Point-to-point interfaces are a special case because they always receive every
packet without performing any hardware filtering.
</ul>
<A name="538"></a><font color="blue">PAGE 538</font>
<ul>
<li> Interfaces that can tell multicast packets from other packets (host-to-host or
broadcast). These interfaces can be instructed to receive every multicast packet
and let the software determine if the address is interesting for this host. The
overhead introduced in this case is acceptable, because the number of multicast
packets on a typical network is low.
<li> Interfaces that can perform hardware detection of multicast addresses. These
interfaces can be passed a list of multicast addresses for which packets are to be
received, and ignore other multicast packets. This is the optimal case for the kernel,
because it doesn't waste processor time dropping "uninteresting" packets
received by the interface.
</ul>
The kernel tries to exploit the capabilities of high-level interfaces by supporting the
third device class, which is the most versatile, at its best. Therefore, the kernel notifies
the driver whenever the list of valid multicast addresses is changed, and it passes
the new list to the driver so it can update the hardware filter according to the new
information.<br>
<br>
<a name="KernelSupportForMulticasting"></a><font color="red"><b>Kernel Support for Multicasting</b></font><br>
<br>
Support for multicast packets is made up of several items: a device method, a data
structure, and device flags:<br>
<br>
<font class="fixd">void (*dev-&gt;set_multicast_list)(struct net_device *dev);</font><br>
<div class="bq">
Device method called whenever the list of machine addresses associated with the
device changes. It is also called when <font class="fixd">dev-&gt;flags</font> is modified, because some flags
(e.g., <font class="fixd">IFF_PROMISC</font>) may also require you to reprogram the hardware filter. The
method receives a pointer to <font class="fixd">struct net_device</font> as an argument and returns
<font class="fixd">void.</font> A driver not interested in implementing this method can leave the field set
to NULL.</div>
<br>
<font class="fixd">struct dev_mc_list *dev-&gt;mc_list;</font><br>
<div class="bq">
A linked list of all the multicast addresses associated with the device. The actual
definition of the structure is introduced at the end of this section.</div>
<br>
<font class="fixd">int dev-&gt;mc_count;</font><br>
<div class="bq">
The number of items in the linked list. This information is somewhat redundant,
but checking <font class="fixd">mc_count</font> against <font class="fixd">0</font> is a useful shortcut for checking the list.</div>
<br>
<font class="fixd">IFF_MULTICAST</font><br>
<div class="bq">
Unless the driver sets this flag in <font class="fixd">dev-&gt;flags,</font> the interface won't be asked to handle
multicast packets. Nonetheless, the kernel calls the driver's <i>set_multicast_list
</i>method when <font class="fixd">dev-&gt;flags</font> changes, because the multicast list may have changed
while the interface was not active.</div>
<br>
<A name="539"></a><font color="blue">PAGE 539</font><br>
<br>
<font class="fixd">IFF_ALLMULTI</font><br>
<div class="bq">
Flag set in <font class="fixd">dev-&gt;flags</font> by the networking software to tell the driver to retrieve all
multicast packets from the network. This happens when multicast routing is
enabled. If the flag is set, <font class="fixd">dev-&gt;mc_list</font> shouldn't be used to filter multicast packets.</div>
<br>
<font class="fixd">IFF_PROMISC</font><br>
<div class="bq">
Flag set in <font class="fixd">dev-&gt;flags</font> when the interface is put into promiscuous mode. Every
packet should be received by the interface, independent of <font class="fixd">dev-&gt;mc_list.</font></div>
<br>
The last bit of information needed by the driver developer is the definition of <font class="fixd">struct dev_mc_list, </font>
which lives in <i>&lt;linux/netdevice.h&gt;</i>:<br>
<pre>
struct dev_mc_list {
    struct dev_mc_list   *next;          /* Next address in list */
    __u8                 dmi_addr[MAX_ADDR_LEN]; /* Hardware address */
    unsigned char        dmi_addrlen;    /* Address length */
    int                  dmi_users;      /* Number of users */
    int                  dmi_gusers;     /* Number of groups */
};
</pre>
Because multicasting and hardware addresses are independent of the actual transmission
of packets, this structure is portable across network implementations, and each
address is identified by a string of octets and a length, just like <font class="fixd">dev-&gt;dev_addr.</font><br>
<br>
<a name="ATypicalImplementation"></a><font color="red"><b>A Typical Implementation</b></font><br>
<br>
The best way to describe the design of <i>set_multicast_list </i>is to show you some
pseudocode.<br>
<br>
The following function is a typical implementation of the function in a full-featured
(<font class="fixd">ff</font>) driver. The driver is full featured in that the interface it controls has a complex
hardware packet filter, which can hold a table of multicast addresses to be received
by this host. The maximum size of the table is <font class="fixd">FF_TABLE_SIZE</font>.<br>
<br>
All the functions prefixed with <font class="fixd">ff_</font> are placeholders for hardware-specific operations:<br>
<pre>
void ff_set_multicast_list(struct net_device *dev)
{
    struct dev_mc_list *mcptr;

    if (dev-&gt;flags &amp; IFF_PROMISC) {
        ff_get_all_packets( );
        return;
    }
    /* If there's more addresses than we handle, get all multicast
    packets and sort them out in software. */
    if (dev-&gt;flags &amp; IFF_ALLMULTI || dev-&gt;mc_count &gt; FF_TABLE_SIZE) {
        ff_get_all_multicast_packets( );
        return;
    }
    /* No multicast?  Just get our own stuff */
    if (dev-&gt;mc_count = = 0) {
</pre>
<A name="540"></a><font color="blue">PAGE 540</font><br>
<pre>
        ff_get_only_own_packets( );
        return;
    }
    /* Store all of the multicast addresses in the hardware filter */
    ff_clear_mc_list( );
    for (mc_ptr = dev-&gt;mc_list; mc_ptr; mc_ptr = mc_ptr-&gt;next)
        ff_store_mc_address(mc_ptr-&gt;dmi_addr);
    ff_get_packets_in_multicast_list( );
}
</pre>
This implementation can be simplified if the interface cannot store a multicast table
in the hardware filter for incoming packets. In that case, <font class="fixd">FF_TABLE_SIZE</font> reduces to <font class="fixd">0,</font>
and the last four lines of code are not needed.<br>
<br>
As was mentioned earlier, even interfaces that can't deal with multicast packets need
to implement the <i>set_multicast_list </i>method to be notified about changes in <font class="fixd">dev-&gt;flags. </font>
This approach could be called a "nonfeatured" (<font class="fixd">nf</font>) implementation. The
implementation is very simple, as shown by the following code:<br>
<pre>
void nf_set_multicast_list(struct net_device *dev)
{
    if (dev-&gt;flags &amp; IFF_PROMISC)
        nf_get_all_packets( );
    else
        nf_get_only_own_packets( );
}
</pre>
Implementing <font class="fixd">IFF_PROMISC</font> is important, because otherwise the user won't be able to
run <i>tcpdump </i>or any other network analyzers. If the interface runs a point-to-point
link, on the other hand, there's no need to implement <i>set_multicast_list </i>at all,
because users receive every packet anyway.<br>
<br>
<a name="AFewOtherDetails17"></a><font color="red"><b>A Few Other Details</b></font><br>
<br>
This section covers a few other topics that may be of interest to network driver
authors. In each case, we simply try to point you in the right direction. Obtaining a
complete picture of the subject probably requires spending some time digging
through the kernel source as well.<br>
<br>
<a name="MediaIndependentInterfaceSupport"></a><font color="red"><b>Media Independent Interface Support</b></font><br>
<br>
Media Independent Interface (or MII) is an IEEE 802.3 standard describing how
Ethernet transceivers can interface with network controllers; many products on the
market conform with this interface. If you are writing a driver for an MII-compliant
controller, the kernel exports a generic MII support layer that may make your life
easier.<br>
<br>
<A name="541"></a><font color="blue">PAGE 541</font><br>
<br>
To use the generic MII layer, you should include <i>&lt;linux/mii.h&gt;</i>. You need to fill out an
<font class="fixd">mii_if_info</font> structure with information on the physical ID of the transceiver, whether
full duplex is in effect, etc. Also required are two methods for the <font class="fixd">mii_if_info</font> structure:<br>
<pre>
int (*mdio_read) (struct net_device *dev, int phy_id, int location);
void (*mdio_write) (struct net_device *dev, int phy_id, int location, int val);
</pre>
As you might expect, these methods should implement communications with your
specific MII interface.<br>
<br>
The generic MII code provides a set of functions for querying and changing the operating
mode of the transceiver; many of these are designed to work with the <i>ethtool
</i>utility (described in the next section). Look in <i>&lt;linux/mii.h&gt; </i>and <i>drivers/net/mii.c </i>for
the details.<br>
<br>
<a name="EthtoolSupport"></a><font color="red"><b>Ethtool Support</b></font><br>
<br>
<i>Ethtool </i>is a utility designed to give system administrators a great deal of control over
the operation of network interfaces. With <i>ethtool</i>, it is possible to control various
interface parameters including speed, media type, duplex operation, DMA ring
setup, hardware checksumming, wake-on-LAN operation, etc., but only if <i>ethtool </i>is
supported by the driver. <i>Ethtool </i>may be downloaded from <a href="http://sf.net/projects/gkernel/" target="_blank"><i>http://sf.net/projects/gkernel/</i></a>.<br>
<br>
The relevant declarations for <i>ethtool </i>support may be found in <i>&lt;linux/ethtool.h&gt;</i>. At
the core of it is a structure of type <font class="fixd">ethtool_ops,</font> which contains a full 24 different
methods for <i>ethtool </i>support. Most of these methods are relatively straightforward;
see <i>&lt;linux/ethtool.h&gt; </i>for the details. If your driver is using the MII layer, you can use
<i>mii_ethtool_gset </i>and <i>mii_ethtool_sset </i>to implement the <i>get_settings </i>and <i>set_settings
</i>methods, respectively.<br>
<br>
For <i>ethtool </i>to work with your device, you must place a pointer to your <font class="fixd">ethtool_ops</font>
structure in the <font class="fixd">net_device</font> structure. The macro <font class="fixd">SET_ETHTOOL_OPS</font> (defined in <i>&lt;linux/
netdevice.h&gt;</i>) should be used for this purpose. Do note that your <i>ethtool </i>methods can
be called even when the interface is down.<br>
<br>
<a name="Netpoll"></a><font color="red"><b>Netpoll</b></font><br>
<br>
"Netpoll" is a relatively late (2.6.5) addition to the network stack; its purpose is to
enable the kernel to send and receive packets in situations where the full network
and I/O subsystems may not be available. It is used for features like remote network
consoles and remote kernel debugging. Supporting netpoll in your driver is not, by
any means, necessary, but it may make your device more useful in some situations.
Supporting netpoll is also relatively easy in most cases.<br>
<br>
<A name="542"></a><font color="blue">PAGE 542</font><br>
<br>
Drivers implementing netpoll should implement the <i>poll_controller </i>method. Its job is
to keep up with anything that may be happening on the controller in the absence of
device interrupts. Almost all <i>poll_controller</i> methods take the following form:<br>
<pre>
void my_poll_controller(struct net_device *dev)
{
    disable_device_interrupts(dev);
    call_interrupt_handler(dev-&gt;irq, dev, NULL);
    reenable_device_interrupts(dev);
}
</pre>
The <i>poll_controller </i>method, in essence, is simply simulating interrupts from the
given device.<br>
<br>
<a name="QuickReference17"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This section provides a reference for the concepts introduced in this chapter. It also
explains the role of each header file that a driver needs to include. The lists of fields
in the <font class="fixd">net_device</font> and <font class="fixd">sk_buff</font> structures, however, are not repeated here.<br>
<br>
<font class="fixd">#include &lt;linux/netdevice.h&gt;</font><br>
<div class="bq">
Header that hosts the definitions of <font class="fixd">struct net_device</font> and <font class="fixd">struct net_device_stats,</font>
and includes a few other headers that are needed by network drivers.</div>
<br>
<font class="fixd">struct net_device *alloc_netdev(int sizeof_priv, char *name, void (*setup)(struct net_device *);<br>
struct net_device *alloc_etherdev(int sizeof_priv);<br>
void free_netdev(struct net_device *dev);</font><br>
<div class="bq">
Functions for allocating and freeing <font class="fixd">net_device</font> structures.</div>
<br>
<font class="fixd">int register_netdev(struct net_device *dev);<br>
void unregister_netdev(struct net_device *dev);</font><br>
<div class="bq">
Registers and unregisters a network device.</div>
<br>
<font class="fixd">void *netdev_priv(struct net_device *dev);</font><br>
<div class="bq">
A function that retrieves the pointer to the driver-private area of a network
device structure.</div>
<br>
<font class="fixd">struct net_device_stats;</font><br>
<div class="bq">
A structure that holds device statistics.</div>
<br>
<font class="fixd">netif_start_queue(struct net_device *dev);<br>
netif_stop_queue(struct net_device *dev);<br>
netif_wake_queue(struct net_device *dev);</font><br>
<div class="bq">
Functions that control the passing of packets to the driver for transmission. No
packets are transmitted until <i>netif_start_queue </i>has been called. <i>netif_stop_queue
</i>suspends transmission, and <i>netif_wake_queue </i>restarts the queue and pokes the
network layer to restart transmitting packets.</div>
<br>
<A name="543"></a><font color="blue">PAGE 543</font><br>
<br>
<font class="fixd">skb_shinfo(struct sk_buff *skb);</font><br>
<div class="bq">
A macro that provides access to the "shared info" portion of a packet buffer.</div>
<br>
<font class="fixd">void netif_rx(struct sk_buff *skb);</font><br>
<div class="bq">
Function that can be called (including at interrupt time) to notify the kernel that
a packet has been received and encapsulated into a socket buffer.</div>
<br>
<font class="fixd">void netif_rx_schedule(dev);</font><br>
<div class="bq">
Function that informs the kernel that packets are available and that polling
should be started on the interface; it is used only by NAPI-compliant drivers.</div>
<br>
<font class="fixd">int netif_receive_skb(struct sk_buff *skb);<br>
void netif_rx_complete(struct net_device *dev);</font><br>
<div class="bq">
Functions that should be used only by NAPI-compliant drivers. <i>netif_receive_skb
</i>is the NAPI equivalent to <i>netif_rx</i>; it feeds a packet into the kernel. When a
NAPI-compliant driver has exhausted the supply of received packets, it should
reenable interrupts, and call <i>netif_rx_complete</i> to stop polling.</div>
<br>
<font class="fixd">#include &lt;linux/if.h&gt;</font><br>
<div class="bq">
Included by <i>netdevice.h</i>, this file declares the interface flags (<font class="fixd">IFF_</font> macros) and
<font class="fixd">struct ifmap,</font> which has a major role in the <i>ioctl </i>implementation for network
drivers.</div>
<br>
<font class="fixd">void netif_carrier_off(struct net_device *dev);<br>
void netif_carrier_on(struct net_device *dev);<br>
int netif_carrier_ok(struct net_device *dev);</font><br>
<div class="bq">
The first two functions may be used to tell the kernel whether a carrier signal is
currently present on the given interface. <i>netif_carrier_ok </i>tests the carrier state as
reflected in the device structure.</div>
<br>
<font class="fixd">#include &lt;linux/if_ether.h&gt;<br>
ETH_ALEN<br>
ETH_P_IP<br>
struct ethhdr;</font><br>
<div class="bq">
Included by <i>netdevice.h</i>, <i>if_ether.h </i>defines all the <font class="fixd">ETH_</font> macros used to represent
octet lengths (such as the address length) and network protocols (such as IP). It
also defines the <font class="fixd">ethhdr</font> structure.</div>
<br>
<font class="fixd">#include &lt;linux/skbuff.h&gt;</font><br>
<div class="bq">
The definition of <font class="fixd">struct sk_buff</font> and related structures, as well as several inline
functions to act on the buffers. This header is included by <i>netdevice.h</i>.</div>
<br>
<A name="544"></a><font color="blue">PAGE 544</font><br>
<br>
<font class="fixd">struct sk_buff *alloc_skb(unsigned int len, int priority);<br>
struct sk_buff *dev_alloc_skb(unsigned int len);<br>
void kfree_skb(struct sk_buff *skb);<br>
void dev_kfree_skb(struct sk_buff *skb);<br>
void dev_kfree_skb_irq(struct sk_buff *skb);<br>
void dev_kfree_skb_any(struct sk_buff *skb);</font><br>
<div class="bq">
Functions that handle the allocation and freeing of socket buffers. Drivers
should normally use the <font class="fixd">dev_</font> variants, which are intended for that purpose.</div>
<br>
<font class="fixd">unsigned char *skb_put(struct sk_buff *skb, int len);<br>
unsigned char *__skb_put(struct sk_buff *skb, int len);<br>
unsigned char *skb_push(struct sk_buff *skb, int len);<br>
unsigned char *__skb_push(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Functions that add data to an <font class="fixd">skb;</font> <i>skb_put </i>puts the data at the end of the <font class="fixd">skb,</font>
while <i>skb_push </i>puts it at the beginning. The regular versions perform checking
to ensure that adequate space is available; double-underscore versions leave
those tests out.</div>
<br>
<font class="fixd">int skb_headroom(struct sk_buff *skb);<br>
int skb_tailroom(struct sk_buff *skb);<br>
void skb_reserve(struct sk_buff *skb, int len);</font><br>
<div class="bq">
Functions that perform management of space within an <font class="fixd">skb.</font> <i>skb_headroom </i>and
<i>skb_tailroom </i>tell how much space is available at the beginning and end, respectively,
of an <font class="fixd">skb.</font> <i>skb_reserve </i>may be used to reserve space at the beginning of an
<font class="fixd">skb,</font> which must be empty.</div>
<br>
<font class="fixd">unsigned char *skb_pull(struct sk_buff *skb, int len);</font><br>
<div class="bq">
<i>skb_pull</i> "removes" data from an <font class="fixd">skb</font> by adjusting the internal pointers.</div>
<br>
<font class="fixd">int skb_is_nonlinear(struct sk_buff *skb);</font><br>
<div class="bq">
Function that returns a true value if this skb is separated into multiple fragments
for scatter/gather I/O.</div>
<br>
<font class="fixd">int skb_headlen(struct sk_buff *skb);</font><br>
<div class="bq">
Returns the length of the first segment of the skb--that part pointed to by <font class="fixd">skb-&gt;data.</font></div>
<br>
<font class="fixd">void *kmap_skb_frag(skb_frag_t *frag);<br>
void kunmap_skb_frag(void *vaddr);</font><br>
<div class="bq">
Functions that provide direct access to fragments within a nonlinear skb.</div>
<br>
<font class="fixd">#include &lt;linux/etherdevice.h&gt;<br>
void ether_setup(struct net_device *dev);</font><br>
<div class="bq">
Function that sets most device methods to the general-purpose implementation
for Ethernet drivers. It also sets <font class="fixd">dev-&gt;flags</font> and assigns the next available <font class="fixd">ethx</font>
name to <font class="fixd">dev-&gt;name</font> if the first character in the name is a blank space or the <font class="fixd">NULL</font>
character.</div>
<br>
<A name="545"></a><font color="blue">PAGE 545</font><br>
<br>
<font class="fixd">unsigned short eth_type_trans(struct sk_buff *skb, struct net_device *dev);</font><br>
<div class="bq">
When an Ethernet interface receives a packet, this function can be called to set
<font class="fixd">skb-&gt;pkt_type.</font> The return value is a protocol number that is usually stored in
<font class="fixd">skb-&gt;protocol.</font></div>
<br>
<font class="fixd">#include &lt;linux/sockios.h&gt;<br>
SIOCDEVPRIVATE</font><br>
<div class="bq">
The first of 16 <i>ioctl </i>commands that can be implemented by each driver for its
own private use. All the network <i>ioctl</i> commands are defined in <i>sockios.h</i>.</div>
<br>
<font class="fixd">#include &lt;linux/mii.h&gt;<br>
struct mii_if_info;</font><br>
<div class="bq">
Declarations and a structure supporting drivers of devices that implement the
MII standard.</div>
<br>
<font class="fixd">#include &lt;linux/ethtool.h&gt;<br>
struct ethtool_ops;</font><br>
<div class="bq">
Declarations and structures that let devices work with the <i>ethtool</i> utility.</div>
<br>
<A name="546"></a><font color="blue">PAGE 546</font><br>
<br>
<a name="CHAPTER18"></a><font color="red"><b>CHAPTER 18</b></font><br>
<br>
<a name="TTYDrivers"></a><font color="#7519FF" size="+1"><b>TTY Drivers</b></font><br>
<br>
A tty device gets its name from the very old abbreviation of teletypewriter and was
originally associated only with the physical or virtual terminal connection to a Unix
machine. Over time, the name also came to mean any serial port style device, as terminal
connections could also be created over such a connection. Some examples of
physical tty devices are serial ports, USB-to-serial-port converters, and some types of
modems that need special processing to work properly (such as the traditional WinModem
style devices). tty virtual devices support virtual consoles that are used to log
into a computer, from either the keyboard, over a network connection, or through a
xterm session.<br>
<br>
The Linux tty driver core lives right below the standard character driver level and
provides a range of features focused on providing an interface for terminal style
devices to use. The core is responsible for controlling both the flow of data across a
tty device and the format of the data. This allows tty drivers to focus on handling the
data to and from the hardware, instead of worrying about how to control the interaction
with user space in a consistent way. To control the flow of data, there are a
number of different line disciplines that can be virtually "plugged" into any tty
device. This is done by different tty line discipline drivers.<br>
<br>
As Figure 18-1 shows, the tty core takes data from a user that is to be sent to a tty
device. It then passes it to a tty line discipline driver, which then passes it to the tty
driver. The tty driver converts the data into a format that can be sent to the hardware.
Data being received from the tty hardware flows back up through the tty
driver, into the tty line discipline driver, and into the tty core, where it can be
retrieved by a user. Sometimes the tty driver communicates directly to the tty core,
and the tty core sends data directly to the tty driver, but usually the tty line discipline
has a chance to modify the data that is sent between the two.<br>
<br>
The tty driver never sees the tty line discipline. The driver cannot communicate
directly with the line discipline, nor does it realize it is even present. The driver's job
is to format data that is sent to it in a manner that the hardware can understand, and
receive data from the hardware. The tty line discipline's job is to format the data<br>
<br>
<A name="547"></a><font color="blue">PAGE 547</font><br>
<br>
<center>
<img src="fig18-1.gif">
</center>
<br>
<i>Figure 18-1. tty core overview</i><br>
<br>
received from a user, or the hardware, in a specific manner. This formatting usually
takes the form of a protocol conversion, such as PPP or Bluetooth.<br>
<br>
There are three different types of tty drivers: console, serial port, and pty. The console
and pty drivers have already been written and probably are the only ones needed
of these types of tty drivers. This leaves any new drivers using the tty core to interact
with the user and the system as serial port drivers.<br>
<br>
To determine what kind of tty drivers are currently loaded in the kernel and what tty
devices are currently present, look at the <i>/proc/tty/drivers </i>file. This file consists of a
list of the different tty drivers currently present, showing the name of the driver, the
default node name, the major number for the driver, the range of minors used by the
driver, and the type of the tty driver. The following is an example of this file:<br>
<pre>
/dev/tty             /dev/tty        5       0 system:/dev/tty
/dev/console         /dev/console    5       1 system:console
/dev/ptmx            /dev/ptmx       5       2 system
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
usbserial            /dev/ttyUSB   188   0-254 serial
serial               /dev/ttyS       4   64-67 serial
<font class="fixd">pty_slave</font>            /dev/pts      136   0-255 pty:slave
<font class="fixd">pty_master</font>           /dev/ptm      128   0-255 pty:master
<font class="fixd">pty_slave</font>            /dev/ttyp       3   0-255 pty:slave
<font class="fixd">pty_master</font>           /dev/pty        2   0-255 pty:master
unknown              /dev/tty        4    1-63 console
</pre>
The <i>/proc/tty/driver/ </i>directory contains individual files for some of the tty drivers, if
they implement that functionality. The default serial driver creates a file in this directory
that shows a lot of serial-port-specific information about the hardware. Information
on how to create a file in this directory is described later.<br>
<br>
<A name="548"></a><font color="blue">PAGE 548</font><br>
<br>
All of the tty devices currently registered and present in the kernel have their own
subdirectory under <i>/sys/class/tty</i>. Within that subdirectory, there is a "dev" file that
contains the major and minor number assigned to that tty device. If the driver tells
the kernel the locations of the physical device and driver associated with the tty
device, it creates symlinks back to them. An example of this tree is:<br>
<pre>
/sys/class/tty/
|-- console
|   `-- dev
|-- ptmx
|   `-- dev
|-- tty
|   `-- dev
|-- tty0
|   `-- dev
   ...
|-- ttyS1
|   `-- dev
|-- ttyS2
|   `-- dev
|-- ttyS3
|   `-- dev
   ...
|-- ttyUSB0
|   |-- dev
|   |-- device -&gt; ../../../devices/pci0000:00/0000:00:09.0/usb3/3-1/3-1:1.0/ttyUSB0
|   `-- driver -&gt; ../../../bus/usb-serial/drivers/keyspan_4
|-- ttyUSB1
|   |-- dev
|   |-- device -&gt; ../../../devices/pci0000:00/0000:00:09.0/usb3/3-1/3-1:1.0/ttyUSB1
|   `-- driver -&gt; ../../../bus/usb-serial/drivers/keyspan_4
|-- ttyUSB2
|   |-- dev
|   |-- device -&gt; ../../../devices/pci0000:00/0000:00:09.0/usb3/3-1/3-1:1.0/ttyUSB2
|   `-- driver -&gt; ../../../bus/usb-serial/drivers/keyspan_4
`-- ttyUSB3
    |-- dev
    |-- device -&gt; ../../../devices/pci0000:00/0000:00:09.0/usb3/3-1/3-1:1.0/ttyUSB3
    `-- driver -&gt; ../../../bus/usb-serial/drivers/keyspan_4
</pre>
<a name="ASmallTTYDriver"></a><font color="red"><b>A Small TTY Driver</b></font><br>
<br>
To explain how the tty core works, we create a small tty driver that can be loaded,
written to and read from, and unloaded. The main data structure of any tty driver is
the <font class="fixd">struct tty_driver</font>. It it used to register and unregister a tty driver with the tty
core and is described in the kernel header file <i>&lt;linux/tty_driver.h&gt;</i>.<br>
<br>
<A name="549"></a><font color="blue">PAGE 549</font><br>
<br>
To create a <font class="fixd">struct tty_driver</font>, the function <i>alloc_tty_driver </i>must be called with the
number of tty devices this driver supports as the paramater. This can be done with
the following brief code:<br>
<pre>
/* allocate the tty driver */
tiny_tty_driver = alloc_tty_driver(TINY_TTY_MINORS);
if (!tiny_tty_driver)
    return -ENOMEM;
</pre>
After the <i>alloc_tty_driver </i>function is successfully called, the <font class="fixd">struct tty_driver</font>
should be initialized with the proper information based on the needs of the tty
driver. This structure contains a lot of different fields, but not all of them have to be
initialized in order to have a working tty driver. Here is an example that shows how
to initialize the structure and sets up enough of the fields to create a working tty
driver. It uses the <i>tty_set_operations </i>function to help copy over the set of function
operations that is defined in the driver:<br>
<pre>
static struct tty_operations serial_ops = {
    .open = tiny_open,
    .close = tiny_close,
    .write = tiny_write,
    .write_room = tiny_write_room,
    .set_termios = tiny_set_termios,
};

...

    /* initialize the tty driver */
    tiny_tty_driver-&gt;owner = THIS_MODULE;
    tiny_tty_driver-&gt;driver_name = &quot;tiny_tty&quot;;
    tiny_tty_driver-&gt;name = &quot;ttty&quot;;
    tiny_tty_driver-&gt;devfs_name = &quot;tts/ttty%d&quot;;
    tiny_tty_driver-&gt;major = TINY_TTY_MAJOR,
    tiny_tty_driver-&gt;type = TTY_DRIVER_TYPE_SERIAL,
    tiny_tty_driver-&gt;subtype = SERIAL_TYPE_NORMAL,
    tiny_tty_driver-&gt;flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_NO_DEVFS,
    tiny_tty_driver-&gt;init_termios = tty_std_termios;
    tiny_tty_driver-&gt;init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL;
    tty_set_operations(tiny_tty_driver, &amp;serial_ops);
</pre>
The variables and functions listed above, and how this structure is used, are
explained in the rest of the chapter.<br>
<br>
To register this driver with the tty core, the <font class="fixd">struct tty_driver</font> must be passed to the
<i>tty_register_driver</i> function:<br>
<pre>
/* register the tty driver */
retval = tty_register_driver(tiny_tty_driver);
if (retval) {
    printk(KERN_ERR &quot;failed to register tiny tty driver&quot;);
    put_tty_driver(tiny_tty_driver);
    return retval;
}
</pre>
<A name="550"></a><font color="blue">PAGE 550</font><br>
<br>
When <i>tty_register_driver </i>is called, the kernel creates all of the different sysfs tty files
for the whole range of minor devices that this tty driver can have. If you use <i>devfs
</i>(not covered in this book) and unless the <font class="fixd">TTY_DRIVER_NO_DEVFS</font> flag is specified, <i>devfs
</i>files are created, too. The flag may be specified if you want to call <i>tty_register_device
</i>only for the devices that actually exist on the system, so the user always has an up-todate
view of the devices present in the kernel, which is what <i>devfs</i> users expect.<br>
<br>
After registering itself, the driver registers the devices it controls through the <i>tty_
register_device</i> function. This function has three arguments:<br>
<ul>
<li> A pointer to the <font class="fixd">struct tty_driver</font> that the device belongs to.
<li> The minor number of the device.
<li> A pointer to the <font class="fixd">struct device</font> that this tty device is bound to. If the tty device is
not bound to any <font class="fixd">struct device</font>, this argument can be set to <font class="fixd">NULL</font>.
</ul>
Our driver registers all of the tty devices at once, as they are virtual and not bound to
any physical devices:<br>
<pre>
for (i = 0; i &lt; TINY_TTY_MINORS; ++i)
    tty_register_device(tiny_tty_driver, i, NULL);
</pre>
To unregister the driver with the tty core, all tty devices that were registered by calling
<i>tty_register_device </i>need to be cleaned up with a call to <i>tty_unregister_device</i>.
Then the <font class="fixd">struct tty_driver</font> must be unregistered with a call to <i>tty_unregister_driver</i>:<br>
<pre>
for (i = 0; i &lt; TINY_TTY_MINORS; ++i)
    tty_unregister_device(tiny_tty_driver, i);
tty_unregister_driver(tiny_tty_driver);
</pre>
<a name="StructTermios"></a><font color="red"><b>struct termios</b></font><br>
<br>
The <font class="fixd">init_termios</font> variable in the <font class="fixd">struct tty_driver</font> is a <font class="fixd">struct termios.</font> This variable
is used to provide a sane set of line settings if the port is used before it is initialized by
a user. The driver initializes the variable with a standard set of values, which is copied
from the <font class="fixd">tty_std_termios</font> variable. <font class="fixd">tty_std_termios</font> is defined in the tty core as:<br>
<pre>
struct termios tty_std_termios = {
    .c_iflag = ICRNL | IXON,
    .c_oflag = OPOST | ONLCR,
    .c_cflag = B38400 | CS8 | CREAD | HUPCL,
    .c_lflag = ISIG | ICANON | ECHO | ECHOE | ECHOK |
               ECHOCTL | ECHOKE | IEXTEN,
    .c_cc = INIT_C_CC
};
</pre>
The <font class="fixd">struct termios</font> structure is used to hold all of the current line settings for a specific
port on the tty device. These line settings control the current baud rate, data<br>
<br>
<A name="551"></a><font color="blue">PAGE 551</font><br>
<br>
size, data flow settings, and many other values. The different fields of this structure
are:<br>
<br>
<font class="fixd">tcflag_t c_iflag;</font><br>
<div class="bq">
The input mode flags</div>
<br>
<font class="fixd">tcflag_t c_oflag;</font><br>
<div class="bq">
The output mode flags</div>
<br>
<font class="fixd">tcflag_t c_cflag;</font><br>
<div class="bq">
The control mode flags</div>
<br>
<font class="fixd">tcflag_t c_lflag;</font><br>
<div class="bq">
The local mode flags</div>
<br>
<font class="fixd">cc_t c_line;</font><br>
<div class="bq">
The line discipline type</div>
<br>
<font class="fixd">cc_t c_cc[NCCS];</font><br>
<div class="bq">
An array of control characters</div>
<br>
All of the mode flags are defined as a large bitfield. The different values of the modes,
and what they are used for, can be seen in the termios manpages available in any
Linux distribution. The kernel provides a set of useful macros to get at the different
bits. These macros are defined in the header file <i>include/linux/tty.h</i>.<br>
<br>
All the fields that were defined in the <font class="fixd">tiny_tty_driver</font> variable are necessary to have
a working tty driver. The <font class="fixd">owner</font> field is necessary in order to prevent the tty driver
from being unloaded while the tty port is open. In previous kernel versions, it was up
to the tty driver itself to handle the module reference counting logic. But kernel programmers
determined that it would to be difficult to solve all of the different possible
race conditions, and so the tty core now handles all of this control for the tty
drivers.<br>
<br>
The <font class="fixd">driver_name</font> and <font class="fixd">name</font> fields look very similar, yet are used for different purposes.
The <font class="fixd">driver_name</font> variable should be set to something short, descriptive, and unique
among all tty drivers in the kernel. This is because it shows up in the <i>/proc/tty/
drivers </i>file to describe the driver to the user and in the sysfs tty class directory of tty
drivers currently loaded. The <font class="fixd">name</font> field is used to define a name for the individual tty
nodes assigned to this tty driver in the <i>/dev </i>tree. This string is used to create a tty
device by appending the number of the tty device being used at the end of the string.
It is also used to create the device name in the sysfs <i>/sys/class/tty/ </i>directory. If devfs is
enabled in the kernel, this name should include any subdirectory that the tty driver
wants to be placed into. As an example, the serial driver in the kernel sets the name
field to <font class="fixd">tts/</font> if devfs is enabled and <font class="fixd">ttyS</font> if it is not. This string is also displayed in the
<i>/proc/tty/drivers</i> file.<br>
<br>
<A name="552"></a><font color="blue">PAGE 552</font><br>
<br>
As we mentioned, the <i>/proc/tty/drivers </i>file shows all of the currently registered tty
drivers. With the <i>tiny_tty </i>driver registered in the kernel and no <i>devfs</i>, this file looks
something like the following:<br>
<pre>
$ <b>cat /proc/tty/drivers
</b>tiny_tty             /dev/ttty     240     0-3 serial
usbserial            /dev/ttyUSB   188   0-254 serial
serial               /dev/ttyS       4  64-107 serial
<font class="fixd">pty_slave</font>            /dev/pts      136   0-255 pty:slave
<font class="fixd">pty_master</font>           /dev/ptm      128   0-255 pty:master
<font class="fixd">pty_slave</font>            /dev/ttyp       3   0-255 pty:slave
<font class="fixd">pty_master</font>           /dev/pty        2   0-255 pty:master
unknown              /dev/vc/        4    1-63 console
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
/dev/ptmx            /dev/ptmx       5       2 system
/dev/console         /dev/console    5       1 system:console
/dev/tty             /dev/tty        5       0 system:/dev/tty
</pre>
Also, the sysfs directory <i>/sys/class/tty </i>looks something like the following when the
<font class="fixd">tiny_tty</font> driver is registered with the tty core:<br>
<pre>
$ <b>tree /sys/class/tty/ttty*
</b>/sys/class/tty/ttty0
`-- dev
/sys/class/tty/ttty1
`-- dev
/sys/class/tty/ttty2
`-- dev
/sys/class/tty/ttty3
`-- dev

