spi: potential memleak in spidev_ioctl
[sfrench/cifs-2.6.git] / drivers / spi / spidev.c
1 /*
2  * spidev.c -- simple synchronous userspace interface to SPI devices
3  *
4  * Copyright (C) 2006 SWAPP
5  *      Andrea Paterniani <a.paterniani@swapp-eng.it>
6  * Copyright (C) 2007 David Brownell (simplification, cleanup)
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 2 of the License, or
11  * (at your option) any later version.
12  *
13  * This program is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  * GNU General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with this program; if not, write to the Free Software
20  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21  */
22
23 #include <linux/init.h>
24 #include <linux/module.h>
25 #include <linux/ioctl.h>
26 #include <linux/fs.h>
27 #include <linux/device.h>
28 #include <linux/list.h>
29 #include <linux/errno.h>
30 #include <linux/mutex.h>
31 #include <linux/slab.h>
32
33 #include <linux/spi/spi.h>
34 #include <linux/spi/spidev.h>
35
36 #include <asm/uaccess.h>
37
38
39 /*
40  * This supports acccess to SPI devices using normal userspace I/O calls.
41  * Note that while traditional UNIX/POSIX I/O semantics are half duplex,
42  * and often mask message boundaries, full SPI support requires full duplex
43  * transfers.  There are several kinds of of internal message boundaries to
44  * handle chipselect management and other protocol options.
45  *
46  * SPI has a character major number assigned.  We allocate minor numbers
47  * dynamically using a bitmask.  You must use hotplug tools, such as udev
48  * (or mdev with busybox) to create and destroy the /dev/spidevB.C device
49  * nodes, since there is no fixed association of minor numbers with any
50  * particular SPI bus or device.
51  */
52 #define SPIDEV_MAJOR                    153     /* assigned */
53 #define N_SPI_MINORS                    32      /* ... up to 256 */
54
55 static unsigned long    minors[N_SPI_MINORS / BITS_PER_LONG];
56
57
58 /* Bit masks for spi_device.mode management */
59 #define SPI_MODE_MASK                   (SPI_CPHA | SPI_CPOL)
60
61
62 struct spidev_data {
63         struct device           dev;
64         struct spi_device       *spi;
65         struct list_head        device_entry;
66
67         struct mutex            buf_lock;
68         unsigned                users;
69         u8                      *buffer;
70 };
71
72 static LIST_HEAD(device_list);
73 static DEFINE_MUTEX(device_list_lock);
74
75 static unsigned bufsiz = 4096;
76 module_param(bufsiz, uint, S_IRUGO);
77 MODULE_PARM_DESC(bufsiz, "data bytes in biggest supported SPI message");
78
79 /*-------------------------------------------------------------------------*/
80
81 /* Read-only message with current device setup */
82 static ssize_t
83 spidev_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos)
84 {
85         struct spidev_data      *spidev;
86         struct spi_device       *spi;
87         ssize_t                 status = 0;
88
89         /* chipselect only toggles at start or end of operation */
90         if (count > bufsiz)
91                 return -EMSGSIZE;
92
93         spidev = filp->private_data;
94         spi = spidev->spi;
95
96         mutex_lock(&spidev->buf_lock);
97         status = spi_read(spi, spidev->buffer, count);
98         if (status == 0) {
99                 unsigned long   missing;
100
101                 missing = copy_to_user(buf, spidev->buffer, count);
102                 if (count && missing == count)
103                         status = -EFAULT;
104                 else
105                         status = count - missing;
106         }
107         mutex_unlock(&spidev->buf_lock);
108
109         return status;
110 }
111
112 /* Write-only message with current device setup */
113 static ssize_t
114 spidev_write(struct file *filp, const char __user *buf,
115                 size_t count, loff_t *f_pos)
116 {
117         struct spidev_data      *spidev;
118         struct spi_device       *spi;
119         ssize_t                 status = 0;
120         unsigned long           missing;
121
122         /* chipselect only toggles at start or end of operation */
123         if (count > bufsiz)
124                 return -EMSGSIZE;
125
126         spidev = filp->private_data;
127         spi = spidev->spi;
128
129         mutex_lock(&spidev->buf_lock);
130         missing = copy_from_user(spidev->buffer, buf, count);
131         if (missing == 0) {
132                 status = spi_write(spi, spidev->buffer, count);
133                 if (status == 0)
134                         status = count;
135         } else
136                 status = -EFAULT;
137         mutex_unlock(&spidev->buf_lock);
138
139         return status;
140 }
141
142 static int spidev_message(struct spidev_data *spidev,
143                 struct spi_ioc_transfer *u_xfers, unsigned n_xfers)
144 {
145         struct spi_message      msg;
146         struct spi_transfer     *k_xfers;
147         struct spi_transfer     *k_tmp;
148         struct spi_ioc_transfer *u_tmp;
149         struct spi_device       *spi = spidev->spi;
150         unsigned                n, total;
151         u8                      *buf;
152         int                     status = -EFAULT;
153
154         spi_message_init(&msg);
155         k_xfers = kcalloc(n_xfers, sizeof(*k_tmp), GFP_KERNEL);
156         if (k_xfers == NULL)
157                 return -ENOMEM;
158
159         /* Construct spi_message, copying any tx data to bounce buffer.
