linux/drivers/spi/spidev.c

888 lines
22 KiB
C
Raw Normal View History

/*
* Simple synchronous userspace interface to SPI devices
*
* Copyright (C) 2006 SWAPP
* Andrea Paterniani <a.paterniani@swapp-eng.it>
* Copyright (C) 2007 David Brownell (simplification, cleanup)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/ioctl.h>
#include <linux/fs.h>
#include <linux/device.h>
#include <linux/err.h>
#include <linux/list.h>
#include <linux/errno.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <linux/compat.h>
#include <linux/of.h>
#include <linux/of_device.h>
#include <linux/acpi.h>
#include <linux/spi/spi.h>
#include <linux/spi/spidev.h>
#include <linux/uaccess.h>
/*
* This supports access to SPI devices using normal userspace I/O calls.
* Note that while traditional UNIX/POSIX I/O semantics are half duplex,
* and often mask message boundaries, full SPI support requires full duplex
* transfers. There are several kinds of internal message boundaries to
* handle chipselect management and other protocol options.
*
* SPI has a character major number assigned. We allocate minor numbers
* dynamically using a bitmask. You must use hotplug tools, such as udev
* (or mdev with busybox) to create and destroy the /dev/spidevB.C device
* nodes, since there is no fixed association of minor numbers with any
* particular SPI bus or device.
*/
#define SPIDEV_MAJOR 153 /* assigned */
#define N_SPI_MINORS 32 /* ... up to 256 */
static DECLARE_BITMAP(minors, N_SPI_MINORS);
/* Bit masks for spi_device.mode management. Note that incorrect
* settings for some settings can cause *lots* of trouble for other
* devices on a shared bus:
*
* - CS_HIGH ... this device will be active when it shouldn't be
* - 3WIRE ... when active, it won't behave as it should
* - NO_CS ... there will be no explicit message boundaries; this
* is completely incompatible with the shared bus model
* - READY ... transfers may proceed when they shouldn't.
*
* REVISIT should changing those flags be privileged?
*/
#define SPI_MODE_MASK (SPI_CPHA | SPI_CPOL | SPI_CS_HIGH \
| SPI_LSB_FIRST | SPI_3WIRE | SPI_LOOP \
| SPI_NO_CS | SPI_READY | SPI_TX_DUAL \
| SPI_TX_QUAD | SPI_RX_DUAL | SPI_RX_QUAD)
struct spidev_data {
dev_t devt;
spinlock_t spi_lock;
struct spi_device *spi;
struct list_head device_entry;
/* TX/RX buffers are NULL unless this device is open (users > 0) */
struct mutex buf_lock;
unsigned users;
u8 *tx_buffer;
u8 *rx_buffer;
u32 speed_hz;
};
static LIST_HEAD(device_list);
static DEFINE_MUTEX(device_list_lock);
static unsigned bufsiz = 4096;
module_param(bufsiz, uint, S_IRUGO);
MODULE_PARM_DESC(bufsiz, "data bytes in biggest supported SPI message");
/*-------------------------------------------------------------------------*/
static ssize_t
spidev_sync(struct spidev_data *spidev, struct spi_message *message)
{
DECLARE_COMPLETION_ONSTACK(done);
int status;
struct spi_device *spi;
spin_lock_irq(&spidev->spi_lock);
spi = spidev->spi;
spin_unlock_irq(&spidev->spi_lock);
if (spi == NULL)
status = -ESHUTDOWN;
else
status = spi_sync(spi, message);
if (status == 0)
status = message->actual_length;
return status;
}
static inline ssize_t
spidev_sync_write(struct spidev_data *spidev, size_t len)
{
struct spi_transfer t = {
.tx_buf = spidev->tx_buffer,
.len = len,
.speed_hz = spidev->speed_hz,
};
struct spi_message m;
spi_message_init(&m);
spi_message_add_tail(&t, &m);
return spidev_sync(spidev, &m);
}
static inline ssize_t