$ <b>cat /sys/class/tty/ttty0/dev
</b>240:0
</pre>
The major variable describes what the major number for this driver is. The type and
subtype variables declare what type of tty driver this driver is. For our example, we
are a serial driver of a "normal" type. The only other subtype for a tty driver would
be a "callout" type. Callout devices were traditionally used to control the line settings
of a device. The data would be sent and received through one device node, and
any line setting changes would be sent to a different device node, which was the callout
device. This required the use of two minor numbers for every single tty device.
Thankfully, almost all drivers handle both the data and line settings on the same
device node, and the callout type is rarely used for new drivers.<br>
<br>
The <font class="fixd">flags</font> variable is used by both the tty driver and the tty core to indicate the current
state of the driver and what kind of tty driver it is. Several bitmask macros are
defined that you must use when testing or manipulating the flags. Three bits in the
<font class="fixd">flags</font> variable can be set by the driver:<br>
<br>
<font class="fixd">TTY_DRIVER_RESET_TERMIOS</font><br>
<div class="bq">
This flag states that the tty core resets the termios setting whenever the last process
has closed the device. This is useful for the console and pty drivers. For</div>
<br>
<A name="553"></a><font color="blue">PAGE 553</font><br>
<br>
<div class="bq">instance, suppose the user leaves a terminal in a weird state. With this flag set,
the terminal is reset to a normal value when the user logs out or the process that
controlled the session is "killed."</div>
<br>
<font class="fixd">TTY_DRIVER_REAL_RAW</font><br>
<div class="bq">
This flag states that the tty driver guarantees to send notifications of parity or
break characters up-to-the-line discipline. This allows the line discipline to process
received characters in a much quicker manner, as it does not have to inspect
every character received from the tty driver. Because of the speed benefits, this
value is usually set for all tty drivers.</div>
<br>
<font class="fixd">TTY_DRIVER_NO_DEVFS</font><br>
<div class="bq">
This flag states that when the call to <i>tty_register_driver </i>is made, the tty core does
not create any devfs entries for the tty devices. This is useful for any driver that
dynamically creates and destroys the minor devices. Examples of drivers that set
this are the USB-to-serial drivers, the USB modem driver, the USB Bluetooth tty
driver, and a number of the standard serial port drivers.<br>
<br>
When the tty driver later wants to register a specific tty device with the tty core,
it must call <i>tty_register_device</i>, with a pointer to the tty driver, and the minor
number of the device that has been created. If this is not done, the tty core still
passes all calls to the tty driver, but some of the internal tty-related functionality
might not be present. This includes <i>/sbin/hotplug </i>notification of new tty devices
and sysfs representation of the tty device. When the registered tty device is
removed from the machine, the tty driver must call <i>tty_unregister_device</i>.</div>
<br>
The one remaining bit in this variable is controlled by the tty core and is called
<font class="fixd">TTY_DRIVER_INSTALLED</font>. This flag is set by the tty core after the driver has been registered
and should never be set by a tty driver.<br>
<br>
<a name="TtydriverFunctionPointers"></a><font color="red"><b>tty_driver Function Pointers</b></font><br>
<br>
Finally, the <i>tiny_tty</i> driver declares four function pointers.<br>
<br>
<a name="OpenAndClose"></a><font color="red"><b>open and close</b></font><br>
<br>
The <i>open </i>function is called by the tty core when a user calls open on the device node
the tty driver is assigned to. The tty core calls this with a pointer to the <font class="fixd">tty_struct</font>
structure assigned to this device, and a file pointer. The <font class="fixd">open</font> field must be set by a tty
driver for it to work properly; otherwise, <font class="fixd">-ENODEV</font> is returned to the user when open is
called.<br>
<br>
When this <i>open </i>function is called, the tty driver is expected to either save some data
within the <font class="fixd">tty_struct</font> variable that is passed to it, or save the data within a static array
that can be referenced based on the minor number of the port. This is necessary so the<br>
<br>
<A name="554"></a><font color="blue">PAGE 554</font><br>
<br>
tty driver knows which device is being referenced when the later close, write, and
other functions are called.<br>
<br>
The <i>tiny_tty </i>driver saves a pointer within the tty structure, as can be seen with the
following code:<br>
<pre>
static int tiny_open(struct tty_struct *tty, struct file *file)
{
    struct tiny_serial *tiny;
    struct timer_list *timer;
    int index;

    /* initialize the pointer in case something fails */
    tty-&gt;driver_data = NULL;

    /* get the serial object associated with this tty pointer */
    index = tty-&gt;index;
    tiny = tiny_table[index];
    if (tiny = = NULL) {
        /* first time accessing this device, let's create it */
        tiny = kmalloc(sizeof(*tiny), GFP_KERNEL);
        if (!tiny)
            return -ENOMEM;

        init_MUTEX(&amp;tiny-&gt;sem);
        tiny-&gt;open_count = 0;
        tiny-&gt;timer = NULL;

        tiny_table[index] = tiny;
    }

    down(&amp;tiny-&gt;sem);

    /* save our structure within the tty structure */
    tty-&gt;driver_data = tiny;
    tiny-&gt;tty = tty;
</pre>
In this code, the <font class="fixd">tiny_serial</font> structure is saved within the tty structure. This allows
the <i>tiny_write</i>, <i>tiny_write_room</i>, and <i>tiny_close </i>functions to retrieve the <font class="fixd">tiny_serial</font>
structure and manipulate it properly.<br>
<br>
The <font class="fixd">tiny_serial</font> structure is defined as:<br>
<pre>
struct tiny_serial {
    struct tty_struct   *tty;       /* pointer to the tty for this device */
    int         open_count; /* number of times this port has been opened */
    struct semaphore    sem;        /* locks this structure */
    struct timer_list   *timer;

};
</pre>
As we've seen, the <font class="fixd">open_count</font> variable is initialized to <font class="fixd">0</font> in the open call the first time
the port is opened. This is a typical reference counter, needed because the <i>open </i>and
<i>close </i>functions of a tty driver can be called multiple times for the same device in<br>
<br>
<A name="555"></a><font color="blue">PAGE 555</font><br>
<br>
order to allow multiple processes to read and write data. To handle everything correctly,
a count of how many times the port has been opened or closed must be kept;
the driver increments and decrements the count as the port is used. When the port is
opened for the first time, any needed hardware initialization and memory allocation
can be done. When the port is closed for the last time, any needed hardware shutdown
and memory cleanup can be done.<br>
<br>
The rest of the <i>tiny_open </i>function shows how to keep track of the number of times
the device has been opened:<br>
<pre>
    ++tiny-&gt;open_count;
    if (tiny-&gt;open_count = = 1) {
        /* this is the first time this port is opened */
        /* do any hardware initialization needed here */
</pre>
The <i>open </i>function must return either a negative error number if something has happened
to prevent the open from being successful, or a 0 to indicate success.<br>
<br>
The <i>close </i>function pointer is called by the tty core when <i>close </i>is called by a user on
the file handle that was previously created with a call to <i>open</i>. This indicates that the
device should be closed at this time. However, since the <i>open </i>function can be called
more than once, the <i>close </i>function also can be called more than once. So this function
should keep track of how many times it has been called to determine if the hardware
should really be shut down at this time. The <i>tiny_tty </i>driver does this with the
following code:<br>
<pre>
static void do_close(struct tiny_serial *tiny)
{
    down(&amp;tiny-&gt;sem);

    if (!tiny-&gt;open_count) {
        /* port was never opened */
        goto exit;
    }

    --tiny-&gt;open_count;
    if (tiny-&gt;open_count &lt;= 0) {
        /* The port is being closed by the last user. */
        /* Do any hardware specific stuff here */

        /* shut down our timer */
        del_timer(tiny-&gt;timer);
    }
exit:
    up(&amp;tiny-&gt;sem);
}

static void tiny_close(struct tty_struct *tty, struct file *file)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
</pre>
<A name="556"></a><font color="blue">PAGE 556</font><br>
<pre>
    if (tiny)
        do_close(tiny);
}
</pre>
The <i>tiny_close </i>function just calls the <i>do_close </i>function to do the real work of closing
the device. This is done so that the shutdown logic does not have to be duplicated
here and when the driver is unloaded and a port is open. The <i>close </i>function has no
return value, as it is not supposed to be able to fail.<br>
<br>
<a name="FlowOfData"></a><font color="red"><b>Flow of Data</b></font><br>
<br>
The <i>write </i>function call is called by the user when there is data to be sent to the hardware.
First the tty core receives the call, and then it passes the data on to the tty
driver's <i>write </i>function. The tty core also tells the tty driver the size of the data being
sent.<br>
<br>
Sometimes, because of the speed and buffer capacity of the tty hardware, not all
characters requested by the writing program can be sent at the moment the <i>write
</i>function is called. The <i>write </i>function should return the number of characters that
was able to be sent to the hardware (or queued to be sent at a later time), so that the
user program can check if all of the data really was written. It is much easier for this
check to be done in user space than it is for a kernel driver to sit and sleep until all of
the requested data is able to be sent out. If any errors happen during the <i>write </i>call, a
negative error value should be returned instead of the number of characters that were
written.<br>
<br>
The <i>write </i>function can be called from both interrupt context and user context. This
is important to know, as the tty driver should not call any functions that might sleep
when it is in interrupt context. These include any function that might possibly call
<i>schedule</i>, such as the common functions <i>copy_from_user</i>, <i>kmalloc</i>, and <i>printk</i>. If you
really want to sleep, make sure to check first whether the driver is in interrupt context
by calling<i> in_interrupt</i>.<br>
<br>
This sample tiny tty driver does not connect to any real hardware, so its write function
simply records in the kernel debug log what data was supposed to be written. It
does this with the following code:<br>
<pre>
static int tiny_write(struct tty_struct *tty,
              const unsigned char *buffer, int count)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    int i;
    int retval = -EINVAL;

    if (!tiny)
        return -ENODEV;

    down(&amp;tiny-&gt;sem);
</pre>
<A name="557"></a><font color="blue">PAGE 557</font><br>
<pre>
    if (!tiny-&gt;open_count)
        /* port was not opened */
        goto exit;

    /* fake sending the data out a hardware port by
     * writing it to the kernel debug log.
     */
    printk(KERN_DEBUG &quot;%s - &quot;, __FUNCTION__);
    for (i = 0; i &lt; count; ++i)
        printk(&quot;%02x &quot;, buffer[i]);
    printk(&quot;\n&quot;);

exit:
    up(&amp;tiny-&gt;sem);
    return retval;
}
</pre>
The <i>write </i>function can be called when the tty subsystem itself needs to send some
data out the tty device. This can happen if the tty driver does not implement the
<i>put_char </i>function in the <font class="fixd">tty_struct</font>. In that case, the tty core uses the <i>write </i>function
callback with a data size of 1. This commonly happens when the tty core wants to
convert a newline character to a line feed plus a newline character. The biggest problem
that can occur here is that the tty driver's <i>write </i>function must not return 0 for
this kind of call. This means that the driver must write that byte of data to the device,
as the caller (the tty core) does not buffer the data and try again at a later time. As
the <i>write </i>function can not determine if it is being called in the place of <i>put_char</i>, even
if only one byte of data is being sent, try to implement the <i>write </i>function so it always
writes at least one byte before returning. A number of the current USB-to-serial tty
drivers do not follow this rule, and because of this, some terminals types do not work
properly when connected to them.<br>
<br>
The <i>write_room </i>function is called when the tty core wants to know how much room
in the write buffer the tty driver has available. This number changes over time as
characters empty out of the write buffers and as the <i>write </i>function is called, adding
characters to the buffer.<br>
<pre>
static int tiny_write_room(struct tty_struct *tty)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    int room = -EINVAL;

    if (!tiny)
        return -ENODEV;

    down(&amp;tiny-&gt;sem);

    if (!tiny-&gt;open_count) {
        /* port was not opened */
        goto exit;
    }
</pre>
<A name="558"></a><font color="blue">PAGE 558</font><br>
<pre>
    /* calculate how much room is left in the device */
    room = 255;

exit:
    up(&amp;tiny-&gt;sem);
    return room;
}
</pre>
<a name="OtherBufferingFunctions"></a><font color="red"><b>Other Buffering Functions</b></font><br>
<br>
The <i>chars_in_buffer </i>function in the <font class="fixd">tty_driver</font> structure is not required in order to
have a working tty driver, but it is recommended. This function is called when the tty
core wants to know how many characters are still remaining in the tty driver's write
buffer to be sent out. If the driver can store characters before it sends them out to the
hardware, it should implement this function in order for the tty core to be able to
determine if all of the data in the driver has drained out.<br>
<br>
Three functions callbacks in the <font class="fixd">tty_driver</font> structure can be used to flush any
remaining data that the driver is holding on to. These are not required to be implemented,
but are recommended if the tty driver can buffer data before it sends it to the
hardware. The first two function callbacks are called <i>flush_chars </i>and <i>wait_until_sent</i>.
These functions are called when the tty core has sent a number of characters to the
tty driver using the <i>put_char </i>function callback. The <i>flush_chars </i>function callback is
called when the tty core wants the tty driver to start sending these characters out to
the hardware, if it hasn't already started. This function is allowed to return before all
of the data is sent out to the hardware. The <i>wait_until_sent </i>function callback works
much the same way; but it must wait until all of the characters are sent before returning
to the tty core or until the passed in <i>timeout </i>value has expired, whichever occurrence
happens first. The tty driver is allowed to sleep within this function in order to
complete it. If the timeout value passed to the <i>wait_until_sent </i>function callback is set
to 0, the function should wait until it is finished with the operation.<br>
<br>
The remaining data flushing function callback is <i>flush_buffer</i>. It is called by the tty
core when the tty driver is to flush all of the data still in its write buffers out of memory.
Any data remaining in the buffer is lost and not sent to the device.<br>
<br>
<a name="NoReadFunction"></a><font color="red"><b>No read Function?</b></font><br>
<br>
With only these functions, the <i>tiny_tty </i>driver can be registered, a device node
opened, data written to the device, the device node closed, and the driver unregistered
and unloaded from the kernel. But the tty core and <font class="fixd">tty_driver</font> structure do not
provide a read function; in other words; no function callback exists to get data from
the driver to the tty core.<br>
<br>
Instead of a conventional read function, the tty driver is responsible for sending any data
received from the hardware to the tty core when it is received. The tty core buffers the<br>
<br>
<A name="559"></a><font color="blue">PAGE 559</font><br>
<br>
data until it is asked for by the user. Because of the buffering logic the tty core provides,
it is not necessary for every tty driver to implement its own buffering logic. The tty core
notifies the tty driver when a user wants the driver to stop and start sending data, but if
the internal tty buffers are full, no such notification occurs.<br>
<br>
The tty core buffers the data received by the tty drivers in a structure called <font class="fixd">struct
tty_flip_buffer</font>. A flip buffer is a structure that contains two main data arrays. Data
being received from the tty device is stored in the first array. When that array is full,
any user waiting on the data is notified that data is available to be read. While the
user is reading the data from this array, any new incoming data is being stored in the
second array. When that array is finished, the data is again flushed to the user, and
the driver starts to fill up the first array. Essentially, the data being received "flips"
from one buffer to the other, hopefully not overflowing both of them. To try to prevent
data from being lost, a tty driver can monitor how big the incoming array is,
and, if it fills up, tell the tty driver to flush the buffer at this moment in time, instead
of waiting for the next available chance.<br>
<br>
The details of the struct <font class="fixd">tty_flip_buffer</font> structure do not really matter to the tty
driver, with one exception, the variable <font class="fixd">count.</font> This variable contains how many
bytes are currently left in the buffer that are being used for receiving data. If this
value is equal to the value <font class="fixd">TTY_FLIPBUF_SIZE,</font> the flip buffer needs to be flushed out to
the user with a call to <i>tty_flip_buffer_push</i>. This is shown in the following bit of
code:<br>
<pre>
for (i = 0; i &lt; data_size; ++i) {
    if (tty-&gt;flip.count &gt;= TTY_FLIPBUF_SIZE)
        tty_flip_buffer_push(tty);
    tty_insert_flip_char(tty, data[i], TTY_NORMAL);
}
tty_flip_buffer_push(tty);
</pre>
Characters that are received from the tty driver to be sent to the user are added to the
flip buffer with a call to <i>tty_insert_flip_char</i>. The first parameter of this function is
the <font class="fixd">struct tty_struct</font> the data should be saved in, the second parameter is the character
to be saved, and the third parameter is any flags that should be set for this character.
The flags value should be set to <font class="fixd">TTY_NORMAL</font> if this is a normal character being
received. If this is a special type of character indicating an error receiving data, it
should be set to <font class="fixd">TTY_BREAK, TTY_FRAME, TTY_PARITY,</font> or <font class="fixd">TTY_OVERRUN,</font> depending on the
error.<br>
<br>
In order to "push" the data to the user, a call to <i>tty_flip_buffer_push </i>is made. This
function should also be called if the flip buffer is about to overflow, as is shown in
this example. So whenever data is added to the flip buffer, or when the flip buffer is
full, the tty driver must call <i>tty_flip_buffer_push</i>. If the tty driver can accept data at
very high rates, the <font class="fixd">tty-&gt;low_latency</font> flag should be set, which causes the call to
<i>tty_flip_buffer_push </i>to be immediately executed when called. Otherwise, the<br>
<br>
<A name="560"></a><font color="blue">PAGE 560</font><br>
<br>
<i>tty_flip_buffer_push </i>call schedules itself to push the data out of the buffer at some
later point in the near future.<br>
<br>
<a name="TTYLineSettings"></a><font color="red"><b>TTY Line Settings</b></font><br>
<br>
When a user wants to change the line settings of a tty device or retrieve the current
line settings, he makes one of the many different termios user-space library function
calls or directly makes an <i>ioctl </i>call on the tty device node. The tty core converts both
of these interfaces into a number of different tty driver function callbacks and <i>ioctl
</i>calls.<br>
<br>
<a name="Settermios"></a><font color="red"><b>set_termios</b></font><br>
<br>
The majority of the termios user-space functions are translated by the library into an
<i>ioctl </i>call to the driver node. A large number of the different tty <i>ioctl </i>calls are then
translated by the tty core into a single <i>set_termios </i>function call to the tty driver. The
<i>set_termios </i>callback needs to determine which line settings it is being asked to
change, and then make those changes in the tty device. The tty driver must be able to
decode all of the different settings in the termios structure and react to any needed
changes. This is a complicated task, as all of the line settings are packed into the termios
structure in a wide variety of ways.<br>
<br>
The first thing that a <i>set_termios </i>function should do is determine whether anything
actually has to be changed. This can be done with the following code:<br>
<pre>
unsigned int cflag;

cflag = tty-&gt;termios-&gt;c_cflag;

/* check that they really want us to change something */
if (old_termios) {
    if ((cflag = = old_termios-&gt;c_cflag) &amp;&amp;
        (RELEVANT_IFLAG(tty-&gt;termios-&gt;c_iflag) = =
         RELEVANT_IFLAG(old_termios-&gt;c_iflag))) {
        printk(KERN_DEBUG &quot; - nothing to change...\n&quot;);
        return;
    }
}
</pre>
The <font class="fixd">RELEVANT_IFLAG</font> macro is defined as:<br>
<pre>
#define RELEVANT_IFLAG(iflag) ((iflag) &amp; (IGNBRK|BRKINT|IGNPAR|PARMRK|INPCK))
</pre>
and is used to mask off the important bits of the <font class="fixd">cflags</font> variable. This is then compared
to the old value, and see if they differ. If not, nothing needs to be changed, so
we return. Note that the <font class="fixd">old_termios</font> variable is first checked to see if it points to a
valid structure first, before it is accessed. This is required, as sometimes this variable
is set to <font class="fixd">NULL</font>. Trying to access a field off of a <font class="fixd">NULL</font> pointer causes the kernel to panic.<br>
<br>
<A name="561"></a><font color="blue">PAGE 561</font><br>
<br>
To look at the requested byte size, the <font class="fixd">CSIZE</font> bitmask can be used to separate out the
proper bits from the <font class="fixd">cflag</font> variable. If the size can not be determined, it is customary
to default to eight data bits. This can be implemented as follows:<br>
<pre>
/* get the byte size */
switch (cflag &amp; CSIZE) {
    case CS5:
        printk(KERN_DEBUG &quot; - data bits = 5\n&quot;);
        break;
    case CS6:
        printk(KERN_DEBUG &quot; - data bits = 6\n&quot;);
        break;
    case CS7:
        printk(KERN_DEBUG &quot; - data bits = 7\n&quot;);
        break;
    default:
    case CS8:
        printk(KERN_DEBUG &quot; - data bits = 8\n&quot;);
        break;
}
</pre>
To determine the requested parity value, the <font class="fixd">PARENB</font> bitmask can be checked against
the <font class="fixd">cflag</font> variable to tell if any parity is to be set at all. If so, the <font class="fixd">PARODD</font> bitmask can be
used to determine if the parity should be odd or even. An implementation of this is:<br>
<pre>
/* determine the parity */
if (cflag &amp; PARENB)
    if (cflag &amp; PARODD)
        printk(KERN_DEBUG &quot; - parity = odd\n&quot;);
    else
        printk(KERN_DEBUG &quot; - parity = even\n&quot;);
else
    printk(KERN_DEBUG &quot; - parity = none\n&quot;);
</pre>
The stop bits that are requested can also be determined from the <font class="fixd">cflag</font> variable using
the <font class="fixd">CSTOPB</font> bitmask. An implementation of this is:<br>
<pre>
/* figure out the stop bits requested */
if (cflag &amp; CSTOPB)
    printk(KERN_DEBUG &quot; - stop bits = 2\n&quot;);
else
    printk(KERN_DEBUG &quot; - stop bits = 1\n&quot;);
</pre>
There are a two basic types of flow control: hardware and software. To determine if
the user is asking for hardware flow control, the <font class="fixd">CRTSCTS</font> bitmask can be checked
against the <font class="fixd">cflag</font> variable. An exmple of this is:<br>
<pre>
/* figure out the hardware flow control settings */
if (cflag &amp; CRTSCTS)
    printk(KERN_DEBUG &quot; - RTS/CTS is enabled\n&quot;);
else
    printk(KERN_DEBUG &quot; - RTS/CTS is disabled\n&quot;);
</pre>
<A name="562"></a><font color="blue">PAGE 562</font><br>
<br>
Determining the different modes of software flow control and the different stop and
start characters is a bit more involved:<br>
<pre>
/* determine software flow control */
/* if we are implementing XON/XOFF, set the start and
 * stop character in the device */
if (I_IXOFF(tty) || I_IXON(tty)) {
    unsigned char stop_char  = STOP_CHAR(tty);
    unsigned char start_char = START_CHAR(tty);

    /* if we are implementing INBOUND XON/XOFF */
    if (I_IXOFF(tty))
        printk(KERN_DEBUG &quot; - INBOUND XON/XOFF is enabled, &quot;
            &quot;XON = %2x, XOFF = %2x&quot;, start_char, stop_char);
    else
        printk(KERN_DEBUG&quot; - INBOUND XON/XOFF is disabled&quot;);

    /* if we are implementing OUTBOUND XON/XOFF */
    if (I_IXON(tty))
        printk(KERN_DEBUG&quot; - OUTBOUND XON/XOFF is enabled, &quot;
            &quot;XON = %2x, XOFF = %2x&quot;, start_char, stop_char);
    else
        printk(KERN_DEBUG&quot; - OUTBOUND XON/XOFF is disabled&quot;);
}
</pre>
Finally, the baud rate needs to be determined. The tty core provides a function,
<i>tty_get_baud_rate</i>, to help do this. The function returns an integer indicating the
requested baud rate for the specific tty device:<br>
<pre>
/* get the baud rate wanted */
printk(KERN_DEBUG &quot; - baud rate = %d&quot;, tty_get_baud_rate(tty));
</pre>
Now that the tty driver has determined all of the different line settings, it can set the
hardware up properly based on these values.<br>
<br>
<a name="TiocmgetAndTiocmset"></a><font color="red"><b>tiocmget and tiocmset</b></font><br>
<br>
In the 2.4 and older kernels, there used to be a number of tty <i>ioctl </i>calls to get and set
the different control line settings. These were denoted by the constants <font class="fixd">TIOCMGET,
TIOCMBIS, TIOCMBIC,</font> and <font class="fixd">TIOCMSET. TIOCMGET</font> was used to get the line setting values of
the kernel, and as of the 2.6 kernel, this <i>ioctl </i>call has been turned into a tty driver
callback function called <i>tiocmget</i>. The other three <i>ioctls </i>have been simplified and are
now represented with a single tty driver callback function called <i>tiocmset</i>.<br>
<br>
The <i>tiocmget </i>function in the tty driver is called by the tty core when the core wants
to know the current physical values of the control lines of a specific tty device. This is
usually done to retrieve the values of the DTR and RTSlines of a serial port. If the tty
driver cannot directly read the MSR or MCR registers of the serial port, because the
hardware does not allow this, a copy of them should be kept locally. A number of the<br>
<br>
<A name="563"></a><font color="blue">PAGE 563</font><br>
<br>
USB-to-serial drivers must implement this kind of "shadow" variable. Here is how
this function could be implemented if a local copy of these values are kept:<br>
<pre>
static int tiny_tiocmget(struct tty_struct *tty, struct file *file)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;

    unsigned int result = 0;
    unsigned int msr = tiny-&gt;msr;
    unsigned int mcr = tiny-&gt;mcr;

    result = ((mcr &amp; MCR_DTR)  ? TIOCM_DTR  : 0) |  /* DTR is set */
             ((mcr &amp; MCR_RTS)  ? TIOCM_RTS  : 0) |  /* RTS is set */
             ((mcr &amp; MCR_LOOP) ? TIOCM_LOOP : 0) |  /* LOOP is set */
             ((msr &amp; MSR_CTS)  ? TIOCM_CTS  : 0) |  /* CTS is set */
             ((msr &amp; MSR_CD)   ? TIOCM_CAR  : 0) |  /* Carrier detect is set*/
             ((msr &amp; MSR_RI)   ? TIOCM_RI   : 0) |  /* Ring Indicator is set */
             ((msr &amp; MSR_DSR)  ? TIOCM_DSR  : 0);   /* DSR is set */

    return result;
}
</pre>
The <i>tiocmset </i>function in the tty driver is called by the tty core when the core wants to
set the values of the control lines of a specific tty device. The tty core tells the tty
driver what values to set and what to clear, by passing them in two variables: set and
clear. These variables contain a bitmask of the lines settings that should be changed.
An <i>ioctl </i>call never asks the driver to both set and clear a particular bit at the same
time, so it does not matter which operation occurs first. Here is an example of how
this function could be implemented by a tty driver:<br>
<pre>
static int tiny_tiocmset(struct tty_struct *tty, struct file *file,
                         unsigned int set, unsigned int clear)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    unsigned int mcr = tiny-&gt;mcr;

    if (set &amp; TIOCM_RTS)
        mcr |= MCR_RTS;
    if (set &amp; TIOCM_DTR)
        mcr |= MCR_RTS;

    if (clear &amp; TIOCM_RTS)
        mcr &amp;= ~MCR_RTS;
    if (clear &amp; TIOCM_DTR)
        mcr &amp;= ~MCR_RTS;

    /* set the new MCR value in the device */
    tiny-&gt;mcr = mcr;
    return 0;
}
</pre>
<A name="564"></a><font color="blue">PAGE 564</font><br>
<br>
<a name="Ioctls"></a><font color="red"><b>ioctls</b></font><br>
<br>
The <i>ioctl </i>function callback in the <font class="fixd">struct tty_driver</font> is called by the tty core when
<i>ioctl</i>(2) is called on the device node. If the tty driver does not know how to handle
the <i>ioctl </i>value passed to it, it should return <font class="fixd">-ENOIOCTLCMD</font> to try to let the tty core
implement a generic version of the call.<br>
<br>
The 2.6 kernel defines about 70 different tty <i>ioctls </i>that can be be sent to a tty driver.
Most tty drivers do not handle all of these, but only a small subset of the more common
ones. Here is a list of the more popular tty <i>ioctls</i>, what they mean, and how to
implement them:<br>
<br>
<font class="fixd">TIOCSERGETLSR</font><br>
<div class="bq">
Gets the value of this tty device's line status register (LSR).</div>
<br>
<font class="fixd">TIOCGSERIAL</font><br>
<div class="bq">
Gets the serial line information. A caller can potentially get a lot of serial line
information from the tty device all at once in this call. Some programs (such as
<i>setserial </i>and <i>dip</i>) call this function to make sure that the baud rate was properly
set and to get general information on what type of device the tty driver controls.
The caller passes in a pointer to a large struct of type <font class="fixd">serial_struct,</font> which the
tty driver should fill up with the proper values. Here is an example of how this
can be implemented:<br>
<pre>
static int tiny_ioctl(struct tty_struct *tty, struct file *file,
                      unsigned int cmd, unsigned long arg)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    if (cmd = = TIOCGSERIAL) {
        struct serial_struct tmp;
        if (!arg)
            return -EFAULT;
        memset(&amp;tmp, 0, sizeof(tmp));
        tmp.type        = tiny-&gt;serial.type;
        tmp.line        = tiny-&gt;serial.line;
        tmp.port        = tiny-&gt;serial.port;
        tmp.irq         = tiny-&gt;serial.irq;
        tmp.flags       = ASYNC_SKIP_TEST | ASYNC_AUTO_IRQ;
        tmp.xmit_fifo_size  = tiny-&gt;serial.xmit_fifo_size;
        tmp.baud_base       = tiny-&gt;serial.baud_base;
        tmp.close_delay     = 5*HZ;
        tmp.closing_wait    = 30*HZ;
        tmp.custom_divisor  = tiny-&gt;serial.custom_divisor;
        tmp.hub6        = tiny-&gt;serial.hub6;
        tmp.io_type     = tiny-&gt;serial.io_type;
        if (copy_to_user((void __user *)arg, &amp;tmp, sizeof(tmp)))
            return -EFAULT;
        return 0;
    }
    return -ENOIOCTLCMD;
}
</pre></div>
<A name="565"></a><font color="blue">PAGE 565</font><br>
<br>
<font class="fixd">TIOCSSERIAL</font><br>
<div class="bq">
Sets the serial line information. This is the opposite of <font class="fixd">TIOCGSERIAL</font> and allows
the user to set the serial line status of the tty device all at once. A pointer to a
<font class="fixd">struct serial_struct</font> is passed to this call, full of data that the tty device should
now be set to. If the tty driver does not implement this call, most programs still
works properly.</div>
<br>
<font class="fixd">TIOCMIWAIT</font><br>
<div class="bq">
Waits for MSR change. The user asks for this <i>ioctl </i>in the unusual circumstances
that it wants to sleep within the kernel until something happens to the MSR register
of the tty device. The <font class="fixd">arg</font> parameter contains the type of event that the user
is waiting for. This is commonly used to wait until a status line changes, signaling
that more data is ready to be sent to the device.<br>
<br>
Be careful when implementing this <i>ioctl</i>, and do not use the <i>interruptible_sleep_on
</i>call, as it is unsafe (there are lots of nasty race conditions involved with it).
Instead, a <i>wait_queue </i>should be used to avoid these problems. Here's an example
of how to implement this ioctl:<br>
<pre>
static int tiny_ioctl(struct tty_struct *tty, struct file *file,
                      unsigned int cmd, unsigned long arg)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    if (cmd = = TIOCMIWAIT) {
        DECLARE_WAITQUEUE(wait, current);
        struct async_icount cnow;
        struct async_icount cprev;
        cprev = tiny-&gt;icount;
        while (1) {
            add_wait_queue(&amp;tiny-&gt;wait, &amp;wait);
            set_current_state(TASK_INTERRUPTIBLE);
            schedule( );
            remove_wait_queue(&amp;tiny-&gt;wait, &amp;wait);
            /* see if a signal woke us up */
            if (signal_pending(current))
                return -ERESTARTSYS;
            cnow = tiny-&gt;icount;
            if (cnow.rng = = cprev.rng &amp;&amp; cnow.dsr = = cprev.dsr &amp;&amp;
                cnow.dcd = = cprev.dcd &amp;&amp; cnow.cts = = cprev.cts)
                return -EIO; /* no change =&gt; error */
            if (((arg &amp; TIOCM_RNG) &amp;&amp; (cnow.rng != cprev.rng)) ||
                ((arg &amp; TIOCM_DSR) &amp;&amp; (cnow.dsr != cprev.dsr)) ||
                ((arg &amp; TIOCM_CD)  &amp;&amp; (cnow.dcd != cprev.dcd)) ||
                ((arg &amp; TIOCM_CTS) &amp;&amp; (cnow.cts != cprev.cts)) ) {
                return 0;
            }
            cprev = cnow;
        }
    }
    return -ENOIOCTLCMD;
}
</pre></div>
<A name="566"></a><font color="blue">PAGE 566</font><br>
<br>
<div class="bq">Somewhere in the tty driver's code that recognizes that the MSR register
changes, the following line must be called for this code to work properly:<br>
<pre>
wake_up_interruptible(&amp;tp-&gt;wait);
</pre></div>
<font class="fixd">TIOCGICOUNT</font><br>
<div class="bq">
Gets interrupt counts. This is called when the user wants to know how many
serial line interrupts have happened. If the driver has an interrupt handler, it
should define an internal structure of counters to keep track of these statistics
and increment the proper counter every time the function is run by the kernel.<br>
<br>
This <i>ioctl </i>call passes the kernel a pointer to a structure <font class="fixd">serial_icounter_struct,</font>
which should be filled by the tty driver. This call is often made in conjunction
with the previous <font class="fixd">TIOCMIWAIT</font> <i>ioctl </i>call. If the tty driver keeps track of all of these
interrupts while the driver is operating, the code to implement this call can be
very simple:<br>
<pre>
static int tiny_ioctl(struct tty_struct *tty, struct file *file,
                      unsigned int cmd, unsigned long arg)
{
    struct tiny_serial *tiny = tty-&gt;driver_data;
    if (cmd = = TIOCGICOUNT) {
        struct async_icount cnow = tiny-&gt;icount;
        struct serial_icounter_struct icount;
        icount.cts  = cnow.cts;
        icount.dsr  = cnow.dsr;
        icount.rng  = cnow.rng;
        icount.dcd  = cnow.dcd;
        icount.rx   = cnow.rx;
        icount.tx   = cnow.tx;
        icount.frame    = cnow.frame;
        icount.overrun  = cnow.overrun;
        icount.parity   = cnow.parity;
        icount.brk  = cnow.brk;
        icount.buf_overrun = cnow.buf_overrun;
        if (copy_to_user((void __user *)arg, &amp;icount, sizeof(icount)))
            return -EFAULT;
        return 0;
    }
    return -ENOIOCTLCMD;
}
</pre></div>
<a name="ProcAndSysfsHandlingOfTTYDevices"></a><font color="red"><b>proc and sysfs Handling of TTY Devices</b></font><br>
<br>
The tty core provides a very easy way for any tty driver to maintain a file in the <i>/proc/
tty/driver </i>directory. If the driver defines the <i>read_proc </i>or <i>write_proc </i>functions, this
file is created. Then, any read or write call on this file is sent to the driver. The formats
of these functions are just like the standard <i>/proc</i> file-handling functions.<br>
<br>
<A name="567"></a><font color="blue">PAGE 567</font><br>
<br>
As an example, here is a simple implementation of the <i>read_proc tty </i>callback that
merely prints out the number of the currently registered ports:<br>
<pre>
static int tiny_read_proc(char *page, char **start, off_t off, int count,
                          int *eof, void *data)
{
    struct tiny_serial *tiny;
    off_t begin = 0;
    int length = 0;
    int i;

    length += sprintf(page, &quot;tinyserinfo:1.0 driver:%s\n&quot;, DRIVER_VERSION);
    for (i = 0; i &lt; TINY_TTY_MINORS &amp;&amp; length &lt; PAGE_SIZE; ++i) {
        tiny = tiny_table[i];
        if (tiny = = NULL)
            continue;