160          * We walk the array of user-provided transfers, using each one
161          * to initialize a kernel version of the same transfer.
162          */
163         mutex_lock(&spidev->buf_lock);
164         buf = spidev->buffer;
165         total = 0;
166         for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
167                         n;
168                         n--, k_tmp++, u_tmp++) {
169                 k_tmp->len = u_tmp->len;
170
171                 total += k_tmp->len;
172                 if (total > bufsiz) {
173                         status = -EMSGSIZE;
174                         goto done;
175                 }
176
177                 if (u_tmp->rx_buf) {
178                         k_tmp->rx_buf = buf;
179                         if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len))
180                                 goto done;
181                 }
182                 if (u_tmp->tx_buf) {
183                         k_tmp->tx_buf = buf;
184                         if (copy_from_user(buf, (const u8 __user *)u_tmp->tx_buf,
185                                         u_tmp->len))
186                                 goto done;
187                 }
188                 buf += k_tmp->len;
189
190                 k_tmp->cs_change = !!u_tmp->cs_change;
191                 k_tmp->bits_per_word = u_tmp->bits_per_word;
192                 k_tmp->delay_usecs = u_tmp->delay_usecs;
193                 k_tmp->speed_hz = u_tmp->speed_hz;
194 #ifdef VERBOSE
195                 dev_dbg(&spi->dev,
196                         "  xfer len %zd %s%s%s%dbits %u usec %uHz\n",
197                         u_tmp->len,
198                         u_tmp->rx_buf ? "rx " : "",
199                         u_tmp->tx_buf ? "tx " : "",
200                         u_tmp->cs_change ? "cs " : "",
201                         u_tmp->bits_per_word ? : spi->bits_per_word,
202                         u_tmp->delay_usecs,
203                         u_tmp->speed_hz ? : spi->max_speed_hz);
204 #endif
205                 spi_message_add_tail(k_tmp, &msg);
206         }
207
208         status = spi_sync(spi, &msg);
209         if (status < 0)
210                 goto done;
211
212         /* copy any rx data out of bounce buffer */
213         buf = spidev->buffer;
214         for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
215                 if (u_tmp->rx_buf) {
216                         if (__copy_to_user((u8 __user *)u_tmp->rx_buf, buf,
217                                         u_tmp->len)) {
218                                 status = -EFAULT;
219                                 goto done;
220                         }
221                 }
222                 buf += u_tmp->len;
223         }
224         status = total;
225
226 done:
227         mutex_unlock(&spidev->buf_lock);
228         kfree(k_xfers);
229         return status;
230 }
231
232 static int
233 spidev_ioctl(struct inode *inode, struct file *filp,
234                 unsigned int cmd, unsigned long arg)
235 {
236         int                     err = 0;
237         int                     retval = 0;
238         struct spidev_data      *spidev;
239         struct spi_device       *spi;
240         u32                     tmp;
241         unsigned                n_ioc;
242         struct spi_ioc_transfer *ioc;
243
244         /* Check type and command number */
245         if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC)
246                 return -ENOTTY;
247
248         /* Check access direction once here; don't repeat below.