spidev_sync_read(struct spidev_data *spidev, size_t len)
{
struct spi_transfer t = {
.rx_buf = spidev->rx_buffer,
.len = len,
.speed_hz = spidev->speed_hz,
};
struct spi_message m;
spi_message_init(&m);
spi_message_add_tail(&t, &m);
return spidev_sync(spidev, &m);
}
/*-------------------------------------------------------------------------*/
/* Read-only message with current device setup */
static ssize_t
spidev_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos)
{
struct spidev_data *spidev;
ssize_t status = 0;
/* chipselect only toggles at start or end of operation */
if (count > bufsiz)
return -EMSGSIZE;
spidev = filp->private_data;
mutex_lock(&spidev->buf_lock);
status = spidev_sync_read(spidev, count);
if (status > 0) {
unsigned long missing;
missing = copy_to_user(buf, spidev->rx_buffer, status);
if (missing == status)
status = -EFAULT;
else
status = status - missing;
}
mutex_unlock(&spidev->buf_lock);
return status;
}
/* Write-only message with current device setup */
static ssize_t
spidev_write(struct file *filp, const char __user *buf,
size_t count, loff_t *f_pos)
{
struct spidev_data *spidev;
ssize_t status = 0;
unsigned long missing;
/* chipselect only toggles at start or end of operation */
if (count > bufsiz)
return -EMSGSIZE;
spidev = filp->private_data;
mutex_lock(&spidev->buf_lock);
missing = copy_from_user(spidev->tx_buffer, buf, count);
if (missing == 0)
status = spidev_sync_write(spidev, count);
else
status = -EFAULT;
mutex_unlock(&spidev->buf_lock);
return status;
}
static int spidev_message(struct spidev_data *spidev,
struct spi_ioc_transfer *u_xfers, unsigned n_xfers)
{
struct spi_message msg;
struct spi_transfer *k_xfers;
struct spi_transfer *k_tmp;
struct spi_ioc_transfer *u_tmp;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
unsigned n, total, tx_total, rx_total;
u8 *tx_buf, *rx_buf;
int status = -EFAULT;
spi_message_init(&msg);
k_xfers = kcalloc(n_xfers, sizeof(*k_tmp), GFP_KERNEL);
if (k_xfers == NULL)
return -ENOMEM;
/* Construct spi_message, copying any tx data to bounce buffer.
* We walk the array of user-provided transfers, using each one
* to initialize a kernel version of the same transfer.
*/
tx_buf = spidev->tx_buffer;
rx_buf = spidev->rx_buffer;
total = 0;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
tx_total = 0;
rx_total = 0;
for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
n;
n--, k_tmp++, u_tmp++) {
k_tmp->len = u_tmp->len;
total += k_tmp->len;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
/* Since the function returns the total length of transfers
* on success, restrict the total to positive int values to
* avoid the return value looking like an error. Also check
* each transfer length to avoid arithmetic overflow.
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
*/
if (total > INT_MAX || k_tmp->len > INT_MAX) {
status = -EMSGSIZE;
goto done;
}
if (u_tmp->rx_buf) {
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
/* this transfer needs space in RX bounce buffer */
rx_total += k_tmp->len;
if (rx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
k_tmp->rx_buf = rx_buf;
if (!access_ok(VERIFY_WRITE, (u8 __user *)
(uintptr_t) u_tmp->rx_buf,
u_tmp->len))
goto done;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
rx_buf += k_tmp->len;
}
if (u_tmp->tx_buf) {
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
/* this transfer needs space in TX bounce buffer */
