Introduction to Linux Device Drivers

Recreating Life One Driver At a Time

Muli Ben-Yehuda
mulix at mulix.org

IBM Haifa Research Labs and Haifux - Haifa Linux Club

Linux Device Drivers, Technion, Jan 2005 p.1/50

Why Write Linux Device Drivers?

For fun, For prot (Linux is hot right now, especially embedded Linux), To scratch an itch. Because you can! OK, but why Linux drivers? Because the source is available. Because of the communitys cooperation and involvement. Have I mentioned its fun yet?

Linux Device Drivers, Technion, Jan 2005 p.2/50

klife - Linux kernel game of life

klife is a Linux kernel Game of Life implementation. It is a software device driver, developed specically for this talk. The game of life is played on a square grid, where some of the cells are alive and the rest are dead. Each generation, based on each cells neighbors, we mark the cell as alive or dead. With time, amazing patterns develop. The only reason to implement the game of life inside the kernel is for demonstration purposes. Software device drivers are very common on Unix systems and provide many services to the user. Think about /dev/null, /dev/zero, /dev/random, /dev/kmem...
Linux Device Drivers, Technion, Jan 2005 p.3/50

Anatomy of a Device Driver

A device driver has three sides: one side talks to the rest of the kernel, one talks to the hardware, and one talks to the user:

User Kernel
Device Driver

Device File

Hardware
Linux Device Drivers, Technion, Jan 2005 p.4/50

Kernel Interface of a Device Driver

In order to talk to the kernel, the driver registers with subsystems to respond to events. Such an event might be the opening of a le, a page fault, the plugging in of a new USB device, etc.

Kernel Event List x File Open x Interrupt .... .... x Page Fault x Hotplug

Device Driver
Linux Device Drivers, Technion, Jan 2005 p.5/50

User Interface of a Device driver

Since Linux follows the UNIX model, and in UNIX everything is a le, users talk with device drivers through device les. Device les are a mechanism, supplied by the kernel, precisely for this direct User-Driver interface. klife is a character device, and thus the user talks to it through a character device le. The other common kind of device le is a block device le. We will only discuss character device les today.

Linux Device Drivers, Technion, Jan 2005 p.6/50

Anatomy of klife device driver

The user talks with klife through the /dev/klife device le. When the user opens /dev/klife, the kernel calls klifes open routine When the user closes /dev/klife, the kernel calls klifes release routine When the user reads or writes from or to /dev/klife you get the idea. . . klife talks to the kernel through its initialization function . . . and through register_chrdev . . . and through hooking into the timer interrupt We will elaborate on all of these later
Linux Device Drivers, Technion, Jan 2005 p.7/50

Driver Initialization Code

s t a t i c i n t _ _ i n i t k l i f e _ m o d u l e _ i n i t ( void ) { int ret ; pr_debug ( " k l i f e module i n i t c a l l e d \ n " ) ; i f ( ( r e t = r e g i s t e r _ c h r d e v (KLIFE_MAJOR_NUM , " k l i f e " , & k l i f e _ f o p s p r i n t k (KERN_ERR " r e g i s t e r _ c h r d e v : %d \ n " , r e t ) ; return ret ; }

Linux Device Drivers, Technion, Jan 2005 p.8/50

Driver Initialization
One function (init) is called on the drivers initialization. One function (exit) is called when the driver is removed from the system. Question: what happens if the driver is compiled into the kernel, rather than as a module? The init function will register hooks that will get the drivers code called when the appropriate event happens. Question: what if the init function doesnt register any hooks? There are various hooks that can be registered: le operations, pci operations, USB operations, network operations - it all depends on what kind of device this is.
Linux Device Drivers, Technion, Jan 2005 p.9/50

Registering Chardev Hooks

struct file_operations klife_fops = { . owner = THIS_MODULE , . open = k l i f e _ o p e n , . release = k l i f e _ r e l e a s e , . read = k l i f e _ r e a d , . write = klife_write , .mmap = klife_mmap , . ioctl = klife_ioctl }; ... i f ( ( r e t = r e g i s t e r _ c h r d e v (KLIFE_MAJOR_NUM , " k l i f e " , & k l i f e _ f o p s ) ) < 0 ) p r i n t k (KERN_ERR " r e g i s t e r _ c h r d e v : %d \ n " , r e t ) ;

Linux Device Drivers, Technion, Jan 2005 p.10/50

User Space Access to the Driver

We saw that the driver registers a character device tied to a given major number, but how does the user create such a le?
# mknod /dev/klife c 250 0

And how does the user open it?

if ((kfd = open("/dev/klife", O_RDWR)) < 0) { perror("open /dev/klife"); exit(EXIT_FAILURE); }

And then what?