249          * IOC_DIR is from the user perspective, while access_ok is
250          * from the kernel perspective; so they look reversed.
251          */
252         if (_IOC_DIR(cmd) & _IOC_READ)
253                 err = !access_ok(VERIFY_WRITE,
254                                 (void __user *)arg, _IOC_SIZE(cmd));
255         if (err == 0 && _IOC_DIR(cmd) & _IOC_WRITE)
256                 err = !access_ok(VERIFY_READ,
257                                 (void __user *)arg, _IOC_SIZE(cmd));
258         if (err)
259                 return -EFAULT;
260
261         spidev = filp->private_data;
262         spi = spidev->spi;
263
264         switch (cmd) {
265         /* read requests */
266         case SPI_IOC_RD_MODE:
267                 retval = __put_user(spi->mode & SPI_MODE_MASK,
268                                         (__u8 __user *)arg);
269                 break;
270         case SPI_IOC_RD_LSB_FIRST:
271                 retval = __put_user((spi->mode & SPI_LSB_FIRST) ?  1 : 0,
272                                         (__u8 __user *)arg);
273                 break;
274         case SPI_IOC_RD_BITS_PER_WORD:
275                 retval = __put_user(spi->bits_per_word, (__u8 __user *)arg);
276                 break;
277         case SPI_IOC_RD_MAX_SPEED_HZ:
278                 retval = __put_user(spi->max_speed_hz, (__u32 __user *)arg);
279                 break;
280
281         /* write requests */
282         case SPI_IOC_WR_MODE:
283                 retval = __get_user(tmp, (u8 __user *)arg);
284                 if (retval == 0) {
285                         u8      save = spi->mode;
286
287                         if (tmp & ~SPI_MODE_MASK) {
288                                 retval = -EINVAL;
289                                 break;
290                         }
291
292                         tmp |= spi->mode & ~SPI_MODE_MASK;
293                         spi->mode = (u8)tmp;
294                         retval = spi_setup(spi);
295                         if (retval < 0)
296                                 spi->mode = save;
297                         else
298                                 dev_dbg(&spi->dev, "spi mode %02x\n", tmp);
299                 }
300                 break;
301         case SPI_IOC_WR_LSB_FIRST:
302                 retval = __get_user(tmp, (__u8 __user *)arg);
303                 if (retval == 0) {
304                         u8      save = spi->mode;
305
306                         if (tmp)
307                                 spi->mode |= SPI_LSB_FIRST;
308                         else
309                                 spi->mode &= ~SPI_LSB_FIRST;
310                         retval = spi_setup(spi);
311                         if (retval < 0)
312                                 spi->mode = save;
313                         else
314                                 dev_dbg(&spi->dev, "%csb first\n",
315                                                 tmp ? 'l' : 'm');
316                 }
317                 break;
318         case SPI_IOC_WR_BITS_PER_WORD:
319                 retval = __get_user(tmp, (__u8 __user *)arg);
320                 if (retval == 0) {
321                         u8      save = spi->bits_per_word;
322
323                         spi->bits_per_word = tmp;
324                         retval = spi_setup(spi);
325                         if (retval < 0)
326                                 spi->bits_per_word = save;
327                         else
328                                 dev_dbg(&spi->dev, "%d bits per word\n", tmp);
329                 }
330                 break;
331         case SPI_IOC_WR_MAX_SPEED_HZ:
332                 retval = __get_user(tmp, (__u32 __user *)arg);
333                 if (retval == 0) {
334                         u32     save = spi->max_speed_hz;
335
336                         spi->max_speed_hz = tmp;
337                         retval = spi_setup(spi);
338                         if (retval < 0)
339                                 spi->max_speed_hz = save;
340                         else
341                                 dev_dbg(&spi->dev, "%d Hz (max)\n", tmp);
342                 }
343                 break;
344
345         default:
346                 /* segmented and/or full-duplex I/O request */
347                 if (_IOC_NR(cmd) != _IOC_NR(SPI_IOC_MESSAGE(0))
348                                 || _IOC_DIR(cmd) != _IOC_WRITE)
349                         return -ENOTTY;
350
351                 tmp = _IOC_SIZE(cmd);
352                 if ((tmp % sizeof(struct spi_ioc_transfer)) != 0) {
353                         retval = -EINVAL;