tx_total += k_tmp->len;
if (tx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
k_tmp->tx_buf = tx_buf;
if (copy_from_user(tx_buf, (const u8 __user *)
(uintptr_t) u_tmp->tx_buf,
u_tmp->len))
goto done;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
tx_buf += k_tmp->len;
}
k_tmp->cs_change = !!u_tmp->cs_change;
k_tmp->tx_nbits = u_tmp->tx_nbits;
k_tmp->rx_nbits = u_tmp->rx_nbits;
k_tmp->bits_per_word = u_tmp->bits_per_word;
k_tmp->delay_usecs = u_tmp->delay_usecs;
k_tmp->speed_hz = u_tmp->speed_hz;
if (!k_tmp->speed_hz)
k_tmp->speed_hz = spidev->speed_hz;
#ifdef VERBOSE
dev_dbg(&spidev->spi->dev,
" xfer len %u %s%s%s%dbits %u usec %uHz\n",
u_tmp->len,
u_tmp->rx_buf ? "rx " : "",
u_tmp->tx_buf ? "tx " : "",
u_tmp->cs_change ? "cs " : "",
u_tmp->bits_per_word ? : spidev->spi->bits_per_word,
u_tmp->delay_usecs,
u_tmp->speed_hz ? : spidev->spi->max_speed_hz);
#endif
spi_message_add_tail(k_tmp, &msg);
}
status = spidev_sync(spidev, &msg);
if (status < 0)
goto done;
/* copy any rx data out of bounce buffer */
rx_buf = spidev->rx_buffer;
for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
if (u_tmp->rx_buf) {
if (__copy_to_user((u8 __user *)
(uintptr_t) u_tmp->rx_buf, rx_buf,
u_tmp->len)) {
status = -EFAULT;
goto done;
}
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 23:00:47 +08:00
rx_buf += u_tmp->len;
}
}
status = total;
done:
kfree(k_xfers);
return status;
}
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-31 02:43:33 +08:00
static struct spi_ioc_transfer *
spidev_get_ioc_message(unsigned int cmd, struct spi_ioc_transfer __user *u_ioc,
unsigned *n_ioc)
{
struct spi_ioc_transfer *ioc;
u32 tmp;
/* Check type, command number and direction */
if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC
|| _IOC_NR(cmd) != _IOC_NR(SPI_IOC_MESSAGE(0))
|| _IOC_DIR(cmd) != _IOC_WRITE)
return ERR_PTR(-ENOTTY);
tmp = _IOC_SIZE(cmd);
if ((tmp % sizeof(struct spi_ioc_transfer)) != 0)
return ERR_PTR(-EINVAL);
*n_ioc = tmp / sizeof(struct spi_ioc_transfer);
if (*n_ioc == 0)
return NULL;
/* copy into scratch area */
ioc = kmalloc(tmp, GFP_KERNEL);
if (!ioc)
return ERR_PTR(-ENOMEM);
if (__copy_from_user(ioc, u_ioc, tmp)) {
kfree(ioc);
return ERR_PTR(-EFAULT);
}
return ioc;
}
static long
spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
int err = 0;
int retval = 0;
struct spidev_data *spidev;
struct spi_device *spi;
u32 tmp;
unsigned n_ioc;
struct spi_ioc_transfer *ioc;
/* Check type and command number */
if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC)
return -ENOTTY;
/* Check access direction once here; don't repeat below.
* IOC_DIR is from the user perspective, while access_ok is
* from the kernel perspective; so they look reversed.
*/
if (_IOC_DIR(cmd) & _IOC_READ)
err = !access_ok(VERIFY_WRITE,
(void __user *)arg, _IOC_SIZE(cmd));
if (err == 0 && _IOC_DIR(cmd) & _IOC_WRITE)
err = !access_ok(VERIFY_READ,
(void __user *)arg, _IOC_SIZE(cmd));
if (err)
return -EFAULT;
/* guard against device removal before, or while,
* we issue this ioctl.
*/
spidev = filp->private_data;
spin_lock_irq(&spidev->spi_lock);
spi = spi_dev_get(spidev->spi);
spin_unlock_irq(&spidev->spi_lock);
if (spi == NULL)
return -ESHUTDOWN;
/* use the buffer lock here for triple duty:
* - prevent I/O (from us) so calling spi_setup() is safe;
* - prevent concurrent SPI_IOC_WR_* from morphing
* data fields while SPI_IOC_RD_* reads them;
* - SPI_IOC_MESSAGE needs the buffer locked "normally".