Linux Device Drivers, Technion, Jan 2005 p.11/50

File Operations
. . . and then you start talking to the device. klife uses the following device le operations: open for starting a game (allocating resources). release for nishing a game (releasing resources). write for initializing the game (setting the starting positions on the grid). read for generating and then reading the next state of the games grid. ioctl for querying the current generation number, and for enabling or disabling hooking into the timer interrupt (more on this later). mmap for potentially faster but more complex direct access to the games grid.
Linux Device Drivers, Technion, Jan 2005 p.12/50

The open and release Routines

open and release are where you perform any setup not done in initialization time and any cleanup not done in module unload time.

Linux Device Drivers, Technion, Jan 2005 p.13/50

klife_open
klifes open routine allocates the klife structure which holds all of the state for this game (the grid, starting positions, current generation, etc).
s t a t i c i n t k l i f e _ o p e n ( s t r u c t inode inode , s t r u c t f i l e f i l p ) { struct klife k; int ret ; r e t = a l l o c _ k l i f e (& k ) ; i f ( ret ) return ret ; f i l p >p r i v a t e _ d a t a = k ; return 0; }

Linux Device Drivers, Technion, Jan 2005 p.14/50

klife_open - alloc_klife
s t a t i c i n t a l l o c _ k l i f e ( s t r u c t k l i f e pk ) { int ret ; struct klife k; k = k m a l l o c ( s i z e o f ( k ) , GFP_KERNEL ) ; if (! k) r e t u r n ENOMEM; ret = i n i t _ k l i f e (k ); i f ( ret ) { kfree ( k ) ; k = NULL ; } pk = k ; return ret ; }
Linux Device Drivers, Technion, Jan 2005 p.15/50

klife_open - init_klife
static int i n i t _ k l i f e ( struct klife k) { int ret ; memset ( k , 0 , s i z e o f ( k ) ) ; s p i n _ l o c k _ i n i t (& k>l o c k ) ; r e t = ENOMEM; / one page t o be e x p o r t e d t o userspace / k>g r i d = ( v o i d ) get_zeroed_page (GFP_KERNEL ) ; i f ( ! k>g r i d ) goto done ; k>t m p g r i d = k m a l l o c ( s i z e o f ( k>t m p g r i d ) , GFP_KERNEL ) ; i f ( ! k>t m p g r i d ) goto f r e e _ g r i d ;

Linux Device Drivers, Technion, Jan 2005 p.16/50

klife_open - init_klife cont

k>timer_hook . f u n c = k l i f e _ t i m e r _ i r q _ h a n d l e r ; k>timer_hook . data = k ; return 0; free_grid : free_page ( ( unsigned l o n g ) k>g r i d ) ; done : return ret ; }

Linux Device Drivers, Technion, Jan 2005 p.17/50

klife_release
klifes release routine frees the resource allocated during open time.
s t a t i c i n t k l i f e _ r e l e a s e ( s t r u c t inode inode , s t r u c t f i l e f i l p ) { s t r u c t k l i f e k = f i l p >p r i v a t e _ d a t a ; i f ( k>t i m e r ) klife_timer_unregister (k ); i f ( k>mapped ) { / undo s e t t i n g t h e g r i d page t o be r e s e r v e d / ClearPageReserved ( v i r t _ t o _ p a g e ( k>g r i d ) ) ; } free_klife (k ); return 0; }

Linux Device Drivers, Technion, Jan 2005 p.18/50

Commentary on open and release

Beware of races if you have any global data . . . many a driver author stumble on this point. Note also that release can fail, but almost no one checks errors from close(), so its better if it doesnt . . . Question: what happens if the userspace program crashes while holding your device le open?