        length += sprintf(page+length, &quot;%d\n&quot;, i);
        if ((length + begin) &gt; (off + count))
            goto done;
        if ((length + begin) &lt; off) {
            begin += length;
            length = 0;
        }
    }
    *eof = 1;
done:
    if (off &gt;= (length + begin))
        return 0;
    *start = page + (off-begin);
    return (count &lt; begin+length-off) ? count : begin + length-off;
}
</pre>
The tty core handles all of the sysfs directory and device creation when the tty
driver is registered, or when the individual tty devices are created, depending on
the <font class="fixd">TTY_DRIVER_NO_DEVFS</font> flag in the <font class="fixd">struct tty_driver</font>. The individual directory
always contains the <i>dev </i>file, which allows user-space tools to determine the major
and minor number assigned to the device. It also contains a <i>device </i>and <i>driver </i>symlink,
if a pointer to a valid <font class="fixd">struct device</font> is passed in the call to <i>tty_register_device</i>.
Other than these three files, it is not possible for individual tty drivers to create
new sysfs files in this location. This will probably change in future kernel releases.<br>
<br>
<a name="TheTtydriverStructureInDetail"></a><font color="red"><b>The <font class="fixd">tty_driver</font> Structure in Detail</b></font><br>
<br>
The <font class="fixd">tty_driver</font> structure is used to register a tty driver with the tty core. Here is a list
of all of the different fields in the structure and how they are used by the tty core:<br>
<br>
<font class="fixd">struct module *owner;</font><br>
<div class="bq">
The module owner for this driver.</div>
<br>
<A name="568"></a><font color="blue">PAGE 568</font><br>
<br>
<font class="fixd">int magic;</font><br>
<div class="bq">
The "magic" value for this structure. Should always be set to <font class="fixd">TTY_DRIVER_MAGIC</font>.
Is initialized in the <i>alloc_tty_driver</i> function.</div>
<br>
<font class="fixd">const char *driver_name;</font><br>
<div class="bq">
Name of the driver, used in <i>/proc/tty</i> and sysfs.</div>
<br>
<font class="fixd">const char *name;</font><br>
<div class="bq">
Node name of the driver.</div>
<br>
<font class="fixd">int name_base;</font><br>
<div class="bq">
Starting number to use when creating names for devices. This is used when the
kernel creates a string representation of a specific tty device assigned to the tty
driver.</div>
<br>
<font class="fixd">short major;</font><br>
<div class="bq">
Major number for the driver.</div>
<br>
<font class="fixd">short minor_start;</font><br>
<div class="bq">
Starting minor number for the driver. This is usually set to the same value as
<font class="fixd">name_base</font>. Typically, this value is set to 0.</div>
<br>
<font class="fixd">short num;</font><br>
<div class="bq">
Number of minor numbers assigned to the driver. If an entire major number
range is used by the driver, this value should be set to 255. This variable is initialized
in the <i>alloc_tty_driver</i> function.</div>
<br>
<font class="fixd">short type;<br>
short subtype;</font><br>
<div class="bq">
Describe what kind of tty driver is being registered with the tty core. The value
of <font class="fixd">subtype</font> depends on the <font class="fixd">type.</font> The <font class="fixd">type</font> field can be:<br>
<br>
<font class="fixd">TTY_DRIVER_TYPE_SYSTEM</font><br>
<div class="bq">
Used internally by the tty subsystem to remember that it is dealing with an
internal tty driver. subtype should be set to <font class="fixd">SYSTEM_TYPE_TTY, SYSTEM_TYPE_CONSOLE, 
SYSTEM_TYPE_SYSCONS,</font> or <font class="fixd">SYSTEM_TYPE_SYSPTMX</font>. This type should not
be used by any "normal" tty driver.</div>
<br>
<font class="fixd">TTY_DRIVER_TYPE_CONSOLE</font><br>
<div class="bq">
Used only by the console driver.</div>
<br>
<font class="fixd">TTY_DRIVER_TYPE_SERIAL</font><br>
<div class="bq">
Used by any serial type driver. <font class="fixd">subtype</font> should be set to <font class="fixd">SERIAL_TYPE_NORMAL</font>
or SERIAL_TYPE_CALLOUT, depending on which type your driver is. This is one
of the most common settings for the <font class="fixd">type</font> field.</div>
<br>
<font class="fixd">TTY_DRIVER_TYPE_PTY</font><br>
<div class="bq">
Used by the pseudo terminal interface (pty). <font class="fixd">subtype</font> needs to be set to either
<font class="fixd">PTY_TYPE_MASTER</font> or <font class="fixd">PTY_TYPE_SLAVE</font>.</div></div>
<br>
<font class="fixd">struct termios init_termios;</font><br>
<div class="bq">
Initial struct termios values for the device when it is created.</div>
<br>
<A name="569"></a><font color="blue">PAGE 569</font><br>
<br>
<font class="fixd">int flags;</font><br>
<div class="bq">
Driver flags, as described earlier in this chapter.</div>
<br>
<font class="fixd">struct proc_dir_entry *proc_entry;</font><br>
<div class="bq">
This driver's <i>/proc </i>entry structure. It is created by the tty core if the driver implements
the <i>write_proc </i>or <i>read_proc </i>functions. This field should not be set by the
tty driver itself.</div>
<br>
<font class="fixd">struct tty_driver *other;</font><br>
<div class="bq">
Pointer to a tty slave driver. This is used only by the pty driver and should not be
used by any other tty driver.</div>
<br>
<font class="fixd">void *driver_state;</font><br>
<div class="bq">
Internal state of the tty driver. Should be used only by the pty driver.</div>
<br>
<font class="fixd">struct tty_driver *next;<br>
struct tty_driver *prev;</font><br>
<div class="bq">
Linking variables. These variables are used by the tty core to chain all of the different
tty drivers together, and should not be touched by any tty driver.</div>
<br>
<a name="TheTtyoperationsStructureInDetail"></a><font color="red"><b>The <font class="fixd">tty_operations</font> Structure in Detail</b></font><br>
<br>
The <font class="fixd">tty_operations</font> structure contains all of the function callbacks that can be set by
a tty driver and called by the tty core. Currently, all of the function pointers contained
in this structure are also in the <font class="fixd">tty_driver</font> structure, but that will be replaced
soon with only an instance of this structure.<br>
<br>
<font class="fixd">int (*open)(struct tty_struct * tty, struct file * filp);</font><br>
<div class="bq">
The <i>open</i> function.</div>
<br>
<font class="fixd">void (*close)(struct tty_struct * tty, struct file * filp);</font><br>
<div class="bq">
The <i>close</i> function.</div>
<br>
<font class="fixd">int (*write)(struct tty_struct * tty, const unsigned char *buf, int count);<</font>br>
<div class="bq">
The <i>write</i> function.</div>
<br>
<font class="fixd">void (*put_char)(struct tty_struct *tty, unsigned char ch);</font><br>
<div class="bq">
The single-character <i>write </i>function. This function is called by the tty core when
a single character is to be written to the device. If a tty driver does not define this
function, the <i>write </i>function is called instead when the tty core wants to send a
single character.</div>
<br>
<font class="fixd">void (*flush_chars)(struct tty_struct *tty);<br>
void (*wait_until_sent)(struct tty_struct *tty, int timeout);</font><br>
<div class="bq">
The function that flushes data to the hardware.</div>
<br>
<font class="fixd">int (*write_room)(struct tty_struct *tty);</font><br>
<div class="bq">
The function that indicates how much of the buffer is free.</div>
<br>
<font class="fixd">int (*chars_in_buffer)(struct tty_struct *tty);</font><br>
<div class="bq">
The function that indicates how much of the buffer is full of data.</div>
<br>
<A name="570"></a><font color="blue">PAGE 570</font><br>
<br>
<font class="fixd">int (*ioctl)(struct tty_struct *tty, struct file * file, unsigned int cmd, unsigned long arg);</font><br>
<div class="bq">
The <i>ioctl </i>function. This function is called by the tty core when <i>ioctl(2) </i>is called
on the device node.</div>
<br>
<font class="fixd">void (*set_termios)(struct tty_struct *tty, struct termios * old);</font><br>
<div class="bq">
The <i>set_termios </i>function. This function is called by the tty core when the
device's termios settings have been changed.</div>
<br>
<font class="fixd">void (*throttle)(struct tty_struct * tty);<br>
void (*unthrottle)(struct tty_struct * tty);<br>
void (*stop)(struct tty_struct *tty);<br>
void (*start)(struct tty_struct *tty);</font><br>
<div class="bq">
Data-throttling functions. These functions are used to help control overruns of
the tty core's input buffers. The <i>throttle </i>function is called when the tty core's
input buffers are getting full. The tty driver should try to signal to the device that
no more characters should be sent to it. The <i>unthrottle </i>function is called when
the tty core's input buffers have been emptied out, and it can now accept more
data. The tty driver should then signal to the device that data can be received.
The <i>stop </i>and <i>start </i>functions are much like the <i>throttle </i>and <i>unthrottle </i>functions,
but they signify that the tty driver should stop sending data to the device and
then later resume sending data.</div>
<br>
<font class="fixd">void (*hangup)(struct tty_struct *tty);</font><br>
<div class="bq">
The <i>hangup </i>function. This function is called when the tty driver should hang up
the tty device. Any special hardware manipulation needed to do this should
occur at this time.</div>
<br>
<font class="fixd">void (*break_ctl)(struct tty_struct *tty, int state);</font><br>
<div class="bq">
The <i>line break </i>control function. This function is called when the tty driver is to
turn on or off the line BREAK status on the RS-232 port. If state is set to <font class="fixd">-1</font>, the
BREAK status should be turned on. If state is set to <font class="fixd">0,</font> the BREAK status should
be turned off. If this function is implemented by the tty driver, the tty core will
handle the <font class="fixd">TCSBRK, TCSBRKP, TIOCSBRK,</font> and <font class="fixd">TIOCCBRK</font> <i>ioctl</i>s. Otherwise, these <i>ioctl</i>s
are sent to the driver to the <i>ioctl</i> function.</div>
<br>
<font class="fixd">void (*flush_buffer)(struct tty_struct *tty);</font><br>
<div class="bq">
Flush buffer and lose any remaining data.</div>
<br>
<font class="fixd">void (*set_ldisc)(struct tty_struct *tty);</font><br>
<div class="bq">
The <i>set line discipline </i>function. This function is called when the tty core has
changed the line discipline of the tty driver. This function is generally not used
and should not be defined by a driver.</div>
<br>
<font class="fixd">void (*send_xchar)(struct tty_struct *tty, char ch);</font><br>
<div class="bq">
Send <i>X-type char </i>function. This function is used to send a high-priority XON or
XOFF character to the tty device. The character to be sent is specified in the ch
variable.</div>
<br>
<A name="571"></a><font color="blue">PAGE 571</font><br>
<br>
<font class="fixd">int (*read_proc)(char *page, char **start, off_t off, int count, int *eof, void *data);<br>
int (*write_proc)(struct file *file, const char *buffer, unsigned long count, void *data);</font><br>
<div class="bq">
<i>/proc read</i> and <i>write</i> functions.</div>
<br>
<font class="fixd">int (*tiocmget)(struct tty_struct *tty, struct file *file);</font><br>
<div class="bq">
Gets the current line settings of the specific tty device. If retrieved successfully
from the tty device, the value should be returned to the caller.</div>
<br>
<font class="fixd">int (*tiocmset)(struct tty_struct *tty, struct file *file, unsigned int set, unsigned int clear);</font><br>
<div class="bq">
Sets the current line settings of the specific tty device. set and clear contain the
different line settings that should either be set or cleared.</div>
<br>
<a name="TheTtystructStructureInDetail"></a><font color="red"><b>The <font class="fixd">tty_struct</font> Structure in Detail</b></font><br>
<br>
The <font class="fixd">tty_struct</font> variable is used by the tty core to keep the current state of a specific
tty port. Almost all of its fields are to be used only by the tty core, with a few exceptions.
The fields that a tty driver can use are described here:<br>
<br>
<font class="fixd">unsigned long flags;</font><br>
<div class="bq">
The current state of the tty device. This is a bitfield variable and is accessed
through the following macros:<br>
<br>
<font class="fixd">TTY_THROTTLED</font><br>
<div class="bq">
Set when the driver has had the <i>throttle </i>function called. Should not be set by
a tty driver, only the tty core.</div>
<br>
<font class="fixd">TTY_IO_ERROR</font><br>
<div class="bq">
Set by the driver when it does not want any data to be read from or written
to the driver. If a user program attempts to do this, it receives an -EIO error
from the kernel. This is usually set as the device is shutting down.</div>
<br>
<font class="fixd">TTY_OTHER_CLOSED</font><br>
<div class="bq">
Used only by the pty driver to notify when the port has been closed.</div>
<br>
<font class="fixd">TTY_EXCLUSIVE</font><br>
<div class="bq">
Set by the tty core to indicate that a port is in exclusive mode and can only
be accessed by one user at a time.</div>
<br>
<font class="fixd">TTY_DEBUG</font><br>
<div class="bq">
Not used anywhere in the kernel.</div>
<br>
<font class="fixd">TTY_DO_WRITE_WAKEUP</font><br>
<div class="bq">
If this is set, the line discipline's <i>write_wakeup </i>function is allowed to be
called. This is usually called at the same time the <i>wake_up_interruptible
</i>function is called by the tty driver.</div></div>
<br>
<A name="572"></a><font color="blue">PAGE 572</font><br>
<br>
<div class="bq">
<font class="fixd">TTY_PUSH</font><br>
<div class="bq">
Used only internally by the default tty line discipline.</div>
<br>
<font class="fixd">TTY_CLOSING</font><br>
<div class="bq">
Used by the tty core to keep track if a port is in the process of closing at that
moment in time or not.</div>
<br>
<font class="fixd">TTY_DONT_FLIP</font><br>
<div class="bq">
Used by the default tty line discipline to notify the tty core that it should not
change the flip buffer when it is set.</div>
<br>
<font class="fixd">TTY_HW_COOK_OUT</font><br>
<div class="bq">
If set by a tty driver, it notifies the line discipline that it will "cook" the output
sent to it. If it is not set, the line discipline copies output of the driver in
chunks; otherwise, it has to evaluate every byte sent individually for line
changes. This flag should generally not be set by a tty driver.</div>
<br>
<font class="fixd">TTY_HW_COOK_IN</font><br>
<div class="bq">
Almost identical to setting the <font class="fixd">TTY_DRIVER_REAL_RAW</font> flag in the driver flags
variable. This flag should generally not be set by a tty driver.</div>
<br>
<font class="fixd">TTY_PTY_LOCK</font><br>
<div class="bq">
Used by the pty driver to lock and unlock a port.</div>
<br>
<font class="fixd">TTY_NO_WRITE_SPLIT</font><br>
<div class="bq">
If set, the tty core does not split up writes to the tty driver into normal-sized
chunks. This value should not be used to prevent denial-of-service attacks
on tty ports by sending large amounts of data to a port.</div></div>
<br>
<font class="fixd">struct tty_flip_buffer flip;</font><br>
<div class="bq">
The flip buffer for the tty device.</div>
<br>
<font class="fixd">struct tty_ldisc ldisc;</font><br>
<div class="bq">
The line discipline for the tty device.</div>
<br>
<font class="fixd">wait_queue_head_t write_wait;</font><br>
<div class="bq">
The <i>wait_queue </i>for the tty writing function. A tty driver should wake this up to
signal when it can receive more data.</div>
<br>
<font class="fixd">struct termios *termios;</font><br>
<div class="bq">
Pointer to the current termios settings for the tty device.</div>
<br>
<font class="fixd">unsigned char stopped:1;</font><br>
<div class="bq">
Indicates whether the tty device is stopped. The tty driver can set this value.</div>
<br>
<font class="fixd">unsigned char hw_stopped:1;</font><br>
<div class="bq">
Indicates whether or not the tty device's hardware is stopped. The tty driver can
set this value.</div>
<br>
<font class="fixd">unsigned char low_latency:1;</font><br>
<div class="bq">
Indicates whether the tty device is a low-latency device, capable of receiving data
at a very high rate of speed. The tty driver can set this value.</div>
<br>
<A name="573"></a><font color="blue">PAGE 573</font><br>
<br>
<font class="fixd">unsigned char closing:1;</font><br>
<div class="bq">
Indicates whether the tty device is in the middle of closing the port. The tty
driver can set this value.</div>
<br>
<font class="fixd">struct tty_driver</font> driver;</font><br>
<div class="bq">
The current <font class="fixd">tty_driver</font> structure that controls this tty device.</div>
<br>
<font class="fixd">void *driver_data;</font><br>
<div class="bq">
A pointer that the <font class="fixd">tty_driver</font> can use to store data local to the tty driver. This
variable is not modified by the tty core.</div>
<br>
<a name="QuickReference18"></a><font color="red"><b>Quick Reference</b></font><br>
<br>
This section provides a reference for the concepts introduced in this chapter. It also
explains the role of each header file that a tty driver needs to include. The lists of
fields in the <font class="fixd">tty_driver</font> and <font class="fixd">tty_device</font> structures, however, are not repeated here.<br>
<br>
<font class="fixd">#include &lt;linux/tty_driver.h&gt;</font><br>
<div class="bq">
Header file that contains the definition of <font class="fixd">struct tty_driver</font> and declares some
of the different flags used in this structure.</div>
<br>
<font class="fixd">#include &lt;linux/tty.h&gt;</font><br>
<div class="bq">
Header file that contains the definition of <font class="fixd">struct tty_struct</font> and a number of
different macros to access the individual values of the <font class="fixd">struct termios</font> fields easily.
It also contains the function declarations of the tty driver core.</div>
<br>
<font class="fixd">#include &lt;linux/tty_flip.h&gt;</font><br>
<div class="bq">
Header file that contains some tty flip buffer inline functions that make it easier
to manipulate the flip buffer structures.</div>
<br>
<font class="fixd">#include &lt;asm/termios.h&gt;</font><br>
<div class="bq">
Header file that contains the definition of <font class="fixd">struct termio</font> for the specific hardware
platform the kernel is built for.</div>
<br>
<font class="fixd">struct tty_driver *alloc_tty_driver(int lines);</font><br>
<div class="bq">
Function that creates a <font class="fixd">struct tty_driver</font> that can be later passed to the
<i>tty_register_driver</i> and <i>tty_unregister_driver</i> functions.</div>
<br>
<font class="fixd">void put_tty_driver(struct tty_driver *driver);</font><br>
<div class="bq">
Function that cleans up a <font class="fixd">struct tty_driver</font> structure that has not been successfully
registered with the tty core.</div>
<br>
<font class="fixd">void tty_set_operations(struct tty_driver *driver, struct tty_operations *op);</font><br>
<div class="bq">
Function that initializes the function callbacks of a <font class="fixd">struct tty_driver</font>. This is
necessary to call before <i>tty_register_driver </i>can be called.</div>
<br>
<font class="fixd">int tty_register_driver(struct tty_driver *driver);
int tty_unregister_driver(struct tty_driver *driver);</font><br>
<div class="bq">
Functions that register and unregister a tty driver from the tty core.</div>
<br>
<A name="574"></a><font color="blue">PAGE 574</font><br>
<br>
<font class="fixd">void tty_register_device(struct tty_driver *driver, unsigned minor, struct device *device);<br>
void tty_unregister_device(struct tty_driver *driver, unsigned minor);</font><br>
<div class="bq">
Functions that register and unregister a single tty device with the tty core.</div>
<br>
<font class="fixd">void tty_insert_flip_char(struct tty_struct *tty, unsigned char ch, char flag);</font><br>
<div class="bq">
Function that inserts characters into the tty device's flip buffer to be read by a
user.</div>
<br>
<font class="fixd">TTY_NORMAL<br>
TTY_BREAK<br>
TTY_FRAME<br>
TTY_PARITY<br>
TTY_OVERRUN</font><br>
<div class="bq">
Different values for the flag paramater used in the <i>tty_insert_flip_char</i> function.</div>
<br>
<font class="fixd">int tty_get_baud_rate(struct tty_struct *tty);</font><br>
<div class="bq">
Function that gets the baud rate currently set for the specific tty device.</div>
<br>
<font class="fixd">void tty_flip_buffer_push(struct tty_struct *tty);</font><br>
<div class="bq">
Function that pushes the data in the current flip buffer to the user.</div>
<br>
<font class="fixd">tty_std_termios</font><br>
<div class="bq">
Variable that initializes a termios structure with a common set of default line
settings.</div>
<br>
<br><a name="Index"></a><font color="#7519FF" size="+1"><b>Index</b></font><br>
<br>
<A name="579"></a><font color="blue">PAGE 579</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">

<a name="Numbers"></a><font color="red"><b>Numbers</b></font><br><br>

16-bit ports, <a href="#240">240</a>, <a href="#242">242</a><br>
32-bit ports, <a href="#240">240</a><br>
<div class="bql">accessing, <a href="#240">240</a><br>
string functions for, <a href="#242">242</a></div>
8-bit ports, <a href="#240">240</a><br>
<div class="bql">reading/writing, <a href="#240">240</a><br>
string functions for, <a href="#242">242</a></div>

<br><a name="A"></a><font color="red"><b>A</b></font><br><br>

abstractions (hardware), <a href="#318">318</a><br>
access<br>
<div class="bql">blocking open requests, <a href="#176">176</a><br>
character (char) drivers, <a href="#6">6</a>, <a href="#43">43</a>-<a href="#49">49</a><br>
to device files, <a href="#173">173</a>-<a href="#179">179</a><br>
DMA (see DMA)<br>
to drivers, <a href="#47">47</a><br>
interfaces, <a href="#7">7</a><br>
I/O memory, <a href="#249">249</a>, <a href="#250">250</a>, <a href="#252">252</a><br>
ISA memory, <a href="#253">253</a><br>
kobjects, <a href="#365">365</a><br>
locking, <a href="#121">121</a><br>
management, <a href="#108">108</a><br>
NUMA systems, <a href="#216">216</a>, <a href="#417">417</a><br>
PCI, <a href="#305">305</a><br>
<div class="bql">configuration space, <a href="#315">315</a><br>
I/O and memory spaces, <a href="#316">316</a></div>
policies, <a href="#3">3</a><br>
ports, <a href="#255">255</a><br>
<div class="bql">different sizes, <a href="#240">240</a><br>
from user space, <a href="#241">241</a></div>
restriction of, <a href="#144">144</a>, <a href="#174">174</a></div>
</td><td valign="top" width="50%">
<div class="bql">seqlocks, <a href="#127">127</a><br>
unaligned data, <a href="#300">300</a></div>
access_ok function, <a href="#142">142</a><br>
ACTION variable, <a href="#399">399</a><br>
adding<br>
<div class="bql">devices, <a href="#392">392</a>-<a href="#395">395</a><br>
drivers, <a href="#396">396</a><br>
locking, <a href="#109">109</a><br>
VMAs, <a href="#426">426</a></div>
Address Resolution Protocol (see ARP)<br>
addresses<br>
<div class="bql">bounce buffers, <a href="#445">445</a><br>
bus (see bus addresses)<br>
buses, <a href="#443">443</a><br>
hardware, <a href="#508">508</a>, <a href="#515">515</a><br>
hardware (see hardware addresses)<br>
MAC, <a href="#504">504</a>, <a href="#532">532</a>-<a href="#534">534</a><br>
PCI, <a href="#303">303</a>, <a href="#452">452</a><br>
remapping, <a href="#434">434</a><br>
resolution (network management), <a href="#5">5</a><br>
resolving, <a href="#532">532</a><br>
spaces, generic I/O, <a href="#316">316</a><br>
types, <a href="#413">413</a><br>
virtual (conversion), <a href="#444">444</a></div>
aio_fsync operation, <a href="#438">438</a><br>
algorithms (lock-free), <a href="#123">123</a><br>
alignment<br>
<div class="bql">of data, <a href="#293">293</a><br>
unaligned data access, <a href="#300">300</a></div>
allocating<br>
<div class="bql">major device numbers, <a href="#46">46</a>-<a href="#49">49</a><br>
memory, <a href="#60">60</a>-<a href="#62">62</a>
<div class="bql">by page, <a href="#221">221</a></div></div>
</td></tr></table>
<br>
<A name="580"></a><font color="blue">PAGE 580</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
allocation, <a href="#249">249</a>, <a href="#255">255</a><br>
<div class="bql">of block drivers, <a href="#468">468</a><br>
of buffers, <a href="#530">530</a><br>
of device numbers, <a href="#45">45</a><br>
of DMA buffers, <a href="#442">442</a><br>
dynamic allocation of major numbers, <a href="#46">46</a><br>
of gendisk structures, <a href="#468">468</a><br>
of I/O ports, <a href="#239">239</a><br>
of memory, <a href="#60">60</a>-<a href="#63">63</a><br>
<div class="bql">boot time, <a href="#230">230</a>, <a href="#234">234</a><br>
flags, <a href="#215">215</a>, <a href="#218">218</a>, <a href="#231">231</a><br>
I/O, <a href="#249">249</a>, <a href="#255">255</a><br>
kmalloc allocation engine, <a href="#213">213</a>-<a href="#217">217</a><br>
lookaside caches, <a href="#217">217</a>-<a href="#224">224</a>, <a href="#232">232</a><br>
per-CPU variables, <a href="#228">228</a>-<a href="#230">230</a><br>
vmalloc allocation function, <a href="#224">224</a>-<a href="#228">228</a></div>
page-oriented functions, <a href="#221">221</a>, <a href="#233">233</a><br>
of snull drivers, <a href="#503">503</a><br>
of socket buffers, <a href="#522">522</a>, <a href="#530">530</a><br>
structures (registration), <a href="#55">55</a>-<a href="#57">57</a><br>
of urbs, <a href="#354">354</a></div>
alloc_netdev function, <a href="#504">504</a><br>
alloc_pages interface, <a href="#223">223</a><br>
alloc_skb function, <a href="#530">530</a><br>
alloc_tty_driver function, <a href="#549">549</a><br>
Alpha architecture, porting and, <a href="#243">243</a><br>
alternatives to locking, <a href="#123">123</a>-<a href="#130">130</a><br>
API (application programming interface)<br>
<div class="bql">spinlocks, <a href="#117">117</a><br>
timers, <a href="#198">198</a></div>
application programming interface (see API)<br>
applications versus kernel modules, <a href="#18">18</a>-<a href="#22">22</a><br>
architecture<br>
<div class="bql">EISA, <a href="#323">323</a><br>
M68k (porting and), <a href="#243">243</a><br>
MCA, <a href="#322">322</a><br>
NuBus, <a href="#324">324</a><br>
PCI, <a href="#302">302</a>-<a href="#319">319</a><br>
PowerPC (porting and), <a href="#244">244</a><br>
S/390, <a href="#402">402</a><br>
SBus, <a href="#324">324</a><br>
SPARC, <a href="#244">244</a><br>
Super-H, <a href="#244">244</a><br>
VLB, <a href="#323">323</a><br>
x86 (interrupt handlers on), <a href="#268">268</a><br>
zSeries, <a href="#402">402</a></div>
arguments<br>
<div class="bql">cache, <a href="#218">218</a><br>
flags, <a href="#213">213</a><br>
interrupt handlers, <a href="#272">272</a><br>
ioctl method, <a href="#141">141</a></div>
</td><td valign="top" width="50%">
<div class="bql">kmalloc size, <a href="#216">216</a><br>
sfile, <a href="#87">87</a></div>
ARM architecture, porting and, <a href="#243">243</a><br>
ARP (Address Resolution Protocol), <a href="#504">504</a><br>
<div class="bql">Ethernet and, <a href="#532">532</a><br>
IFF_NOARP flag and, <a href="#504">504</a>, <a href="#509">509</a><br>
overriding, <a href="#533">533</a></div>
arrays<br>
<div class="bql">bi_io_vec, <a href="#482">482</a><br>
block drivers, <a href="#468">468</a><br>
memory maps, <a href="#417">417</a><br>
parameters (declaration of), <a href="#37">37</a><br>
quantum sets (memory), <a href="#61">61</a></div>
asm directory, <a href="#19">19</a><br>
assignment<br>
<div class="bql">dynamic allocation of major numbers, <a href="#46">46</a><br>
of hardware addresses, <a href="#515">515</a><br>
of IP numbers, <a href="#499">499</a><br>
of parameter values, <a href="#35">35</a>-<a href="#37">37</a></div>
asynchronous DMA, <a href="#441">441</a><br>
asynchronous I/O, <a href="#437">437</a>-<a href="#440">440</a><br>
asynchronous notification, <a href="#169">169</a>-<a href="#171">171</a><br>
asynchronous running of timers, <a href="#197">197</a><br>
asynctest program, <a href="#169">169</a><br>
atomic context (spinlocks), <a href="#118">118</a><br>
atomic variables, <a href="#124">124</a><br>
atomic_add operation, <a href="#125">125</a><br>
atomic_dec operation, <a href="#125">125</a><br>
atomic_dec_and_test operation, <a href="#125">125</a><br>
atomic_inc operation, <a href="#125">125</a><br>
atomic_inc_and_test operation, <a href="#125">125</a><br>
atomic_read operation, <a href="#125">125</a><br>
atomic_set operation, <a href="#125">125</a><br>
atomic_sub operation, <a href="#125">125</a><br>
atomic_sub_and_test operation, <a href="#125">125</a><br>
atomic_t count field (memory), <a href="#417">417</a><br>
attributes<br>
<div class="bql">binary (kobjects), <a href="#374">374</a><br>
buses, <a href="#380">380</a><br>
data (firmware), <a href="#407">407</a><br>
default (kobjects), <a href="#372">372</a><br>
deleting, <a href="#374">374</a>, <a href="#381">381</a><br>
devices, <a href="#383">383</a>, <a href="#407">407</a><br>
drivers, <a href="#386">386</a><br>
loading (firmware), <a href="#407">407</a><br>
nondefault (kobjects), <a href="#373">373</a></div>
authorization, <a href="#8">8</a><br>
autodetection, <a href="#264">264</a><br>
automatic, IRQ number detection, <a href="#264">264</a><br>
</td></tr></table>
<br>
<A name="581"></a><font color="blue">PAGE 581</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">

<a name="B"></a><font color="red"><b>B</b></font><br><br>

back-casting kobject pointers, <a href="#365">365</a><br>
barriers<br>
<div class="bql">memory, <a href="#237">237</a>, <a href="#238">238</a>, <a href="#255">255</a><br>
requests, <a href="#485">485</a></div>
base module parameter, <a href="#247">247</a><br>
baud rates (tty drivers), <a href="#562">562</a><br>
BCD (binary-coded decimal) forms, <a href="#346">346</a><br>
bEndpointAddress field (USB), <a href="#330">330</a><br>
bibliography, <a href="#575">575</a><br>
big-endian byte order, <a href="#293">293</a><br>
bi_io_vec array, <a href="#482">482</a><br>
binary attributes (kobjects), <a href="#374">374</a><br>
binary-coded decimal (BCD) forms, <a href="#346">346</a><br>
bin_attribute structure, <a href="#374">374</a><br>
bInterval field (USB), <a href="#331">331</a><br>
bio structure, <a href="#482">482</a>, <a href="#487">487</a><br>
bitfields (ioctl commands), <a href="#137">137</a>, <a href="#180">180</a><br>
bits<br>
<div class="bql">clearing, <a href="#269">269</a><br>
operations, <a href="#126">126</a><br>
specifications, <a href="#246">246</a></div>
BLK_BOUNCE_HIGH symbol, <a href="#480">480</a><br>
blk_cleanup_queue function, <a href="#479">479</a><br>
blkdev_dequeue_request function, <a href="#479">479</a><br>
blk_queue_hardsect_size function, <a href="#470">470</a><br>
blk_queue_segment_boundary function, <a href="#481">481</a><br>
block devices, <a href="#7">7</a><br>
block drivers<br>
<div class="bql">command pre-preparation, <a href="#491">491</a><br>
functions, <a href="#494">494</a>-<a href="#496">496</a><br>
operations, <a href="#471">471</a>-<a href="#474">474</a><br>
registration, <a href="#465">465</a>-<a href="#470">470</a><br>
request processing, <a href="#474">474</a>-<a href="#491">491</a><br>
TCQ, <a href="#492">492</a>-<a href="#493">493</a></div>
block_fsync method, <a href="#167">167</a><br>
blocking<br>
<div class="bql">I/O, <a href="#147">147</a>-<a href="#162">162</a>, <a href="#176">176</a><br>
open method, <a href="#176">176</a><br>
operations, <a href="#151">151</a><br>
release method, <a href="#176">176</a></div>
bmAttributes field (USB), <a href="#330">330</a><br>
BogoMips value, <a href="#195">195</a><br>
boot time (memory allocation), <a href="#230">230</a>, <a href="#234">234</a><br>
booting (PCI), <a href="#306">306</a><br>
bottom halves<br>
<div class="bql">interrupt handlers, <a href="#275">275</a>-<a href="#278">278</a><br>
tasklets and, <a href="#276">276</a></div>
bounce buffers, <a href="#445">445</a><br>
<div class="bql">block drivers, <a href="#480">480</a><br>
streaming DMA mappings and, <a href="#449">449</a></div>
bridges, <a href="#303">303</a><br>
</td><td valign="top" width="50%">
BSS segments, <a href="#419">419</a><br>
buffers<br>
<div class="bql">allocation of, <a href="#530">530</a><br>
bounce, <a href="#445">445</a><br>
<div class="bql">block drivers, <a href="#480">480</a><br>
streaming DMA mappings and, <a href="#449">449</a></div>
circular, <a href="#78">78</a>, <a href="#123">123</a><br>
DMA (unmapping), <a href="#449">449</a><br>
freeing, <a href="#531">531</a><br>
I/O, <a href="#151">151</a><br>
large (obtaining), <a href="#230">230</a>, <a href="#234">234</a><br>
output, <a href="#152">152</a><br>
overrun errors, <a href="#9">9</a>, <a href="#95">95</a><br>
for printk function, <a href="#78">78</a><br>
ring (DMA), <a href="#441">441</a><br>
socket (see socket buffers)<br>
sockets, <a href="#522">522</a>, <a href="#528">528</a>-<a href="#532">532</a><br>
synchronization, <a href="#452">452</a><br>
transfers, <a href="#448">448</a><br>
tty drivers, <a href="#558">558</a><br>
USB, <a href="#338">338</a><br>
user space (direct I/O), <a href="#436">436</a><br>
write-buffering example, <a href="#282">282</a></div>
bugs (see debugging; troubleshooting)<br>
BULK endpoints (USB), <a href="#330">330</a><br>
bulk urbs (USB), <a href="#343">343</a><br>
bus_add_driver function, <a href="#396">396</a><br>
BUS_ATTR macro, <a href="#380">380</a><br>
bus_attribute type, <a href="#380">380</a><br>
buses<br>
<div class="bql">addresses, <a href="#413">413</a>, <a href="#443">443</a><br>
attributes, <a href="#380">380</a><br>
functions, <a href="#409">409</a><br>
IEEE1394 (Firewire), <a href="#400">400</a><br>
iteration, <a href="#379">379</a><br>
Linux device model, <a href="#377">377</a>-<a href="#381">381</a><br>
match function, <a href="#379">379</a><br>
methods, <a href="#379">379</a><br>
PCI (see PCI)<br>
registers, <a href="#445">445</a><br>
registration, <a href="#378">378</a><br>
USB (see USB)</div>
bus_for_each_dev function, <a href="#380">380</a><br>
bus_register function, <a href="#378">378</a><br>
bus_type structure, <a href="#378">378</a><br>
busy loops, <a href="#191">191</a><br>
busy-waiting implementation, <a href="#190">190</a><br>
bytes<br>
<div class="bql">CSIZE bitmask, <a href="#561">561</a><br>
order, <a href="#293">293</a><br>
orders, <a href="#300">300</a></div>
</td></tr></table>
<br>
<A name="582"></a><font color="blue">PAGE 582</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">