354                         break;
355                 }
356                 n_ioc = tmp / sizeof(struct spi_ioc_transfer);
357                 if (n_ioc == 0)
358                         break;
359
360                 /* copy into scratch area */
361                 ioc = kmalloc(tmp, GFP_KERNEL);
362                 if (!ioc) {
363                         retval = -ENOMEM;
364                         break;
365                 }
366                 if (__copy_from_user(ioc, (void __user *)arg, tmp)) {
367                         kfree(ioc);
368                         retval = -EFAULT;
369                         break;
370                 }
371
372                 /* translate to spi_message, execute */
373                 retval = spidev_message(spidev, ioc, n_ioc);
374                 kfree(ioc);
375                 break;
376         }
377         return retval;
378 }
379
380 static int spidev_open(struct inode *inode, struct file *filp)
381 {
382         struct spidev_data      *spidev;
383         int                     status = -ENXIO;
384
385         mutex_lock(&device_list_lock);
386
387         list_for_each_entry(spidev, &device_list, device_entry) {
388                 if (spidev->dev.devt == inode->i_rdev) {
389                         status = 0;
390                         break;
391                 }
392         }
393         if (status == 0) {
394                 if (!spidev->buffer) {
395                         spidev->buffer = kmalloc(bufsiz, GFP_KERNEL);
396                         if (!spidev->buffer) {
397                                 dev_dbg(&spidev->spi->dev, "open/ENOMEM\n");
398                                 status = -ENOMEM;
399                         }
400                 }
401                 if (status == 0) {
402                         spidev->users++;
403                         filp->private_data = spidev;
404                         nonseekable_open(inode, filp);
405                 }
406         } else
407                 pr_debug("spidev: nothing for minor %d\n", iminor(inode));
408
409         mutex_unlock(&device_list_lock);
410         return status;
411 }
412
413 static int spidev_release(struct inode *inode, struct file *filp)
414 {
415         struct spidev_data      *spidev;
416         int                     status = 0;
417
418         mutex_lock(&device_list_lock);
419         spidev = filp->private_data;
420         filp->private_data = NULL;
421         spidev->users--;
422         if (!spidev->users) {
423                 kfree(spidev->buffer);
424                 spidev->buffer = NULL;
425         }
426         mutex_unlock(&device_list_lock);
427
428         return status;
429 }
430
431 static struct file_operations spidev_fops = {
432         .owner =        THIS_MODULE,
433         /* REVISIT switch to aio primitives, so that userspace
434          * gets more complete API coverage.  It'll simplify things
435          * too, except for the locking.
436          */
437         .write =        spidev_write,
438         .read =         spidev_read,
439         .ioctl =        spidev_ioctl,
440         .open =         spidev_open,
441         .release =      spidev_release,
442 };
443
444 /*-------------------------------------------------------------------------*/
445
446 /* The main reason to have this class is to make mdev/udev create the
447  * /dev/spidevB.C character device nodes exposing our userspace API.
448  * It also simplifies memory management.
449  */
450
451 static void spidev_classdev_release(struct device *dev)
452 {
453         struct spidev_data      *spidev;
454
455         spidev = container_of(dev, struct spidev_data, dev);
456         kfree(spidev);
457 }
458
459 static struct class spidev_class = {
460         .name           = "spidev",
461         .owner          = THIS_MODULE,
462         .dev_release    = spidev_classdev_release,
463 };
464
465 /*-------------------------------------------------------------------------*/
466
467 static int spidev_probe(struct spi_device *spi)
468 {
469         struct spidev_data      *spidev;
470         int                     status;
471         unsigned long           minor;
472
473         /* Allocate driver data */
474         spidev = kzalloc(sizeof(*spidev), GFP_KERNEL);
475         if (!spidev)
476                 return -ENOMEM;
477
478         /* Initialize the driver data */
479         spidev->spi = spi;
480         mutex_init(&spidev->buf_lock);
481
482         INIT_LIST_HEAD(&spidev->device_entry);
483
484         /* If we can allocate a minor number, hook up this device.