Linux Device Drivers, Technion, Jan 2005 p.19/50

write
For klife, I hijacked write to mean please initialize the grid to these starting positions. There are no hard and fast rules to what write has to mean, but its good to KISS (Keep It Simple, Silly...)

Linux Device Drivers, Technion, Jan 2005 p.20/50

klife_write - 1
s t a t i c s s i z e _ t k l i f e _ w r i t e ( s t r u c t f i l e f i l p , c o n s t char __user ubuf , s i z e _ t count , l o f f _ t f_pos ) { s i z e _ t sz ; char k b u f ; s t r u c t k l i f e k = f i l p >p r i v a t e _ d a t a ; ssize_t ret ; sz = count > PAGE_SIZE ? PAGE_SIZE : count ; k b u f = k m a l l o c ( sz , GFP_KERNEL ) ; i f ( ! kbuf ) r e t u r n ENOMEM;

Not trusting users: checking the size of the users buffer

Linux Device Drivers, Technion, Jan 2005 p.21/50

klife_write - 2
r e t = EFAULT ; i f ( copy_from_user ( k b u f , ubuf , sz ) ) goto f r e e _ b u f ; r e t = k l i f e _ a d d _ p o s i t i o n ( k , k b u f , sz ) ; i f ( ret == 0) r e t = sz ; free_buf : kfree ( kbuf ) ; return ret ; }

Use copy_from_user in case the user is passing a bad pointer.

Linux Device Drivers, Technion, Jan 2005 p.22/50

Commentary on write
Note that even for such a simple function, care must be exercised when dealing with untrusted users. Users are always untrusted. Always be prepared to handle errors!

Linux Device Drivers, Technion, Jan 2005 p.23/50

read
For klife, read means please calculate and give me the next generation. The bulk of the work is done in two other routines: klife_next_generation calculates the next generation based on the current one, according to the rules of the game of life. klife_draw takes a grid and draws it as a single string in a page of memory.

Linux Device Drivers, Technion, Jan 2005 p.24/50

klife_read - 1
s t a t i c ssize_t k l i f e _ r e a d ( s t r u c t f i l e f i l p , char ubuf , s i z e _ t count , l o f f _ t f_pos ) { struct klife klife ; char page ; ssize_t len ; ssize_t ret ; unsigned l o n g f l a g s ; k l i f e = f i l p >p r i v a t e _ d a t a ; / s p e c i a l h a n d l i n g f o r mmap / i f ( k l i f e >mapped ) r e t u r n klife_read_mapped ( f i l p , ubuf , count , f_pos ) ; i f ( ! ( page = k m a l l o c ( PAGE_SIZE , GFP_KERNEL ) ) ) r e t u r n ENOMEM;

Linux Device Drivers, Technion, Jan 2005 p.25/50

klife_read - 2
s p i n _ l o c k _ i r q s a v e (& k l i f e >l o c k , f l a g s ) ; klife_next_generation ( k l i f e ) ; l e n = k l i f e _ d r a w ( k l i f e , page ) ; s p i n _ u n l o c k _ i r q r e s t o r e (& k l i f e >l o c k , f l a g s ) ; i f ( len < 0 ) { r e t = len ; goto free_page ; } / l e n can t be n e g a t i v e / l e n = min ( count , ( s i z e _ t ) l e n ) ;

Note that the lock is held for the shortest possible time. We will see later what the lock protects us against.

Linux Device Drivers, Technion, Jan 2005 p.26/50

klife_read - 3
i f ( copy_to_user ( ubuf , page , l e n ) ) { r e t = EFAULT ; goto free_page ; } f_pos + = l e n ; r e t = len ; free_page : k f r e e ( page ) ; return ret ; }

copy_to_user in case the user is passing us a bad page.