<a name="C"></a><font color="red"><b>C</b></font><br><br>

caches<br>
<div class="bql">argument, <a href="#218">218</a><br>
coherency issues, <a href="#445">445</a><br>
lookaside, <a href="#217">217</a>-<a href="#224">224</a>, <a href="#232">232</a><br>
troubleshooting, <a href="#237">237</a>, <a href="#425">425</a></div>
calling<br>
<div class="bql">current process, <a href="#21">21</a><br>
firmware, <a href="#407">407</a><br>
ioctl method, <a href="#136">136</a><br>
ioremap function, <a href="#249">249</a><br>
memory barriers, <a href="#238">238</a><br>
perror calls, <a href="#93">93</a><br>
preparation functions, <a href="#492">492</a><br>
release, <a href="#174">174</a></div>
cancellation of urbs, <a href="#345">345</a><br>
capabilities, restricted operations and, <a href="#144">144</a><br>
capability.h header file, <a href="#144">144</a>, <a href="#181">181</a><br>
capable function, <a href="#145">145</a>, <a href="#181">181</a><br>
CAP_DAC_OVERRIDE capability, <a href="#144">144</a><br>
<div class="bql">single-user access to devices, <a href="#175">175</a></div>
CAP_NET_ADMIN capability, <a href="#144">144</a><br>
CAP_SYS_ADMIN capability, <a href="#144">144</a><br>
CAP_SYS_MODULE capability, <a href="#144">144</a><br>
CAP_SYS_RAWIO capability, <a href="#144">144</a><br>
CAP_SYS_TTY_CONFIG capability, <a href="#144">144</a><br>
card select number (CSN), <a href="#321">321</a><br>
cardctl utility, <a href="#3">3</a><br>
carrier signals, <a href="#528">528</a><br>
cdev structure, <a href="#56">56</a><br>
change_bit operation, <a href="#126">126</a><br>
change_mtu method, <a href="#513">513</a><br>
<div class="bql">improving performance using socket<br>
<div class="bql">buffers, <a href="#522">522</a></div></div>
channels, DMA, <a href="#454">454</a>-<a href="#456">456</a><br>
char *buffer field (request structure), <a href="#477">477</a><br>
char bus_id field, <a href="#382">382</a><br>
char disk_name field (gendisk), <a href="#467">467</a><br>
char (character) drivers, <a href="#6">6</a><br>
<div class="bql">access, <a href="#43">43</a>-<a href="#49">49</a><br>
asynchronous notification, <a href="#169">169</a>-<a href="#171">171</a><br>
defining mechanism of, <a href="#42">42</a><br>
files<br>
<div class="bql">access to, <a href="#173">173</a>-<a href="#179">179</a><br>
operations, <a href="#49">49</a>-<a href="#53">53</a><br>
structures, <a href="#53">53</a></div>
inode structure, <a href="#55">55</a><br>
I/O, <a href="#147">147</a>-<a href="#162">162</a><br>
ioctl method, <a href="#135">135</a>-<a href="#147">147</a><br>
llseek method, <a href="#171">171</a><br>
memory usage (scull), <a href="#60">60</a>-<a href="#63">63</a><br>
open method, <a href="#58">58</a>-<a href="#59">59</a></div>
</td><td valign="top" width="50%">
<div class="bql">poll method, <a href="#163">163</a>-<a href="#169">169</a><br>
read method, <a href="#63">63</a>-<a href="#69">69</a><br>
readv calls, <a href="#69">69</a><br>
registration, <a href="#55">55</a>-<a href="#57">57</a><br>
release method, <a href="#59">59</a><br>
scull (design of), <a href="#42">42</a><br>
select method, <a href="#163">163</a>-<a href="#169">169</a><br>
testing, <a href="#70">70</a><br>
version numbers, <a href="#43">43</a><br>
write method, <a href="#63">63</a>-<a href="#69">69</a><br>
writev calls, <a href="#69">69</a></div>
char name field (net_device structure), <a href="#506">506</a><br>
char *name variable (USB), <a href="#352">352</a><br>
character drivers (see char drivers)<br>
chars_in_buffer function, <a href="#558">558</a><br>
check_flags method, <a href="#52">52</a><br>
CHECKSUM_ symbols, <a href="#523">523</a><br>
circular buffers, <a href="#123">123</a><br>
<div class="bql">DMA ring buffers, <a href="#441">441</a><br>
implementing interrupt handlers, <a href="#270">270</a><br>
for printk function, <a href="#78">78</a></div>
claim_dma_lock function, <a href="#457">457</a><br>
class register (PCI), <a href="#309">309</a><br>
classes<br>
<div class="bql">devices, <a href="#5">5</a>, <a href="#362">362</a>, <a href="#390">390</a><br>
functions, <a href="#410">410</a><br>
interfaces, <a href="#391">391</a><br>
Linux device model, <a href="#387">387</a>-<a href="#391">391</a><br>
management, <a href="#389">389</a><br>
modules, <a href="#5">5</a>-<a href="#8">8</a></div>
class_id field, <a href="#390">390</a><br>
class_simple interface, <a href="#388">388</a><br>
class_simple_create function, <a href="#404">404</a><br>
class_simple_device_add function, <a href="#404">404</a><br>
class_simple_device_remove function, <a href="#405">405</a><br>
cleanup function, <a href="#32">32</a><br>
clear_bit operation, <a href="#126">126</a><br>
clear_dma_ff function, <a href="#458">458</a><br>
clearing bits on interface boards, <a href="#269">269</a><br>
clock ticks (see jiffies, values)<br>
clocks, <a href="#208">208</a><br>
<div class="bql">cycles (counting), <a href="#186">186</a><br>
(see also time)</div>
cloning devices, <a href="#177">177</a><br>
close function (tty drivers), <a href="#553">553</a>-<a href="#556">556</a><br>
close method, <a href="#59">59</a><br>
<div class="bql">vm_operations_struct structure, <a href="#421">421</a></div>
cmd field (request structure), <a href="#492">492</a><br>
coarse-grained locking, <a href="#122">122</a><br>
code<br>
<div class="bql">concurrency in, <a href="#20">20</a><br>
delaying execution of, <a href="#196">196</a></div>
</td></tr></table>
<br>
<A name="583"></a><font color="blue">PAGE 583</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">execution, <a href="#190">190</a>-<a href="#196">196</a>, <a href="#209">209</a><br>
hello world module, <a href="#16">16</a>-<a href="#18">18</a><br>
inline assembly (example), <a href="#187">187</a><br>
ISA, <a href="#321">321</a><br>
kernels (see kernels)<br>
memory (scull), <a href="#107">107</a><br>
module requirements, <a href="#30">30</a><br>
runtime, <a href="#5">5</a><br>
scilluid, <a href="#175">175</a><br>
sleeps, <a href="#158">158</a><br>
test system setup, <a href="#15">15</a><br>
user space programming, <a href="#19">19</a>, <a href="#37">37</a>-<a href="#39">39</a></div>
coherency<br>
<div class="bql">caches, <a href="#445">445</a><br>
DMA, <a href="#446">446</a></div>
command pre-preparation (block drivers), <a href="#491">491</a><br>
command-oriented drivers, <a href="#146">146</a><br>
commands<br>
<div class="bql">dmesg, <a href="#77">77</a><br>
FIOASYNC, <a href="#141">141</a><br>
FIOCLEX, <a href="#141">141</a><br>
FIONBIO, <a href="#141">141</a><br>
FIONCLEX, <a href="#141">141</a><br>
FIOQSIZE, <a href="#141">141</a><br>
F_SETFL fcntl, <a href="#169">169</a><br>
F_SETOWN, <a href="#169">169</a><br>
gdb, <a href="#99">99</a><br>
ifconfig<br>
<div class="bql">net_device structure and, <a href="#506">506</a><br>
opening network drivers, <a href="#515">515</a>-<a href="#516">516</a><br>
snull interfaces, <a href="#501">501</a></div>
ioctl, <a href="#137">137</a>, <a href="#140">140</a><br>
<div class="bql">creating, <a href="#180">180</a><br>
customizing for networking, <a href="#535">535</a><br>
implementation, <a href="#145">145</a></div>
printk (see printk function)<br>
SIOCDEVPRIVATE, <a href="#535">535</a><br>
strace, <a href="#91">91</a><br>
wc, <a href="#92">92</a><br>
(see also functions)</div>
communication with user space, <a href="#362">362</a><br>
compilers<br>
<div class="bql">gcc, <a href="#188">188</a><br>
optimizations, <a href="#236">236</a></div>
compiling<br>
<div class="bql">char drivers, <a href="#70">70</a><br>
modules, <a href="#23">23</a>-<a href="#25">25</a></div>
complete function (urbs), <a href="#345">345</a><br>
complete module, <a href="#115">115</a><br>
</td><td valign="top" width="50%">
completion<br>
<div class="bql">of DMA, <a href="#458">458</a><br>
request functions, <a href="#486">486</a><br>
semaphores, <a href="#114">114</a>-<a href="#116">116</a><br>
urbs, <a href="#345">345</a></div>
concurrency<br>
<div class="bql">alternatives to locking, <a href="#123">123</a>-<a href="#130">130</a><br>
controlling transmission, <a href="#518">518</a><br>
debugging, <a href="#21">21</a><br>
in kernel programming, <a href="#20">20</a><br>
locking<br>
<div class="bql">adding, <a href="#109">109</a><br>
traps, <a href="#121">121</a>-<a href="#123">123</a></div>
management, <a href="#107">107</a>-<a href="#109">109</a><br>
scull (troubleshooting memory), <a href="#107">107</a><br>
semaphores<br>
<div class="bql">completion, <a href="#114">114</a>-<a href="#116">116</a><br>
implementation, <a href="#110">110</a>-<a href="#114">114</a></div>
spinlocks, <a href="#116">116</a>-<a href="#121">121</a><br>
transmission, <a href="#518">518</a></div>
CONFIG_ACPI_DEBUG option, <a href="#75">75</a><br>
CONFIG_DEBUG_DRIVER option, <a href="#75">75</a><br>
CONFIG_DEBUG_INFO option, <a href="#74">74</a><br>
CONFIG_DEBUG_KERNEL option, <a href="#73">73</a><br>
CONFIG_DEBUG_PAGEALLOC option, <a href="#74">74</a><br>
CONFIG_DEBUG_SLAB option, <a href="#73">73</a><br>
CONFIG_DEBUG_SPINLOCK option, <a href="#74">74</a><br>
CONFIG_DEBUG_SPINLOCK_SLEEP option, <a href="#74">74</a><br>
CONFIG_DEBUG_STACKOVERFLOW option, <a href="#74">74</a><br>
CONFIG_DEBUG_STACK_USAGE option, <a href="#74">74</a><br>
CONFIG_IKCONFIG option, <a href="#75">75</a><br>
CONFIG_IKCONFIG_PROC option, <a href="#75">75</a><br>
CONFIG_INIT_DEBUG option, <a href="#74">74</a><br>
CONFIG_INPUT_EVBUG option, <a href="#75">75</a><br>
CONFIG_KALLSYMS option, <a href="#74">74</a><br>
CONFIG_MAGIC_SYSRQ option, <a href="#74">74</a><br>
CONFIG_PROFILING option, <a href="#75">75</a><br>
CONFIG_SCSI_CONSTANTS option, <a href="#75">75</a><br>
configuration<br>
<div class="bql">cdev structure, <a href="#56">56</a><br>
char drivers, <a href="#45">45</a><br>
<div class="bql">dynamic allocation of major numbers, <a href="#46">46</a><br>
internal representation of device numbers, <a href="#44">44</a><br>
major/minor numbers, <a href="#43">43</a><br>
(see also char drivers)</div></div>
</td></tr></table>
<br>
<A name="584"></a><font color="blue">PAGE 584</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
configuration <i>(continued)</i><br>
<div class="bql">coherent DMA mappings, <a href="#446">446</a><br>
critical sections, <a href="#109">109</a><br>
DMA controllers, <a href="#456">456</a>-<a href="#459">459</a><br>
drivers, <a href="#35">35</a>-<a href="#37">37</a><br>
ether_setup function, <a href="#507">507</a>-<a href="#514">514</a><br>
interrupt handlers, <a href="#259">259</a>-<a href="#269">269</a><br>
kernels, <a href="#73">73</a>-<a href="#75">75</a><br>
line settings (tty drivers), <a href="#560">560</a>-<a href="#566">566</a><br>
multicasting, <a href="#539">539</a><br>
net_device structure, <a href="#502">502</a><br>
network devices, <a href="#512">512</a><br>
parameter assignment, <a href="#35">35</a>-<a href="#37">37</a><br>
PCI, <a href="#306">306</a><br>
<div class="bql">accessing configuration space, <a href="#315">315</a><br>
registers, <a href="#308">308</a></div>
serial lines, <a href="#565">565</a><br>
single-page streaming mappings, <a href="#450">450</a><br>
snull drivers, <a href="#498">498</a>-<a href="#502">502</a><br>
streaming DMA mappings, <a href="#448">448</a><br>
test system setup, <a href="#15">15</a><br>
timeouts, <a href="#193">193</a><br>
USB interfaces, <a href="#332">332</a><br>
version dependency, <a href="#26">26</a></div>
CONFIG_USB_DYNAMIC_MINORS configuration option, <a href="#353">353</a><br>
connections<br>
<div class="bql">Firewire, <a href="#400">400</a><br>
IP numbers, <a href="#500">500</a><br>
network drivers to kernels, <a href="#502">502</a>-<a href="#514">514</a><br>
PCI (see PCI)<br>
/proc file hierarchies, <a href="#86">86</a><br>
USB (see USB)<br>
(see also hotplugs)</div>
connectors (ISA), <a href="#323">323</a><br>
console_loglevel variable, <a href="#77">77</a><br>
<div class="bql">debugging system hangs, <a href="#97">97</a></div>
consoles<br>
<div class="bql">messages (redirecting), <a href="#77">77</a><br>
wrong font on, <a href="#147">147</a></div>
const char *dev_name functions, <a href="#260">260</a><br>
const char *name field (PCI registration), <a href="#311">311</a><br>
const char *name function, <a href="#348">348</a><br>
const struct pci_device_id *id_table field (PCI registration), <a href="#311">311</a><br>
const struct usb_device_id *id_table function, <a href="#348">348</a><br>
constructor function (kmem_cache_create), <a href="#218">218</a><br>
CONTROL endpoints (USB), <a href="#329">329</a><br>
control functions (queues), <a href="#480">480</a><br>
control urbs (USB), <a href="#343">343</a><br>
</td><td valign="top" width="50%">
controllers (PCI), <a href="#318">318</a><br>
controlling<br>
<div class="bql">transmission concurrency, <a href="#518">518</a><br>
urbs (USB), <a href="#354">354</a><br>
by writing control sequences, <a href="#146">146</a></div>
conventional memory, I/O registers, <a href="#236">236</a><br>
<div class="bql">(see also memory)</div>
conversion (virtual addresses), <a href="#444">444</a><br>
copying (cross-space), <a href="#64">64</a><br>
core files, <a href="#99">99</a><br>
counters<br>
<div class="bql">jiffies, <a href="#184">184</a><br>
reference (kobjects), <a href="#366">366</a><br>
registers, <a href="#186">186</a><br>
TSC, <a href="#186">186</a></div>
counts (interrupts), <a href="#566">566</a><br>
CPU modalities (levels), <a href="#20">20</a><br>
create_module system call, <a href="#226">226</a><br>
create_proc_read_entry function, <a href="#86">86</a><br>
creating<br>
<div class="bql">queues, <a href="#479">479</a><br>
urbs (USB), <a href="#341">341</a></div>
critical sections, <a href="#109">109</a><br>
cross-space copying, <a href="#64">64</a><br>
CRTSCTS bitmask, <a href="#561">561</a><br>
CSIZE bitmask, <a href="#561">561</a><br>
CSN (card select number), <a href="#321">321</a><br>
CSTOPB bitmask, <a href="#561">561</a><br>
current process, <a href="#21">21</a>, <a href="#40">40</a><br>
current time, retrieving, <a href="#188">188</a>-<a href="#190">190</a><br>
current.h header file, <a href="#21">21</a><br>
currentime file (jit module), <a href="#189">189</a><br>
custom<br>
<div class="bql">data types, <a href="#291">291</a><br>
ioctl methods for networking, <a href="#535">535</a></div>
cycles_t type, <a href="#187">187</a><br>

<br><a name="D"></a><font color="red"><b>D</b></font><br><br>

daemons<br>
<div class="bql">klogd, <a href="#17">17</a>, <a href="#77">77</a><br>
syslogd, <a href="#79">79</a></div>
data<br>
<div class="bql">explicitly sizing, <a href="#290">290</a><br>
physical packet transport, <a href="#501">501</a><br>
transferring with DMA, <a href="#440">440</a>-<a href="#459">459</a><br>
unaligned, portability and, <a href="#293">293</a></div>
data attribute (firmware), <a href="#407">407</a><br>
data functions (USB), <a href="#358">358</a><br>
data structures, <a href="#49">49</a><br>
<div class="bql">file operations, <a href="#49">49</a>-<a href="#53">53</a><br>
portability of, <a href="#294">294</a></div>
</td></tr></table>
<br>
<A name="585"></a><font color="blue">PAGE 585</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
data types<br>
<div class="bql">for explicitly sizing data, <a href="#290">290</a><br>
inptr_t (C99 standard), <a href="#289">289</a><br>
int, <a href="#289">289</a><br>
interface-specific, <a href="#291">291</a><br>
loose typing for I/O functions, <a href="#292">292</a><br>
mixing different, <a href="#289">289</a><br>
portability and, <a href="#288">288</a>-<a href="#292">292</a><br>
standard C types, <a href="#288">288</a><br>
u8, u16, u32, u64, <a href="#290">290</a><br>
uint8_t/unit32_t, <a href="#290">290</a></div>
dataalign program, <a href="#294">294</a><br>
datasize program, <a href="#288">288</a><br>
dd utility and scull driver example, <a href="#61">61</a><br>
deadline schedulers (I/O), <a href="#478">478</a><br>
deadlocks, avoiding, <a href="#117">117</a><br>
<div class="bql">(see also locking)</div>
debugging, <a href="#73">73</a>-<a href="#105">105</a><br>
<div class="bql">concurrency, <a href="#21">21</a><br>
using a debugger, <a href="#99">99</a>-<a href="#105">105</a><br>
using Dynamic Probes, <a href="#105">105</a><br>
interrupt handlers, <a href="#273">273</a><br>
with ioctl method, <a href="#90">90</a><br>
using kdb kernel debugger, <a href="#101">101</a>-<a href="#103">103</a><br>
kernels<br>
<div class="bql">monitoring, <a href="#91">91</a><br>
by printing, <a href="#75">75</a>-<a href="#82">82</a><br>
by querying, <a href="#82">82</a>-<a href="#91">91</a><br>
support, <a href="#73">73</a>-<a href="#75">75</a></div>
using kgdb, <a href="#103">103</a><br>
levels (implementation of), <a href="#81">81</a><br>
using LTT, <a href="#105">105</a><br>
locked keyboard, <a href="#97">97</a><br>
by printing, <a href="#81">81</a><br>
by querying, <a href="#91">91</a><br>
system faults, <a href="#93">93</a>-<a href="#98">98</a><br>
system hangs, <a href="#96">96</a><br>
using User-Mode Linux, <a href="#104">104</a><br>
(see also troubleshooting)</div>
declaration of array parameters, <a href="#37">37</a><br>
DECLARE_TASKLET macro, <a href="#276">276</a><br>
default attributes (kobjects), <a href="#372">372</a><br>
default_attrs field (kobjects), <a href="#372">372</a><br>
DEFAULT_CONSOLE_LOGLEVEL, <a href="#77">77</a><br>
DEFAULT_MESSAGE_LOGLEVEL, <a href="#77">77</a><br>
delaying execution of code, <a href="#190">190</a>-<a href="#196">196</a>, <a href="#209">209</a><br>
deleting<br>
<div class="bql">attributes, <a href="#374">374</a>, <a href="#381">381</a><br>
devices, <a href="#395">395</a><br>
drivers, <a href="#396">396</a><br>
mappings (DMA), <a href="#448">448</a><br>
/proc files, <a href="#86">86</a></div>
</td><td valign="top" width="50%">
<div class="bql">queues, <a href="#479">479</a><br>
symbolic links, <a href="#375">375</a></div>
del_timer_sync function, <a href="#200">200</a><br>
dentry field (file structure), <a href="#54">54</a><br>
dependency<br>
<div class="bql">platform, <a href="#27">27</a><br>
version, <a href="#26">26</a></div>
dereferencing memory addresses, <a href="#289">289</a><br>
descriptors (USB), <a href="#358">358</a><br>
design<br>
<div class="bql">concurrency, <a href="#107">107</a>-<a href="#109">109</a><br>
policy-free drivers, <a href="#3">3</a><br>
of scull, <a href="#42">42</a><br>
(see also configuration)</div>
desktops<br>
<div class="bql">PCI (see PCI)<br>
USB (see USB)</div>
destroying urbs (USB), <a href="#341">341</a><br>
destructor function (kmem_cache_create), <a href="#218">218</a><br>
/dev directory, <a href="#43">43</a><br>
/dev nodes, <a href="#6">6</a><br>
<div class="bql">char devices and, <a href="#43">43</a><br>
dynamic major number allocation, <a href="#46">46</a><br>
/dev/random device, <a href="#260">260</a><br>
/dev/urandom device, <a href="#260">260</a></div>
/dev tree, <a href="#403">403</a><br>
dev_alloc_skb function, <a href="#530">530</a><br>
development community (kernel), joining, <a href="#12">12</a><br>
development kernels, <a href="#10">10</a><br>
device attribute (firmware), <a href="#407">407</a><br>
DEVICE variable, <a href="#402">402</a><br>
deviceID register (PCI), <a href="#309">309</a><br>
devices<br>
<div class="bql">access to files, <a href="#173">173</a>-<a href="#179">179</a><br>
adding, <a href="#392">392</a>-<a href="#395">395</a><br>
allocation of numbers, <a href="#45">45</a><br>
attributes, <a href="#383">383</a><br>
block (see block drivers)<br>
caching problems, <a href="#425">425</a><br>
char drivers (see char drivers)<br>
character (see char drivers)<br>
classes of, <a href="#5">5</a>-<a href="#8">8</a>, <a href="#362">362</a>, <a href="#390">390</a><br>
cloning, <a href="#177">177</a><br>
concurrency, <a href="#107">107</a>-<a href="#109">109</a><br>
control operations, <a href="#5">5</a><br>
deleting, <a href="#395">395</a><br>
DMA and, <a href="#440">440</a>-<a href="#459">459</a><br>
drivers, <a href="#385">385</a><br>
dynamic, <a href="#397">397</a><br>
dynamic allocation of major numbers, <a href="#46">46</a></div>
</td></tr></table>
<br>
<A name="586"></a><font color="blue">PAGE 586</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
devices <i>(continued)</i><br>
<div class="bql">FIFO, <a href="#43">43</a><br>
file operations on, <a href="#49">49</a><br>
files, <a href="#43">43</a><br>
functions, <a href="#409">409</a><br>
hotpluggable, <a href="#362">362</a><br>
identifying type with ls command, <a href="#43">43</a><br>
initialization, <a href="#503">503</a><br>
input (hotplugging), <a href="#401">401</a><br>
internal representation of numbers, <a href="#44">44</a><br>
ioctl method, <a href="#135">135</a>-<a href="#147">147</a><br>
ISA, <a href="#320">320</a><br>
iteration, <a href="#379">379</a><br>
Linux device model, <a href="#362">362</a>-<a href="#364">364</a>, <a href="#381">381</a>-<a href="#387">387</a><br>
<div class="bql">buses, <a href="#377">377</a>-<a href="#381">381</a><br>
classes, <a href="#387">387</a>-<a href="#391">391</a><br>
firmware, <a href="#405">405</a>-<a href="#407">407</a><br>
hotplug events, <a href="#375">375</a><br>
hotplugging, <a href="#397">397</a>-<a href="#405">405</a><br>
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
lifecycles, <a href="#391">391</a>-<a href="#397">397</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a></div>
methods, <a href="#511">511</a><br>
names of, <a href="#46">46</a><br>
network, <a href="#400">400</a><br>
network drivers, <a href="#497">497</a><br>
numbers (printing), <a href="#82">82</a><br>
operations, <a href="#513">513</a><br>
reading and writing, <a href="#63">63</a><br>
reading data from, <a href="#166">166</a><br>
registration, <a href="#382">382</a>, <a href="#502">502</a><br>
SCSI, <a href="#402">402</a><br>
scullpipe (example), <a href="#153">153</a>-<a href="#162">162</a><br>
scullsingle, <a href="#174">174</a><br>
seeking, <a href="#171">171</a><br>
single-open, <a href="#173">173</a><br>
structures (embedding), <a href="#383">383</a><br>
truncating on open, <a href="#59">59</a><br>
USB (see USB)<br>
version (see versions, numbering)<br>
writing<br>
<div class="bql">control sequences to, <a href="#146">146</a><br>
data to, <a href="#166">166</a></div>
(see also drivers)</div>
dev_id pointer (installing shared handlers), <a href="#278">278</a><br>
dev_kfree_skb function, <a href="#524">524</a>, <a href="#531">531</a><br>
dev_mc_list structure, <a href="#538">538</a><br>
DEVPATH variable, <a href="#399">399</a><br>
dev_t i_rdev (inode structure field), <a href="#55">55</a><br>
</td><td valign="top" width="50%">
direct I/O, <a href="#435">435</a>-<a href="#440">440</a><br>
<div class="bql">implementation, <a href="#460">460</a><br>
(see also I/O)</div>
direct memory access (see DMA)<br>
directories<br>
<div class="bql">/dev, <a href="#43">43</a><br>
entries (file structure), <a href="#54">54</a><br>
of kernel headers, <a href="#19">19</a><br>
misc-progs source, <a href="#77">77</a>, <a href="#162">162</a><br>
/proc file hierarchy connections, <a href="#86">86</a><br>
/proc/tty/driver, <a href="#547">547</a><br>
sysfs<br>
<div class="bql">low-level operations, <a href="#371">371</a>-<a href="#375">375</a><br>
tty driver, <a href="#552">552</a><br>
USB, <a href="#333">333</a>-<a href="#335">335</a></div>
tty drivers, <a href="#566">566</a></div>
*dir_notify method, <a href="#52">52</a><br>
disable_dma function, <a href="#458">458</a><br>
disable_irq function, <a href="#279">279</a><br>
disabling<br>
<div class="bql">interrupt handlers, <a href="#273">273</a><br>
packet transmissions, <a href="#518">518</a><br>
print statements, <a href="#79">79</a></div>
disclosure of data, <a href="#9">9</a><br>
disconnect function (USB), <a href="#349">349</a>, <a href="#353">353</a><br>
disks<br>
<div class="bql">files versus open files, <a href="#53">53</a><br>
freeing, <a href="#468">468</a><br>
registration, <a href="#466">466</a></div>
distribution, writing drivers for, <a href="#28">28</a><br>
DMA (direct memory access), <a href="#440">440</a>-<a href="#459">459</a>, <a href="#461">461</a><br>
<div class="bql">block requests and, <a href="#489">489</a><br>
configuring controller, <a href="#456">456</a>-<a href="#459">459</a><br>
for ISA memory, <a href="#454">454</a>-<a href="#459">459</a><br>
mappings (scatter-gather), <a href="#450">450</a><br>
PCI devices and, <a href="#453">453</a><br>
registering usage, <a href="#455">455</a><br>
ring buffers, <a href="#441">441</a></div>
dma_addr_t setup_dma field (USB), <a href="#338">338</a><br>
dma_addr_t transfer_dma field (USB), <a href="#338">338</a><br>
DMA_BIDIRECTIONAL symbol, <a href="#448">448</a>, <a href="#461">461</a><br>
DMAC (DMA controller), <a href="#454">454</a><br>
DMA-capable memory zone, <a href="#215">215</a><br>
<div class="bql">SLAB_CACHE_DMA flag and, <a href="#218">218</a></div>
dma_free_coherent function, <a href="#447">447</a><br>
DMA_FROM_DEVICE symbol, <a href="#448">448</a>, <a href="#461">461</a><br>
dma.h header file, <a href="#455">455</a><br>
DMA_NONE symbol, <a href="#448">448</a>, <a href="#461">461</a><br>
dma_spin_lock, <a href="#457">457</a><br>
DMA_TO_DEVICE symbol, <a href="#448">448</a>, <a href="#461">461</a><br>
</td></tr></table>
<br>
<A name="587"></a><font color="blue">PAGE 587</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
dmesg command, <a href="#77">77</a><br>
do_close function, <a href="#556">556</a><br>
do_gettimeofday function, <a href="#188">188</a><br>
do_ioctl method, <a href="#513">513</a>, <a href="#535">535</a><br>
do_IRQ function, <a href="#268">268</a><br>
do-it-yourself probing, <a href="#266">266</a><br>
double underscore (__) functions, <a href="#22">22</a><br>
double-address cycle mappings (PCI), <a href="#452">452</a><br>
doubly linked lists (portability), <a href="#299">299</a>, <a href="#300">300</a><br>
down function, <a href="#111">111</a><br>
DRIVER_ATTR macro, <a href="#386">386</a><br>
drivers<br>
<div class="bql">adding, <a href="#396">396</a><br>
asynchronous notification and, <a href="#170">170</a><br>
attributes, <a href="#386">386</a><br>
block (see block drivers)<br>
char (see char drivers)<br>
command-oriented, <a href="#146">146</a><br>
configuring, <a href="#35">35</a>-<a href="#37">37</a><br>
deleting, <a href="#396">396</a><br>
devices, <a href="#385">385</a><br>
file operations, <a href="#49">49</a><br>
FireWire, <a href="#7">7</a><br>
functions, <a href="#409">409</a><br>
I2O, <a href="#7">7</a><br>
ioctl numbers for, <a href="#137">137</a><br>
iteration, <a href="#379">379</a><br>
lddbus, <a href="#379">379</a><br>
mechanism, <a href="#42">42</a><br>
<div class="bql">policy versus, <a href="#2">2</a><br>
separation from policies, <a href="#2">2</a>-<a href="#4">4</a></div>
modules, <a href="#7">7</a><br>
monitoring with preprocessor, <a href="#79">79</a>-<a href="#81">81</a><br>
network, <a href="#497">497</a><br>
<div class="bql">connecting to kernels, <a href="#502">502</a>-<a href="#514">514</a><br>
functions, <a href="#542">542</a>-<a href="#545">545</a><br>
interrupt handlers for, <a href="#523">523</a><br>
ioctl commands, <a href="#535">535</a><br>
link state (changes in), <a href="#528">528</a><br>
MAC addresses (resolution of), <a href="#532">532</a>-<a href="#534">534</a><br>
multicasting, <a href="#537">537</a>-<a href="#540">540</a><br>
opening, <a href="#515">515</a>-<a href="#516">516</a><br>
snull, <a href="#498">498</a>-<a href="#502">502</a><br>
statistics, <a href="#536">536</a></div>
sbull<br>
<div class="bql">initialization, <a href="#468">468</a><br>
request method, <a href="#475">475</a></div>
SCSI, <a href="#7">7</a><br>
scull (see scull)<br>
scullc (example), <a href="#219">219</a><br>
scullp (example), <a href="#223">223</a><br>
</td><td valign="top" width="50%">
<div class="bql">scullv (example), <a href="#227">227</a>, <a href="#233">233</a><br>
security issues, <a href="#8">8</a><br>
short (example), <a href="#246">246</a><br>
<div class="bql">accessing I/O memory, <a href="#252">252</a><br>
implementing interrupt handlers, <a href="#270">270</a><br>
installing interrupt handlers, <a href="#261">261</a><br>
probing, <a href="#266">266</a></div>
shortprint, <a href="#282">282</a>-<a href="#286">286</a><br>
structures (embedding), <a href="#386">386</a><br>
tty, <a href="#546">546</a>-<a href="#550">550</a><br>
<div class="bql">buffers, <a href="#558">558</a><br>
directories, <a href="#566">566</a><br>
functions, <a href="#573">573</a><br>
line settings, <a href="#560">560</a>-<a href="#566">566</a><br>
pointers, <a href="#553">553</a>-<a href="#560">560</a><br>
struct termios, <a href="#550">550</a>-<a href="#553">553</a><br>
tty_driver structure, <a href="#567">567</a><br>
tty_operations structure, <a href="#569">569</a><br>
tty_struct structure, <a href="#571">571</a></div>
USB (see USB)<br>
user-space, <a href="#37">37</a><br>
version (see versions, numbering)</div>
driver_unregister function, <a href="#397">397</a><br>
dynamic devices, <a href="#397">397</a><br>
Dynamic Probes debugging tool, <a href="#105">105</a><br>

<br><a name="E"></a><font color="red"><b>E</b></font><br><br>

EBUSY error, <a href="#176">176</a><br>
EISA (Extended ISA), <a href="#323">323</a><br>
elevators (I/O), <a href="#478">478</a><br>
elv_next_request function, <a href="#476">476</a>, <a href="#479">479</a>, <a href="#492">492</a><br>
embedding<br>
<div class="bql">device structures, <a href="#383">383</a><br>
driver structures, <a href="#386">386</a><br>
kobjects, <a href="#365">365</a></div>
enable_dma function, <a href="#458">458</a><br>
enable_irq function, <a href="#279">279</a><br>
enabling<br>
<div class="bql">configuration for kernels, <a href="#73">73</a>-<a href="#75">75</a><br>
interrupt handlers, <a href="#273">273</a><br>
PCI drivers, <a href="#314">314</a></div>
endless loops, preventing, <a href="#97">97</a><br>
end-of-file<br>
<div class="bql">poll method and, <a href="#165">165</a><br>
seeking relative to, <a href="#172">172</a></div>
endpoints<br>
<div class="bql">interfaces, <a href="#331">331</a><br>
USB, <a href="#328">328</a></div>
entropy pool and SA_SAMPLE_RANDOM flag, <a href="#260">260</a><br>
errno.h header file, <a href="#33">33</a><br>
error handling during initialization, <a href="#32">32</a><br>
</td></tr></table>
<br>
<A name="588"></a><font color="blue">PAGE 588</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
errors<br>
<div class="bql">buffer overrun, <a href="#95">95</a><br>
codes, <a href="#33">33</a><br>
handling at module initialization, <a href="#32">32</a>-<a href="#35">35</a><br>
read/write, <a href="#65">65</a><br>
values (pointers), <a href="#295">295</a><br>
(see also troubleshooting)</div>
/etc/networks file, <a href="#500">500</a><br>
/etc/syslog.conf file, <a href="#79">79</a><br>
ETH_ALEN macro, <a href="#515">515</a><br>
Ethernet<br>
<div class="bql">address resolution, <a href="#532">532</a><br>
ARP and, <a href="#532">532</a><br>
non-Ethernet headers, <a href="#534">534</a><br>
non-Ethernet interfaces, <a href="#507">507</a><br>
snull interfaces, <a href="#501">501</a></div>
ether_setup function, <a href="#504">504</a>, <a href="#507">507</a>-<a href="#514">514</a><br>
eth_header method, <a href="#512">512</a><br>
Ethtool, <a href="#541">541</a><br>
events<br>
<div class="bql">hotplug, <a href="#375">375</a><br>
race conditions, <a href="#107">107</a></div>
exclusive waits, <a href="#159">159</a><br>
execution<br>
<div class="bql">asynchronous (interrupt mode), <a href="#197">197</a><br>
of code (delaying), <a href="#190">190</a>-<a href="#196">196</a>, <a href="#209">209</a><br>
modes, <a href="#20">20</a><br>
shared interrupt handlers, <a href="#279">279</a><br>
threads, <a href="#109">109</a></div>
experimental kernels, <a href="#10">10</a><br>
exporting symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
EXPORT_SYMBOL macro, <a href="#32">32</a>, <a href="#41">41</a><br>
EXPORT_SYMBOL_GPL macro, <a href="#41">41</a><br>
extended buses, <a href="#325">325</a><br>
Extended ISA (EISA), <a href="#323">323</a><br>