*/
mutex_lock(&spidev->buf_lock);
switch (cmd) {
/* read requests */
case SPI_IOC_RD_MODE:
retval = __put_user(spi->mode & SPI_MODE_MASK,
(__u8 __user *)arg);
break;
case SPI_IOC_RD_MODE32:
retval = __put_user(spi->mode & SPI_MODE_MASK,
(__u32 __user *)arg);
break;
case SPI_IOC_RD_LSB_FIRST:
retval = __put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0,
(__u8 __user *)arg);
break;
case SPI_IOC_RD_BITS_PER_WORD:
retval = __put_user(spi->bits_per_word, (__u8 __user *)arg);
break;
case SPI_IOC_RD_MAX_SPEED_HZ:
retval = __put_user(spidev->speed_hz, (__u32 __user *)arg);
break;
/* write requests */
case SPI_IOC_WR_MODE:
case SPI_IOC_WR_MODE32:
if (cmd == SPI_IOC_WR_MODE)
retval = __get_user(tmp, (u8 __user *)arg);
else
retval = __get_user(tmp, (u32 __user *)arg);
if (retval == 0) {
u32 save = spi->mode;
if (tmp & ~SPI_MODE_MASK) {
retval = -EINVAL;
break;
}
tmp |= spi->mode & ~SPI_MODE_MASK;
spi->mode = (u16)tmp;
retval = spi_setup(spi);
if (retval < 0)
spi->mode = save;
else
dev_dbg(&spi->dev, "spi mode %x\n", tmp);
}
break;
case SPI_IOC_WR_LSB_FIRST:
retval = __get_user(tmp, (__u8 __user *)arg);
if (retval == 0) {
u32 save = spi->mode;
if (tmp)
spi->mode |= SPI_LSB_FIRST;
else
spi->mode &= ~SPI_LSB_FIRST;
retval = spi_setup(spi);
if (retval < 0)
spi->mode = save;
else
dev_dbg(&spi->dev, "%csb first\n",
tmp ? 'l' : 'm');
}
break;
case SPI_IOC_WR_BITS_PER_WORD:
retval = __get_user(tmp, (__u8 __user *)arg);
if (retval == 0) {
u8 save = spi->bits_per_word;
spi->bits_per_word = tmp;
retval = spi_setup(spi);
if (retval < 0)
spi->bits_per_word = save;
else
dev_dbg(&spi->dev, "%d bits per word\n", tmp);
}
break;
case SPI_IOC_WR_MAX_SPEED_HZ:
retval = __get_user(tmp, (__u32 __user *)arg);
if (retval == 0) {
u32 save = spi->max_speed_hz;
spi->max_speed_hz = tmp;
retval = spi_setup(spi);
if (retval >= 0)
spidev->speed_hz = tmp;
else
dev_dbg(&spi->dev, "%d Hz (max)\n", tmp);
spi->max_speed_hz = save;
}
break;
default:
/* segmented and/or full-duplex I/O request */
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-31 02:43:33 +08:00
/* Check message and copy into scratch area */
ioc = spidev_get_ioc_message(cmd,
(struct spi_ioc_transfer __user *)arg, &n_ioc);
if (IS_ERR(ioc)) {
retval = PTR_ERR(ioc);
break;
}
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-31 02:43:33 +08:00
if (!ioc)
break; /* n_ioc is also 0 */
/* translate to spi_message, execute */
retval = spidev_message(spidev, ioc, n_ioc);
kfree(ioc);
break;
}
mutex_unlock(&spidev->buf_lock);
spi_dev_put(spi);
return retval;
}
#ifdef CONFIG_COMPAT
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-31 02:43:33 +08:00
static long
spidev_compat_ioc_message(struct file *filp, unsigned int cmd,
unsigned long arg)
{
struct spi_ioc_transfer __user *u_ioc;
int retval = 0;
struct spidev_data *spidev;
struct spi_device *spi;
unsigned n_ioc, n;
struct spi_ioc_transfer *ioc;
u_ioc = (struct spi_ioc_transfer __user *) compat_ptr(arg);
if (!access_ok(VERIFY_READ, u_ioc, _IOC_SIZE(cmd)))
return -EFAULT;
/* guard against device removal before, or while,
* we issue this ioctl.