Linux Device Drivers, Technion, Jan 2005 p.27/50

klife_read - 4
s t a t i c ssize_t klife_read_mapped ( s t r u c t f i l e f i l p , char ubuf , s i z e _ t count , l o f f _ t f_pos ) { struct klife klife ; unsigned l o n g f l a g s ; k l i f e = f i l p >p r i v a t e _ d a t a ; s p i n _ l o c k _ i r q s a v e (& k l i f e >l o c k , f l a g s ) ; klife_next_generation ( k l i f e ) ; s p i n _ u n l o c k _ i r q r e s t o r e (& k l i f e >l o c k , f l a g s ) ; return 0; }

Again, mind the short lock holding time.

Linux Device Drivers, Technion, Jan 2005 p.28/50

Commentary on read
Theres plenty of room for optimization in this code . . . can you see where?

Linux Device Drivers, Technion, Jan 2005 p.29/50

ioctl
ioctl is a special access mechanism, for operations that do not cleanly map anywhere else. It is considered extremely bad taste to use ioctls in Linux where not absolutely necessary. New drivers should use either sysfs (a /proc -like virtual le system) or a driver specic le system (you can write a Linux le system in less than a 100 lines of code). In klife, we use ioctl to get the current generation number, for demonstration purposes only . . .

Linux Device Drivers, Technion, Jan 2005 p.30/50

klife_ioctl - 1
s t a t i c i n t k l i f e _ i o c t l ( s t r u c t inode inode , s t r u c t f i l e f i l e , unsigned i n t cmd , unsigned l o n g data ) { s t r u c t k l i f e k l i f e = f i l e >p r i v a t e _ d a t a ; unsigned l o n g gen ; i n t enable ; int ret ; unsigned l o n g f l a g s ; ret = 0; s w i t c h ( cmd ) { case KLIFE_GET_GENERATION : s p i n _ l o c k _ i r q s a v e (& k l i f e >l o c k , f l a g s ) ; gen = k l i f e >gen ; s p i n _ u n l o c k _ i r q r e s t o r e (& k l i f e >l o c k , f l a g s ) ; i f ( copy_to_user ( ( v o i d ) data , & gen , s i z e o f ( gen ) ) ) { r e t = EFAULT ; goto done ; }
Linux Device Drivers, Technion, Jan 2005 p.31/50

klife_ioctl - 2
break ; case KLIFE_SET_TIMER_MODE : i f ( copy_from_user (& enable , ( v o i d ) data , s i z e o f ( enable ) ) r e t = EFAULT ; goto done ; } pr_debug ( " user r e q u e s t t o %s t i m e r mode \ n " , enable ? " enable " : " d i s a b l e " ) ; i f ( k l i f e >t i m e r & & ! enable ) klife_timer_unregister ( klife ); e l s e i f ( ! k l i f e >t i m e r & & enable ) klife_timer_register ( klife ); break ; } done : return ret ; }

Linux Device Drivers, Technion, Jan 2005 p.32/50

memory mapping
The read-write mechanism, previously described, involves an overhead of a system call and related context switching and of memory copying. mmap maps pages of a le into memory, thus enabling programs to directly access the memory directly and save the overhead, . . . but: fast synchronization between kernel space and user space is a pain (why do we need it?), and Linux read and write are really quite fast. mmap is implemented in klife for demonstration purposes, with read() calls used for synchronization and triggering a generation update.

Linux Device Drivers, Technion, Jan 2005 p.33/50

klife_mmap
... SetPageReserved ( v i r t _ t o _ p a g e ( k l i f e >g r i d ) ) ; r e t = remap_pfn_range ( vma , vma>v m _ s t a r t , v i r t _ t o _ p h y s ( k l i f e >g r i d ) > > PAGE_SHIFT , PAGE_SIZE , vma>vm_page_prot ) ; pr_debug ( " io_remap_page_range r e t u r n e d %d \ n " , r e t ) ; i f ( ret == 0) k l i f e >mapped = 1 ; return ret ; }

Linux Device Drivers, Technion, Jan 2005 p.34/50

klife Interrupt Handler

What if we want a new generation on every raised interrupt? Since we dont have a hardware device to raise interrupts for us, lets hook into the one hardware every PC has - the clock - and steal its interrupt!