<br><a name="F"></a><font color="red"><b>F</b></font><br><br>

fast interrupt handlers, <a href="#268">268</a><br>
FASYNC flag, <a href="#52">52</a>, <a href="#169">169</a><br>
fasync method, <a href="#52">52</a><br>
fasync_helper function, <a href="#170">170</a>, <a href="#182">182</a><br>
fasync_struct structure, <a href="#170">170</a><br>
faults, <a href="#19">19</a>, <a href="#93">93</a>-<a href="#98">98</a><br>
faulty module (oops messages), <a href="#94">94</a><br>
faulty_read function, <a href="#96">96</a><br>
faulty_write function, <a href="#96">96</a><br>
fcntl system call, <a href="#141">141</a>, <a href="#169">169</a><br>
fcntl.h header file, <a href="#151">151</a><br>
fc_setup function, <a href="#507">507</a><br>
fdatasync system call, <a href="#167">167</a><br>
FDDI networks, configuring interfaces, <a href="#507">507</a><br>
fddi_setup function, <a href="#507">507</a><br>
</td><td valign="top" width="50%">
f_dentry pointer, <a href="#54">54</a><br>
f_flags field (file structure), <a href="#54">54</a><br>
<div class="bql">O_NONBLOCK flag, <a href="#141">141</a>, <a href="#151">151</a></div>
fiber channel devices, initializing, <a href="#507">507</a><br>
FIFO (first-in-first-out) devices, <a href="#43">43</a><br>
<div class="bql">poll method and, <a href="#165">165</a></div>
File System header (fs.h), <a href="#71">71</a><br>
file_operations structure, <a href="#49">49</a>, <a href="#54">54</a><br>
<div class="bql">declaring using tagged initialization, <a href="#53">53</a><br>
mmap method and, <a href="#424">424</a></div>
files<br>
<div class="bql">access to, <a href="#173">173</a>-<a href="#179">179</a><br>
capability.h header file, <a href="#144">144</a>, <a href="#181">181</a><br>
devices, <a href="#43">43</a><br>
/etc/networks, <a href="#500">500</a><br>
flags, <a href="#54">54</a><br>
inode structure, <a href="#55">55</a><br>
interrupts, <a href="#262">262</a><br>
ioctl. header file, <a href="#179">179</a><br>
kmsg, <a href="#78">78</a><br>
ksyms, <a href="#32">32</a><br>
modes, <a href="#53">53</a><br>
net_int c, <a href="#507">507</a><br>
open, <a href="#53">53</a><br>
operations, <a href="#49">49</a>-<a href="#53">53</a><br>
poll.h header file, <a href="#163">163</a>, <a href="#182">182</a><br>
/proc, <a href="#84">84</a><br>
stat, <a href="#263">263</a><br>
structure, <a href="#53">53</a><br>
structures, <a href="#49">49</a><br>
uaccess.h header file, <a href="#180">180</a></div>
filesystems, <a href="#4">4</a><br>
<div class="bql">char drivers, <a href="#43">43</a>-<a href="#49">49</a><br>
modules, <a href="#8">8</a><br>
nodes, <a href="#4">4</a>, <a href="#7">7</a><br>
/proc, <a href="#86">86</a>-<a href="#90">90</a><br>
<div class="bql">installing interrupt handlers, <a href="#262">262</a><br>
shared interrupts and, <a href="#280">280</a></div>
sysfs, <a href="#409">409</a></div>
filp pointer, <a href="#53">53</a><br>
<div class="bql">in ioctl method, <a href="#136">136</a><br>
in read/write methods, <a href="#63">63</a></div>
filp-&gt;f_op, <a href="#54">54</a><br>
filter hotplug operation, <a href="#376">376</a><br>
fine-grained locking, <a href="#122">122</a><br>
FIOASYNC command, <a href="#141">141</a><br>
FIOCLEX command, <a href="#141">141</a><br>
FIONBIO command, <a href="#141">141</a><br>
FIONCLEX command, <a href="#141">141</a><br>
FIOQSIZE command, <a href="#141">141</a><br>
FireWire, <a href="#400">400</a><br>
<div class="bql">drivers, <a href="#7">7</a></div>
</td></tr></table>
<br>
<A name="589"></a><font color="blue">PAGE 589</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
firmware<br>
<div class="bql">calling, <a href="#407">407</a><br>
functions, <a href="#411">411</a><br>
interfaces, <a href="#405">405</a><br>
Linux device model, <a href="#405">405</a>-<a href="#407">407</a><br>
PCI boot time configuration, <a href="#307">307</a></div>
first-in-first-out (FIFO) devices (see FIFO devices)<br>
flags<br>
<div class="bql">argument, <a href="#213">213</a><br>
FASYNC, <a href="#169">169</a><br>
file, <a href="#54">54</a><br>
GFP_ATOMIC, <a href="#214">214</a>, <a href="#222">222</a><br>
GFP_COLD, <a href="#215">215</a><br>
GFP_DMA, <a href="#215">215</a><br>
GFP_HIGH, <a href="#215">215</a><br>
GFP_HIGHMEM, <a href="#215">215</a><br>
GFP_HIGHUSER, <a href="#214">214</a><br>
GFP_KERNEL, <a href="#221">221</a><br>
GFP_NOFAIL, <a href="#215">215</a><br>
GFP_NOFS, <a href="#214">214</a><br>
GFP_NOIO, <a href="#215">215</a><br>
GFP_NORETRY, <a href="#215">215</a><br>
GFP_NOWARN, <a href="#215">215</a><br>
GFP_REPEAT, <a href="#215">215</a><br>
GFP_USER, <a href="#214">214</a><br>
GTP_KERNEL, <a href="#214">214</a><br>
IFF_ALLMULTI, <a href="#509">509</a><br>
IFF_AUTOMEDIA, <a href="#510">510</a><br>
IFF_BROADCAST, <a href="#509">509</a><br>
IFF_DEBUG, <a href="#509">509</a><br>
IFF_DYNAMIC, <a href="#510">510</a><br>
IFF_LOOPBACK, <a href="#509">509</a><br>
IFF_MASTER, <a href="#510">510</a><br>
IFF_MULTICAST, <a href="#509">509</a><br>
IFF_NOARP, <a href="#504">504</a>, <a href="#509">509</a><br>
IFF_NOTRAILERS, <a href="#510">510</a><br>
IFF_POINTTOPOINT, <a href="#509">509</a><br>
IFF_PORTSEL, <a href="#510">510</a><br>
IFF_PROMISC, <a href="#509">509</a><br>
IFF_RUNNING, <a href="#510">510</a><br>
IFF_SLAVE, <a href="#510">510</a><br>
IFF_UP, <a href="#509">509</a><br>
media_change, <a href="#473">473</a><br>
memory allocation, <a href="#215">215</a>, <a href="#218">218</a>, <a href="#231">231</a><br>
for net_device structure, <a href="#509">509</a><br>
O_NONBLOCK (f_flags field), <a href="#166">166</a><br>
PACKET_HOST, <a href="#530">530</a><br>
PG_locked, <a href="#417">417</a><br>
POLLERR, <a href="#164">164</a><br>
POLLHUP, <a href="#164">164</a><br>
POLLIN, <a href="#164">164</a></div>
</td><td valign="top" width="50%">
<div class="bql">POLLOUT, <a href="#164">164</a><br>
POLLPRI, <a href="#164">164</a><br>
POLLRDBAND, <a href="#164">164</a><br>
POLLRDNORM, <a href="#164">164</a><br>
POLLWRBAND, <a href="#164">164</a><br>
POLLWRNORM, <a href="#164">164</a><br>
resource (PCI), <a href="#317">317</a><br>
SA_INTERRUPT, <a href="#260">260</a>, <a href="#286">286</a><br>
SA_SAMPLE_RANDOM, <a href="#260">260</a><br>
SA_SHIRQ, <a href="#260">260</a>, <a href="#278">278</a><br>
SLAB_CACHE_DMA, <a href="#218">218</a><br>
SLAB_CTOR_CONSTRUCTOR, <a href="#218">218</a><br>
SLAB_HWCACHE_ALIGN, <a href="#218">218</a><br>
SLAB_NO_REAP, <a href="#218">218</a><br>
TTY_DRIVER_NO_DEVFS, <a href="#553">553</a><br>
TTY_DRIVER_REAL_RAW, <a href="#553">553</a><br>
TTY_DRIVER_RESET_TERMIOS, <a href="#552">552</a><br>
VM_IO, <a href="#421">421</a><br>
Wall, <a href="#291">291</a></div>
flips (tty drivers), <a href="#559">559</a><br>
flow of data (tty drivers), <a href="#556">556</a><br>
flush method, <a href="#51">51</a><br>
<div class="bql">close system call and, <a href="#60">60</a></div>
flush operation, <a href="#51">51</a><br>
flushing pending output, <a href="#167">167</a><br>
f_mode field (file structure), <a href="#53">53</a><br>
fonts (incorrect on console), <a href="#147">147</a><br>
f_op pointer, <a href="#54">54</a><br>
fops pointers, <a href="#49">49</a><br>
forms (BCD), <a href="#346">346</a><br>
f_pos field (file structure), <a href="#54">54</a><br>
<div class="bql">read_proc function and, <a href="#84">84</a></div>
fragmentation, <a href="#442">442</a><br>
free command, <a href="#70">70</a><br>
free_dma function, <a href="#455">455</a><br>
freeing<br>
<div class="bql">buffers, <a href="#531">531</a><br>
device numbers, <a href="#45">45</a><br>
disks, <a href="#468">468</a><br>
DMA pools, <a href="#447">447</a><br>
semaphores, <a href="#111">111</a></div>
free_irq function, <a href="#279">279</a><br>
free_netdev functions, <a href="#505">505</a><br>
free_pages function, <a href="#222">222</a><br>
F_SETFL command, <a href="#141">141</a><br>
<div class="bql">fcntl system call and, <a href="#169">169</a></div>
F_SETFL fcntl command, <a href="#169">169</a><br>
F_SETOWN command, <a href="#169">169</a><br>
<div class="bql">fcntl system call and, <a href="#169">169</a></div>
fs.h header file, <a href="#71">71</a>, <a href="#179">179</a><br>
<div class="bql">asynchronous notification and, <a href="#170">170</a><br>
blocking/nonblocking operations, <a href="#151">151</a></div>
</td></tr></table>
<br>
<A name="590"></a><font color="blue">PAGE 590</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
fsync method, <a href="#51">51</a>, <a href="#167">167</a><br>
full class interfaces, <a href="#389">389</a><br>
functions<br>
<div class="bql">access_ok, <a href="#142">142</a><br>
alloc_netdev, <a href="#504">504</a><br>
alloc_skb, <a href="#530">530</a><br>
alloc_tty_driver, <a href="#549">549</a><br>
blk_cleanup_queue, <a href="#479">479</a><br>
blkdev_dequeue_request, <a href="#479">479</a><br>
blk_queue_hardsect_size, <a href="#470">470</a><br>
blk_queue_segment_boundary, <a href="#481">481</a><br>
block drivers, <a href="#494">494</a>-<a href="#496">496</a><br>
bus_add_driver, <a href="#396">396</a><br>
buses, <a href="#409">409</a><br>
bus_for_each_dev, <a href="#380">380</a><br>
bus_register, <a href="#378">378</a><br>
calling from modules/applications, <a href="#18">18</a><br>
capable, <a href="#145">145</a>, <a href="#181">181</a><br>
chars_in_buffer, <a href="#558">558</a><br>
claim_dma_lock, <a href="#457">457</a><br>
classes, <a href="#410">410</a><br>
class_simple_create, <a href="#404">404</a><br>
class_simple_device_add, <a href="#404">404</a><br>
class_simple_device_remove, <a href="#405">405</a><br>
cleanup, <a href="#32">32</a><br>
clear_dma_ff, <a href="#458">458</a><br>
close (tty drivers), <a href="#553">553</a>-<a href="#556">556</a><br>
complete (urbs), <a href="#345">345</a><br>
const char *dev_name, <a href="#260">260</a><br>
const char *name, <a href="#348">348</a><br>
const struct usb_device_id*id_table, <a href="#348">348</a><br>
constructor (kmem_cache_create), <a href="#218">218</a><br>
create_proc_read_entry, <a href="#86">86</a><br>
del_timer_sync, <a href="#200">200</a><br>
dev_alloc_skb, <a href="#530">530</a><br>
devices, <a href="#409">409</a><br>
dev_kfree_skb, <a href="#524">524</a>, <a href="#531">531</a><br>
disable_dma, <a href="#458">458</a><br>
disable_irq, <a href="#279">279</a><br>
disconnect (USB), <a href="#349">349</a>, <a href="#353">353</a><br>
dma_free_coherent, <a href="#447">447</a><br>
do_close, <a href="#556">556</a><br>
do_gettimeofday, <a href="#188">188</a><br>
do_IRQ, <a href="#268">268</a><br>
double underscore (__), <a href="#22">22</a><br>
down, <a href="#111">111</a><br>
drivers, <a href="#409">409</a><br>
driver_unregister, <a href="#397">397</a><br>
elv_next_request, <a href="#476">476</a>, <a href="#479">479</a>, <a href="#492">492</a><br>
enable_dma, <a href="#458">458</a><br>
enable_irq, <a href="#279">279</a></div>
</td><td valign="top" width="50%">
<div class="bql">ether_setup, <a href="#504">504</a>, <a href="#507">507</a>-<a href="#514">514</a><br>
fasync_helper, <a href="#170">170</a>, <a href="#182">182</a><br>
faulty_read, <a href="#96">96</a><br>
faulty_write, <a href="#96">96</a><br>
fc_setup, <a href="#507">507</a><br>
fddi_setup, <a href="#507">507</a><br>
firmware, <a href="#411">411</a><br>
free_dma, <a href="#455">455</a><br>
free_irq, <a href="#279">279</a><br>
free_netdev, <a href="#505">505</a><br>
free_pages, <a href="#222">222</a><br>
get_cycles, <a href="#187">187</a><br>
get_dma_residue, <a href="#458">458</a><br>
get_fast_time, <a href="#189">189</a><br>
get_free_page, <a href="#221">221</a><br>
get_free_pages, <a href="#214">214</a>, <a href="#221">221</a>, <a href="#225">225</a><br>
get_page, <a href="#427">427</a><br>
get_unaligned, <a href="#293">293</a><br>
get_user, <a href="#143">143</a>, <a href="#180">180</a><br>
get_user_pages, <a href="#435">435</a><br>
get_zeroed_page, <a href="#221">221</a><br>
handle_IRQ_event, <a href="#269">269</a><br>
hello world module, <a href="#16">16</a><br>
hippi_setup, <a href="#508">508</a><br>
in_atomic, <a href="#198">198</a><br>
inb, <a href="#240">240</a><br>
inb_p, <a href="#242">242</a><br>
in_interrupt, <a href="#198">198</a><br>
initialization, <a href="#31">31</a>-<a href="#35">35</a><br>
inl, <a href="#240">240</a><br>
insb, <a href="#242">242</a><br>
inserting schedules, <a href="#97">97</a><br>
insl, <a href="#242">242</a><br>
insw, <a href="#242">242</a><br>
int pci_enable_device, <a href="#314">314</a><br>
int printk_ratelimit(void), <a href="#81">81</a><br>
int seq_escape, <a href="#88">88</a><br>
int seq_path, <a href="#89">89</a><br>
int seq_printf, <a href="#88">88</a><br>
int seq_putc, <a href="#88">88</a><br>
int seq_puts, <a href="#88">88</a><br>
int (USB), <a href="#348">348</a><br>
inw, <a href="#240">240</a><br>
ioctl (tty drivers), <a href="#564">564</a><br>
ioremap, <a href="#226">226</a>, <a href="#249">249</a>, <a href="#256">256</a><br>
ioremap_nocache, <a href="#250">250</a><br>
iounmap, <a href="#225">225</a>, <a href="#250">250</a><br>
irqreturn_t, <a href="#260">260</a><br>
isa_readb, <a href="#254">254</a><br>
kfree_skb, <a href="#531">531</a><br>
kill_fasync, <a href="#170">170</a>, <a href="#182">182</a></div>
</td></tr></table>
<br>
<A name="591"></a><font color="blue">PAGE 591</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">kmalloc, <a href="#61">61</a><br>
<div class="bql">allocation engine, <a href="#213">213</a>-<a href="#217">217</a><br>
performance degradation issues, <a href="#222">222</a></div>
kmap, <a href="#418">418</a><br>
kmap_skb_frag, <a href="#532">532</a><br>
kmem_cache_alloc, <a href="#218">218</a><br>
kmem_cache_create, <a href="#217">217</a><br>
kmem_cache_t type, <a href="#217">217</a><br>
list_add, <a href="#297">297</a><br>
list_add_tail, <a href="#297">297</a><br>
list_del, <a href="#297">297</a><br>
list_empty, <a href="#297">297</a><br>
list_move, <a href="#297">297</a><br>
list_splice, <a href="#297">297</a><br>
locking, <a href="#121">121</a><br>
match (buses), <a href="#379">379</a><br>
mod_timer, <a href="#200">200</a>, <a href="#202">202</a><br>
module_init, <a href="#31">31</a><br>
netif_carrier_off, <a href="#528">528</a><br>
netif_carrier_ok, <a href="#528">528</a><br>
netif_carrier_on, <a href="#528">528</a><br>
netif_start_queue, <a href="#515">515</a><br>
netif_stop_queue, <a href="#516">516</a>, <a href="#518">518</a><br>
netif_wake_queue, <a href="#518">518</a><br>
network drivers, <a href="#542">542</a>-<a href="#545">545</a><br>
open (tty drivers), <a href="#553">553</a>-<a href="#556">556</a><br>
outb, <a href="#240">240</a><br>
outb_p, <a href="#242">242</a><br>
outl, <a href="#240">240</a><br>
outsb, <a href="#242">242</a><br>
outsl, <a href="#242">242</a><br>
outsw, <a href="#242">242</a><br>
outw, <a href="#240">240</a><br>
page-oriented allocation, <a href="#221">221</a>, <a href="#233">233</a><br>
pci_map-sg, <a href="#451">451</a><br>
pci_remove_bus_device, <a href="#395">395</a><br>
pci_resource_, <a href="#317">317</a><br>
pfn_to_page, <a href="#417">417</a><br>
poll_wait, <a href="#163">163</a>, <a href="#182">182</a><br>
printk, <a href="#17">17</a>, <a href="#76">76</a>-<a href="#82">82</a><br>
<div class="bql">circular buffers for, <a href="#78">78</a><br>
logging messages from, <a href="#78">78</a><br>
seq_file interface (avoiding in), <a href="#88">88</a><br>
turning debug messages on/off, <a href="#79">79</a></div>
probe (USB), <a href="#350">350</a><br>
probe_irq_off, <a href="#265">265</a><br>
probe_irq_on, <a href="#265">265</a><br>
put_unaligned, <a href="#293">293</a><br>
put_user, <a href="#143">143</a>, <a href="#180">180</a><br>
queues, <a href="#479">479</a><br>
rdtscl, <a href="#187">187</a><br>
read (tty drivers), <a href="#558">558</a></div>
</td><td valign="top" width="50%">
<div class="bql">read_proc, <a href="#85">85</a><br>
register_blkdev, <a href="#465">465</a><br>
register_chrdev, <a href="#404">404</a><br>
register_netdev, <a href="#503">503</a><br>
relaease_dma_lock, <a href="#457">457</a><br>
release (kobjects), <a href="#367">367</a><br>
remap_pfn_range, <a href="#424">424</a><br>
remove_proc_entry, <a href="#86">86</a><br>
request (block drivers), <a href="#474">474</a>-<a href="#491">491</a><br>
request_dma, <a href="#455">455</a><br>
request_firmware, <a href="#406">406</a><br>
SAK, <a href="#97">97</a><br>
sbull_request, <a href="#469">469</a><br>
schedule, <a href="#181">181</a><br>
<div class="bql">execution of code (delaying), <a href="#193">193</a><br>
preventing endless loops with, <a href="#97">97</a></div>
schedule_timeout, <a href="#194">194</a><br>
scull<br>
<div class="bql">open method, <a href="#58">58</a>-<a href="#59">59</a><br>
release method, <a href="#59">59</a></div>
scull_cleanup, <a href="#179">179</a><br>
scull_getwritespace, <a href="#158">158</a><br>
semaphores (see semaphores)<br>
set_dma_addr, <a href="#457">457</a><br>
set_dma_count, <a href="#457">457</a><br>
set_dma_mode, <a href="#457">457</a><br>
set_mb, <a href="#238">238</a><br>
set_multicast_list, <a href="#539">539</a><br>
set_rmb, <a href="#238">238</a><br>
set_termios, <a href="#560">560</a><br>
set_wmb, <a href="#238">238</a><br>
sg_dma_address, <a href="#462">462</a><br>
sg_dma_len, <a href="#462">462</a><br>
show, <a href="#386">386</a><br>
skb_headlen, <a href="#532">532</a><br>
skb_headroom, <a href="#531">531</a><br>
skb_is_nonlinear, <a href="#532">532</a><br>
skb_pull, <a href="#532">532</a><br>
skb_push, <a href="#531">531</a><br>
skb_put, <a href="#531">531</a><br>
skb_reserve, <a href="#531">531</a><br>
skb_tailroom, <a href="#531">531</a><br>
sleep_on, <a href="#162">162</a><br>
acting on socket buffers, <a href="#530">530</a><br>
spinlocks, <a href="#119">119</a><br>
struct module *owner, <a href="#348">348</a><br>
sysfs filesystem, <a href="#409">409</a><br>
sys_syslog, <a href="#77">77</a><br>
tasklet_schedule, <a href="#276">276</a><br>
tiny_close, <a href="#556">556</a><br>
tiocmget, <a href="#562">562</a><br>
tiomset, <a href="#562">562</a></div>
</td></tr></table>
<br>
<A name="592"></a><font color="blue">PAGE 592</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
functions <i>(continued)</i><br>
<div class="bql">tr_configure, <a href="#508">508</a><br>
tty drivers, <a href="#573">573</a><br>
tty_driver (pointers), <a href="#553">553</a>-<a href="#560">560</a><br>
tty_get_baud_rate, <a href="#562">562</a><br>
tty_register_driver, <a href="#549">549</a><br>
unregister_netdev, <a href="#505">505</a><br>
unsigned int irq, <a href="#260">260</a><br>
unsigned long flags, <a href="#260">260</a><br>
unsigned long pci_resource_end, <a href="#317">317</a><br>
unsigned long pci_resource_start, <a href="#317">317</a><br>
unsigned pci_resource_flags, <a href="#317">317</a><br>
up, <a href="#111">111</a><br>
urbs_completion, <a href="#345">345</a><br>
usb_alloc_urb, <a href="#342">342</a><br>
usb_bulk_msg, <a href="#356">356</a><br>
usb_control_msg, <a href="#357">357</a><br>
usb_fill_bulk_urb, <a href="#343">343</a><br>
usb_fill_control_urb, <a href="#343">343</a><br>
usb_fill_int_urb, <a href="#342">342</a><br>
usb_get_descriptor, <a href="#358">358</a><br>
usb_kill_urb, <a href="#345">345</a><br>
usb_register_dev, <a href="#352">352</a><br>
usb_set_intfdata, <a href="#351">351</a><br>
usb_string, <a href="#359">359</a><br>
usb_submit_urb, <a href="#344">344</a><br>
usb_unlink_urb, <a href="#345">345</a><br>
vfree, <a href="#225">225</a><br>
virt_to_page, <a href="#417">417</a><br>
vmalloc allocation, <a href="#224">224</a>-<a href="#228">228</a><br>
void, <a href="#348">348</a><br>
void barrier, <a href="#237">237</a><br>
void blk_queue_bounce_limit, <a href="#480">480</a><br>
void blk_queue_dma_alignment, <a href="#481">481</a><br>
void blk_queue_hardsect_size, <a href="#481">481</a><br>
void blk_queue_max_hw_segments, <a href="#480">480</a><br>
void blk_queue_max_phys_segments, <a href="#480">480</a><br>
void blk_queue_max_sectors, <a href="#480">480</a><br>
void blk_queue_max_segment_size, <a href="#480">480</a><br>
void blk_start_queue, <a href="#480">480</a><br>
void blk_stop_queue, <a href="#480">480</a><br>
void mb, <a href="#237">237</a><br>
void read_barrier_depends, <a href="#237">237</a><br>
void rmb, <a href="#237">237</a><br>
void smp_mb, <a href="#238">238</a><br>
void smp_rmb, <a href="#238">238</a><br>
void smp_wmb, <a href="#238">238</a><br>
void tasklet_disable, <a href="#204">204</a><br>
void tasklet_disable_nosync, <a href="#204">204</a><br>
void tasklet_enable, <a href="#204">204</a><br>
void tasklet_hi_schedule, <a href="#204">204</a></div>
</td><td valign="top" width="50%">
<div class="bql">void tasklet_kill, <a href="#204">204</a><br>
void tasklet_schedule, <a href="#204">204</a><br>
void wmb, <a href="#237">237</a><br>
void*dev_id, <a href="#260">260</a><br>
wait_event_interruptible_timeout, <a href="#194">194</a><br>
wake-up, <a href="#150">150</a>, <a href="#181">181</a><br>
wake_up, <a href="#159">159</a>, <a href="#181">181</a><br>
wake_up_interruptible, <a href="#181">181</a><br>
wake_up_interruptible_sync, <a href="#181">181</a><br>
wake_up_sync, <a href="#181">181</a><br>
workqueues, <a href="#206">206</a><br>
write (tty drivers), <a href="#556">556</a><br>
xmit_lock, <a href="#514">514</a></div>

<br><a name="G"></a><font color="red"><b>G</b></font><br><br>

gcc compiler, <a href="#188">188</a><br>
gdb commands, <a href="#99">99</a>, <a href="#103">103</a><br>
gendisk structure, <a href="#467">467</a><br>
general distribution, writing drivers for, <a href="#28">28</a><br>
General Public License (GPL), <a href="#11">11</a><br>
generic DMA layers, <a href="#444">444</a><br>
generic I/O address spaces, <a href="#316">316</a><br>
geographical addressing, <a href="#305">305</a><br>
get_cycles function, <a href="#187">187</a><br>
get_dma_residue function, <a href="#458">458</a><br>
get_fast_time function, <a href="#189">189</a><br>
get_free_page function, <a href="#221">221</a><br>
get_free_pages function, <a href="#214">214</a>, <a href="#221">221</a>, <a href="#225">225</a><br>
get_kernel_syms system call, <a href="#25">25</a><br>
get_page function, <a href="#427">427</a><br>
get_stats method, <a href="#512">512</a>, <a href="#536">536</a><br>
get_unaligned function, <a href="#293">293</a><br>
get_user function, <a href="#143">143</a>, <a href="#180">180</a><br>
get_user_pages function, <a href="#435">435</a><br>
get_zeroed_page function, <a href="#221">221</a><br>
GFP_ATOMIC flag, <a href="#214">214</a><br>
<div class="bql">page-oriented allocation functions, <a href="#221">221</a><br>
preparing for allocation failure, <a href="#222">222</a></div>
GFP_COLD flag, <a href="#215">215</a><br>
GFP_DMA flag, <a href="#215">215</a><br>
gfp.h header file, <a href="#214">214</a><br>
GFP_HIGH flag, <a href="#215">215</a><br>
GFP_HIGHMEM flag, <a href="#215">215</a><br>
GFP_HIGHUSER flag, <a href="#214">214</a><br>
GFP_KERNEL flag, <a href="#214">214</a>, <a href="#221">221</a><br>
GFP_NOFAIL flag, <a href="#215">215</a><br>
GFP_NOFS flag, <a href="#214">214</a><br>
GFP_NOIO flag, <a href="#215">215</a><br>
GFP_NORETRY flag, <a href="#215">215</a><br>
GFP_NOWARN flag, <a href="#215">215</a><br>
GFP_REPEAT flag, <a href="#215">215</a><br>
GFP_USER flag, <a href="#214">214</a><br>
</td></tr></table>
<br>
<A name="593"></a><font color="blue">PAGE 593</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
global information (net_device structure), <a href="#506">506</a><br>
global memory areas, <a href="#43">43</a><br>
global messages (enabling/disabling), <a href="#79">79</a><br>
GNU General Public License (GPL), <a href="#11">11</a><br>
goto statement, <a href="#33">33</a><br>
GPL (GNU General Public License), <a href="#11">11</a><br>

<br><a name="I"></a><font color="red"><b>I</b></font><br><br>

hacking kernels options, <a href="#73">73</a>-<a href="#75">75</a><br>
handle_IRQ_event function, <a href="#269">269</a><br>
hangs (system), <a href="#96">96</a>-<a href="#98">98</a><br>
hard_header method, <a href="#512">512</a>, <a href="#532">532</a><br>
hard_start_transmit method, <a href="#516">516</a><br>
hard_start_xmit method, <a href="#512">512</a>, <a href="#517">517</a><br>
hardware<br>
<div class="bql">addresses, <a href="#508">508</a><br>
<div class="bql">assignment of, <a href="#515">515</a><br>
modification of, <a href="#513">513</a></div>
DMA, <a href="#440">440</a>, <a href="#444">444</a><br>
headers, <a href="#533">533</a><br>
<div class="bql">adding before transmitting packets, <a href="#531">531</a><br>
building, <a href="#512">512</a><br>
encapsulating information, <a href="#534">534</a></div>
ioctl method, <a href="#135">135</a>-<a href="#147">147</a><br>
ISA, <a href="#320">320</a><br>
management, <a href="#235">235</a>-<a href="#254">254</a>, <a href="#255">255</a><br>
net_device structure, <a href="#506">506</a><br>
PCI (abstractions), <a href="#318">318</a><br>
removable media (supporting), <a href="#472">472</a></div>
header_cache method, <a href="#513">513</a><br>
header_cache_update method, <a href="#514">514</a><br>
headers<br>
<div class="bql">Ethernet (see Ethernet)<br>
files, <a href="#19">19</a>, <a href="#29">29</a><br>
hardware, <a href="#533">533</a><br>
non-Ethernet, <a href="#534">534</a></div>
hello world module, <a href="#16">16</a>-<a href="#18">18</a><br>
hierarchies<br>
<div class="bql">kobjects, <a href="#368">368</a><br>
ksets, <a href="#370">370</a><br>
/proc file connections, <a href="#86">86</a><br>
(see also filesystems)</div>
high memory, <a href="#216">216</a>, <a href="#415">415</a><br>
HIPPI drivers, preparing fields for, <a href="#508">508</a><br>
hippi_setup function, <a href="#508">508</a><br>
hostnames (snull interfaces), <a href="#500">500</a><br>
hotplugs<br>
<div class="bql">devices, <a href="#362">362</a><br>
events, <a href="#375">375</a></div>
</td><td valign="top" width="50%">
<div class="bql">Linux device model, <a href="#397">397</a>-<a href="#405">405</a><br>
scripts, <a href="#403">403</a></div>
hubs (USB), <a href="#334">334</a><br>
hung system, <a href="#96">96</a><br>
hyperthreaded processors, avoiding deadlocks, <a href="#117">117</a><br>
HZ (time frequency) symbol, <a href="#183">183</a>, <a href="#292">292</a><br>
group, device, <a href="#47">47</a><br>
<br><a name="H"></a><font color="red"><b>H</b></font><br><br>
I2O drivers, <a href="#7">7</a><br>
IA-64 architecture<br>
<div class="bql">porting and, <a href="#243">243</a><br>
/proc/interrupts file, snapshot of, <a href="#263">263</a></div>
IEEE1394 bus (Firewire), <a href="#400">400</a><br>
ifconfig command<br>
<div class="bql">net_device structure and, <a href="#506">506</a><br>
opening network drivers, <a href="#515">515</a>-<a href="#516">516</a><br>
snull interfaces, <a href="#501">501</a></div>
IFF_ symbols, <a href="#509">509</a>, <a href="#538">538</a><br>
IFF_ALLMULTI flag, <a href="#509">509</a><br>
IFF_AUTOMEDIA flag, <a href="#510">510</a><br>
IFF_BROADCAST flag, <a href="#509">509</a><br>
IFF_DEBUG flag, <a href="#509">509</a><br>
IFF_DYNAMIC flag, <a href="#510">510</a><br>
IFF_LOOPBACK flag, <a href="#509">509</a><br>
IFF_MASTER flag, <a href="#510">510</a><br>
IFF_MULTICAST flag, <a href="#509">509</a><br>
IFF_NOARP flag, <a href="#504">504</a>, <a href="#509">509</a><br>
IFF_NOTRAILERS flag, <a href="#510">510</a><br>
IFF_POINTOPOINT flag, <a href="#509">509</a><br>
IFF_PORTSEL flag, <a href="#510">510</a><br>
IFF_PROMISC flag, <a href="#509">509</a><br>
IFF_RUNNING flag, <a href="#510">510</a><br>
IFF_SLAVE flag, <a href="#510">510</a><br>
IFF_UP flag, <a href="#509">509</a><br>
if.h header file, <a href="#509">509</a>, <a href="#535">535</a><br>
ifreq structure, <a href="#535">535</a><br>
implementation<br>
<div class="bql">asynchronous I/O, <a href="#437">437</a><br>
busy-waiting, <a href="#190">190</a><br>
of classes, <a href="#5">5</a><br>
of debugging levels, <a href="#81">81</a><br>
direct I/O, <a href="#460">460</a><br>
of files in /proc filesystems, <a href="#84">84</a><br>
interrupt handlers, <a href="#269">269</a>-<a href="#275">275</a><br>
ioctl commands, <a href="#145">145</a><br>
ISA (PCI), <a href="#319">319</a>-<a href="#322">322</a><br>
llseek method, <a href="#171">171</a><br>
mmap, <a href="#412">412</a>-<a href="#416">416</a>, <a href="#460">460</a><br>
multicasting, <a href="#539">539</a><br>
of policies, <a href="#3">3</a><br>
removable media (supporting), <a href="#472">472</a></div>
</td></tr></table>
<br>
<A name="594"></a><font color="blue">PAGE 594</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
implementation <i>(continued)</i><br>
<div class="bql">semaphores, <a href="#110">110</a>-<a href="#114">114</a><br>
timers, <a href="#201">201</a></div>
in_atomic function, <a href="#198">198</a><br>
inb function, <a href="#240">240</a><br>
inb_p function, <a href="#242">242</a><br>
infinite loops, preventing, <a href="#97">97</a><br>
information leakage, <a href="#9">9</a><br>
in_interrupt function, <a href="#198">198</a><br>
init scripts and loading/unloading modules, <a href="#48">48</a><br>
init.h header file, <a href="#39">39</a><br>
initialization<br>
<div class="bql">completions (semaphores), <a href="#115">115</a><br>
devices, <a href="#503">503</a><br>
gendisk structure, <a href="#468">468</a><br>
interrupt handlers, <a href="#261">261</a><br>
kobjects, <a href="#366">366</a><br>
modules, <a href="#31">31</a>-<a href="#35">35</a><br>
mutexes, <a href="#110">110</a><br>
net_device structure, <a href="#503">503</a><br>
PCI, <a href="#306">306</a><br>
reader/writer semaphores, <a href="#113">113</a><br>
registers (PCI), <a href="#308">308</a><br>
sbull drivers, <a href="#468">468</a><br>
seqlocks, <a href="#128">128</a><br>
struct usb_driver structure, <a href="#349">349</a><br>
structures (registration), <a href="#55">55</a>-<a href="#57">57</a></div>
INIT_LIST_HEAD macro, <a href="#296">296</a><br>
inl function, <a href="#240">240</a><br>
inline assembly code (example), <a href="#187">187</a><br>
inode pointer in ioctl method, <a href="#136">136</a><br>
inode structure, <a href="#55">55</a><br>
input devices (hotplugging), <a href="#401">401</a><br>
input files, enabling asynchronous notification from, <a href="#169">169</a><br>
input module, <a href="#28">28</a><br>
input pins, <a href="#235">235</a>, <a href="#245">245</a><br>
<div class="bql">reading values from parallel port, <a href="#248">248</a></div>
insb function, <a href="#242">242</a><br>
insl function, <a href="#242">242</a><br>
insmod program, <a href="#5">5</a>, <a href="#17">17</a>, <a href="#25">25</a><br>
<div class="bql">assigning parameter values, <a href="#36">36</a><br>
dynamically allocating major numbers, <a href="#48">48</a><br>
modprobe program versus, <a href="#29">29</a><br>
testing modules using, <a href="#17">17</a></div>
installation<br>
<div class="bql">interrupt handlers, <a href="#259">259</a>-<a href="#269">269</a>, <a href="#278">278</a><br>
mainline kernels, <a href="#15">15</a></div>
insw function, <a href="#242">242</a><br>
</td><td valign="top" width="50%">
int actual_length field (USB), <a href="#339">339</a><br>
int data type, <a href="#289">289</a><br>
int error_count field (USB), <a href="#341">341</a><br>
int field<br>
<div class="bql">net_device structure, <a href="#506">506</a><br>
PCI registration, <a href="#312">312</a></div>
int flags field (gendisk), <a href="#467">467</a><br>
int function (USB), <a href="#348">348</a><br>
int interval field (USB), <a href="#341">341</a><br>
int major field (gendisk), <a href="#467">467</a><br>
int minor field (USB), <a href="#332">332</a><br>
int minor_base variable (USB), <a href="#353">353</a><br>
int minors field (gendisk), <a href="#467">467</a><br>
int number_of_packets field (USB), <a href="#341">341</a><br>
int pci_enable_device function, <a href="#314">314</a><br>
int printk_ratelimit(void) function, <a href="#81">81</a><br>
int seq_escape function, <a href="#88">88</a><br>
int seq_path function, <a href="#89">89</a><br>
int seq_printf function, <a href="#88">88</a><br>
int seq_putc function, <a href="#88">88</a><br>
int seq_puts function, <a href="#88">88</a><br>
int start_frame field (USB), <a href="#341">341</a><br>
int status field (USB), <a href="#339">339</a><br>
int transfer_buffer_length field (USB), <a href="#338">338</a><br>
interactive kernel debugger (kdb), <a href="#101">101</a>-<a href="#103">103</a><br>
INTERFACE variable, <a href="#401">401</a><br>
interfaces<br>
<div class="bql">alloc_pages, <a href="#223">223</a><br>
block drivers<br>
<div class="bql">command pre-preparation, <a href="#491">491</a><br>
functions, <a href="#494">494</a>-<a href="#496">496</a><br>
operations, <a href="#471">471</a>-<a href="#474">474</a><br>
registration, <a href="#465">465</a>-<a href="#470">470</a><br>
request processing, <a href="#474">474</a>-<a href="#491">491</a><br>
TCQ, <a href="#492">492</a>-<a href="#493">493</a></div>
classes, <a href="#391">391</a><br>
class_simple, <a href="#388">388</a><br>
cleanup function, <a href="#32">32</a><br>
configuration (USB), <a href="#332">332</a><br>
firmware, <a href="#405">405</a><br>
flags for net_device structure, <a href="#509">509</a><br>
full class, <a href="#389">389</a><br>
interface-specific data types, <a href="#291">291</a><br>
ksets, <a href="#370">370</a><br>
loopback, <a href="#498">498</a><br>
MII, <a href="#540">540</a><br>
networks, <a href="#7">7</a><br>
non-Ethernet, <a href="#507">507</a><br>
older<br>
<div class="bql">char device registration, <a href="#57">57</a><br>
/proc file implementation, <a href="#85">85</a></div></div>
</td></tr></table>
<br>
<A name="595"></a><font color="blue">PAGE 595</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">parallel ports (see parallel ports)<br>
PCI, <a href="#302">302</a>-<a href="#319">319</a><br>
reader/writer semaphores, <a href="#114">114</a><br>
seq_file, <a href="#87">87</a>-<a href="#90">90</a><br>
snull, <a href="#498">498</a>-<a href="#502">502</a><br>
spinlocks, <a href="#117">117</a><br>
timers, <a href="#198">198</a><br>
USB, <a href="#331">331</a><br>
version dependency, <a href="#26">26</a><br>
VLB, <a href="#323">323</a></div>
interface-specific data types, <a href="#291">291</a><br>
internal functions (locking), <a href="#121">121</a><br>
internal representation of device numbers, <a href="#44">44</a><br>
Internet protocol (IP), <a href="#498">498</a><br>
interrupt handlers<br>
<div class="bql">autodetecting IRQ numbers, <a href="#264">264</a><br>
sharing interrupts, <a href="#281">281</a></div>
interrupt mode<br>
<div class="bql">and asynchronous execution, <a href="#197">197</a><br>
tasklets, <a href="#202">202</a>-<a href="#204">204</a></div>
interrupt request lines (see IRQs)<br>
interruptible sleeps, <a href="#157">157</a><br>
interrupts<br>
<div class="bql">counts, <a href="#566">566</a><br>
file, <a href="#262">262</a><br>
handlers<br>
<div class="bql">implementation of, <a href="#269">269</a>-<a href="#275">275</a><br>
installation of, <a href="#259">259</a>-<a href="#269">269</a><br>
I/O, <a href="#281">281</a>-<a href="#286">286</a><br>
management, <a href="#286">286</a><br>
for network drivers, <a href="#523">523</a><br>
preparing parallel ports, <a href="#259">259</a><br>
/proc files for, <a href="#262">262</a><br>
registration, <a href="#286">286</a><br>
sharing, <a href="#278">278</a>-<a href="#281">281</a><br>
tasklets, <a href="#276">276</a><br>
top and bottom halves, <a href="#275">275</a>-<a href="#278">278</a></div>
installation at, <a href="#261">261</a><br>
mitigation of, <a href="#525">525</a><br>
for network drivers, <a href="#523">523</a><br>
PCI, <a href="#317">317</a><br>
reports, <a href="#261">261</a><br>
shared interrupts and, <a href="#280">280</a><br>
timers, <a href="#183">183</a><br>
tty drivers, <a href="#556">556</a><br>
urbs, <a href="#342">342</a></div>
intervals of time (data type portability), <a href="#292">292</a><br>
intptr_t type (C99 standard), <a href="#289">289</a><br>
inw function, <a href="#240">240</a><br>
</td><td valign="top" width="50%">
I/O, <a href="#167">167</a><br>
<div class="bql">asynchronous, <a href="#437">437</a>-<a href="#440">440</a><br>
blocking, <a href="#147">147</a>-<a href="#162">162</a><br>
direct, <a href="#435">435</a>-<a href="#440">440</a>, <a href="#460">460</a><br>
flushing pending, <a href="#167">167</a><br>
generic address spaces, <a href="#316">316</a><br>
hardware management, <a href="#235">235</a>-<a href="#254">254</a><br>
interrupt handlers, <a href="#281">281</a>-<a href="#286">286</a><br>
mapping, <a href="#249">249</a>, <a href="#255">255</a><br>
memory (access), <a href="#249">249</a><br>
pausing, <a href="#242">242</a><br>
PCI, <a href="#305">305</a>, <a href="#316">316</a><br>
regions, <a href="#429">429</a><br>
registers, <a href="#236">236</a><br>
scatter/gather, <a href="#520">520</a><br>
schedulers, <a href="#478">478</a><br>
string operations, <a href="#241">241</a><br>
transferring data with DMA, <a href="#440">440</a>-<a href="#459">459</a></div>
I/O Memory Management Unit (see IOMMU)<br>
I/O ports, parallel (see parallel ports)<br>
I/O registers versus RAM, <a href="#236">236</a><br>
_IOC_DIRBITS macro, <a href="#180">180</a><br>
_IOC_NRBITS macro, <a href="#180">180</a><br>
_IOC_SIZEBITS macro, <a href="#180">180</a><br>
_IOC_TYPEBITS macro, <a href="#180">180</a><br>
ioctl commands (creating), <a href="#180">180</a><br>
ioctl function (tty drivers), <a href="#564">564</a><br>
ioctl method, <a href="#51">51</a>, <a href="#135">135</a>-<a href="#147">147</a><br>
<div class="bql">using bitfields to define commands, <a href="#137">137</a><br>
block drivers, <a href="#473">473</a><br>
controlling devices without, <a href="#146">146</a><br>
customizing for networking, <a href="#535">535</a><br>
debugging with, <a href="#90">90</a><br>
network devices and, <a href="#513">513</a><br>
TIOCLINUX command, <a href="#77">77</a></div>
ioctl.h header file, <a href="#137">137</a>, <a href="#179">179</a><br>
<div class="bql">setting up command numbers, <a href="#138">138</a></div>
ioctl-number.txt file, <a href="#137">137</a><br>
IOMMU (I/O memory management unit), <a href="#413">413</a>, <a href="#445">445</a><br>
ioremap function, <a href="#226">226</a>, <a href="#249">249</a>, <a href="#256">256</a><br>
ioremap, <a href="#225">225</a><br>
ioremap_nocache function, <a href="#250">250</a><br>
iounmap function, <a href="#225">225</a>, <a href="#250">250</a><br>
IP (Internet protocol), <a href="#498">498</a><br>
IP numbers, resolving to physical addresses, <a href="#532">532</a><br>
ip_summed field (sk_buff), <a href="#522">522</a>, <a href="#530">530</a><br>
irq argument (interrupt number), <a href="#260">260</a><br>
</td></tr></table>
<br>
<A name="596"></a><font color="blue">PAGE 596</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
irq.h header file, <a href="#267">267</a><br>
irqreturn_t function, <a href="#260">260</a><br>
IRQs (interrupt request lines)<br>
<div class="bql">autodetecting, <a href="#264">264</a><br>
statistics on, <a href="#263">263</a></div>
ISA<br>
<div class="bql">bus master DMA, <a href="#454">454</a><br>
devices, DMA for, <a href="#454">454</a>-<a href="#459">459</a><br>
I/O (pausing devices), <a href="#242">242</a><br>
memory (access), <a href="#253">253</a><br>
<div class="bql">below IMB, <a href="#252">252</a>-<a href="#254">254</a><br>
DMA for, <a href="#454">454</a>-<a href="#459">459</a></div>
PCI, <a href="#319">319</a>-<a href="#322">322</a></div>
isa_readb function, <a href="#254">254</a><br>
ISOCHRONOUS endpoints (USB), <a href="#330">330</a><br>
isochronous urbs (USB), <a href="#344">344</a><br>
iteration of buses, <a href="#379">379</a><br>