*/
spidev = filp->private_data;
spin_lock_irq(&spidev->spi_lock);
spi = spi_dev_get(spidev->spi);
spin_unlock_irq(&spidev->spi_lock);
if (spi == NULL)
return -ESHUTDOWN;
/* SPI_IOC_MESSAGE needs the buffer locked "normally" */
mutex_lock(&spidev->buf_lock);
/* Check message and copy into scratch area */
ioc = spidev_get_ioc_message(cmd, u_ioc, &n_ioc);
if (IS_ERR(ioc)) {
retval = PTR_ERR(ioc);
goto done;
}
if (!ioc)
goto done; /* n_ioc is also 0 */
/* Convert buffer pointers */
for (n = 0; n < n_ioc; n++) {
ioc[n].rx_buf = (uintptr_t) compat_ptr(ioc[n].rx_buf);
ioc[n].tx_buf = (uintptr_t) compat_ptr(ioc[n].tx_buf);
}
/* translate to spi_message, execute */
retval = spidev_message(spidev, ioc, n_ioc);
kfree(ioc);
done:
mutex_unlock(&spidev->buf_lock);
spi_dev_put(spi);
return retval;
}
static long
spidev_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-31 02:43:33 +08:00
if (_IOC_TYPE(cmd) == SPI_IOC_MAGIC
&& _IOC_NR(cmd) == _IOC_NR(SPI_IOC_MESSAGE(0))
&& _IOC_DIR(cmd) == _IOC_WRITE)
return spidev_compat_ioc_message(filp, cmd, arg);
return spidev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg));
}
#else
#define spidev_compat_ioctl NULL
#endif /* CONFIG_COMPAT */
static int spidev_open(struct inode *inode, struct file *filp)
{
struct spidev_data *spidev;
int status = -ENXIO;
mutex_lock(&device_list_lock);
list_for_each_entry(spidev, &device_list, device_entry) {
if (spidev->devt == inode->i_rdev) {
status = 0;
break;
}
}
if (status) {
pr_debug("spidev: nothing for minor %d\n", iminor(inode));
goto err_find_dev;
}
if (!spidev->tx_buffer) {
spidev->tx_buffer = kmalloc(bufsiz, GFP_KERNEL);
if (!spidev->tx_buffer) {
dev_dbg(&spidev->spi->dev, "open/ENOMEM\n");
status = -ENOMEM;
goto err_find_dev;
}
}
if (!spidev->rx_buffer) {
spidev->rx_buffer = kmalloc(bufsiz, GFP_KERNEL);
if (!spidev->rx_buffer) {
dev_dbg(&spidev->spi->dev, "open/ENOMEM\n");
status = -ENOMEM;
goto err_alloc_rx_buf;
}
}
spidev->users++;
filp->private_data = spidev;
nonseekable_open(inode, filp);
mutex_unlock(&device_list_lock);
return 0;
err_alloc_rx_buf:
kfree(spidev->tx_buffer);
spidev->tx_buffer = NULL;
err_find_dev:
mutex_unlock(&device_list_lock);
return status;
}
static int spidev_release(struct inode *inode, struct file *filp)
{
struct spidev_data *spidev;
mutex_lock(&device_list_lock);
spidev = filp->private_data;
filp->private_data = NULL;
/* last close? */
spidev->users--;
if (!spidev->users) {
int dofree;
kfree(spidev->tx_buffer);
spidev->tx_buffer = NULL;
kfree(spidev->rx_buffer);
spidev->rx_buffer = NULL;
spin_lock_irq(&spidev->spi_lock);
if (spidev->spi)
spidev->speed_hz = spidev->spi->max_speed_hz;
/* ... after we unbound from the underlying device? */
dofree = (spidev->spi == NULL);
spin_unlock_irq(&spidev->spi_lock);
if (dofree)
kfree(spidev);
}
mutex_unlock(&device_list_lock);
return 0;
}
static const struct file_operations spidev_fops = {
.owner = THIS_MODULE,
/* REVISIT switch to aio primitives, so that userspace
* gets more complete API coverage. It'll simplify things
* too, except for the locking.
*/
.write = spidev_write,
.read = spidev_read,
.unlocked_ioctl = spidev_ioctl,
.compat_ioctl = spidev_compat_ioctl,
.open = spidev_open,
.release = spidev_release,
llseek: automatically add .llseek fop All file_operations should get a .llseek operation so we can make nonseekable_open the default for future file operations without a .llseek pointer. The three cases that we can automatically detect are no_llseek, seq_lseek and default_llseek. For cases where we can we can automatically prove that the file offset is always ignored, we use noop_llseek, which maintains the current behavior of not returning an error from a seek. New drivers should normally not use noop_llseek but instead use no_llseek and call nonseekable_open at open time. Existing drivers can be converted to do the same when the maintainer knows for certain that no user code relies on calling seek on the device file. The generated code is often incorrectly indented and right now contains comments that clarify for each added line why a specific variant was chosen. In the version that gets submitted upstream, the comments will be gone and I will manually fix the indentation, because there does not seem to be a way to do that using coccinelle. Some amount of new code is currently sitting in linux-next that should get the same modifications, which I will do at the end of the merge window. Many thanks to Julia Lawall for helping me learn to write a semantic patch that does all this. ===== begin semantic patch ===== // This adds an llseek= method to all file operations, // as a preparation for making no_llseek the default. // // The rules are // - use no_llseek explicitly if we do nonseekable_open // - use seq_lseek for sequential files // - use default_llseek if we know we access f_pos // - use noop_llseek if we know we don't access f_pos, // but we still want to allow users to call lseek // @ open1 exists @ identifier nested_open; @@ nested_open(...) { <+... nonseekable_open(...) ...