Linux Device Drivers, Technion, Jan 2005 p.35/50

Usual Request For an Interrupt Handler

Usually, interrupts are requested using request_irq():
/ c l a i m our i r q / r c = ENODEV; i f ( r e q u e s t _ i r q ( card> i r q , & t r i d e n t _ i n t e r r u p t , SA_SHIRQ , card_names [ p c i _ i d >d r i v e r _ d a t a ] , card ) ) { p r i n t k (KERN_ERR " t r i d e n t : unable t o a l l o c a t e i r q %d \ n " , card> i r q ) ; goto o u t _ p r o c _ f s ; }

Linux Device Drivers, Technion, Jan 2005 p.36/50

klife Interrupt Handler

It is impossible to request the timer interrupt. Instead, we will directly modify the kernel code to call our interrupt handler, if its registered. We can do this, because the code is open. . .

Linux Device Drivers, Technion, Jan 2005 p.37/50

Arent Timers Good Enough For You?

Does every driver which wishes to get periodic notications need to hook the timer interrupt? - Nope. Linux provides an excellent timer mechanism which can be used for periodic notications. The reason for hooking into the timer interrupt in klife is because we wish to be called from hard interrupt context, also known as top half context . . . . . . whereas timer functions are called in softirq bottom half context. Why insist on getting called from hard interrupt context? So we can demonstrate deferring work.

Linux Device Drivers, Technion, Jan 2005 p.38/50

The Timer Interrupt Hook Patch

The patch adds a hook which a driver can register for, to be called directly from the timer interrupt handler. It also creates two functions: register_timer_interrupt unregister_timer_interrupt

Linux Device Drivers, Technion, Jan 2005 p.39/50

Hook Into The Timer Interrupt Routine 1

+ marks the lines added to the kernel.
+struct timer_interrupt_hook timer_interrupt_hook ; + + s t a t i c v o i d c a l l _ t i m e r _ h o o k ( s t r u c t p t _ r e g s regs ) +{ + s t r u c t t i m e r _ i n t e r r u p t _ h o o k hook = t i m e r _ i n t e r r u p t _ h o o k ; + + i f ( hook & & hook>f u n c ) + hook>f u n c ( hook>data ) ; +} @ @ 851,6 +862,8 @ @ v o i d d o _ t i m e r ( s t r u c t p t _ r e g s regs ) update_process_times ( user_mode ( regs ) ) ; #endif update_times ( ) ; + + c a l l _ t i m e r _ h o o k ( regs ) ; }

Linux Device Drivers, Technion, Jan 2005 p.40/50

Hook Into The Timer Interrupt Routine 2

+ i n t r e g i s t e r _ t i m e r _ i n t e r r u p t ( s t r u c t t i m e r _ i n t e r r u p t _ h o o k hook ) +{ + p r i n t k ( KERN_INFO " r e g i s t e r i n g a t i m e r i n t e r r u p t hook %p " + " ( f u n c %p , data %p ) \ n " , hook , hook>f u n c , + hook>data ) ; + + xchg (& timer_hook , hook ) ; + return 0; +} + + v o i d u n r e g i s t e r _ t i m e r _ i n t e r r u p t ( s t r u c t t i m e r _ i n t e r r u p t _ h o o k hook ) +{ + p r i n t k ( KERN_INFO " u n r e g i s t e r i n g a t i m e r i n t e r r u p t hook \ n " ) ; + + xchg (& timer_hook , NULL ) ; +}

Linux Device Drivers, Technion, Jan 2005 p.41/50

Commentary - The Timer Interrupt Hook

Note that the register and unregister calls use xchg(), to ensure atomic replacement of the pointer to the handler. Why use xchg() rather than a lock? What context (hard interrupt, bottom half, process context) will we be called in? Which CPUs timer interrupts would we be called in? What happens on an SMP system?

Linux Device Drivers, Technion, Jan 2005 p.42/50

Deferring Work
You were supposed to learn in class about bottom halves, softirqs, tasklets and other such curse words. The timer interrupt (and every other interrupt) has to happen very quickly. Why? The interrupt handler (top half, hard irq) usually just sets a ag which says there is work to be done. The work is then deferred to a bottom half context, where it is done by an (old style) bottom half, softirq, or tasklet. For klife, we defer the work we wish to do (updating the grid) to a bottom half context by scheduling a tasklet.