<br><a name="J"></a><font color="red"><b>J</b></font><br><br>

jiffies<br>
<div class="bql">in busy-waiting implementation, <a href="#191">191</a><br>
counters, <a href="#184">184</a><br>
no solution for short delays, <a href="#195">195</a><br>
values, <a href="#184">184</a>, <a href="#514">514</a></div>
jit (just in time) module<br>
<div class="bql">current time (retrieving), <a href="#189">189</a><br>
delaying code execution, <a href="#191">191</a></div>
jitbusy program, <a href="#191">191</a><br>
joysticks (hotplugging), <a href="#401">401</a><br>
just in time (jit) module (see jit module)<br>

<br><a name="K"></a><font color="red"><b>K</b></font><br><br>

kcore file, <a href="#99">99</a><br>
kdataalign program, <a href="#294">294</a><br>
kdatasize module, <a href="#289">289</a><br>
kdb kernel debugger, <a href="#101">101</a>-<a href="#103">103</a><br>
KERN_ALERT macro, <a href="#76">76</a><br>
KERN_CRIT macro, <a href="#76">76</a><br>
KERN_DEBUG macro, <a href="#76">76</a><br>
kernel-assisted probing, <a href="#265">265</a><br>
kernels<br>
<div class="bql">applications (comparisons to), <a href="#18">18</a>-<a href="#22">22</a><br>
capabilities and restricted operations, <a href="#144">144</a><br>
code requirements, <a href="#30">30</a><br>
concurrency, <a href="#20">20</a><br>
<div class="bql">adding locking, <a href="#109">109</a><br>
alternatives to locking, <a href="#123">123</a>-<a href="#130">130</a><br>
locking traps, <a href="#121">121</a>-<a href="#123">123</a><br>
management of, <a href="#107">107</a>-<a href="#109">109</a><br>
semaphore completion, <a href="#114">114</a>-<a href="#116">116</a><br>
semaphore implementation, <a href="#110">110</a>-<a href="#114">114</a></div></div>
</td><td valign="top" width="50%">
<div class="bql">current process and, <a href="#21">21</a><br>
data structures, <a href="#49">49</a><br>
data types in<br>
<div class="bql">assigning explicit sizes to, <a href="#290">290</a><br>
interface-specific, <a href="#291">291</a><br>
linked lists, <a href="#295">295</a>-<a href="#299">299</a><br>
portability, <a href="#292">292</a>-<a href="#295">295</a><br>
standard C types, <a href="#288">288</a></div>
debuggers, <a href="#99">99</a>-<a href="#105">105</a><br>
development community, joining, <a href="#12">12</a><br>
developmental (experimental), <a href="#10">10</a><br>
exclusive waits, <a href="#160">160</a><br>
filesystem modules, <a href="#8">8</a><br>
handling system faults (see system faults)<br>
headers, <a href="#19">19</a><br>
inode structure, <a href="#55">55</a><br>
interrupts<br>
<div class="bql">implementing handlers, <a href="#269">269</a>-<a href="#275">275</a><br>
installing handlers, <a href="#259">259</a>-<a href="#269">269</a></div>
introduction to, <a href="#1">1</a><br>
kgdb patch and, <a href="#103">103</a><br>
linked lists, <a href="#295">295</a>-<a href="#299">299</a><br>
Linux device model, <a href="#362">362</a>-<a href="#364">364</a><br>
<div class="bql">buses, <a href="#377">377</a>-<a href="#381">381</a><br>
classes, <a href="#387">387</a>-<a href="#391">391</a><br>
devices, <a href="#381">381</a>-<a href="#387">387</a><br>
firmware, <a href="#405">405</a>-<a href="#407">407</a><br>
hotplugging, <a href="#375">375</a>, <a href="#397">397</a>-<a href="#405">405</a><br>
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
lifecycles, <a href="#391">391</a>-<a href="#397">397</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a></div>
loading modules into (see loading, modules)<br>
logical addresses, <a href="#413">413</a><br>
mainline (installation of), <a href="#15">15</a><br>
messages, <a href="#18">18</a><br>
modules<br>
<div class="bql">loading, <a href="#25">25</a>-<a href="#28">28</a><br>
unloading, <a href="#25">25</a></div>
monitoring, <a href="#91">91</a><br>
multicasting support, <a href="#538">538</a><br>
network driver connections, <a href="#502">502</a>-<a href="#514">514</a><br>
platform dependency, <a href="#27">27</a><br>
printing, <a href="#75">75</a>-<a href="#82">82</a><br>
querying, <a href="#82">82</a>-<a href="#91">91</a><br>
security, <a href="#8">8</a><br>
sources, <a href="#575">575</a><br>
space, <a href="#19">19</a><br>
splitting role of, <a href="#4">4</a>-<a href="#5">5</a><br>
support, <a href="#73">73</a>-<a href="#75">75</a><br>
symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
system hangs, <a href="#96">96</a></div>
</td></tr></table>
<br>
<A name="597"></a><font color="blue">PAGE 597</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">tasklets, <a href="#202">202</a>-<a href="#204">204</a>, <a href="#211">211</a><br>
test system setup, <a href="#15">15</a><br>
time, <a href="#208">208</a><br>
<div class="bql">measurement of lapses, <a href="#183">183</a>-<a href="#188">188</a><br>
retrieving current time, <a href="#188">188</a>-<a href="#190">190</a></div>
timers, <a href="#196">196</a>-<a href="#202">202</a>, <a href="#210">210</a><br>
USB<br>
<div class="bql">sysfs directory trees, <a href="#333">333</a>-<a href="#335">335</a><br>
transfers without urbs, <a href="#356">356</a>-<a href="#359">359</a><br>
urbs, <a href="#335">335</a>-<a href="#346">346</a><br>
writing, <a href="#346">346</a>-<a href="#355">355</a></div>
versions<br>
<div class="bql">dependency, <a href="#26">26</a><br>
numbering, <a href="#10">10</a>-<a href="#11">11</a></div>
viewing, <a href="#5">5</a><br>
virtual addresses, <a href="#414">414</a>, <a href="#434">434</a><br>
VMAs, <a href="#419">419</a>-<a href="#422">422</a><br>
workqueues, <a href="#205">205</a>-<a href="#208">208</a>, <a href="#211">211</a><br>
(see also modules)</div>
kernel_ulong_t driver_info field (USB), <a href="#347">347</a><br>
KERNEL_VERSION macro, <a href="#27">27</a><br>
KERN_EMERG macro, <a href="#76">76</a><br>
KERN_ERR macro, <a href="#76">76</a><br>
KERN_INFO macro, <a href="#76">76</a><br>
KERN_NOTICE macro, <a href="#76">76</a><br>
KERN_WARNING macro, <a href="#76">76</a><br>
keyboards<br>
<div class="bql">debugging when locked, <a href="#97">97</a><br>
hotplugging, <a href="#401">401</a></div>
keys (magic SysRq), <a href="#97">97</a><br>
kfree, <a href="#61">61</a><br>
kfree_skb function, <a href="#531">531</a><br>
kgdb patch, <a href="#103">103</a><br>
kill_fasync function, <a href="#170">170</a>, <a href="#182">182</a><br>
killing urbs, <a href="#345">345</a><br>
klogd daemon, <a href="#17">17</a>, <a href="#77">77</a><br>
<div class="bql">logging messages, <a href="#78">78</a>, <a href="#79">79</a></div>
kmalloc<br>
<div class="bql">flags argument, <a href="#213">213</a><br>
returning virtual addresses, <a href="#225">225</a><br>
versus vmalloc, <a href="#225">225</a></div>
kmalloc function, <a href="#61">61</a><br>
<div class="bql">allocation engine, <a href="#213">213</a>-<a href="#217">217</a><br>
performance degradation issues, <a href="#222">222</a></div>
kmap function, <a href="#418">418</a><br>
kmap_skb_frag function, <a href="#532">532</a><br>
kmem_cache_alloc function, <a href="#218">218</a><br>
kmem_cache_create function, <a href="#217">217</a><br>
kmem_cache_t type function, <a href="#217">217</a><br>
kmsg file, <a href="#78">78</a><br>
</td><td valign="top" width="50%">
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
<div class="bql">hotplug event generation, <a href="#375">375</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a><br>
nondefault attributes, <a href="#373">373</a><br>
release functions, <a href="#367">367</a><br>
store method, <a href="#373">373</a><br>
symbolic links, <a href="#375">375</a></div>
kset_hotplug_ops structure, <a href="#376">376</a><br>
ksets, <a href="#368">368</a><br>
<div class="bql">operations on, <a href="#370">370</a><br>
subsystems, <a href="#370">370</a></div>
ksyms file, <a href="#32">32</a><br>

<br><a name="L"></a><font color="red"><b>L</b></font><br><br>

lapses of time, measurement of, <a href="#183">183</a>-<a href="#188">188</a><br>
laptop docking stations, <a href="#402">402</a><br>
large buffers, obtaining, <a href="#230">230</a>, <a href="#234">234</a><br>
large file implementations (/proc files), <a href="#87">87</a><br>
layers<br>
<div class="bql">generic DMA, <a href="#444">444</a><br>
modularization, <a href="#28">28</a></div>
lddbus driver, <a href="#379">379</a><br>
ldd_driver structure, <a href="#386">386</a><br>
LEDs, soldering to output pins, <a href="#247">247</a><br>
levels<br>
<div class="bql">CPU (modalities), <a href="#20">20</a><br>
debugging, <a href="#81">81</a><br>
message priority (see loglevels)</div>
libraries, <a href="#19">19</a><br>
license terms, <a href="#11">11</a><br>
lifecycles<br>
<div class="bql">Linux device model, <a href="#391">391</a>-<a href="#397">397</a><br>
objects, <a href="#363">363</a><br>
urbs, <a href="#335">335</a></div>
limitations of debug messages (prink function), <a href="#81">81</a><br>
line settings (tty drivers), <a href="#560">560</a>-<a href="#566">566</a><br>
line status register (LSR), <a href="#564">564</a><br>
link state (changes in), <a href="#528">528</a><br>
linked lists, <a href="#295">295</a>-<a href="#299">299</a><br>
<div class="bql">traversal of, <a href="#298">298</a></div>
linking libraries, <a href="#18">18</a><br>
links (symbolic), <a href="#375">375</a><br>
Linux<br>
<div class="bql">license terms, <a href="#11">11</a><br>
version numbering, <a href="#10">10</a></div>
Linux device model, <a href="#362">362</a>-<a href="#364">364</a><br>
<div class="bql">buses, <a href="#377">377</a>-<a href="#381">381</a><br>
classes, <a href="#387">387</a>-<a href="#391">391</a><br>
devices, <a href="#381">381</a>-<a href="#387">387</a></div>
</td></tr></table>
<br>
<A name="598"></a><font color="blue">PAGE 598</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
Linux device model <i>(continued)</i><br>
<div class="bql">firmware, <a href="#405">405</a>-<a href="#407">407</a><br>
hotplugging, <a href="#397">397</a>-<a href="#405">405</a><br>
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
<div class="bql">hotplug events, <a href="#375">375</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a></div>
lifecycles, <a href="#391">391</a>-<a href="#397">397</a></div>
Linux Documentation Project web site, <a href="#576">576</a><br>
Linux Trace Toolkit (LTT), <a href="#105">105</a><br>
linux-kernel mailing list, <a href="#12">12</a>, <a href="#299">299</a><br>
LINUX_VERSION_CODE macro, <a href="#27">27</a>, <a href="#40">40</a><br>
list_add function, <a href="#297">297</a><br>
list_add_tail function, <a href="#297">297</a><br>
list_del function, <a href="#297">297</a><br>
list_empty function, <a href="#297">297</a><br>
list_entry macro, <a href="#297">297</a><br>
list_for_each macro, <a href="#299">299</a><br>
list.h header file, <a href="#299">299</a><br>
list_head data structure, <a href="#299">299</a><br>
list_move function, <a href="#297">297</a><br>
lists, linked, <a href="#295">295</a>-<a href="#299">299</a><br>
lists (PCI), <a href="#326">326</a><br>
list_splice function, <a href="#297">297</a><br>
little-endian byte order, <a href="#293">293</a><br>
llseek method, <a href="#50">50</a>, <a href="#171">171</a><br>
loadable modules, <a href="#5">5</a><br>
loading<br>
<div class="bql">attribute (firmware), <a href="#407">407</a><br>
drivers, <a href="#46">46</a><br>
modules, <a href="#25">25</a>-<a href="#28">28</a><br>
<div class="bql">dynamically assigned device numbers, <a href="#47">47</a><br>
parameters, <a href="#35">35</a>-<a href="#37">37</a><br>
races, <a href="#35">35</a></div></div>
local0 (IP number), <a href="#499">499</a><br>
LocalTalk devices, setting up fields for, <a href="#507">507</a><br>
lock method, <a href="#52">52</a><br>
locked keyboard (debugging), <a href="#97">97</a><br>
lock-free algorithms, <a href="#123">123</a><br>
locking, <a href="#108">108</a><br>
<div class="bql">adding, <a href="#109">109</a><br>
alternatives to, <a href="#123">123</a>-<a href="#130">130</a><br>
atomic variables, <a href="#124">124</a><br>
rules for, <a href="#122">122</a><br>
seqlocks, <a href="#127">127</a><br>
traps, <a href="#121">121</a>-<a href="#123">123</a></div>
lockmeter tool, <a href="#123">123</a><br>
loff_t f_pos (struct file field), <a href="#54">54</a><br>
loff_t (long offset), <a href="#50">50</a>, <a href="#54">54</a><br>
LOG_BUF_LEN circular buffer, <a href="#78">78</a><br>
logging messages (printk function), <a href="#78">78</a><br>
logical addresses, <a href="#413">413</a><br>
</td><td valign="top" width="50%">
logical units (USB), <a href="#332">332</a><br>
login process, <a href="#173">173</a><br>
loglevels, <a href="#76">76</a><br>
<div class="bql">message priorities, <a href="#17">17</a></div>
long data type, <a href="#289">289</a><br>
long delays (of code execution), <a href="#190">190</a><br>
lookaside caches, <a href="#217">217</a>-<a href="#224">224</a>, <a href="#232">232</a><br>
loopback interfaces, <a href="#498">498</a><br>
loops<br>
<div class="bql">busy, <a href="#191">191</a><br>
endless, <a href="#97">97</a><br>
software, <a href="#195">195</a></div>
loops_per_jiffy value, <a href="#196">196</a><br>
low memory, <a href="#415">415</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a><br>
ls command, identifying device type, <a href="#43">43</a><br>
LSR (line status register), <a href="#564">564</a><br>
ltalk_setup, <a href="#507">507</a><br>
ltalk_setup function, <a href="#507">507</a><br>
LTT (Linux Trace Toolkit), <a href="#105">105</a><br>

<br><a name="M"></a><font color="red"><b>M</b></font><br><br>

M68k architecture (porting and), <a href="#243">243</a><br>
MAC (medium access control) addresses, <a href="#504">504</a>, <a href="#508">508</a><br>
<div class="bql">resolution of, <a href="#532">532</a>-<a href="#534">534</a><br>
set_mac_address method and, <a href="#513">513</a></div>
macros<br>
<div class="bql">BUS_ATTR, <a href="#380">380</a><br>
completion, <a href="#115">115</a><br>
DECLARE_TASKLET, <a href="#276">276</a><br>
DIVER_ATTR, <a href="#386">386</a><br>
hello world module, <a href="#16">16</a><br>
INIT_LIST_HEAD, <a href="#296">296</a><br>
internal representation of device<br>
numbers, <a href="#44">44</a><br>
ioctl commands (creating), <a href="#180">180</a><br>
KERN_ALERT, <a href="#76">76</a><br>
KERN_CRIT, <a href="#76">76</a><br>
KERN_DEBUG, <a href="#76">76</a><br>
KERN_EMERG, <a href="#76">76</a><br>
KERN_ERR, <a href="#76">76</a><br>
KERN_INFO, <a href="#76">76</a><br>
KERN_NOTICE, <a href="#76">76</a><br>
KERN_WARNING, <a href="#76">76</a><br>
list_entry, <a href="#297">297</a><br>
list_for_each, <a href="#299">299</a><br>
MINOR, <a href="#71">71</a><br>
MODULE_DEVICE_TABLE, <a href="#311">311</a><br>
page_address, <a href="#417">417</a><br>
PAGE_SHIFT, <a href="#415">415</a><br>
PCI_DEVICE, <a href="#310">310</a></div>
</td></tr></table>
<br>
<A name="599"></a><font color="blue">PAGE 599</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">PCI_DEVICE_CLASS, <a href="#310">310</a><br>
RELEVANT_IFLAG, <a href="#560">560</a><br>
sg_dma_address, <a href="#451">451</a><br>
sg_dma_len, <a href="#451">451</a><br>
symbols, <a href="#29">29</a><br>
UBS_DEVICE_VER, <a href="#347">347</a><br>
USB_DEVICE, <a href="#347">347</a><br>
USB_DEVICE_INFO, <a href="#347">347</a><br>
USB_INTERFACE_INFO, <a href="#347">347</a><br>
version dependency, <a href="#26">26</a><br>
wait queues, <a href="#156">156</a><br>
wait-event, <a href="#149">149</a></div>
magic SysRq key, <a href="#97">97</a><br>
mailing list, linux-kernel, <a href="#12">12</a><br>
mainline kernels, installation of, <a href="#15">15</a><br>
major device numbers, <a href="#44">44</a><br>
<div class="bql">dynamic allocation of, <a href="#46">46</a>-<a href="#49">49</a></div>
MAJOR macro, <a href="#71">71</a><br>
major numbers<br>
<div class="bql">char drivers, <a href="#43">43</a>-<a href="#49">49</a><br>
dynamic allocation of, <a href="#46">46</a></div>
make command, <a href="#24">24</a><br>
makefiles, <a href="#24">24</a><br>
<div class="bql">printk function, <a href="#80">80</a></div>
management, <a href="#4">4</a><br>
<div class="bql">classes, <a href="#389">389</a><br>
concurrency, <a href="#107">107</a>-<a href="#109">109</a><br>
<div class="bql">alternatives to locking, <a href="#123">123</a>-<a href="#130">130</a><br>
locking traps, <a href="#121">121</a>-<a href="#123">123</a></div>
fragmentation, <a href="#442">442</a><br>
hardware (I/O ports and I/O memory), <a href="#235">235</a>-<a href="#254">254</a><br>
interrupt handlers, <a href="#286">286</a><br>
memory, <a href="#4">4</a>, <a href="#412">412</a>-<a href="#416">416</a><br>
<div class="bql">direct I/O, <a href="#435">435</a>-<a href="#440">440</a><br>
DMA, <a href="#440">440</a>-<a href="#459">459</a>, <a href="#461">461</a><br>
mapping, <a href="#416">416</a>-<a href="#418">418</a><br>
mmap device operations, <a href="#422">422</a>-<a href="#434">434</a><br>
page tables, <a href="#418">418</a><br>
process memory maps, <a href="#422">422</a><br>
scull, <a href="#60">60</a>-<a href="#63">63</a>, <a href="#107">107</a><br>
VMAs, <a href="#419">419</a>-<a href="#422">422</a></div>
networks, <a href="#5">5</a><br>
physical memory, <a href="#216">216</a><br>
power, <a href="#362">362</a><br>
process, <a href="#4">4</a><br>
security, <a href="#8">8</a><br>
tasklets, <a href="#202">202</a>-<a href="#204">204</a></div>
manual sleeps, <a href="#156">156</a><br>
mapper program, <a href="#430">430</a><br>
</td><td valign="top" width="50%">
mapping<br>
<div class="bql">deleting, <a href="#448">448</a><br>
DMA, <a href="#445">445</a><br>
I/O, <a href="#249">249</a>, <a href="#255">255</a><br>
memory, <a href="#416">416</a>-<a href="#418">418</a><br>
<div class="bql">mmap device operations, <a href="#422">422</a>-<a href="#434">434</a><br>
process memory maps, <a href="#422">422</a></div>
PCI double-address cycle, <a href="#452">452</a><br>
registers, <a href="#445">445</a>, <a href="#450">450</a><br>
scatter-gather DMA, <a href="#450">450</a><br>
scatterlists and, <a href="#450">450</a><br>
single-page streaming, <a href="#450">450</a><br>
software-mapped memory, <a href="#250">250</a><br>
streaming DMA configuration, <a href="#448">448</a><br>
video memory, <a href="#423">423</a></div>
match function (buses), <a href="#379">379</a><br>
MCA (Micro Channel Architecture), <a href="#322">322</a><br>
mdelay, <a href="#196">196</a><br>
measurement of time lapses, <a href="#183">183</a>-<a href="#188">188</a><br>
Media Independent Interface (MII), <a href="#540">540</a><br>
media_changed method, <a href="#472">472</a><br>
medium access control addresses (see MAC addresses)<br>
memory<br>
<div class="bql">allocation, <a href="#60">60</a>-<a href="#62">62</a><br>
<div class="bql">boot time, <a href="#230">230</a>, <a href="#234">234</a><br>
flags, <a href="#215">215</a>, <a href="#218">218</a>, <a href="#231">231</a><br>
I/O, <a href="#249">249</a>, <a href="#255">255</a><br>
kmalloc allocation engine, <a href="#213">213</a>-<a href="#217">217</a><br>
lookaside caches, <a href="#217">217</a>-<a href="#224">224</a>, <a href="#232">232</a><br>
by page, <a href="#221">221</a><br>
per-CPU variables, <a href="#228">228</a>-<a href="#230">230</a><br>
performance degradation issues, <a href="#222">222</a><br>
vmalloc allocation function, <a href="#224">224</a>-<a href="#228">228</a></div>
barriers, <a href="#237">237</a>, <a href="#238">238</a>, <a href="#255">255</a><br>
block drivers, <a href="#468">468</a><br>
DMA (see DMA)<br>
global areas, <a href="#43">43</a><br>
hardware, <a href="#506">506</a><br>
high, <a href="#415">415</a><br>
I/O, <a href="#235">235</a>-<a href="#254">254</a>, <a href="#255">255</a><br>
ISA<br>
<div class="bql">access, <a href="#253">253</a><br>
memory range, <a href="#252">252</a>-<a href="#254">254</a></div>
limitations on, <a href="#415">415</a><br>
locking, <a href="#109">109</a><br>
low, <a href="#415">415</a><br>
management, <a href="#4">4</a>, <a href="#412">412</a>-<a href="#416">416</a><br>
<div class="bql">direct I/O, <a href="#435">435</a>-<a href="#440">440</a><br>
DMA, <a href="#440">440</a>-<a href="#459">459</a>, <a href="#461">461</a></div></div>
</td></tr></table>
<br>
<A name="600"></a><font color="blue">PAGE 600</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
memory, management <i>(continued)</i><br>
<div class="bql"><div class="bql">fragmentation, <a href="#442">442</a><br>
mapping, <a href="#416">416</a>-<a href="#418">418</a><br>
mmap device operations, <a href="#422">422</a>-<a href="#434">434</a><br>
page tables, <a href="#418">418</a><br>
process memory maps, <a href="#422">422</a><br>
VMAs, <a href="#419">419</a>-<a href="#422">422</a></div>
modules (loading), <a href="#25">25</a><br>
page size and portability, <a href="#292">292</a><br>
PCI, <a href="#305">305</a>, <a href="#316">316</a><br>
persistence, <a href="#43">43</a><br>
pools, <a href="#220">220</a>, <a href="#232">232</a><br>
remapping RAM, <a href="#430">430</a><br>
scull<br>
<div class="bql">design of, <a href="#43">43</a><br>
troubleshooting, <a href="#107">107</a><br>
usage, <a href="#60">60</a>-<a href="#63">63</a></div>
software-mapped (and ioremap function), <a href="#250">250</a><br>
user space, <a href="#437">437</a><br>
verifying user-space addresses, <a href="#142">142</a><br>
versus I/O registers, <a href="#236">236</a><br>
zones, <a href="#215">215</a></div>
memory management<br>
<div class="bql">DMA, <a href="#440">440</a>-<a href="#459">459</a><br>
theory of, <a href="#422">422</a><br>
VMAs, <a href="#422">422</a></div>
messages<br>
<div class="bql">consoles, <a href="#77">77</a><br>
debug<br>
<div class="bql">disabling, <a href="#79">79</a><br>
limitation of (printk function), <a href="#81">81</a></div>
globally enabling/disabling, <a href="#79">79</a><br>
kernels, <a href="#18">18</a><br>
logging, <a href="#78">78</a><br>
oops, <a href="#94">94</a>-<a href="#96">96</a><br>
priorities (loglevels) of, <a href="#17">17</a>, <a href="#76">76</a></div>
methods, <a href="#88">88</a><br>
<div class="bql">block_fsync, <a href="#167">167</a><br>
buses, <a href="#379">379</a><br>
change_mtu, <a href="#513">513</a><br>
check_flags, <a href="#52">52</a><br>
close, <a href="#59">59</a>, <a href="#421">421</a><br>
devices, <a href="#511">511</a><br>
*dir_notify, <a href="#52">52</a><br>
do_ioctl, <a href="#513">513</a>, <a href="#535">535</a><br>
fasync, <a href="#52">52</a><br>
flush, <a href="#51">51</a>, <a href="#60">60</a><br>
fsync, <a href="#51">51</a>, <a href="#167">167</a><br>
get_stats, <a href="#512">512</a>, <a href="#536">536</a><br>
hard_header, <a href="#512">512</a>, <a href="#532">532</a><br>
hard_start_transmit, <a href="#516">516</a></div>
</td><td valign="top" width="50%">
<div class="bql">hard_start_xmit, <a href="#512">512</a>, <a href="#517">517</a><br>
header_cache, <a href="#513">513</a><br>
header_cache_update, <a href="#514">514</a><br>
ioctl, <a href="#51">51</a>, <a href="#135">135</a>-<a href="#147">147</a><br>
<div class="bql">block drivers, <a href="#473">473</a><br>
customizing for networking, <a href="#535">535</a><br>
debugging with, <a href="#90">90</a><br>
inode pointer in, <a href="#136">136</a></div>
llseek, <a href="#50">50</a>, <a href="#171">171</a><br>
lock, <a href="#52">52</a><br>
media_changed, <a href="#472">472</a><br>
mmap, <a href="#51">51</a><br>
next, <a href="#87">87</a><br>
nopage, <a href="#422">422</a>, <a href="#427">427</a>, <a href="#431">431</a><br>
open, <a href="#51">51</a>, <a href="#58">58</a>-<a href="#59">59</a><br>
<div class="bql">block drivers, <a href="#471">471</a><br>
blocking, <a href="#176">176</a><br>
for network devices, <a href="#511">511</a><br>
private_data and, <a href="#54">54</a><br>
requesting DMA channels, <a href="#455">455</a><br>
restricting simultaneous users<br>
and, <a href="#175">175</a><br>
for single-open devices, <a href="#174">174</a><br>
vm_operations_struct structure, <a href="#421">421</a></div>
operations<br>
<div class="bql">aio_fsync, <a href="#438">438</a><br>
atomic_add, <a href="#125">125</a><br>
atomic_dec, <a href="#125">125</a><br>
atomic_dec_and_test, <a href="#125">125</a><br>
atomic_inc, <a href="#125">125</a><br>
atomic_inc_and_test, <a href="#125">125</a><br>
atomic_read, <a href="#125">125</a><br>
atomic_set, <a href="#125">125</a><br>
atomic_sub, <a href="#125">125</a><br>
atomic_sub_and_test, <a href="#125">125</a><br>
bit, <a href="#126">126</a><br>
block drivers, <a href="#466">466</a><br>
blocking/nonblocking, <a href="#151">151</a><br>
change_bit, <a href="#126">126</a><br>
clear_bit, <a href="#126">126</a><br>
devices, <a href="#513">513</a><br>
files, <a href="#49">49</a>-<a href="#53">53</a><br>
filter hotplug, <a href="#376">376</a><br>
flush, <a href="#51">51</a><br>
hotplugs, <a href="#376">376</a><br>
mmap devices, <a href="#422">422</a>-<a href="#434">434</a><br>
set_bit, <a href="#126">126</a><br>
spinlocks, <a href="#120">120</a><br>
string, <a href="#241">241</a>, <a href="#255">255</a><br>
sysrq, <a href="#98">98</a><br>
test_and_change_bit, <a href="#127">127</a><br>
test_and_clear_bit, <a href="#127">127</a></div></div>
</td></tr></table>
<br>
<A name="601"></a><font color="blue">PAGE 601</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql"><div class="bql">test_and_set_bit, <a href="#127">127</a><br>
test_bit, <a href="#127">127</a><br>
vector, <a href="#69">69</a></div>
poll, <a href="#51">51</a>, <a href="#163">163</a>-<a href="#169">169</a>, <a href="#513">513</a><br>
poll_controller, <a href="#542">542</a><br>
populate, <a href="#422">422</a><br>
pread, <a href="#65">65</a><br>
proc_read, <a href="#84">84</a><br>
pwrite, <a href="#65">65</a><br>
read, <a href="#50">50</a>, <a href="#63">63</a>-<a href="#69">69</a><br>
<div class="bql">arguments to, <a href="#65">65</a><br>
code for, <a href="#67">67</a><br>
configuring DMA controllers, <a href="#456">456</a><br>
f_pso field (file structure) and, <a href="#54">54</a><br>
oops messages, <a href="#95">95</a><br>
poll method and, <a href="#166">166</a><br>
rules for interpreting return values, <a href="#66">66</a><br>
strace command and, <a href="#92">92</a></div>
readdir, <a href="#50">50</a><br>
readv, <a href="#52">52</a><br>
rebuild_header, <a href="#512">512</a><br>
release, <a href="#51">51</a>, <a href="#59">59</a><br>
<div class="bql">block drivers, <a href="#471">471</a><br>
blocking, <a href="#176">176</a><br>
cloning devices, <a href="#179">179</a><br>
kobjects, <a href="#367">367</a></div>
revalidate, <a href="#473">473</a><br>
sbull ioctl, <a href="#473">473</a><br>
select, <a href="#163">163</a>-<a href="#169">169</a><br>
select, poll method and, <a href="#51">51</a><br>
set_config, <a href="#512">512</a><br>
set_mac_address, <a href="#513">513</a><br>
set_multicast_list, <a href="#510">510</a>, <a href="#513">513</a>, <a href="#538">538</a><br>
show<br>
<div class="bql">kobjects, <a href="#373">373</a><br>
seq_file interface, <a href="#88">88</a></div>
start, <a href="#87">87</a><br>
stop, <a href="#512">512</a><br>
store (kobjects), <a href="#373">373</a><br>
strace command and, <a href="#92">92</a><br>
struct module *owner, <a href="#50">50</a><br>
tx_timeout, <a href="#512">512</a><br>
unsigned long, <a href="#52">52</a><br>
write, <a href="#50">50</a>, <a href="#63">63</a>-<a href="#69">69</a><br>
<div class="bql">code for, <a href="#68">68</a><br>
f_pos field (file structure) and, <a href="#54">54</a><br>
interpreting rules for return values, <a href="#68">68</a><br>
oops messages, <a href="#94">94</a><br>
poll method and, <a href="#166">166</a></div>
writev, <a href="#52">52</a>, <a href="#69">69</a></div>
</td><td valign="top" width="50%">
mice<br>
<div class="bql">asynchronous notification, <a href="#170">170</a><br>
hotplugging, <a href="#401">401</a></div>
Micro Channel Architecture (MCA), <a href="#322">322</a><br>
microsecond resolution, <a href="#189">189</a><br>
MII (Media Independent Interface), <a href="#540">540</a><br>
minor device numbers, <a href="#44">44</a><br>
MINOR macro, <a href="#71">71</a><br>
minor numbers, char drivers, <a href="#43">43</a>-<a href="#49">49</a><br>
MIPS processor<br>
<div class="bql">inline assembly code and, <a href="#187">187</a><br>
porting and, <a href="#243">243</a></div>
misc-progs directory, <a href="#77">77</a>, <a href="#162">162</a><br>
mitigation of interrupts, <a href="#525">525</a><br>
MKDEV macro, <a href="#71">71</a><br>
mlock system call, <a href="#39">39</a><br>
mmap<br>
<div class="bql">device operations, <a href="#422">422</a>-<a href="#434">434</a><br>
implementation, <a href="#412">412</a>-<a href="#416">416</a>, <a href="#460">460</a><br>
(see also memory management)</div>
mmap method, <a href="#51">51</a><br>
<div class="bql">usage count and, <a href="#426">426</a><br>
vm_area_struct structure and, <a href="#420">420</a></div>
modalities (levels), CPU, <a href="#20">20</a><br>
models (Linux device), <a href="#362">362</a>-<a href="#364">364</a><br>
<div class="bql">buses, <a href="#377">377</a>-<a href="#381">381</a><br>
classes, <a href="#387">387</a>-<a href="#391">391</a><br>
devices, <a href="#381">381</a>-<a href="#387">387</a><br>
firmware, <a href="#405">405</a>-<a href="#407">407</a><br>
hotplugging, <a href="#375">375</a>, <a href="#397">397</a>-<a href="#405">405</a><br>
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
lifecycles, <a href="#391">391</a>-<a href="#397">397</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a></div>
modes<br>
<div class="bql">device modes, <a href="#47">47</a><br>
file modes, <a href="#53">53</a><br>
interrupt<br>
<div class="bql">asynchronous execution, <a href="#197">197</a><br>
tasklets, <a href="#202">202</a>-<a href="#204">204</a></div></div>
mode_t f_mode (struct file field), <a href="#53">53</a><br>
mode_t mode variable (USB), <a href="#353">353</a><br>
modprobe utility, <a href="#25">25</a>, <a href="#29">29</a><br>
<div class="bql">assigning parameter values, <a href="#36">36</a><br>
insmod program versus, <a href="#29">29</a></div>
mod_timer function, <a href="#200">200</a>, <a href="#202">202</a><br>
modularization, layered, <a href="#28">28</a><br>
MODULE_ALIAS macro, <a href="#41">41</a><br>
MODULE_AUTHOR macro, <a href="#41">41</a><br>
MODULE_DESCRIPTION macro, <a href="#41">41</a><br>
MODULE_DEVICE_TABLE macro, <a href="#41">41</a>, <a href="#311">311</a><br>
</td></tr></table>
<br>
<A name="602"></a><font color="blue">PAGE 602</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
module.h header file, <a href="#40">40</a><br>
module_init function, <a href="#31">31</a><br>
module_param macro, <a href="#36">36</a>, <a href="#41">41</a><br>
modules, <a href="#5">5</a><br>
<div class="bql">applications, <a href="#18">18</a>-<a href="#22">22</a><br>
authorization, <a href="#8">8</a><br>
base module parameter, <a href="#247">247</a><br>
classes, <a href="#5">5</a>-<a href="#8">8</a><br>
code requirements, <a href="#30">30</a><br>
compiling, <a href="#23">23</a>-<a href="#25">25</a><br>
complete, <a href="#115">115</a><br>
current process and, <a href="#21">21</a><br>
dynamic module assignment, <a href="#47">47</a><br>
dynamic number assignment, <a href="#47">47</a><br>
faulty (oops messages), <a href="#94">94</a><br>
files, <a href="#40">40</a><br>
filesystem, <a href="#8">8</a><br>
header files of, <a href="#19">19</a><br>
hello world, <a href="#16">16</a>-<a href="#18">18</a><br>
initialization, <a href="#31">31</a>-<a href="#35">35</a><br>
initializing, <a href="#31">31</a>-<a href="#35">35</a><br>
kdatasize, <a href="#289">289</a><br>
license terms, <a href="#11">11</a><br>
loading, <a href="#18">18</a>, <a href="#25">25</a>-<a href="#28">28</a><br>
<div class="bql">insmod program and, <a href="#25">25</a><br>
races, <a href="#35">35</a><br>
using init scripts, <a href="#48">48</a></div>
parameters, <a href="#35">35</a>-<a href="#37">37</a><br>
platform dependency, <a href="#27">27</a><br>
SCSI, <a href="#7">7</a><br>
security (see security)<br>
short, <a href="#265">265</a><br>
stacking, <a href="#28">28</a><br>
symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
test system setup, <a href="#15">15</a><br>
unloading, <a href="#18">18</a>, <a href="#25">25</a>, <a href="#505">505</a><br>
user-space programming, <a href="#37">37</a>-<a href="#39">39</a><br>
version dependency, <a href="#26">26</a></div>
monitoring<br>
<div class="bql">kernels (debugging by), <a href="#91">91</a><br>
preprocessor for, <a href="#79">79</a>-<a href="#81">81</a></div>
mremap system calls, <a href="#427">427</a>, <a href="#430">430</a><br>
MSR register, <a href="#565">565</a><br>
MTU, network devices and, <a href="#513">513</a><br>
multicasting<br>
<div class="bql">IFF_MULTICAST flag and, <a href="#509">509</a><br>
network drivers, <a href="#537">537</a>-<a href="#540">540</a></div>
mutexes, <a href="#109">109</a><br>
<div class="bql">initialization, <a href="#110">110</a></div>
mutual exclusion, <a href="#108">108</a><br>
</td><td valign="top" width="50%">