+> } @ open exists@ identifier open_f; identifier i, f; identifier open1.nested_open; @@ int open_f(struct inode *i, struct file *f) { <+... ( nonseekable_open(...) | nested_open(...) ) ...+> } @ read disable optional_qualifier exists @ identifier read_f; identifier f, p, s, off; type ssize_t, size_t, loff_t; expression E; identifier func; @@ ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off) { <+... ( *off = E | *off += E | func(..., off, ...) | E = *off ) ...+> } @ read_no_fpos disable optional_qualifier exists @ identifier read_f; identifier f, p, s, off; type ssize_t, size_t, loff_t; @@ ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off) { ... when != off } @ write @ identifier write_f; identifier f, p, s, off; type ssize_t, size_t, loff_t; expression E; identifier func; @@ ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off) { <+... ( *off = E | *off += E | func(..., off, ...) | E = *off ) ...+> } @ write_no_fpos @ identifier write_f; identifier f, p, s, off; type ssize_t, size_t, loff_t; @@ ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off) { ... when != off } @ fops0 @ identifier fops; @@ struct file_operations fops = { ... }; @ has_llseek depends on fops0 @ identifier fops0.fops; identifier llseek_f; @@ struct file_operations fops = { ... .llseek = llseek_f, ... }; @ has_read depends on fops0 @ identifier fops0.fops; identifier read_f; @@ struct file_operations fops = { ... .read = read_f, ... }; @ has_write depends on fops0 @ identifier fops0.fops; identifier write_f; @@ struct file_operations fops = { ... .write = write_f, ... }; @ has_open depends on fops0 @ identifier fops0.fops; identifier open_f; @@ struct file_operations fops = { ... .open = open_f, ... }; // use no_llseek if we call nonseekable_open //////////////////////////////////////////// @ nonseekable1 depends on !has_llseek && has_open @ identifier fops0.fops; identifier nso ~= "nonseekable_open"; @@ struct file_operations fops = { ... .open = nso, ... +.llseek = no_llseek, /* nonseekable */ }; @ nonseekable2 depends on !has_llseek @ identifier fops0.fops; identifier open.open_f; @@ struct file_operations fops = { ... .open = open_f, ... +.llseek = no_llseek, /* open uses nonseekable */ }; // use seq_lseek for sequential files ///////////////////////////////////// @ seq depends on !has_llseek @ identifier fops0.fops; identifier sr ~= "seq_read"; @@ struct file_operations fops = { ... .read = sr, ... +.llseek = seq_lseek, /* we have seq_read */ }; // use default_llseek if there is a readdir /////////////////////////////////////////// @ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier readdir_e; @@ // any other fop is used that changes pos struct file_operations fops = { ... .readdir = readdir_e, ... +.llseek = default_llseek, /* readdir is present */ }; // use default_llseek if at least one of read/write touches f_pos ///////////////////////////////////////////////////////////////// @ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier read.read_f; @@ // read fops use offset struct file_operations fops = { ... .read = read_f, ... +.llseek = default_llseek, /* read accesses f_pos */ }; @ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier write.write_f; @@ // write fops use offset struct file_operations fops = { ... .write = write_f, ... + .llseek = default_llseek, /* write accesses f_pos */ }; // Use noop_llseek if neither read nor write accesses f_pos /////////////////////////////////////////////////////////// @ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier read_no_fpos.read_f; identifier write_no_fpos.write_f; @@ // write fops use offset struct file_operations fops = { ... .write = write_f, .read = read_f, ... +.llseek = noop_llseek, /* read and write both use no f_pos */ }; @ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier write_no_fpos.write_f; @@ struct file_operations fops = { ... .write = write_f, ... +.llseek = noop_llseek, /* write uses no f_pos */ }; @ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; identifier read_no_fpos.read_f; @@ struct file_operations fops = { ... .read = read_f, ... +.llseek = noop_llseek, /* read uses no f_pos */ }; @ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @ identifier fops0.fops; @@ struct file_operations fops = { ... +.llseek = noop_llseek, /* no read or write fn */ }; ===== End semantic patch ===== Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Julia Lawall <julia@diku.dk> Cc: Christoph Hellwig <hch@infradead.org>
2010-08-16 00:52:59 +08:00
.llseek = no_llseek,
};
/*-------------------------------------------------------------------------*/
/* The main reason to have this class is to make mdev/udev create the
* /dev/spidevB.C character device nodes exposing our userspace API.