Linux Device Drivers, Technion, Jan 2005 p.43/50

Preparing The Tasklet

DECLARE_TASKLET_DISABLED ( k l i f e _ t a s k l e t , k l i f e _ t a s k l e t _ f u n c , 0 ) ; s t a t i c void k l i f e _ t i m e r _ r e g i s t e r ( s t r u c t k l i f e k l i f e ) { unsigned l o n g f l a g s ; int ret ; s p i n _ l o c k _ i r q s a v e (& k l i f e >l o c k , f l a g s ) ; / prime t h e t a s k l e t w i t h t h e c o r r e c t data ours / t a s k l e t _ i n i t (& k l i f e _ t a s k l e t , k l i f e _ t a s k l e t _ f u n c , ( unsigned l o n g ) k l i f e ) ; r e t = r e g i s t e r _ t i m e r _ i n t e r r u p t (& k l i f e >timer_hook ) ; i f ( ! ret ) k l i f e >t i m e r = 1 ; s p i n _ u n l o c k _ i r q r e s t o r e (& k l i f e >l o c k , f l a g s ) ; pr_debug ( " r e g i s t e r _ t i m e r _ i n t e r r u p t r e t u r n e d %d \ n " , r e t ) ; }

Linux Device Drivers, Technion, Jan 2005 p.44/50

The klife Tasklet

Heres what our klife tasklet does: First, it derives the klife structure from the parameter it gets. Then, it locks it, to prevent concurrent access on another CPU. What are we protecting against? Then, it generates the new generation. What must we never do here? Hint: can tasklets block? Last, it releases the lock.

Linux Device Drivers, Technion, Jan 2005 p.45/50

Deferring Work - The klife Tasklet

s t a t i c v o i d k l i f e _ t i m e r _ i r q _ h a n d l e r ( v o i d data ) { s t r u c t k l i f e k l i f e = data ; / 2 t i m e s a second / i f ( k l i f e >t i m e r _ i n v o c a t i o n ++ % (HZ / 2 ) = = 0 ) t a s k l e t _ s c h e d u l e (& k l i f e _ t a s k l e t ) ; } s t a t i c v o i d k l i f e _ t a s k l e t _ f u n c ( unsigned l o n g data ) { s t r u c t k l i f e k l i f e = ( v o i d ) data ; s p i n _ l o c k (& k l i f e >l o c k ) ; klife_next_generation ( k l i f e ) ; s p i n _ u n l o c k (& k l i f e >l o c k ) ; }

Linux Device Drivers, Technion, Jan 2005 p.46/50

Adding klife To The Build System

Building the module in kernel 2.6 is a breeze. All thats required to add klife to the kernels build system are these tiny patches: In drivers/char/Kcong:
+ c o n f i g GAME_OF_LIFE + t r i s t a t e " k e r n e l game o f l i f e " + help + K e r n e l i m p l e m e n t a t i o n o f t h e Game o f L i f e .

in drivers/char/Makele
+ o b j$ ( CONFIG_GAME_OF_LIFE ) + = k l i f e . o

Linux Device Drivers, Technion, Jan 2005 p.47/50

Summary
Writing Linux drivers is easy . . . . . . and fun! Most drivers do fairly simple things, which Linux provides APIs for. The real fun is when dealing with the hardwares quirks. It gets easier with practice . . . . . . but it never gets boring.

Questions?
Linux Device Drivers, Technion, Jan 2005 p.48/50

Where To Get Help

google Community resources: web sites and mailing lists. Distributed documentation (books, articles, magazines) Use The Source, Luke! Your fellow kernel hackers.

Linux Device Drivers, Technion, Jan 2005 p.49/50

Bibliography
kernelnewbies - http://www.kernelnewbies.org linux-kernel mailing list archives h t t p : / / marc . theaimsgroup . com / ? l = l i n u x k e r n e l&w=2

Understanding the Linux Kernel, by Bovet and Cesati Linux Device Drivers, 3rd edition, by Rubini et. al. Linux Kernel Development, 2nd edition, by Robert Love /usr/src/linux-xxx/

Linux Device Drivers, Technion, Jan 2005 p.50/50