<a name="N"></a><font color="red"><b>N</b></font><br><br>

name field (buses), <a href="#378">378</a><br>
NAME variable, <a href="#401">401</a><br>
naming<br>
<div class="bql">IP numbers, <a href="#499">499</a><br>
sysfs directory tree (USB), <a href="#334">334</a></div>
native DMA, <a href="#454">454</a>-<a href="#459">459</a><br>
natural alignment of data items, <a href="#294">294</a><br>
nbtest program, <a href="#162">162</a><br>
net_device structure, <a href="#502">502</a>, <a href="#506">506</a>-<a href="#507">507</a><br>
<div class="bql">device methods of, <a href="#514">514</a><br>
interface flags for, <a href="#509">509</a></div>
net_device_stats structure, <a href="#505">505</a>, <a href="#536">536</a><br>
netif_carrier_off function, <a href="#528">528</a><br>
netif_carrier_ok function, <a href="#528">528</a><br>
netif_carrier_on function, <a href="#528">528</a><br>
netif_start_queue function, <a href="#515">515</a><br>
netif_stop_queue function, <a href="#516">516</a>, <a href="#518">518</a><br>
netif_wake_queue function, <a href="#518">518</a><br>
net_init.c file, <a href="#507">507</a><br>
netpoll, <a href="#541">541</a><br>
network devices, <a href="#400">400</a><br>
network drivers, <a href="#497">497</a><br>
<div class="bql">functions, <a href="#542">542</a>-<a href="#545">545</a><br>
interrupt handlers for, <a href="#523">523</a><br>
ioctl commands, <a href="#535">535</a><br>
kernel connections, <a href="#502">502</a>-<a href="#514">514</a><br>
link state (changes in), <a href="#528">528</a><br>
MAC addresses (resolution of), <a href="#532">532</a>-<a href="#534">534</a><br>
methods of, <a href="#514">514</a><br>
multicasting, <a href="#537">537</a>-<a href="#540">540</a><br>
opening, <a href="#515">515</a>-<a href="#516">516</a><br>
snull, <a href="#498">498</a>-<a href="#502">502</a><br>
statistics, <a href="#536">536</a></div>
networks, <a href="#5">5</a><br>
<div class="bql">interfaces, <a href="#7">7</a><br>
management, <a href="#5">5</a></div>
next method, <a href="#87">87</a><br>
nonblocking operations, <a href="#151">151</a><br>
nondefault attributes (kobjects), <a href="#373">373</a><br>
non-Ethernet headers, <a href="#534">534</a><br>
non-Ethernet interfaces, <a href="#507">507</a><br>
nonpreemption and concurrency, <a href="#21">21</a><br>
nonretryable requests, <a href="#486">486</a><br>
nonuniform memory access (NUMA) systems (see NUMA systems)<br>
nopage method, <a href="#422">422</a>, <a href="#427">427</a><br>
<div class="bql">mremap system call with, <a href="#427">427</a><br>
preventing extension of mapping, <a href="#430">430</a><br>
remapping RAM, <a href="#431">431</a></div>
normal memory zone, <a href="#215">215</a><br>
notification (asynchronous), <a href="#169">169</a>-<a href="#171">171</a><br>
</td></tr></table>
<br>
<A name="603"></a><font color="blue">PAGE 603</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
nr_frags field, <a href="#520">520</a><br>
NR_IRQS symbol, <a href="#267">267</a><br>
NuBus, <a href="#324">324</a><br>
NUMA (nonuniform memory access) systems, <a href="#216">216</a>, <a href="#417">417</a><br>
numbering versions (see versions, numbering)<br>
numbers<br>
<div class="bql">devices (printing), <a href="#82">82</a><br>
interrupt, <a href="#260">260</a><br>
IP (assignment of), <a href="#499">499</a><br>
major and minor, <a href="#43">43</a>-<a href="#49">49</a><br>
PFN, <a href="#415">415</a><br>
root hubs (USB), <a href="#334">334</a><br>
versions, <a href="#10">10</a>-<a href="#11">11</a></div>

<br><a name="O"></a><font color="red"><b>O</b></font><br><br>

objects<br>
<div class="bql">kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
<div class="bql">hotplug event generation, <a href="#375">375</a><br>
low-level sysfs operations, <a href="#371">371</a>-<a href="#375">375</a><br>
(see also kobjects)</div>
lifecycles, <a href="#363">363</a><br>
sharing, <a href="#108">108</a></div>
octets, <a href="#498">498</a><br>
older interfaces<br>
<div class="bql">char device registration, <a href="#57">57</a><br>
/proc file implementation, <a href="#85">85</a></div>
O_NDELAY flag (f_flags field), <a href="#151">151</a><br>
O_NONBLOCK flag (f_flags field), <a href="#54">54</a>, <a href="#141">141</a>, <a href="#151">151</a><br>
<div class="bql">read/write methods and, <a href="#166">166</a></div>
oops messages, <a href="#94">94</a>-<a href="#96">96</a><br>
open files, <a href="#53">53</a><br>
open function (tty drivers), <a href="#553">553</a>-<a href="#556">556</a><br>
open method, <a href="#51">51</a>, <a href="#58">58</a>-<a href="#59">59</a><br>
<div class="bql">block drivers, <a href="#471">471</a><br>
blocking, <a href="#176">176</a><br>
for network devices, <a href="#511">511</a><br>
private_data and, <a href="#54">54</a><br>
requesting DMA channels, <a href="#455">455</a><br>
restricting simultaneous users and, <a href="#175">175</a><br>
for single-open devices, <a href="#174">174</a><br>
vm_operations_struct structure, <a href="#421">421</a></div>
opening network drivers, <a href="#515">515</a>-<a href="#516">516</a><br>
operations<br>
<div class="bql">aio_fsync, <a href="#438">438</a><br>
atomic_add, <a href="#125">125</a><br>
atomic_dec, <a href="#125">125</a><br>
atomic_dec_and_test, <a href="#125">125</a><br>
atomic_inc, <a href="#125">125</a><br>
atomic_inc_and_test, <a href="#125">125</a></div>
</td><td valign="top" width="50%">
<div class="bql">atomic_read, <a href="#125">125</a><br>
atomic_set, <a href="#125">125</a><br>
atomic_sub, <a href="#125">125</a><br>
atomic_sub_and_test, <a href="#125">125</a><br>
bit, <a href="#126">126</a><br>
block drivers, <a href="#466">466</a>, <a href="#471">471</a>-<a href="#474">474</a><br>
blocking, <a href="#151">151</a><br>
change_bit, <a href="#126">126</a><br>
clear_bit, <a href="#126">126</a><br>
devices, <a href="#513">513</a><br>
files, <a href="#49">49</a>-<a href="#53">53</a><br>
filter operation, <a href="#376">376</a><br>
flush, <a href="#51">51</a><br>
hotplugs, <a href="#376">376</a><br>
on ksets, <a href="#370">370</a><br>
low-level sysfs, <a href="#371">371</a>-<a href="#375">375</a><br>
methods<br>
<div class="bql">buses, <a href="#379">379</a><br>
close, <a href="#421">421</a><br>
nopage, <a href="#422">422</a><br>
open, <a href="#421">421</a><br>
populate, <a href="#422">422</a><br>
(see also methods)</div>
mmap devices, <a href="#422">422</a>-<a href="#434">434</a><br>
nonblocking, <a href="#151">151</a><br>
set_bit, <a href="#126">126</a><br>
snull interfaces, <a href="#500">500</a><br>
spinlocks, <a href="#120">120</a><br>
string, <a href="#241">241</a>, <a href="#255">255</a><br>
sysrq, <a href="#98">98</a><br>
test_and_change_bit, <a href="#127">127</a><br>
test_and_clear_bit, <a href="#127">127</a><br>
test_and_set_bit, <a href="#127">127</a><br>
test_bit, <a href="#127">127</a><br>
tty_operations structure, <a href="#569">569</a><br>
vector, <a href="#69">69</a><br>
VMAs (adding), <a href="#426">426</a></div>
optimizations, compiler, <a href="#236">236</a><br>
options (configuration), <a href="#73">73</a>-<a href="#75">75</a><br>
ordering locking (rules for), <a href="#122">122</a><br>
O_RDONLY flag (f_flags field), <a href="#54">54</a><br>
O_SYNC flag (f_flags field), <a href="#54">54</a><br>
outb function, <a href="#240">240</a><br>
outb_p function, <a href="#242">242</a><br>
outl function, <a href="#240">240</a><br>
output<br>
<div class="bql">buffers, <a href="#152">152</a><br>
flushing pending, <a href="#167">167</a><br>
pins, <a href="#235">235</a>, <a href="#245">245</a>, <a href="#247">247</a></div>
outsb function, <a href="#242">242</a><br>
outsl function, <a href="#242">242</a><br>
outsw function, <a href="#242">242</a><br>
</td></tr></table>
<br>
<A name="605"></a><font color="blue">PAGE 605</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
outw function, <a href="#240">240</a><br>
overriding ARP, <a href="#533">533</a><br>
overruns (buffers), <a href="#95">95</a><br>

<br><a name="P"></a><font color="red"><b>P</b></font><br><br>

packages, upgrading, <a href="#10">10</a><br>
PACKET_BROADCAST flag, <a href="#530">530</a><br>
PACKET_HOST flag, <a href="#530">530</a><br>
PACKET_MULTICAST flag, <a href="#530">530</a><br>
PACKET_OTHERHOST flag, <a href="#530">530</a><br>
packets<br>
<div class="bql">management, <a href="#5">5</a><br>
multicasting, <a href="#538">538</a><br>
reception, <a href="#523">523</a><br>
reception of, <a href="#501">501</a>, <a href="#521">521</a><br>
transmission, <a href="#501">501</a>, <a href="#516">516</a>-<a href="#520">520</a></div>
page frame number (PFN), <a href="#415">415</a><br>
page_address macro, <a href="#417">417</a><br>
page.h header file, <a href="#292">292</a><br>
page-oriented allocation functions, <a href="#221">221</a>, <a href="#233">233</a><br>
pages<br>
<div class="bql">allocators, <a href="#224">224</a><br>
faults caused by invalid pointers, <a href="#94">94</a><br>
physical addresses, <a href="#415">415</a><br>
size and portability, <a href="#292">292</a><br>
tables, <a href="#418">418</a><br>
<div class="bql">I/O memory and, <a href="#249">249</a><br>
nopage VMA method, <a href="#427">427</a></div></div>
PAGE_SHIFT macro, <a href="#415">415</a><br>
PAGE_SHIFT symbol, <a href="#292">292</a><br>
PAGE_SIZE symbol, <a href="#292">292</a>, <a href="#423">423</a><br>
Parallel Line Internet Protocol (see PLIP)<br>
parallel ports, <a href="#245">245</a>-<a href="#248">248</a><br>
<div class="bql">interrupt handlers<br>
<div class="bql">disabling, <a href="#274">274</a><br>
preparing for, <a href="#259">259</a></div>
stacking driver modules, <a href="#28">28</a></div>
parameters<br>
<div class="bql">assigning values, <a href="#36">36</a><br>
base module, <a href="#247">247</a><br>
modules, <a href="#35">35</a>-<a href="#37">37</a></div>
param.h header file, <a href="#183">183</a><br>
PARENB bitmask, <a href="#561">561</a><br>
PARODD bitmask, <a href="#561">561</a><br>
partial data transfers<br>
<div class="bql">read method, <a href="#66">66</a><br>
write method, <a href="#68">68</a></div>
passwords, <a href="#9">9</a><br>
pausing I/O, <a href="#242">242</a><br>
PC parallel interface, <a href="#245">245</a><br>
</td><td valign="top" width="50%">
PCI (Peripheral Component Interconnect), <a href="#226">226</a><br>
<div class="bql">devices<br>
<div class="bql">adding, <a href="#392">392</a>-<a href="#395">395</a><br>
deleting, <a href="#395">395</a></div>
DMA, <a href="#453">453</a><br>
double-address cycle mappings, <a href="#452">452</a><br>
drivers<br>
<div class="bql">adding, <a href="#396">396</a><br>
deleting, <a href="#396">396</a></div>
EISA, <a href="#323">323</a><br>
extended buses, <a href="#325">325</a><br>
interfaces, <a href="#302">302</a>-<a href="#319">319</a><br>
ISA, <a href="#319">319</a>-<a href="#322">322</a><br>
lists, <a href="#326">326</a><br>
MCA, <a href="#322">322</a><br>
NuBus, <a href="#324">324</a><br>
PC/104 and PC/104+, <a href="#322">322</a><br>
SBus, <a href="#323">323</a><br>
searching, <a href="#326">326</a><br>
VLB, <a href="#323">323</a></div>
pci_bus_type variable, <a href="#392">392</a><br>
PCI_CLASS variable, <a href="#400">400</a><br>
PCI_DEVICE macro, <a href="#310">310</a><br>
PCI_DEVICE_CLASS macro, <a href="#310">310</a><br>
PCI_DMA_FROMDEVICE symbol, <a href="#449">449</a><br>
PCI_DMA_TODEVICE symbol, <a href="#449">449</a><br>
PCI_ID variable, <a href="#400">400</a><br>
pci_map_sg function, <a href="#451">451</a><br>
pci_remove_bus_device function, <a href="#395">395</a><br>
pci_resource_ functions, <a href="#317">317</a><br>
PCI_SLOT_NAME variable, <a href="#400">400</a><br>
PCI_SUBSYS_ID variable, <a href="#400">400</a><br>
PDEBUG/PDEBUGG symbols, <a href="#80">80</a><br>
pending output, flushing, <a href="#167">167</a><br>
per-CPU variables, <a href="#228">228</a>-<a href="#230">230</a><br>
performance<br>
<div class="bql">allocating socket buffers, <a href="#522">522</a><br>
degrading by allocating too much memory, <a href="#222">222</a><br>
memory barriers and, <a href="#238">238</a><br>
mmap method, <a href="#423">423</a><br>
output buffers and, <a href="#152">152</a><br>
string operations and, <a href="#241">241</a></div>
Peripheral Component Interconnect (see PCI)<br>
peripherals (DMA), <a href="#440">440</a>-<a href="#459">459</a><br>
perror calls, <a href="#93">93</a><br>
persistence of memory, <a href="#43">43</a><br>
PFN (page frame number), <a href="#415">415</a><br>
pfn_to_page function, <a href="#417">417</a><br>
PG_locked flag, <a href="#417">417</a><br>
</td></tr></table>
<br>
<A name="605"></a><font color="blue">PAGE 605</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
PG_reserved flag, <a href="#417">417</a><br>
PHYS variable, <a href="#401">401</a><br>
physical addresses, <a href="#413">413</a><br>
<div class="bql">pages, <a href="#415">415</a><br>
(see also addresses)</div>
physical memory, management of, <a href="#216">216</a><br>
<div class="bql">(see also memory)</div>
pins<br>
<div class="bql">9/10 of parallel connector, <a href="#259">259</a><br>
interrupts (generating), <a href="#271">271</a><br>
output, <a href="#235">235</a>, <a href="#245">245</a>, <a href="#247">247</a></div>
pipes (scull), <a href="#43">43</a><br>
platform dependency, <a href="#11">11</a>, <a href="#27">27</a><br>
<div class="bql">for modules, <a href="#27">27</a><br>
porting and, <a href="#242">242</a><br>
/proc/stat file, <a href="#263">263</a></div>
PLIP (Parallel Line Internet Protocol)<br>
<div class="bql">using Ethernet headers, <a href="#533">533</a><br>
interrupt handling differences, <a href="#523">523</a></div>
plug and play (PnP), <a href="#321">321</a><br>
PnP (plug and play), <a href="#321">321</a><br>
pointers<br>
<div class="bql">data type portability, <a href="#295">295</a><br>
inode in ioctl method, <a href="#136">136</a><br>
kobject, <a href="#365">365</a><br>
scull, <a href="#61">61</a><br>
tty_driver function, <a href="#553">553</a>-<a href="#560">560</a></div>
Point-to-Point Protocol (PPP) and interrupt handling differences, <a href="#523">523</a><br>
policies<br>
<div class="bql">controlling devices by printing and, <a href="#147">147</a><br>
memory, <a href="#4">4</a><br>
allocation (scull), <a href="#60">60</a>, <a href="#63">63</a><br>
security, <a href="#8">8</a><br>
separation from mechanism, <a href="#2">2</a>-<a href="#4">4</a></div>
policy, driver, <a href="#2">2</a>-<a href="#4">4</a><br>
poll method, <a href="#51">51</a>, <a href="#163">163</a>-<a href="#169">169</a>, <a href="#513">513</a><br>
poll_controller method, <a href="#542">542</a><br>
POLLERR flag, <a href="#164">164</a><br>
poll.h header file, <a href="#163">163</a>, <a href="#182">182</a><br>
POLLHUP flag, <a href="#164">164</a><br>
POLLIN flag, <a href="#164">164</a><br>
POLLOUT flag, <a href="#164">164</a><br>
POLLPRI flag, <a href="#164">164</a><br>
POLLRDBAND flag, <a href="#164">164</a><br>
POLLRDNORM flag, <a href="#164">164</a><br>
poll_table structure, <a href="#163">163</a>, <a href="#167">167</a><br>
poll_table_entry structure, <a href="#167">167</a><br>
poll_wait function, <a href="#163">163</a>, <a href="#182">182</a><br>
POLLWRBAND flag, <a href="#164">164</a><br>
POLLWRNORM flag, <a href="#164">164</a><br>
</td><td valign="top" width="50%">
pools<br>
<div class="bql">DMA, <a href="#447">447</a><br>
memory, <a href="#220">220</a>, <a href="#232">232</a></div>
populate method, <a href="#422">422</a><br>
portability, <a href="#292">292</a>-<a href="#299">299</a><br>
<div class="bql">data types and, <a href="#288">288</a>-<a href="#292">292</a><br>
porting and, <a href="#242">242</a></div>
ports<br>
<div class="bql">access, <a href="#255">255</a><br>
accessing different sizes, <a href="#240">240</a><br>
I/O, <a href="#235">235</a>-<a href="#254">254</a>, <a href="#255">255</a><br>
parallel, <a href="#245">245</a>-<a href="#248">248</a><br>
<div class="bql">disabling interrupt handlers, <a href="#274">274</a><br>
preparing for interrupt handlers, <a href="#259">259</a></div>
platform dependency and, <a href="#242">242</a><br>
(see also connections; parallel ports)</div>
POS (Programmable Option Select), <a href="#322">322</a><br>
power management, <a href="#362">362</a><br>
PowerPC architecture (porting and), <a href="#244">244</a><br>
PPP (Point-to-Point Protocol) and interrupt handling differences, <a href="#523">523</a><br>
pread method, <a href="#65">65</a><br>
precision, temporal, <a href="#189">189</a><br>
predefined commands, ioctl method, <a href="#140">140</a><br>
<div class="bql">(see also commands)</div>
preemption and concurrency, <a href="#21">21</a><br>
preprocessor, using to monitor driver, <a href="#79">79</a>-<a href="#81">81</a><br>
printing<br>
<div class="bql">controlling devices by, <a href="#147">147</a><br>
to debug code, <a href="#81">81</a><br>
device numbers, <a href="#82">82</a><br>
from gdb debugger, <a href="#99">99</a><br>
interface-specific data, <a href="#291">291</a><br>
kernels, <a href="#75">75</a>-<a href="#82">82</a><br>
_t data items, <a href="#291">291</a></div>
printk function, <a href="#17">17</a>, <a href="#76">76</a>-<a href="#82">82</a><br>
<div class="bql">circular buffers for, <a href="#78">78</a><br>
debugging with, <a href="#78">78</a><br>
logging messages from, <a href="#78">78</a><br>
seq_file interface (avoiding in), <a href="#88">88</a><br>
turning debug messages on/off, <a href="#79">79</a></div>
priorities, <a href="#76">76</a><br>
<div class="bql">allocation, <a href="#214">214</a><br>
<div class="bql">memory, <a href="#213">213</a></div>
message (see loglevels)</div>
private_data field (file structure), <a href="#54">54</a><br>
privileged operations, <a href="#144">144</a><br>
probe function (USB), <a href="#350">350</a><br>
probe_irq_off function, <a href="#265">265</a><br>
probe_irq_on function, <a href="#265">265</a><br>
Probes, Dynamic, <a href="#105">105</a><br>
</td></tr></table>
<br>
<A name="606"></a><font color="blue">PAGE 606</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
probing, <a href="#264">264</a><br>
<div class="bql">do-it-yourself, <a href="#266">266</a><br>
for IRQ numbers, <a href="#264">264</a><br>
kernel-assisted, <a href="#265">265</a><br>
PCI, <a href="#313">313</a></div>
/proc filesystem, <a href="#86">86</a>-<a href="#90">90</a><br>
<div class="bql">installing interrupt handlers, <a href="#262">262</a><br>
removing /proc entries, <a href="#86">86</a><br>
shared interrupts and, <a href="#280">280</a></div>
/proc/devices file, <a href="#46">46</a><br>
processes<br>
<div class="bql">current, <a href="#21">21</a><br>
kernel timers for, <a href="#202">202</a><br>
kernels (splitting), <a href="#4">4</a>-<a href="#5">5</a><br>
login, <a href="#173">173</a><br>
managing, <a href="#4">4</a><br>
memory maps, <a href="#422">422</a><br>
opening devices for each process, <a href="#173">173</a><br>
sleeps, <a href="#147">147</a>-<a href="#162">162</a></div>
processor-specific registers, <a href="#186">186</a><br>
/proc/interrupts file, <a href="#262">262</a>, <a href="#280">280</a><br>
/proc/kcore file, <a href="#99">99</a><br>
/proc/kmsg file, <a href="#78">78</a><br>
/proc/*/maps, <a href="#420">420</a><br>
/proc/modules file, <a href="#40">40</a><br>
proc_read method, <a href="#84">84</a><br>
/proc/slabinfo file, <a href="#219">219</a><br>
/proc/stat file, <a href="#263">263</a><br>
/proc/sys/kernel/printk file, reading console loglevel with, <a href="#77">77</a><br>
/proc/tty/driver/ directory, <a href="#547">547</a><br>
PRODUCT variable, <a href="#401">401</a><br>
Programmable Option Select (POS), <a href="#322">322</a><br>
programming<br>
<div class="bql">concurrency in, <a href="#20">20</a><br>
hello world module, <a href="#16">16</a>-<a href="#18">18</a><br>
ISA, <a href="#321">321</a><br>
module requirements, <a href="#30">30</a><br>
test system setup, <a href="#15">15</a><br>
user space, <a href="#19">19</a>, <a href="#37">37</a>-<a href="#39">39</a></div>
programming drivers (see writing, drivers)<br>
programs, <a href="#3">3</a><br>
<div class="bql">asynctest, <a href="#169">169</a><br>
dataalign, <a href="#294">294</a><br>
datasize, <a href="#288">288</a><br>
insmod, <a href="#5">5</a><br>
jitbusy, <a href="#191">191</a><br>
mapper, <a href="#430">430</a><br>
nbtest, <a href="#162">162</a><br>
obtaining, <a href="#12">12</a><br>
rmmod, <a href="#5">5</a><br>
/sbin/hotplug utility, <a href="#398">398</a></div>
</td><td valign="top" width="50%">
<div class="bql">setconsole, <a href="#77">77</a><br>
setterm, <a href="#147">147</a><br>
tcpdump, <a href="#501">501</a><br>
tracing, <a href="#105">105</a><br>
tunelp, <a href="#3">3</a><br>
(see also applications versus kernel modules)</div>
public kernel symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
put_unaligned function, <a href="#293">293</a><br>
put_user function, <a href="#143">143</a>, <a href="#180">180</a><br>
pwrite method, <a href="#65">65</a><br>

<br><a name="Q"></a><font color="red"><b>Q</b></font><br><br>

quantums/quantum sets (memory), <a href="#61">61</a><br>
querying kernels, <a href="#82">82</a>-<a href="#91">91</a><br>
querying to debug, <a href="#91">91</a><br>
queues<br>
<div class="bql">control functions, <a href="#480">480</a><br>
creating/deleting, <a href="#479">479</a><br>
functions, <a href="#479">479</a><br>
network drivers, <a href="#515">515</a><br>
request function, <a href="#475">475</a><br>
request method, <a href="#478">478</a><br>
TCQ, <a href="#492">492</a>-<a href="#493">493</a><br>
transmissions, <a href="#518">518</a><br>
wait, <a href="#149">149</a>, <a href="#156">156</a>, <a href="#181">181</a><br>
workqueues, <a href="#205">205</a>-<a href="#208">208</a>, <a href="#211">211</a>, <a href="#277">277</a></div>

<br><a name="R"></a><font color="red"><b>R</b></font><br><br>

race conditions, <a href="#21">21</a><br>
<div class="bql">kernel timers and, <a href="#198">198</a><br>
module loading, <a href="#35">35</a><br>
sequences, <a href="#107">107</a></div>
RAM (random access memory)<br>
<div class="bql">remapping, <a href="#430">430</a><br>
versus I/O registers, <a href="#236">236</a></div>
random access memory (see RAM)<br>
random numbers, <a href="#260">260</a><br>
rates, limitations of, <a href="#81">81</a><br>
RCU (read-copy-update), <a href="#129">129</a><br>
rdtscl function, <a href="#187">187</a><br>
read function (tty drivers), <a href="#558">558</a><br>
read method, <a href="#50">50</a>, <a href="#63">63</a>-<a href="#69">69</a><br>
<div class="bql">arguments to, <a href="#65">65</a><br>
code for, <a href="#67">67</a><br>
configuring DMA controllers, <a href="#456">456</a><br>
f_pos field (file structure) and, <a href="#54">54</a><br>
oops messages, <a href="#95">95</a><br>
poll method and, <a href="#166">166</a><br>
return values, rules for interpreting, <a href="#66">66</a><br>
strace command and, <a href="#92">92</a></div>
</td></tr></table>
<br>
<A name="607"></a><font color="blue">PAGE 607</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
read-copy-update (RCU), <a href="#129">129</a><br>
readdir method, <a href="#50">50</a><br>
reader/writer semaphores, <a href="#113">113</a><br>
reader/writer spinlocks, <a href="#120">120</a><br>
reading<br>
<div class="bql">blocking/nonblocking operations, <a href="#151">151</a><br>
from a device, <a href="#63">63</a>-<a href="#67">67</a></div>
read-only /proc files, creating, <a href="#84">84</a><br>
read_proc function, <a href="#85">85</a><br>
readv calls, <a href="#69">69</a><br>
readv method, <a href="#52">52</a><br>
read/write instructions, reordering, <a href="#236">236</a><br>
read/write position, changing, <a href="#50">50</a><br>
rebuild_header method, <a href="#512">512</a><br>
reception of packets, <a href="#501">501</a>, <a href="#521">521</a>-<a href="#523">523</a><br>
recovery, error, <a href="#33">33</a><br>
redirecting console messages, <a href="#77">77</a><br>
reentrant<br>
<div class="bql">calls, <a href="#97">97</a><br>
code, <a href="#21">21</a></div>
reference counters (kobjects), <a href="#366">366</a><br>
regions<br>
<div class="bql">generic I/O address spaces, <a href="#316">316</a><br>
I/O memory management, <a href="#429">429</a></div>
register_blkdev function, <a href="#465">465</a><br>
register_chrdev function, <a href="#404">404</a><br>
register_netdev function, <a href="#503">503</a><br>
registers<br>
<div class="bql">counters, <a href="#186">186</a><br>
I/O, <a href="#236">236</a><br>
LSR, <a href="#564">564</a><br>
mapping, <a href="#445">445</a>, <a href="#450">450</a><br>
MSR, <a href="#565">565</a><br>
PCI, <a href="#308">308</a>, <a href="#325">325</a><br>
<div class="bql">class, <a href="#309">309</a><br>
deviceID, <a href="#309">309</a><br>
subsystem deviceID, <a href="#309">309</a><br>
subsystem vendorID, <a href="#309">309</a><br>
vendorID, <a href="#309">309</a></div>
processor-specific, <a href="#186">186</a><br>
scatterlists (and mapping), <a href="#450">450</a></div>
registration<br>
<div class="bql">block drivers, <a href="#465">465</a>-<a href="#470">470</a><br>
buses, <a href="#378">378</a><br>
char drivers, <a href="#55">55</a>-<a href="#57">57</a><br>
cleanup function, <a href="#32">32</a><br>
devices, <a href="#382">382</a>, <a href="#502">502</a><br>
disks, <a href="#466">466</a><br>
DMA usage, <a href="#455">455</a><br>
interrupt handlers, <a href="#286">286</a><br>
module-loading races, <a href="#35">35</a></div>
</td><td valign="top" width="50%">
<div class="bql">PCI drivers, <a href="#311">311</a><br>
struct usb_driver structure, <a href="#349">349</a><br>
tiny_tty_driver variable, <a href="#551">551</a><br>
tracking, <a href="#33">33</a><br>
tty drivers, <a href="#549">549</a><br>
USB drivers, <a href="#348">348</a></div>
release calls, <a href="#174">174</a><br>
release functions (kobjects), <a href="#367">367</a><br>
release method, <a href="#51">51</a>, <a href="#59">59</a><br>
<div class="bql">block drivers, <a href="#471">471</a><br>
blocking, <a href="#176">176</a><br>
cloning devices, <a href="#179">179</a><br>
kobjects, <a href="#367">367</a></div>
release_dma_lock function, <a href="#457">457</a><br>
releasing spinlocks, <a href="#120">120</a><br>
RELEVANT_IFLAG macro, <a href="#560">560</a><br>
remap_pfn_range function, <a href="#424">424</a><br>
remapping<br>
<div class="bql">kernel virtual addresses, <a href="#434">434</a><br>
RAM, <a href="#430">430</a><br>
(see also mapping)</div>
remote0 (IP number), <a href="#499">499</a><br>
removable media (supporting), <a href="#472">472</a><br>
remove_proc_entry function, <a href="#86">86</a><br>
reordering read/write instructions, <a href="#236">236</a><br>
repatch program, <a href="#575">575</a><br>
reports (interrupts), <a href="#261">261</a><br>
request_dma function, <a href="#455">455</a><br>
request_firmware function, <a href="#406">406</a><br>
requests<br>
<div class="bql">blocking, <a href="#176">176</a><br>
processing, <a href="#474">474</a>-<a href="#491">491</a><br>
state of (processing), <a href="#483">483</a></div>
requeuing/rescheduling tasks, <a href="#198">198</a><br>
requirements, code, <a href="#30">30</a><br>
resolution of time, <a href="#189">189</a><br>
resolving Ethernet addresses, <a href="#532">532</a><br>
resource flags (PCI), <a href="#317">317</a><br>
restriction of access, <a href="#174">174</a><br>
retrieval of current time, <a href="#188">188</a>-<a href="#190">190</a><br>
return values<br>
<div class="bql">interrupt handlers, <a href="#272">272</a><br>
switch statements, <a href="#140">140</a></div>
revalidate method, <a href="#473">473</a><br>
ring buffers (DMA), <a href="#441">441</a><br>
RISC processor and inline assembly code, <a href="#187">187</a><br>
rmmod program, <a href="#5">5</a>, <a href="#17">17</a><br>
<div class="bql">dynamically allocating major<br>
<div class="bql">numbers, <a href="#48">48</a></div>
testing modules using, <a href="#17">17</a></div>
</td></tr></table>
<br>
<A name="608"></a><font color="blue">PAGE 608</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
roles<br>
<div class="bql">of device drivers, <a href="#2">2</a>-<a href="#4">4</a><br>
kernels, <a href="#4">4</a>-<a href="#5">5</a></div>
root hubs (USB), <a href="#334">334</a><br>
routing, network management, <a href="#5">5</a><br>
rq_data_dir field (request structure), <a href="#477">477</a><br>
rules<br>
<div class="bql">locking, <a href="#121">121</a><br>
ordering, <a href="#122">122</a></div>
running (see execution)<br>
runtime, code, <a href="#5">5</a><br>
rwsems (reader/writer semaphores), <a href="#113">113</a><br>