* It also simplifies memory management.
*/
static struct class *spidev_class;
#ifdef CONFIG_OF
static const struct of_device_id spidev_dt_ids[] = {
{ .compatible = "rohm,dh2228fv" },
{ .compatible = "lineartechnology,ltc2488" },
{ .compatible = "ge,achc" },
{ .compatible = "semtech,sx1301" },
{},
};
MODULE_DEVICE_TABLE(of, spidev_dt_ids);
#endif
#ifdef CONFIG_ACPI
/* Dummy SPI devices not to be used in production systems */
#define SPIDEV_ACPI_DUMMY 1
static const struct acpi_device_id spidev_acpi_ids[] = {
/*
* The ACPI SPT000* devices are only meant for development and
* testing. Systems used in production should have a proper ACPI
* description of the connected peripheral and they should also use
* a proper driver instead of poking directly to the SPI bus.
*/
{ "SPT0001", SPIDEV_ACPI_DUMMY },
{ "SPT0002", SPIDEV_ACPI_DUMMY },
{ "SPT0003", SPIDEV_ACPI_DUMMY },
{},
};
MODULE_DEVICE_TABLE(acpi, spidev_acpi_ids);
static void spidev_probe_acpi(struct spi_device *spi)
{
const struct acpi_device_id *id;
if (!has_acpi_companion(&spi->dev))
return;
id = acpi_match_device(spidev_acpi_ids, &spi->dev);
if (WARN_ON(!id))
return;
if (id->driver_data == SPIDEV_ACPI_DUMMY)
dev_warn(&spi->dev, "do not use this driver in production systems!\n");
}
#else
static inline void spidev_probe_acpi(struct spi_device *spi) {}
#endif
/*-------------------------------------------------------------------------*/
static int spidev_probe(struct spi_device *spi)
{
struct spidev_data *spidev;
int status;
unsigned long minor;
/*
* spidev should never be referenced in DT without a specific
* compatible string, it is a Linux implementation thing
* rather than a description of the hardware.
*/
if (spi->dev.of_node && !of_match_device(spidev_dt_ids, &spi->dev)) {
dev_err(&spi->dev, "buggy DT: spidev listed directly in DT\n");
WARN_ON(spi->dev.of_node &&
!of_match_device(spidev_dt_ids, &spi->dev));
}
spidev_probe_acpi(spi);
/* Allocate driver data */
spidev = kzalloc(sizeof(*spidev), GFP_KERNEL);
if (!spidev)
return -ENOMEM;
/* Initialize the driver data */
spidev->spi = spi;
spin_lock_init(&spidev->spi_lock);
mutex_init(&spidev->buf_lock);
INIT_LIST_HEAD(&spidev->device_entry);
/* If we can allocate a minor number, hook up this device.
* Reusing minors is fine so long as udev or mdev is working.
*/
mutex_lock(&device_list_lock);
minor = find_first_zero_bit(minors, N_SPI_MINORS);
if (minor < N_SPI_MINORS) {
struct device *dev;
spidev->devt = MKDEV(SPIDEV_MAJOR, minor);
dev = device_create(spidev_class, &spi->dev, spidev->devt,
spidev, "spidev%d.%d",
spi->master->bus_num, spi->chip_select);
status = PTR_ERR_OR_ZERO(dev);
} else {
dev_dbg(&spi->dev, "no minor number available!\n");
status = -ENODEV;
}
if (status == 0) {
set_bit(minor, minors);
list_add(&spidev->device_entry, &device_list);
}
mutex_unlock(&device_list_lock);
spidev->speed_hz = spi->max_speed_hz;
spi: avoid spidev crash when device is removed I saw a kernel oops in spidev_remove() when a spidev device was registered and I unloaded the SPI master driver: Unable to handle kernel paging request for data at address 0x00000004 Faulting instruction address: 0xc01c0c50 Oops: Kernel access of bad area, sig: 11 [#1] CDSPR Modules linked in: spi_ppc4xx(-) NIP: c01c0c50 LR: c01bf9e4 CTR: c01c0c34 REGS: cec89c30 TRAP: 0300 Not tainted (2.6.27.3izt) MSR: 00021000 <ME> CR: 24000228 XER: 20000007 DEAR: 00000004, ESR: 00800000 TASK = cf889040[2070] 