485          * Reusing minors is fine so long as udev or mdev is working.
486          */
487         mutex_lock(&device_list_lock);
488         minor = find_first_zero_bit(minors, N_SPI_MINORS);
489         if (minor < N_SPI_MINORS) {
490                 spidev->dev.parent = &spi->dev;
491                 spidev->dev.class = &spidev_class;
492                 spidev->dev.devt = MKDEV(SPIDEV_MAJOR, minor);
493                 snprintf(spidev->dev.bus_id, sizeof spidev->dev.bus_id,
494                                 "spidev%d.%d",
495                                 spi->master->bus_num, spi->chip_select);
496                 status = device_register(&spidev->dev);
497         } else {
498                 dev_dbg(&spi->dev, "no minor number available!\n");
499                 status = -ENODEV;
500         }
501         if (status == 0) {
502                 set_bit(minor, minors);
503                 dev_set_drvdata(&spi->dev, spidev);
504                 list_add(&spidev->device_entry, &device_list);
505         }
506         mutex_unlock(&device_list_lock);
507
508         if (status != 0)
509                 kfree(spidev);
510
511         return status;
512 }
513
514 static int spidev_remove(struct spi_device *spi)
515 {
516         struct spidev_data      *spidev = dev_get_drvdata(&spi->dev);
517
518         mutex_lock(&device_list_lock);
519
520         list_del(&spidev->device_entry);
521         dev_set_drvdata(&spi->dev, NULL);
522         clear_bit(MINOR(spidev->dev.devt), minors);
523         device_unregister(&spidev->dev);
524
525         mutex_unlock(&device_list_lock);
526
527         return 0;
528 }
529
530 static struct spi_driver spidev_spi = {
531         .driver = {
532                 .name =         "spidev",
533                 .owner =        THIS_MODULE,
534         },
535         .probe =        spidev_probe,
536         .remove =       __devexit_p(spidev_remove),
537
538         /* NOTE:  suspend/resume methods are not necessary here.
539          * We don't do anything except pass the requests to/from
540          * the underlying controller.  The refrigerator handles
541          * most issues; the controller driver handles the rest.
542          */
543 };
544
545 /*-------------------------------------------------------------------------*/
546
547 static int __init spidev_init(void)
548 {
549         int status;
550
551         /* Claim our 256 reserved device numbers.  Then register a class
552          * that will key udev/mdev to add/remove /dev nodes.  Last, register
553          * the driver which manages those device numbers.
554          */
555         BUILD_BUG_ON(N_SPI_MINORS > 256);
556         status = register_chrdev(SPIDEV_MAJOR, "spi", &spidev_fops);
557         if (status < 0)
558                 return status;
559
560         status = class_register(&spidev_class);
561         if (status < 0) {
562                 unregister_chrdev(SPIDEV_MAJOR, spidev_spi.driver.name);
563                 return status;
564         }
565
566         status = spi_register_driver(&spidev_spi);
567         if (status < 0) {
568                 class_unregister(&spidev_class);
569                 unregister_chrdev(SPIDEV_MAJOR, spidev_spi.driver.name);
570         }
571         return status;
572 }
573 module_init(spidev_init);
574
575 static void __exit spidev_exit(void)
576 {
577         spi_unregister_driver(&spidev_spi);
578         class_unregister(&spidev_class);
579         unregister_chrdev(SPIDEV_MAJOR, spidev_spi.driver.name);
580 }
581 module_exit(spidev_exit);
582
583 MODULE_AUTHOR("Andrea Paterniani, <a.paterniani@swapp-eng.it>");
584 MODULE_DESCRIPTION("User mode SPI device interface");
585 MODULE_LICENSE("GPL");