<br><a name="S"></a><font color="red"><b>S</b></font><br><br>

S/390 architecture, <a href="#402">402</a><br>
<div class="bql">porting and, <a href="#244">244</a></div>
SA_INTERRUPT flag, <a href="#260">260</a>, <a href="#286">286</a><br>
SAK (secure attention key) function, <a href="#97">97</a><br>
sample programs, obtaining, <a href="#12">12</a><br>
SA_SAMPLE_RANDOM flag, <a href="#260">260</a>, <a href="#286">286</a><br>
SA_SHIRQ flag, <a href="#260">260</a>, <a href="#278">278</a>, <a href="#286">286</a><br>
/sbin/hotplug utility, <a href="#398">398</a><br>
sbull drivers<br>
<div class="bql">initialization, <a href="#468">468</a><br>
request method, <a href="#475">475</a></div>
sbull ioctl method, <a href="#473">473</a><br>
sbull_request function, <a href="#469">469</a><br>
SBus, <a href="#324">324</a><br>
scatter/gather<br>
<div class="bql">DMA mappings, <a href="#450">450</a><br>
I/O, <a href="#520">520</a></div>
scatterlists<br>
<div class="bql">mapping, <a href="#450">450</a><br>
structure, <a href="#462">462</a></div>
sched.h header file, <a href="#40">40</a>, <a href="#184">184</a><br>
schedule function, <a href="#181">181</a><br>
<div class="bql">execution of code (delaying), <a href="#193">193</a><br>
preventing endless loops with, <a href="#97">97</a></div>
schedulers (I/O), <a href="#478">478</a><br>
schedule_timeout function, <a href="#194">194</a><br>
scheduling kernel timers, <a href="#196">196</a>-<a href="#202">202</a><br>
scripts (hotplug), <a href="#403">403</a><br>
SCSI<br>
<div class="bql">devices, <a href="#402">402</a><br>
modules, <a href="#7">7</a></div>
scull, <a href="#42">42</a>, <a href="#47">47</a><br>
<div class="bql">char drivers, <a href="#70">70</a><br>
concurrency (see concurrency)<br>
design of, <a href="#42">42</a><br>
device registration, <a href="#56">56</a><br>
drivers (example), <a href="#80">80</a>, <a href="#138">138</a></div>
</td><td valign="top" width="50%">
<div class="bql">file operations, <a href="#49">49</a>-<a href="#53">53</a><br>
inode structure, <a href="#55">55</a><br>
locking (adding), <a href="#109">109</a><br>
memory<br>
<div class="bql">troubleshooting, <a href="#107">107</a><br>
usage, <a href="#60">60</a>-<a href="#63">63</a></div>
next method, <a href="#87">87</a><br>
open method, <a href="#58">58</a>-<a href="#59">59</a><br>
pointers, <a href="#61">61</a><br>
race conditions, <a href="#107">107</a><br>
read method, <a href="#63">63</a>-<a href="#69">69</a><br>
read_proc method, <a href="#85">85</a><br>
readv calls, <a href="#69">69</a><br>
release method, <a href="#59">59</a><br>
semaphores, <a href="#112">112</a><br>
show method, <a href="#88">88</a><br>
stop method, <a href="#88">88</a><br>
write method, <a href="#63">63</a>-<a href="#69">69</a><br>
writev calls, <a href="#69">69</a></div>
scull driver (example), <a href="#42">42</a><br>
scullc driver (example), <a href="#219">219</a><br>
scull_cleanup function, <a href="#179">179</a><br>
scull_getwritespace function, <a href="#158">158</a><br>
scullp<br>
<div class="bql">example, <a href="#223">223</a><br>
mmap implementations, <a href="#431">431</a></div>
scullpipe devices (example), <a href="#153">153</a>-<a href="#162">162</a><br>
scullsingle device, <a href="#174">174</a><br>
sculluid code, <a href="#175">175</a><br>
scullv driver (example), <a href="#227">227</a>, <a href="#233">233</a><br>
searching PCI drivers, <a href="#326">326</a><br>
sectors (size of), <a href="#470">470</a><br>
sector_t bi_sector field (bio structure), <a href="#482">482</a><br>
sector_t capacity field (gendisk), <a href="#467">467</a><br>
sector_t sector field (request structure), <a href="#476">476</a><br>
secure attention key (SAK) function, <a href="#97">97</a><br>
security, <a href="#8">8</a><br>
seeking devices, <a href="#171">171</a><br>
select method, <a href="#163">163</a>-<a href="#169">169</a><br>
<div class="bql">poll method and, <a href="#51">51</a></div>
semaphores, <a href="#109">109</a><br>
<div class="bql">completion, <a href="#114">114</a>-<a href="#116">116</a><br>
implementation, <a href="#110">110</a>-<a href="#114">114</a><br>
reader/writer, <a href="#113">113</a><br>
unlocking, <a href="#110">110</a></div>
sendfile system, <a href="#52">52</a><br>
sendpage system, <a href="#52">52</a><br>
seq_file interface, <a href="#87">87</a>-<a href="#90">90</a><br>
seqlocks, <a href="#127">127</a><br>
SEQNUM variable, <a href="#399">399</a><br>
sequences (race conditions), <a href="#107">107</a><br>
</td></tr></table>
<br>
<A name="609"></a><font color="blue">PAGE 609</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
serial line configuration, <a href="#565">565</a><br>
serial_icounter_struct structure, <a href="#566">566</a><br>
set_bit operation, <a href="#126">126</a><br>
set_config method, <a href="#512">512</a><br>
setconsole program, <a href="#77">77</a><br>
set_dma_addr function, <a href="#457">457</a><br>
set_dma_count function, <a href="#457">457</a><br>
set_dma_mode function, <a href="#457">457</a><br>
set_mac_address method, <a href="#513">513</a><br>
set_mb function, <a href="#238">238</a><br>
set_multicast_list function, <a href="#539">539</a><br>
set_multicast_list method, <a href="#510">510</a>, <a href="#513">513</a><br>
set_rmb function, <a href="#238">238</a><br>
setterm program, <a href="#147">147</a><br>
set_termios function, <a href="#560">560</a><br>
set_wmb function, <a href="#238">238</a><br>
sfile argument, <a href="#87">87</a><br>
sg_dma_address function, <a href="#462">462</a><br>
sg_dma_address macro, <a href="#451">451</a><br>
sg_dma_len function, <a href="#462">462</a><br>
sg_dma_len macro, <a href="#451">451</a><br>
sharing<br>
<div class="bql">code, <a href="#108">108</a><br>
interrupt handlers, <a href="#278">278</a>-<a href="#281">281</a><br>
queues, <a href="#207">207</a></div>
short delays, <a href="#195">195</a>-<a href="#196">196</a><br>
<div class="bql">sleeps, <a href="#196">196</a></div>
short driver (example), <a href="#246">246</a><br>
<div class="bql">accessing I/O memory, <a href="#252">252</a><br>
implementing interrupt handlers, <a href="#270">270</a><br>
installing interrupt handlers, <a href="#261">261</a><br>
probing, <a href="#266">266</a></div>
short module, <a href="#265">265</a><br>
shortprint drivers, <a href="#282">282</a>-<a href="#286">286</a><br>
show function, <a href="#386">386</a><br>
show method<br>
<div class="bql">kobjects, <a href="#373">373</a><br>
seq_file interface, <a href="#88">88</a></div>
shutdown, <a href="#31">31</a>, <a href="#362">362</a><br>
shutting down modules (see unloading, modules)<br>
SIGIO signal, <a href="#169">169</a><br>
signal handling, <a href="#154">154</a><br>
Simple Character Utility for Loading Localitie (see scull)<br>
Simple Hardware Operations and Raw Tests (see short driver)<br>
simple sleeping, <a href="#149">149</a><br>
single-open devices, <a href="#173">173</a><br>
single-page streaming mappings, <a href="#450">450</a><br>
</td><td valign="top" width="50%">
SIOCDEVPRIVATE commands, <a href="#535">535</a><br>
SIOCSIFADDR command, <a href="#535">535</a><br>
SIOCSIFMAP command, <a href="#535">535</a><br>
size<br>
<div class="bql">data explicitly, <a href="#290">290</a><br>
explicit, <a href="#290">290</a><br>
kmalloc argument, <a href="#216">216</a><br>
pages, <a href="#292">292</a><br>
ports, <a href="#240">240</a><br>
of sectors, <a href="#470">470</a></div>
skb_headlen function, <a href="#532">532</a><br>
skb_headroom function, <a href="#531">531</a><br>
skb_is_nonlinear functions, <a href="#532">532</a><br>
skb_pull function, <a href="#532">532</a><br>
skb_push function, <a href="#531">531</a><br>
skb_put function, <a href="#531">531</a><br>
skb_reserve function, <a href="#531">531</a><br>
skb_tailroom function, <a href="#531">531</a><br>
sk_buff structure<br>
<div class="bql">fields for, <a href="#529">529</a><br>
transmitting packets, <a href="#516">516</a></div>
skbuff.h header file, <a href="#516">516</a><br>
SLAB_CACHE_DMA flag, <a href="#218">218</a><br>
SLAB_CTOR_ATOMIC flag, <a href="#218">218</a><br>
SLAB_CTOR_CONSTRUCTOR flag, <a href="#218">218</a><br>
SLAB_HWCACHE_ALIGN flag, <a href="#218">218</a><br>
SLAB_NO_REAP flag, <a href="#218">218</a><br>
sleep_on function, <a href="#162">162</a><br>
sleeps<br>
<div class="bql">locking, <a href="#110">110</a><br>
manual, <a href="#156">156</a><br>
processes, <a href="#147">147</a>-<a href="#162">162</a><br>
short delays, <a href="#196">196</a><br>
spinlocks, <a href="#118">118</a></div>
slow downs (avoiding), <a href="#82">82</a><br>
slow interrupt handlers, <a href="#268">268</a><br>
SMP (symmetric multiprocessor) systems, <a href="#21">21</a><br>
snullnet0 (IP number), <a href="#499">499</a><br>
socket buffers, <a href="#516">516</a>, <a href="#528">528</a>-<a href="#532">532</a><br>
<div class="bql">allocation, <a href="#522">522</a></div>
software<br>
<div class="bql">loops, <a href="#195">195</a><br>
versions (see versions, numbering)<br>
(see also applications versus kernel modules)</div>
software-mapped I/O memory (ioremap function), <a href="#250">250</a><br>
SPARC architecture, <a href="#244">244</a><br>
SPARC64 platform (data alignment), <a href="#294">294</a><br>
special files, <a href="#43">43</a><br>
</td></tr></table>
<br>
<A name="610"></a><font color="blue">PAGE 610</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
spinlocks<br>
<div class="bql">dma_spin_lock, <a href="#457">457</a><br>
hard_start_xmit function, <a href="#518">518</a><br>
releasing, <a href="#120">120</a><br>
xmit_lock function, <a href="#514">514</a></div>
splitting kernels, <a href="#4">4</a>-<a href="#5">5</a><br>
stacking modules, <a href="#28">28</a><br>
standard C data types, <a href="#288">288</a><br>
start method, <a href="#87">87</a><br>
stat file, <a href="#263">263</a><br>
state of request processing, <a href="#483">483</a><br>
statements<br>
<div class="bql">goto, <a href="#33">33</a><br>
printk (see printk function)<br>
switch<br>
<div class="bql">with ioctl method, <a href="#136">136</a><br>
return values, <a href="#140">140</a></div></div>
static functions (locking), <a href="#121">121</a><br>
static numbers, assignment of, <a href="#46">46</a><br>
statistics<br>
<div class="bql">on caches, <a href="#219">219</a><br>
on interrupts, <a href="#263">263</a><br>
on network drivers, <a href="#536">536</a><br>
on network interfaces, <a href="#504">504</a>, <a href="#512">512</a>, <a href="#536">536</a></div>
status information, <a href="#514">514</a><br>
stop method, <a href="#88">88</a>, <a href="#512">512</a><br>
store method (kobjects), <a href="#373">373</a><br>
strace command, <a href="#91">91</a><br>
strace tool, <a href="#162">162</a><br>
streaming<br>
<div class="bql">DMA mappings, <a href="#446">446</a>, <a href="#448">448</a><br>
single-page mappings, <a href="#450">450</a></div>
string operations, <a href="#241">241</a>, <a href="#255">255</a><br>
struct block_device_operations *fops field (gendisk), <a href="#467">467</a><br>
struct bus_type *bus field, <a href="#382">382</a><br>
struct cdev *i_cdev (inode structure field), <a href="#55">55</a><br>
struct dentry *f_dentry (struct file field), <a href="#54">54</a><br>
struct device fields, <a href="#381">381</a><br>
struct device *parent field, <a href="#381">381</a><br>
struct device_driver *driver field, <a href="#382">382</a><br>
struct device_driver structure, <a href="#385">385</a><br>
struct file, <a href="#53">53</a><br>
struct file_operations *f_op (struct file field), <a href="#54">54</a><br>
struct file_operations *fops variable (USB), <a href="#353">353</a><br>
struct kobject kobj field, <a href="#381">381</a><br>
struct module *owner function, <a href="#348">348</a><br>
struct module *owner method, <a href="#50">50</a><br>
struct net_device *next field (net_device structure), <a href="#506">506</a><br>
</td><td valign="top" width="50%">
struct pci_device_id structure (PCI), <a href="#309">309</a><br>
struct request structure, <a href="#476">476</a><br>
struct request_queue *queue field (gendisk), <a href="#467">467</a><br>
struct scull_qset structure, <a href="#62">62</a><br>
struct termios structure (tty drivers), <a href="#550">550</a>-<a href="#553">553</a><br>
struct timeval pointer, <a href="#188">188</a><br>
struct tty_flip_buffer structure, <a href="#559">559</a><br>
struct urb structure, <a href="#336">336</a><br>
struct usb_device *dev field (USB), <a href="#336">336</a><br>
struct usb_device_id structure (USB), <a href="#346">346</a><br>
struct usb_driver structure, <a href="#349">349</a><br>
struct usb_host_interface *altsetting field (USB), <a href="#331">331</a><br>
struct usb_host_interface *cur_altsetting field (USB), <a href="#332">332</a><br>
struct usb_interface structure, <a href="#351">351</a><br>
struct usb_iso_packet_descriptor iso_frame_desc field (USB), <a href="#341">341</a><br>
structures<br>
<div class="bql">bin_attribute, <a href="#374">374</a><br>
bio, <a href="#482">482</a>, <a href="#487">487</a><br>
bus_type, <a href="#378">378</a><br>
cdev configuration, <a href="#56">56</a><br>
data, <a href="#49">49</a>, <a href="#49">49</a>-<a href="#53">53</a><br>
devices, <a href="#383">383</a><br>
dev_mc_list, <a href="#538">538</a><br>
drivers, <a href="#386">386</a><br>
file_operations (mmap method and), <a href="#424">424</a><br>
gendisk, <a href="#467">467</a><br>
ifreq, <a href="#535">535</a><br>
kobjects, <a href="#364">364</a>-<a href="#371">371</a><br>
kset_hotplug_ops, <a href="#376">376</a><br>
ldd_driver, <a href="#386">386</a><br>
net_device, <a href="#502">502</a>, <a href="#506">506</a>-<a href="#507">507</a><br>
net_device_stats, <a href="#505">505</a>, <a href="#536">536</a><br>
registration, <a href="#55">55</a>-<a href="#57">57</a><br>
scatterlist, <a href="#462">462</a><br>
serial_icounter_struct, <a href="#566">566</a><br>
sk_buff, <a href="#529">529</a><br>
struct device_driver, <a href="#385">385</a><br>
struct request, <a href="#476">476</a><br>
struct scull_qset, <a href="#62">62</a><br>
struct termios (tty drivers), <a href="#550">550</a>-<a href="#553">553</a><br>
struct tty_flip_buffer, <a href="#559">559</a><br>
struct urb, <a href="#336">336</a><br>
struct usb_driver, <a href="#349">349</a><br>
struct usb_interface, <a href="#351">351</a><br>
tty_driver, <a href="#567">567</a><br>
tty_operations, <a href="#569">569</a><br>
tty_struct, <a href="#571">571</a></div>
</td></tr></table>
<br>
<A name="611"></a><font color="blue">PAGE 611</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
<div class="bql">vm_area_struct, <a href="#420">420</a><br>
vm_operations_struct, <a href="#421">421</a></div>
submission of urbs, <a href="#344">344</a>, <a href="#354">354</a><br>
SUBSYSTEM variable, <a href="#399">399</a><br>
subsystems, <a href="#368">368</a><br>
<div class="bql">classes, <a href="#391">391</a><br>
deviceID register (PCI), <a href="#309">309</a><br>
firmware, <a href="#407">407</a><br>
ksets, <a href="#370">370</a><br>
memory management, <a href="#4">4</a><br>
module stacking, <a href="#29">29</a><br>
USB (see USB)<br>
vendorID register (PCI), <a href="#309">309</a></div>
Super-H architecture, <a href="#244">244</a><br>
supervisor mode, <a href="#20">20</a><br>
support<br>
<div class="bql">Ethtool, <a href="#541">541</a><br>
kernels (debugging), <a href="#73">73</a>-<a href="#75">75</a><br>
MII, <a href="#540">540</a><br>
multicasting, <a href="#538">538</a></div>
swappers, <a href="#193">193</a><br>
switch statements<br>
<div class="bql">return values, <a href="#140">140</a><br>
with ioctl method, <a href="#136">136</a></div>
symbolic links (kobjects), <a href="#375">375</a><br>
symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
<div class="bql">BLK_BOUNCE_HIGH, <a href="#480">480</a><br>
bytes, <a href="#300">300</a><br>
CHECKSUM, <a href="#523">523</a><br>
DMA_BIDIRECTIONAL, <a href="#448">448</a><br>
DMA_FROM_DEVICE, <a href="#448">448</a><br>
DMA_NONE, <a href="#448">448</a><br>
DMA_TO_DEVICE, <a href="#448">448</a>, <a href="#461">461</a><br>
IFF_, <a href="#538">538</a><br>
NR_IRQS, <a href="#267">267</a><br>
PAGE_SIZE, <a href="#423">423</a><br>
PCI_DMA_FROMDEVICE, <a href="#449">449</a><br>
PCI_DMA_TODEVICE, <a href="#449">449</a><br>
PDEBUG/PDEBUGG, <a href="#80">80</a><br>
symbol table, <a href="#28">28</a>-<a href="#29">29</a></div>
symmetric multiprocessor (SMP) systems, <a href="#21">21</a><br>
synchronization<br>
<div class="bql">DMA buffers, <a href="#452">452</a><br>
semaphores, <a href="#114">114</a></div>
sysfs directory<br>
<div class="bql">trees (USB), <a href="#333">333</a>-<a href="#335">335</a><br>
tty driver, <a href="#552">552</a></div>
sysfs filesystem, <a href="#409">409</a><br>
<div class="bql">low-level operations, <a href="#371">371</a>-<a href="#375">375</a></div>
syslogd daemon, <a href="#79">79</a><br>
sysrq operations, <a href="#98">98</a><br>
</td><td valign="top" width="50%">
sysrq.txt file, <a href="#97">97</a><br>
sys_syslog function, <a href="#77">77</a><br>
system calls, <a href="#25">25</a><br>
system faults<br>
<div class="bql">debugging, <a href="#93">93</a>-<a href="#98">98</a><br>
handling, <a href="#19">19</a></div>
system hangs, <a href="#96">96</a>-<a href="#98">98</a><br>
system shutdown, <a href="#362">362</a><br>

<br><a name="T"></a><font color="red"><b>T</b></font><br><br>

_t data types, <a href="#291">291</a><br>
table pages, <a href="#418">418</a><br>
<div class="bql">I/O memory and, <a href="#249">249</a><br>
nopage VMA method, <a href="#427">427</a></div>
tables, symbols, <a href="#28">28</a>-<a href="#29">29</a><br>
tagged command queuing (TCQ), <a href="#492">492</a>-<a href="#493">493</a><br>
tagged initialization formats, <a href="#53">53</a><br>
tasklets, <a href="#202">202</a>-<a href="#204">204</a>, <a href="#211">211</a><br>
<div class="bql">interrupt handlers, <a href="#276">276</a></div>
tasklet_schedule function, <a href="#276">276</a><br>
tcpdump program, <a href="#501">501</a><br>
TCQ (tagged command queueing), <a href="#492">492</a>-<a href="#493">493</a><br>
tearing down single-page streaming mappings, <a href="#450">450</a><br>
templates, scull (design of), <a href="#42">42</a><br>
terminals, selecting for messages, <a href="#77">77</a><br>
termios userspace functions, <a href="#560">560</a><br>
test system setup, <a href="#15">15</a><br>
test_and_change_bit operation, <a href="#127">127</a><br>
test_and_clear_bit operations, <a href="#127">127</a><br>
test_and_set_bit operation, <a href="#127">127</a><br>
test_bit operation, <a href="#127">127</a><br>
testing<br>
<div class="bql">block drivers, <a href="#468">468</a><br>
char drivers, <a href="#70">70</a><br>
hello world modules, <a href="#17">17</a><br>
scullpipe drivers, <a href="#162">162</a></div>
thread execution, <a href="#109">109</a><br>
throughput (DMA), <a href="#440">440</a>-<a href="#459">459</a><br>
time, <a href="#208">208</a><br>
<div class="bql">boot (PCI), <a href="#306">306</a><br>
current time (retrieving), <a href="#188">188</a>-<a href="#190">190</a><br>
execution of code (delaying), <a href="#190">190</a>-<a href="#196">196</a>, <a href="#209">209</a><br>
HZ (time frequency), <a href="#183">183</a>, <a href="#292">292</a><br>
intervals of (data type portability), <a href="#292">292</a><br>
kernel timers, <a href="#202">202</a><br>
lapses (measurement of), <a href="#183">183</a>-<a href="#188">188</a><br>
tasklets, <a href="#202">202</a>-<a href="#204">204</a><br>
time intervals in the kernel, <a href="#292">292</a><br>
workqueues, <a href="#205">205</a>-<a href="#208">208</a></div>
</td></tr></table>
<br>
<A name="612"></a><font color="blue">PAGE 612</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
timeouts<br>
<div class="bql">configuration, <a href="#193">193</a><br>
scheduling, <a href="#194">194</a><br>
transmission (see transmission timeouts)</div>
timer.h header file, <a href="#198">198</a><br>
timer_list structure, <a href="#198">198</a><br>
timers, <a href="#202">202</a><br>
<div class="bql">interrupts, <a href="#183">183</a><br>
kernels, <a href="#196">196</a>-<a href="#202">202</a>, <a href="#210">210</a></div>
timestamp counter (TSC), <a href="#186">186</a><br>
tiny_close function, <a href="#556">556</a><br>
tiny_tty_driver variable, <a href="#551">551</a><br>
TIOCLINUX command, <a href="#77">77</a><br>
tiocmget function, <a href="#562">562</a><br>
tiocmset functions, <a href="#562">562</a><br>
token ring networks, setting up interfaces for, <a href="#508">508</a><br>
tools<br>
<div class="bql">debuggers, <a href="#99">99</a>-<a href="#105">105</a><br>
Ethtool, <a href="#541">541</a><br>
kernels (enabling configuration options), <a href="#73">73</a>-<a href="#75">75</a><br>
lockmeter, <a href="#123">123</a><br>
/sbin/hotplug utility, <a href="#398">398</a><br>
strace, <a href="#162">162</a><br>
timers, <a href="#196">196</a>-<a href="#202">202</a><br>
(see also debugging; utilities)</div>
top halves (interrupt handlers), <a href="#275">275</a>-<a href="#278">278</a><br>
tracing programs, <a href="#105">105</a><br>
tracking<br>
<div class="bql">registration, <a href="#33">33</a><br>
struct scull_qset (structure), <a href="#62">62</a></div>
transfers<br>
<div class="bql">buffers, <a href="#448">448</a><br>
DMA, <a href="#440">440</a>-<a href="#459">459</a>, <a href="#461">461</a><br>
USB without urbs, <a href="#356">356</a>-<a href="#359">359</a></div>
transistor-transistor logic (TTL) levels, <a href="#245">245</a><br>
transmission concurrency, controlling, <a href="#518">518</a><br>
transmission of packets, <a href="#501">501</a>, <a href="#516">516</a>-<a href="#520">520</a><br>
transmission timeouts, <a href="#504">504</a>, <a href="#519">519</a><br>
<div class="bql">tx_timeout method and, <a href="#512">512</a><br>
watchdog_timeo field and, <a href="#514">514</a></div>
traps (locking), <a href="#121">121</a>-<a href="#123">123</a><br>
traversal of linked lists, <a href="#298">298</a><br>
tr_configure function, <a href="#508">508</a><br>
trees<br>
<div class="bql">/dev, <a href="#403">403</a><br>
sysfs (USB and), <a href="#333">333</a>-<a href="#335">335</a><br>
tty drivers, <a href="#548">548</a></div>
troubleshooting, <a href="#73">73</a><br>
<div class="bql">caches, <a href="#237">237</a>, <a href="#425">425</a>, <a href="#445">445</a><br>
DMA hardware, <a href="#444">444</a></div>
</td><td valign="top" width="50%">
<div class="bql">fragmentation, <a href="#442">442</a><br>
locking, <a href="#121">121</a>-<a href="#123">123</a><br>
memory (scull), <a href="#107">107</a><br>
porting problems, <a href="#242">242</a><br>
system hangs, <a href="#96">96</a><br>
values, <a href="#295">295</a><br>
wrong font on console, <a href="#147">147</a></div>
truncating devices on open, <a href="#59">59</a><br>
TSC (timestamp counter), <a href="#186">186</a><br>
TTL (transistor-transistor logic) levels, <a href="#245">245</a><br>
tty drivers, <a href="#546">546</a>-<a href="#550">550</a><br>
<div class="bql">buffers, <a href="#558">558</a><br>
directories, <a href="#566">566</a><br>
functions, <a href="#573">573</a><br>
line settings, <a href="#560">560</a>-<a href="#566">566</a><br>
pointers, <a href="#553">553</a>-<a href="#560">560</a><br>
struct termios, <a href="#550">550</a>-<a href="#553">553</a><br>
sysfs directories, <a href="#552">552</a><br>
tty_driver structure, <a href="#567">567</a><br>
tty_operations structure, <a href="#569">569</a><br>
tty_struct structure, <a href="#571">571</a></div>
tty_driver structure, <a href="#567">567</a>, <a href="#569">569</a>, <a href="#571">571</a><br>
TTY_DRIVER_NO_DEVFS flag, <a href="#553">553</a><br>
TTY_DRIVER_REAL_RAW flag, <a href="#553">553</a><br>
TTY_DRIVER_RESET_TERMIOS flag, <a href="#552">552</a><br>
tty_get_baud_rate function, <a href="#562">562</a><br>
tty_register_driver function, <a href="#549">549</a><br>
tunelp program, <a href="#3">3</a><br>
turning messages on/off, <a href="#79">79</a><br>
tx_timeout method, <a href="#512">512</a>, <a href="#519">519</a><br>
TYPE variable, <a href="#401">401</a><br>
types<br>
<div class="bql">addresses, <a href="#413">413</a><br>
bus_attribute, <a href="#380">380</a><br>
module parameter support, <a href="#36">36</a><br>
PCI driver support, <a href="#325">325</a></div>

<br><a name="U"></a><font color="red"><b>U</b></font><br><br>

u16 bcdDevice_hi field (USB), <a href="#346">346</a><br>
u16 bcdDevice_lo field (USB), <a href="#346">346</a><br>
u16 idProduct field (USB), <a href="#346">346</a><br>
u16 idVendor field (USB), <a href="#346">346</a><br>
u16 match_flags field (USB), <a href="#346">346</a><br>
u8 bDeviceClass field (USB), <a href="#347">347</a><br>
u8 bDeviceProtocol field (USB), <a href="#347">347</a><br>
u8 bDeviceSubClass field (USB), <a href="#347">347</a><br>
u8 bInterfaceClass field (USB), <a href="#347">347</a><br>
u8 bInterfaceProtocol field (USB), <a href="#347">347</a><br>
u8 bInterfaceSubClass field (USB), <a href="#347">347</a><br>
u8, u16, u32, u64 data types, <a href="#290">290</a><br>
uaccess.h header file, <a href="#64">64</a>, <a href="#72">72</a>, <a href="#142">142</a>, <a href="#180">180</a><br>
udelay, <a href="#196">196</a><br>
</td></tr></table>
<br>
<A name="613"></a><font color="blue">PAGE 613</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
uint8_t/uint32_t types, <a href="#290">290</a><br>
uintptr_t type (C99 standard), <a href="#289">289</a><br>
unaligned data, <a href="#293">293</a><br>
<div class="bql">access, <a href="#300">300</a></div>
unaligned.h header file, <a href="#293">293</a><br>
unidirectional pipes (USB endpoints), <a href="#329">329</a><br>
uniprocessor systems, concurrency in, <a href="#21">21</a><br>
universal serial bus (see USB)<br>
Unix<br>
<div class="bql">filesystems, <a href="#4">4</a><br>
interfaces (access to), <a href="#7">7</a></div>
unlinking urbs, <a href="#345">345</a><br>
unloading<br>
<div class="bql">modules, <a href="#18">18</a>, <a href="#25">25</a>, <a href="#505">505</a><br>
USB drivers, <a href="#349">349</a></div>
unlocking semaphores, <a href="#110">110</a><br>
unmapping, DMA buffers, <a href="#449">449</a><br>
<div class="bql">(see also mapping)</div>
unregistering facilities, <a href="#33">33</a><br>
unregister_netdev function, <a href="#505">505</a><br>
unshielded twisted pair (UTP), <a href="#510">510</a><br>
unsigned char *setup_packet field (USB), <a href="#338">338</a><br>
unsigned int bi_size field (bio structure), <a href="#482">482</a><br>
unsigned int f_flags (struct file field), <a href="#54">54</a><br>
unsigned int irq function, <a href="#260">260</a><br>
unsigned int pipe field (USB), <a href="#336">336</a><br>
unsigned int transfer_flags field (USB), <a href="#337">337</a><br>
unsigned long bi_flags field (bio structure), <a href="#482">482</a><br>
unsigned long flags field (memory), <a href="#417">417</a><br>
unsigned long flags function, <a href="#260">260</a><br>
unsigned long method, <a href="#52">52</a><br>
unsigned long nr_sectors field (request structure), <a href="#476">476</a><br>
unsigned long pci_resource_end function, <a href="#317">317</a><br>
unsigned long pci_resource_flags function, <a href="#317">317</a><br>
unsigned long pci_resource_start function, <a href="#317">317</a><br>
unsigned long state field (net_device structure), <a href="#506">506</a><br>
unsigned num_altsetting field (USB), <a href="#332">332</a><br>
unsigned short bio_hw_segments field (bio structure), <a href="#482">482</a><br>
unsigned short bio_phys_segments field (bio structure), <a href="#482">482</a><br>
unsigned type, <a href="#240">240</a><br>
up function, <a href="#111">111</a><br>
updates, RCU, <a href="#129">129</a><br>
urandom device, <a href="#260">260</a><br>
</td><td valign="top" width="50%">
urbs<br>
<div class="bql">cancellation of, <a href="#345">345</a><br>
interrupts, <a href="#342">342</a><br>
killing, <a href="#345">345</a><br>
submitting, <a href="#344">344</a><br>
unlinking, <a href="#345">345</a><br>
USB, <a href="#335">335</a>-<a href="#346">346</a><br>
<div class="bql">creating/destroying, <a href="#341">341</a><br>
struct urb structure, <a href="#336">336</a><br>
submitting, <a href="#354">354</a><br>
transfers without, <a href="#356">356</a>-<a href="#359">359</a></div></div>
urbs_completion function, <a href="#345">345</a><br>
usage count, <a href="#426">426</a><br>
<div class="bql">decremented by release method, <a href="#59">59</a><br>
incremented by open method, <a href="#58">58</a><br>
nopage method and, <a href="#432">432</a></div>
USB request blocks (see urbs)<br>
USB (universal serial bus), <a href="#7">7</a>, <a href="#327">327</a>-<a href="#332">332</a><br>
<div class="bql">configurations, <a href="#332">332</a><br>
hotplugging, <a href="#401">401</a><br>
stacking, <a href="#28">28</a><br>
sysfs directory tree, <a href="#333">333</a>-<a href="#335">335</a><br>
transfers without urbs, <a href="#356">356</a>-<a href="#359">359</a><br>
urbs, <a href="#335">335</a>-<a href="#346">346</a><br>
writing, <a href="#346">346</a>-<a href="#355">355</a></div>
usb_alloc_urb function, <a href="#342">342</a><br>
usb_bulk_msg function, <a href="#356">356</a><br>
usb_control_msg function, <a href="#357">357</a><br>
usbcore module, <a href="#28">28</a><br>
USB_DEVICE macro, <a href="#347">347</a><br>
USB_DEVICE_INFO macros, <a href="#347">347</a><br>
USB_DEVICE_VER macro, <a href="#347">347</a><br>
usb_fill_bulk_urb function, <a href="#343">343</a><br>
usb_fill_control_urb function, <a href="#343">343</a><br>
usb_fill_int_urb function, <a href="#342">342</a><br>
usb_get_descriptor function, <a href="#358">358</a><br>
USB_INTERFACE_INFO macro, <a href="#347">347</a><br>
usb_kill_urb function, <a href="#345">345</a><br>
usb_register_dev function, <a href="#352">352</a><br>
usb_set_intfdata function, <a href="#351">351</a><br>
usb_string function, <a href="#359">359</a><br>
usb_submit_urb function, <a href="#344">344</a><br>
usb_unlink_urb function, <a href="#345">345</a><br>
user mode, <a href="#20">20</a><br>
user programs, <a href="#3">3</a><br>
user space, <a href="#19">19</a><br>
<div class="bql">capabilities/restrictions in, <a href="#144">144</a><br>
communication with, <a href="#362">362</a><br>
direct I/O, <a href="#435">435</a>-<a href="#440">440</a><br>
explicitly sizing data in, <a href="#290">290</a><br>
I/O port access from, <a href="#241">241</a></div>
</td></tr></table>
<br>
<A name="614"></a><font color="blue">PAGE 614</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
user space <i>(continued)</i><br>
<div class="bql">programming, <a href="#19">19</a>, <a href="#37">37</a>, <a href="#39">39</a><br>
retrieving datum from, <a href="#143">143</a><br>
transferring to/from kernel space, <a href="#63">63</a><br>
tty drivers, <a href="#560">560</a>-<a href="#566">566</a><br>
writing drivers in, <a href="#37">37</a></div>
user virtual addresses, <a href="#413">413</a><br>
User-Mode Linux, <a href="#104">104</a><br>
utilities, <a href="#3">3</a><br>
<div class="bql">insmod, <a href="#17">17</a><br>
modprobe, <a href="#25">25</a>, <a href="#29">29</a><br>
rmmod, <a href="#17">17</a><br>
(see also programs)</div>
utility fields (net_device structure), <a href="#514">514</a><br>
UTP (unshielded twisted pair), <a href="#510">510</a><br>
UTS_RELEASE macro, <a href="#27">27</a><br>

<br><a name="V"></a><font color="red"><b>V</b></font><br><br>

values<br>
<div class="bql">BogoMips, <a href="#195">195</a><br>
errors, <a href="#295">295</a><br>
jiffies, <a href="#184">184</a>, <a href="#514">514</a><br>
loops_per_jiffy, <a href="#196">196</a><br>
return<br>
<div class="bql">interrupt handlers, <a href="#272">272</a><br>
switch statements, <a href="#140">140</a></div></div>
variables<br>
<div class="bql">ACTION, <a href="#399">399</a><br>
atomic, <a href="#124">124</a><br>
char*name (USB), <a href="#352">352</a><br>
console_loglevel, <a href="#77">77</a><br>
DEVICE, <a href="#402">402</a><br>
DEVPATH, <a href="#399">399</a><br>
int minor_base (USB), <a href="#353">353</a><br>
INTERFACE, <a href="#401">401</a><br>
mode_t mode (USB), <a href="#353">353</a><br>
NAME, <a href="#401">401</a><br>
pci_bus_type, <a href="#392">392</a><br>
PCI_CLASS, <a href="#400">400</a><br>
PCI_ID, <a href="#400">400</a><br>
PCI_SLOT_NAME, <a href="#400">400</a><br>
PCI_SUBSYS_ID, <a href="#400">400</a><br>
per-CPU, <a href="#228">228</a>-<a href="#230">230</a><br>
PHYS, <a href="#401">401</a><br>
PRODUCT, <a href="#401">401</a><br>
SEQNUM, <a href="#399">399</a><br>
struct file_operations *fops (USB), <a href="#353">353</a><br>
SUBSYSTEM, <a href="#399">399</a><br>
tiny_tty_driver, <a href="#551">551</a><br>
TYPE, <a href="#401">401</a></div>
vector operations, char drivers, <a href="#69">69</a><br>
vendorID register (PCI), <a href="#309">309</a><br>
</td><td valign="top" width="50%">
VERIFY_ symbols, <a href="#142">142</a>, <a href="#180">180</a><br>
version dependency, <a href="#26">26</a><br>
version.h header file, <a href="#26">26</a>, <a href="#40">40</a><br>
versions<br>
<div class="bql">dependency, <a href="#26">26</a><br>
numbering, <a href="#10">10</a>-<a href="#11">11</a><br>
<div class="bql">char drivers, <a href="#43">43</a><br>
major device numbers, <a href="#44">44</a><br>
minor device numbers, <a href="#44">44</a><br>
older char device registration, <a href="#57">57</a></div></div>
VESA Local Bus (VLB), <a href="#323">323</a><br>
vfree function, <a href="#225">225</a><br>
video memory (mapping), <a href="#423">423</a><br>
viewing kernels, <a href="#5">5</a><br>
virt_to_page function, <a href="#417">417</a><br>
virtual addresses, <a href="#414">414</a><br>
<div class="bql">conversion, <a href="#444">444</a><br>
remapping, <a href="#434">434</a><br>
(see also addresses)</div>
virtual memory, <a href="#413">413</a><br>
<div class="bql">(see also memory)</div>
virtual memory area (see VMA)<br>
VLB (VESA Local Bus), <a href="#323">323</a><br>
VMA (virtual memory area), <a href="#419">419</a>-<a href="#422">422</a>, <a href="#426">426</a><br>
vmalloc allocation function, <a href="#224">224</a>-<a href="#228">228</a><br>
vmalloc.h header file, <a href="#225">225</a><br>
vm_area_struct structure, <a href="#420">420</a><br>
VM_IO flag, <a href="#421">421</a><br>
vm_operations_struct structure, <a href="#421">421</a><br>
VM_RESERVED flag, <a href="#421">421</a><br>
void barrier function, <a href="#237">237</a><br>
void blk_queue_bounce_limit function, <a href="#480">480</a><br>
void blk_queue_dma_alignment function, <a href="#481">481</a><br>
void blk_queue_hardsect_size function, <a href="#481">481</a><br>
void blk_queue_max_hw_segments function, <a href="#480">480</a><br>
void blk_queue_max_phys_segments function, <a href="#480">480</a><br>
void blk_queue_max_sectors function, <a href="#480">480</a><br>
void blk_queue_max_segment_size function, <a href="#480">480</a><br>
void blk_start_queue function, <a href="#480">480</a><br>
void blk_stop_queue function, <a href="#480">480</a><br>
void *context field (USB), <a href="#339">339</a><br>
void *dev_id function, <a href="#260">260</a><br>
void *driver_data field, <a href="#382">382</a><br>
void field (PCI registration), <a href="#312">312</a><br>
void function, <a href="#348">348</a><br>
void mb function, <a href="#237">237</a><br>
void *private_data field (gendisk), <a href="#467">467</a><br>
void *private_data (struct file field), <a href="#54">54</a><br>
</td></tr></table>
<br>
<A name="615"></a><font color="blue">PAGE 615</font><br>
<br>
<table cellspacing="0" cellpadding="0" width="100%"><tr><td valign="top" width="50%">
void read_barrier_depends function, <a href="#237">237</a><br>
void *release field, <a href="#382">382</a><br>
void rmb function, <a href="#237">237</a><br>
void smp_mb functions, <a href="#238">238</a><br>
void smp_read_barrier_depends function, <a href="#238">238</a><br>
void smp_rmb function, <a href="#238">238</a><br>
void smp_wmb function, <a href="#238">238</a><br>
void tasklet_disable function, <a href="#204">204</a><br>
void tasklet_disable_nosync function, <a href="#204">204</a><br>
void tasklet_enable function, <a href="#204">204</a><br>
void tasklet_hi_schedule function, <a href="#204">204</a><br>
void tasklet_kill function, <a href="#204">204</a><br>
void tasklet_schedule function, <a href="#204">204</a><br>
void *transfer_buffer field (USB), <a href="#338">338</a><br>
void *virtual field (memory), <a href="#417">417</a><br>
void wmb function, <a href="#237">237</a><br>

<br><a name="W"></a><font color="red"><b>W</b></font><br><br>

wait queues, <a href="#149">149</a>, <a href="#156">156</a>, <a href="#181">181</a><br>
<div class="bql">delaying code execution, <a href="#194">194</a><br>
poll table entries and, <a href="#167">167</a><br>
putting processes into, <a href="#182">182</a></div>
wait_event macro, <a href="#149">149</a><br>
wait_event_interruptible_timeout function, <a href="#194">194</a><br>
wake_up function, <a href="#150">150</a>, <a href="#159">159</a>, <a href="#181">181</a><br>
wake_up_interruptible function, <a href="#181">181</a><br>
wake_up_interruptible_sync function, <a href="#181">181</a><br>
wake_up_sync function, <a href="#181">181</a><br>
Wall flag, <a href="#291">291</a><br>
watchdog_timeo field (net_device structure), <a href="#514">514</a>, <a href="#519">519</a><br>
wc command, <a href="#92">92</a><br>
wMaxPacketSize field (USB), <a href="#331">331</a><br>
workqueues, <a href="#205">205</a>-<a href="#208">208</a>, <a href="#211">211</a><br>
<div class="bql">interrupt handlers, <a href="#277">277</a></div>
</td><td valign="top" width="50%">
WQ_FLAG_EXCLUSIVE flag set, <a href="#160">160</a><br>
write function (tty drivers), <a href="#556">556</a><br>
write method, <a href="#50">50</a>, <a href="#63">63</a>-<a href="#69">69</a><br>
<div class="bql">code for, <a href="#68">68</a><br>
configuring DMA controller, <a href="#456">456</a><br>
f_pos field (file structure) and, <a href="#54">54</a><br>
oops messages, <a href="#94">94</a><br>
poll method and, <a href="#166">166</a><br>
return values, rules for interpreting, <a href="#68">68</a><br>
select method and, <a href="#166">166</a><br>
strace command and, <a href="#92">92</a></div>
write system, <a href="#50">50</a><br>
write-buffering example, <a href="#282">282</a><br>
writev calls, <a href="#69">69</a><br>
writev method, <a href="#52">52</a><br>
writing, <a href="#73">73</a><br>
<div class="bql">blocking/nonblocking operations, <a href="#151">151</a><br>
control sequences to devices, <a href="#146">146</a><br>
to a device, <a href="#63">63</a>-<a href="#66">66</a>, <a href="#68">68</a><br>
drivers<br>
<div class="bql">in user space, <a href="#37">37</a><br>
role of, <a href="#2">2</a>-<a href="#4">4</a><br>
version numbering, <a href="#10">10</a></div>
UBS drivers, <a href="#346">346</a>-<a href="#355">355</a></div>

<br><a name="X"></a><font color="red"><b>X</b></font><br><br>

x86 architecture<br>
<div class="bql">interrupt handling on, <a href="#268">268</a><br>
porting and, <a href="#243">243</a></div>
xmit_lock function, <a href="#514">514</a><br>
xtime variable, <a href="#189">189</a><br>

<br><a name="Z"></a><font color="red"><b>Z</b></font><br><br>

zero-order limitations, <a href="#432">432</a><br>
zones (memory), <a href="#215">215</a><br>
zSeries architecture, <a href="#402">402</a><br>
</td></tr></table>
<br><br>
<br>
</html>
</body>