'rmmod' THREAD: cec88000 GPR00: 00000000 cec89ce0 cf889040 cec8e000 00000004 cec8e000 ffffffff 00000000 GPR08: 0000001c c0336380 00000000 c01c0c34 00000001 1001a338 100e0000 100df49c GPR16: 100b54c0 100df49c 100ddd20 100f05a8 100b5340 100efd68 00000000 00000000 GPR24: 100ec008 100f0428 c0327788 c0327794 cec8e0ac cec8e000 c0336380 00000000 NIP [c01c0c50] spidev_remove+0x1c/0xe4 LR [c01bf9e4] spi_drv_remove+0x2c/0x3c Call Trace: [cec89d00] [c01bf9e4] spi_drv_remove+0x2c/0x3c [cec89d10] [c01859a0] __device_release_driver+0x78/0xb4 [cec89d20] [c0185ab0] device_release_driver+0x28/0x44 [cec89d40] [c0184be8] bus_remove_device+0xac/0xd8 [cec89d60] [c0183094] device_del+0x100/0x194 [cec89d80] [c0183140] device_unregister+0x18/0x30 [cec89da0] [c01bf30c] __unregister+0x20/0x34 [cec89db0] [c0182778] device_for_each_child+0x38/0x74 [cec89de0] [c01bf2d0] spi_unregister_master+0x28/0x44 [cec89e00] [c01bfeac] spi_bitbang_stop+0x1c/0x58 [cec89e20] [d908a5e0] spi_ppc4xx_of_remove+0x24/0x7c [spi_ppc4xx] [...] IMHO a call to spi_set_drvdata() is missing in spidev_probe(). The patch below helped. Signed-off-by: Wolfgang Ocker <weo@reccoware.de> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-12-02 05:13:52 +08:00
if (status == 0)
spi_set_drvdata(spi, spidev);
else
kfree(spidev);
return status;
}
static int spidev_remove(struct spi_device *spi)
{
struct spidev_data *spidev = spi_get_drvdata(spi);
/* make sure ops on existing fds can abort cleanly */
spin_lock_irq(&spidev->spi_lock);
spidev->spi = NULL;
spin_unlock_irq(&spidev->spi_lock);
/* prevent new opens */
mutex_lock(&device_list_lock);
list_del(&spidev->device_entry);
device_destroy(spidev_class, spidev->devt);
clear_bit(MINOR(spidev->devt), minors);
if (spidev->users == 0)
kfree(spidev);
mutex_unlock(&device_list_lock);
return 0;
}
static struct spi_driver spidev_spi_driver = {
.driver = {
.name = "spidev",
.of_match_table = of_match_ptr(spidev_dt_ids),
.acpi_match_table = ACPI_PTR(spidev_acpi_ids),
},
.probe = spidev_probe,
.remove = spidev_remove,
/* NOTE: suspend/resume methods are not necessary here.
* We don't do anything except pass the requests to/from
* the underlying controller. The refrigerator handles
* most issues; the controller driver handles the rest.
*/
};
/*-------------------------------------------------------------------------*/
static int __init spidev_init(void)
{
int status;
/* Claim our 256 reserved device numbers. Then register a class
* that will key udev/mdev to add/remove /dev nodes. Last, register
* the driver which manages those device numbers.
*/
BUILD_BUG_ON(N_SPI_MINORS > 256);
status = register_chrdev(SPIDEV_MAJOR, "spi", &spidev_fops);
if (status < 0)
return status;
spidev_class = class_create(THIS_MODULE, "spidev");
if (IS_ERR(spidev_class)) {
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
return PTR_ERR(spidev_class);
}
status = spi_register_driver(&spidev_spi_driver);
if (status < 0) {
class_destroy(spidev_class);
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
}
return status;
}
module_init(spidev_init);
static void __exit spidev_exit(void)
{
spi_unregister_driver(&spidev_spi_driver);
class_destroy(spidev_class);
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
}
module_exit(spidev_exit);
MODULE_AUTHOR("Andrea Paterniani, <a.paterniani@swapp-eng.it>");
MODULE_DESCRIPTION("User mode SPI device interface");
MODULE_LICENSE("GPL");
MODULE_ALIAS("spi:spidev");