fix buffer overflow in the moxa driver (CVE-2005-0504)
1 /*
2 * linux/fs/char_dev.c
4 * Copyright (C) 1991, 1992 Linus Torvalds
5 */
7 #include <linux/config.h>
8 #include <linux/init.h>
9 #include <linux/fs.h>
10 #include <linux/slab.h>
11 #include <linux/string.h>
13 #include <linux/major.h>
14 #include <linux/errno.h>
15 #include <linux/module.h>
16 #include <linux/smp_lock.h>
17 #include <linux/devfs_fs_kernel.h>
18 #include <linux/seq_file.h>
20 #include <linux/kobject.h>
21 #include <linux/kobj_map.h>
22 #include <linux/cdev.h>
24 #ifdef CONFIG_KMOD
25 #include <linux/kmod.h>
26 #endif
/* Device-number lookup map for cdevs; assigned once in chrdev_init(). */
static struct kobj_map *cdev_map;

/*
 * Taken around every traversal or update of the chrdevs[] hash table in
 * this file, and also handed to kobj_map_init() in chrdev_init().
 */
static DECLARE_MUTEX(chrdevs_lock);
/*
 * One registered range of character device numbers.  Entries live in the
 * chrdevs[] hash table, chained per bucket through ->next; the bucket is
 * chosen by major_to_index().
 */
static struct char_device_struct {
	/* next entry in the same hash bucket */
	struct char_device_struct *next;
	unsigned int major;
	/* first minor number of the range */
	unsigned int baseminor;
	/* number of minors in the range */
	int minorct;
	/*
	 * Fixed 64-byte name buffer.  chrdev_show() prints it with "%s", so
	 * whatever fills it must leave it NUL-terminated.
	 */
	char name[64];
	struct file_operations *fops;
	struct cdev *cdev;		/* will die */
} *chrdevs[CHRDEV_MAJOR_HASH_SIZE];
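/*
 * Map a major number to its bucket index in chrdevs[].
 *
 * The modulo is taken on the unsigned value.  Callers in this file pass an
 * unsigned major, and a signed '%' applied to a value that converts to a
 * negative int would produce a negative result, i.e. an index in front of
 * the chrdevs[] array.  With the cast the result is always within
 * 0 .. CHRDEV_MAJOR_HASH_SIZE-1.
 */
static inline int major_to_index(int major)
{
	return (unsigned int)major % CHRDEV_MAJOR_HASH_SIZE;
}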
48 #ifdef CONFIG_PROC_FS
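/*
 * Print every registered range chained in bucket 'offset' of chrdevs[] to
 * the seq_file, one "major name" line per entry.
 *
 * @f:      seq_file to print into
 * @offset: bucket index; anything outside the table prints nothing
 */
void chrdev_show(struct seq_file *f, off_t offset)
{
	struct char_device_struct *cd;

	/*
	 * off_t is a signed type, so an upper-bound check alone would let a
	 * negative offset index in front of chrdevs[].  Reject both ends
	 * before touching the table.
	 */
	if (offset < 0 || offset >= CHRDEV_MAJOR_HASH_SIZE)
		return;

	down(&chrdevs_lock);
	for (cd = chrdevs[offset]; cd; cd = cd->next)
		seq_printf(f, "%3d %s\n", cd->major, cd->name);
	up(&chrdevs_lock);
}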
62 #endif /* CONFIG_PROC_FS */
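/*
 * Register a single major with a specified minor range.
 *
 * If major == 0 this function dynamically allocates a major: it scans
 * chrdevs[] from the highest bucket downwards (bucket 0 is never chosen)
 * and uses the index of the first empty bucket as the major.
 *
 * If major > 0 this function attempts to reserve the passed range of
 * minors under that major.
 *
 * Returns the newly inserted entry on success (cd->major holds the major
 * actually used).  On failure returns an ERR_PTR()-encoded -ve errno:
 * -ENOMEM if the entry cannot be allocated, -EBUSY if no free major is
 * found or the range collides with the entry that follows it in the bucket.
 */
static struct char_device_struct *
__register_chrdev_region(unsigned int major, unsigned int baseminor,
			   int minorct, const char *name)
{
	struct char_device_struct *cd, **cp;
	int ret = 0;
	int i;

	cd = kmalloc(sizeof(struct char_device_struct), GFP_KERNEL);
	if (cd == NULL)
		return ERR_PTR(-ENOMEM);

	memset(cd, 0, sizeof(struct char_device_struct));

	down(&chrdevs_lock);

	/* temporary */
	if (major == 0) {
		for (i = ARRAY_SIZE(chrdevs)-1; i > 0; i--) {
			if (chrdevs[i] == NULL)
				break;
		}

		if (i == 0) {
			ret = -EBUSY;
			goto out;
		}
		major = i;
		ret = major;
	}

	cd->major = major;
	cd->baseminor = baseminor;
	cd->minorct = minorct;
	/*
	 * strncpy() leaves the destination unterminated when the source is
	 * at least as long as the limit, and cd->name is later printed with
	 * "%s".  Copy at most size-1 bytes and terminate explicitly, so an
	 * over-long name is truncated instead of causing a read past the
	 * end of the buffer.
	 */
	strncpy(cd->name, name, sizeof(cd->name) - 1);
	cd->name[sizeof(cd->name) - 1] = '\0';

	i = major_to_index(major);

	/* The bucket is kept sorted by (major, baseminor); find our slot. */
	for (cp = &chrdevs[i]; *cp; cp = &(*cp)->next)
		if ((*cp)->major > major ||
		    ((*cp)->major == major && (*cp)->baseminor >= baseminor))
			break;
	/*
	 * NOTE(review): only the entry that will follow the new one is
	 * compared against the new range.  An earlier entry of the same
	 * major whose range extends past 'baseminor' is not examined here;
	 * confirm whether callers can rely on overlap being rejected.
	 */
	if (*cp && (*cp)->major == major &&
	    (*cp)->baseminor < baseminor + minorct) {
		ret = -EBUSY;
		goto out;
	}
	cd->next = *cp;
	*cp = cd;
	up(&chrdevs_lock);
	return cd;
out:
	up(&chrdevs_lock);
	kfree(cd);
	return ERR_PTR(ret);
}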
/*
 * Unlink the entry that matches (major, baseminor, minorct) exactly from
 * its chrdevs[] bucket.
 *
 * Returns the unlinked entry, which the caller is expected to kfree(), or
 * NULL when no entry matches all three values.
 */
static struct char_device_struct *
__unregister_chrdev_region(unsigned major, unsigned baseminor, int minorct)
{
	struct char_device_struct *removed = NULL;
	struct char_device_struct **link;
	int bucket = major_to_index(major);

	down(&chrdevs_lock);
	link = &chrdevs[bucket];
	while (*link != NULL) {
		struct char_device_struct *entry = *link;

		if (entry->major == major &&
		    entry->baseminor == baseminor &&
		    entry->minorct == minorct) {
			/* splice the match out of the chain */
			removed = entry;
			*link = entry->next;
			break;
		}
		link = &entry->next;
	}
	up(&chrdevs_lock);
	return removed;
}
/*
 * Register the 'count' consecutive device numbers starting at 'from' under
 * 'name'.  The range is split at major boundaries and each piece is
 * registered separately; if a piece fails, the pieces registered before it
 * are unregistered again.
 *
 * Returns 0 on success or the -ve errno of the piece that failed.
 *
 * NOTE(review): 'from + count' is computed without a wrap-around check.
 */
int register_chrdev_region(dev_t from, unsigned count, const char *name)
{
	struct char_device_struct *cd;
	const dev_t end = from + count;
	dev_t cur = from;
	dev_t chunk_end;

	while (cur < end) {
		/* a piece never crosses into the next major */
		chunk_end = MKDEV(MAJOR(cur) + 1, 0);
		if (chunk_end > end)
			chunk_end = end;

		cd = __register_chrdev_region(MAJOR(cur), MINOR(cur),
					      chunk_end - cur, name);
		if (IS_ERR(cd)) {
			dev_t undo = from;

			/* roll back everything registered before 'cur' */
			while (undo < cur) {
				dev_t undo_end = MKDEV(MAJOR(undo) + 1, 0);

				kfree(__unregister_chrdev_region(MAJOR(undo),
								 MINOR(undo),
								 undo_end - undo));
				undo = undo_end;
			}
			return PTR_ERR(cd);
		}
		cur = chunk_end;
	}
	return 0;
}
/*
 * Register 'count' minors starting at 'baseminor' under a dynamically
 * chosen major (major 0 is passed to __register_chrdev_region()).
 *
 * On success stores the first device number of the range in *dev and
 * returns 0; otherwise returns a -ve errno and leaves *dev untouched.
 */
int alloc_chrdev_region(dev_t *dev, unsigned baseminor, unsigned count,
			const char *name)
{
	struct char_device_struct *cd =
		__register_chrdev_region(0, baseminor, count, name);

	if (!IS_ERR(cd)) {
		*dev = MKDEV(cd->major, cd->baseminor);
		return 0;
	}
	return PTR_ERR(cd);
}
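/*
 * Register all 256 minors of 'major' under 'name' and attach 'fops' to
 * them through a freshly allocated cdev.
 *
 * @major: major to reserve, or 0 to have one picked dynamically
 * @name:  name of the range; any '/' in the kobject name is replaced by '!'
 * @fops:  file operations for the devices; fops->owner is read, so it must
 *         not be NULL
 *
 * Returns 0 on success when a major was requested, the allocated major
 * when major == 0, or a -ve errno on failure.  On failure the number range
 * is unregistered again before returning.
 */
int register_chrdev(unsigned int major, const char *name,
		    struct file_operations *fops)
{
	struct char_device_struct *cd;
	struct cdev *cdev;
	char *s;
	int err = -ENOMEM;

	cd = __register_chrdev_region(major, 0, 256, name);
	if (IS_ERR(cd))
		return PTR_ERR(cd);

	cdev = cdev_alloc();
	if (!cdev)
		goto out2;

	cdev->owner = fops->owner;
	cdev->ops = fops;
	/*
	 * kobject_set_name() returns an error code; check it before scanning
	 * the name below, rather than running strchr() over a name that may
	 * not have been set.
	 */
	err = kobject_set_name(&cdev->kobj, "%s", name);
	if (err)
		goto out;
	for (s = strchr(kobject_name(&cdev->kobj),'/'); s; s = strchr(s, '/'))
		*s = '!';

	err = cdev_add(cdev, MKDEV(cd->major, 0), 256);
	if (err)
		goto out;

	cd->cdev = cdev;

	return major ? 0 : cd->major;
out:
	/* drops the reference taken by cdev_alloc()'s kobject_init() */
	kobject_put(&cdev->kobj);
out2:
	kfree(__unregister_chrdev_region(cd->major, 0, 256));
	return err;
}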
/*
 * Unregister the 'count' device numbers starting at 'from'.  The range is
 * walked in the same per-major pieces that register_chrdev_region() uses,
 * and each matching entry is unlinked and freed.
 */
void unregister_chrdev_region(dev_t from, unsigned count)
{
	const dev_t end = from + count;
	dev_t cur = from;

	while (cur < end) {
		dev_t chunk_end = MKDEV(MAJOR(cur) + 1, 0);

		if (chunk_end > end)
			chunk_end = end;
		/* kfree(NULL) is harmless when no entry matched */
		kfree(__unregister_chrdev_region(MAJOR(cur), MINOR(cur),
						 chunk_end - cur));
		cur = chunk_end;
	}
}
/*
 * Undo register_chrdev(): unlink the 256-minor range of 'major', delete the
 * cdev attached to it (if any) and free the entry.
 *
 * 'name' is not used by this function, and the return value is always 0,
 * including when no matching range was registered.
 */
int unregister_chrdev(unsigned int major, const char *name)
{
	struct char_device_struct *cd = __unregister_chrdev_region(major, 0, 256);

	if (cd != NULL && cd->cdev != NULL)
		cdev_del(cd->cdev);
	kfree(cd);
	return 0;
}
/*
 * Held in this file while inode->i_cdev, inode->i_devices and a cdev's
 * ->list are read or changed (chrdev_open, cd_forget, cdev_purge).
 */
static DEFINE_SPINLOCK(cdev_lock);
/*
 * Take a reference on cdev 'p': first on its owning module (when it has
 * one), then on its kobject.
 *
 * Returns the kobject on success.  Returns NULL if the module reference
 * cannot be taken, or if kobject_get() yields NULL, in which case the
 * module reference is dropped again.
 */
static struct kobject *cdev_get(struct cdev *p)
{
	struct module *mod = p->owner;
	struct kobject *ref;

	if (mod != NULL && !try_module_get(mod))
		return NULL;

	ref = kobject_get(&p->kobj);
	if (ref == NULL)
		module_put(mod);
	return ref;
}
/*
 * Drop the references taken by cdev_get(): the kobject reference, then the
 * module reference.  A NULL 'p' is accepted and ignored.
 */
void cdev_put(struct cdev *p)
{
	struct module *mod;

	if (p == NULL)
		return;

	/*
	 * ->owner is read before kobject_put(); presumably because the put
	 * may release 'p' (see the release functions of the cdev ktypes).
	 */
	mod = p->owner;
	kobject_put(&p->kobj);
	module_put(mod);
}
/*
 * Called every time a character special file is opened.
 *
 * Finds the cdev for the inode (looking it up in cdev_map and caching it in
 * inode->i_cdev on first use), takes a reference on it, installs the
 * driver's file operations in filp->f_op and calls the driver's open()
 * under the big kernel lock.
 *
 * Returns 0 on success, -ENXIO if no cdev or no usable file operations are
 * found, or the error returned by the driver's open().  On every failure
 * path after the cdev reference was obtained, that reference is dropped.
 */
int chrdev_open(struct inode * inode, struct file * filp)
{
	struct cdev *cd;
	struct cdev *looked_up = NULL;
	int err = 0;

	spin_lock(&cdev_lock);
	cd = inode->i_cdev;
	if (cd == NULL) {
		struct kobject *ko;
		int index;

		/* the lookup is done without holding cdev_lock */
		spin_unlock(&cdev_lock);
		ko = kobj_lookup(cdev_map, inode->i_rdev, &index);
		if (ko == NULL)
			return -ENXIO;
		looked_up = container_of(ko, struct cdev, kobj);

		/*
		 * Re-check under the lock: another opener may have bound a
		 * cdev to this inode while the lock was released.
		 */
		spin_lock(&cdev_lock);
		cd = inode->i_cdev;
		if (cd == NULL) {
			/* we won: bind the looked-up cdev to the inode */
			cd = looked_up;
			inode->i_cdev = cd;
			inode->i_cindex = index;
			list_add(&inode->i_devices, &cd->list);
			looked_up = NULL;
		} else if (cdev_get(cd) == NULL) {
			err = -ENXIO;
		}
	} else if (cdev_get(cd) == NULL) {
		err = -ENXIO;
	}
	spin_unlock(&cdev_lock);

	/* releases the looked-up cdev when it was not bound; no-op for NULL */
	cdev_put(looked_up);
	if (err != 0)
		return err;

	filp->f_op = fops_get(cd->ops);
	if (filp->f_op == NULL) {
		cdev_put(cd);
		return -ENXIO;
	}
	if (filp->f_op->open != NULL) {
		lock_kernel();
		err = filp->f_op->open(inode, filp);
		unlock_kernel();
	}
	if (err != 0)
		cdev_put(cd);
	return err;
}
/*
 * Detach 'inode' from its cdev: take it off the cdev's inode list and clear
 * inode->i_cdev, both under cdev_lock.  No cdev reference is dropped here.
 */
void cd_forget(struct inode *inode)
{
	struct list_head *node = &inode->i_devices;

	spin_lock(&cdev_lock);
	list_del_init(node);
	inode->i_cdev = NULL;
	spin_unlock(&cdev_lock);
}
/*
 * Detach every inode still linked on cdev->list, clearing each inode's
 * i_cdev so that no inode keeps a pointer to this cdev.  Called from the
 * cdev release functions.
 */
static void cdev_purge(struct cdev *cdev)
{
	struct list_head *head = &cdev->list;

	spin_lock(&cdev_lock);
	while (!list_empty(head)) {
		struct inode *ino =
			container_of(head->next, struct inode, i_devices);

		list_del_init(&ino->i_devices);
		ino->i_cdev = NULL;
	}
	spin_unlock(&cdev_lock);
}
/*
 * Dummy default file-operations: the only thing this does
 * is contain the open that then fills in the correct operations
 * depending on the special file...
 *
 * chrdev_open() replaces filp->f_op with the operations of the cdev it
 * finds, so only ->open needs to be set here.
 */
struct file_operations def_chr_fops = {
	.open = chrdev_open,
};
/*
 * Probe callback handed to kobj_map() by cdev_add(): 'data' is the cdev
 * that was mapped, and its kobject is returned.  'dev' and 'part' are not
 * used.
 */
static struct kobject *exact_match(dev_t dev, int *part, void *data)
{
	struct cdev *mapped = data;

	return &mapped->kobj;
}
/*
 * Lock callback handed to kobj_map() by cdev_add(): takes a reference on
 * the mapped cdev through cdev_get().  Returns 0 when the reference was
 * obtained and -1 otherwise.
 */
static int exact_lock(dev_t dev, void *data)
{
	struct cdev *mapped = data;

	if (cdev_get(mapped) == NULL)
		return -1;
	return 0;
}
/*
 * Make cdev 'p' reachable for the 'count' device numbers starting at 'dev'.
 * The range is recorded in the cdev (cdev_del() uses it later) and then
 * entered into cdev_map.  Returns whatever kobj_map() returns.
 */
int cdev_add(struct cdev *p, dev_t dev, unsigned count)
{
	int rc;

	p->dev = dev;
	p->count = count;
	rc = kobj_map(cdev_map, dev, count, NULL, exact_match, exact_lock, p);
	return rc;
}
/* Remove the 'count' device numbers starting at 'dev' from cdev_map. */
static void cdev_unmap(dev_t dev, unsigned count)
{
	kobj_unmap(cdev_map, dev, count);
}
/*
 * Remove cdev 'p' from cdev_map, using the range recorded by cdev_add(),
 * and drop one reference on its kobject.  The cdev itself is only released
 * once its kobject's release function runs.
 */
void cdev_del(struct cdev *p)
{
	struct kobject *ko = &p->kobj;

	cdev_unmap(p->dev, p->count);
	kobject_put(ko);
}
/*
 * Release function of ktype_cdev_default, the ktype set by cdev_init():
 * detaches the remaining inodes but does not free the cdev's memory.
 */
static void cdev_default_release(struct kobject *kobj)
{
	struct cdev *owner_cdev = container_of(kobj, struct cdev, kobj);

	cdev_purge(owner_cdev);
}
/*
 * Release function of ktype_cdev_dynamic, the ktype set by cdev_alloc():
 * detaches the remaining inodes and then frees the kmalloc()ed cdev.
 */
static void cdev_dynamic_release(struct kobject *kobj)
{
	struct cdev *owner_cdev = container_of(kobj, struct cdev, kobj);

	/* purge first: the inodes must not keep pointing at freed memory */
	cdev_purge(owner_cdev);
	kfree(owner_cdev);
}
/* ktype for cdevs set up with cdev_init(): release does not free the cdev. */
static struct kobj_type ktype_cdev_default = {
	.release	= cdev_default_release,
};

/* ktype for cdevs obtained from cdev_alloc(): release also kfree()s it. */
static struct kobj_type ktype_cdev_dynamic = {
	.release	= cdev_dynamic_release,
};
/*
 * Allocate and initialise a zeroed cdev whose memory is freed by its
 * kobject release function (ktype_cdev_dynamic).
 *
 * Returns the new cdev, or NULL if the allocation fails.
 */
struct cdev *cdev_alloc(void)
{
	struct cdev *fresh = kmalloc(sizeof(struct cdev), GFP_KERNEL);

	if (fresh == NULL)
		return NULL;

	memset(fresh, 0, sizeof(struct cdev));
	fresh->kobj.ktype = &ktype_cdev_dynamic;
	INIT_LIST_HEAD(&fresh->list);
	kobject_init(&fresh->kobj);
	return fresh;
}
/*
 * Initialise a caller-provided cdev: the structure is zeroed first, so any
 * previous contents are lost, then its list, ktype (ktype_cdev_default,
 * whose release does not free the memory), kobject and file operations
 * are set up.
 */
void cdev_init(struct cdev *cdev, struct file_operations *fops)
{
	struct kobject *ko = &cdev->kobj;

	memset(cdev, 0, sizeof *cdev);
	INIT_LIST_HEAD(&cdev->list);
	ko->ktype = &ktype_cdev_default;
	kobject_init(ko);
	cdev->ops = fops;
}
/*
 * Default probe passed to kobj_map_init(): asks for a module by the
 * "char-major-<major>-<minor>" alias and, when that request returns a
 * positive value, by the older "char-major-<major>" alias.  Always returns
 * NULL; it never supplies a kobject itself.
 */
static struct kobject *base_probe(dev_t dev, int *part, void *data)
{
	int rc = request_module("char-major-%d-%d", MAJOR(dev), MINOR(dev));

	if (rc > 0) {
		/* Make old-style 2.4 aliases work */
		request_module("char-major-%d", MAJOR(dev));
	}
	return NULL;
}
/*
 * Boot-time setup: create cdev_map with base_probe() as its default probe
 * and chrdevs_lock as its lock.
 *
 * NOTE(review): the result of kobj_map_init() is stored without a NULL
 * check; confirm it cannot fail at this point.
 */
void __init chrdev_init(void)
{
	cdev_map = kobj_map_init(base_probe, &chrdevs_lock);
}
/* Let modules do char dev stuff */

/* device-number range management */
EXPORT_SYMBOL(register_chrdev_region);
EXPORT_SYMBOL(unregister_chrdev_region);
EXPORT_SYMBOL(alloc_chrdev_region);

/* cdev lifetime */
EXPORT_SYMBOL(cdev_init);
EXPORT_SYMBOL(cdev_alloc);
EXPORT_SYMBOL(cdev_del);
EXPORT_SYMBOL(cdev_add);

/* old-style whole-major registration */
EXPORT_SYMBOL(register_chrdev);
EXPORT_SYMBOL(unregister_chrdev);