]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - drivers/hid/uhid.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
[mirror_ubuntu-bionic-kernel.git] / drivers / hid / uhid.c
CommitLineData
1ccd7a2a
DH		 1/*
2 * User-space I/O driver support for HID subsystem
3 * Copyright (c) 2012 David Herrmann
4 */
5
6/*
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the Free
9 * Software Foundation; either version 2 of the License, or (at your option)
10 * any later version.
11 */
12
13#include <linux/atomic.h>
befde022 14#include <linux/compat.h>
5e12f7f7 15#include <linux/cred.h>
1ccd7a2a
DH		 16#include <linux/device.h>
17#include <linux/fs.h>
18#include <linux/hid.h>
19#include <linux/input.h>
20#include <linux/miscdevice.h>
21#include <linux/module.h>
22#include <linux/mutex.h>
23#include <linux/poll.h>
24#include <linux/sched.h>
25#include <linux/spinlock.h>
26#include <linux/uhid.h>
27#include <linux/wait.h>
6c4ec0da 28#include <linux/eventpoll.h>
1ccd7a2a
DH		 29
30#define UHID_NAME "uhid"
ace3d861
DH		 31#define UHID_BUFSIZE 32
32
33struct uhid_device {
d937ae5f 34 struct mutex devlock;
d365c6cf
DH		 35 bool running;
36
37 __u8 *rd_data;
38 uint rd_size;
39
ace3d861 40 struct hid_device *hid;
6664ef72 41 struct uhid_event input_buf;
ace3d861
DH		 42
43 wait_queue_head_t waitq;
44 spinlock_t qlock;
45 __u8 head;
46 __u8 tail;
47 struct uhid_event *outq[UHID_BUFSIZE];
fcfcf0de 48
8cad5b01 49 /* blocking GET_REPORT support; state changes protected by qlock */
fcfcf0de
DH		 50 struct mutex report_lock;
51 wait_queue_head_t report_wait;
5942b849 52 bool report_running;
8cad5b01 53 u32 report_id;
11c22155 54 u32 report_type;
fcfcf0de 55 struct uhid_event report_buf;
67f8ecc5 56 struct work_struct worker;
ace3d861 57};
1ccd7a2a
DH		 58
59static struct miscdevice uhid_misc;
60
67f8ecc5
RC		 61static void uhid_device_add_worker(struct work_struct *work)
62{
63 struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
64 int ret;
65
66 ret = hid_add_device(uhid->hid);
67 if (ret) {
68 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
69
70 hid_destroy_device(uhid->hid);
71 uhid->hid = NULL;
72 uhid->running = false;
73 }
74}
75
ace3d861
DH		 76static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
77{
78 __u8 newhead;
79
80 newhead = (uhid->head + 1) % UHID_BUFSIZE;
81
82 if (newhead != uhid->tail) {
83 uhid->outq[uhid->head] = ev;
84 uhid->head = newhead;
85 wake_up_interruptible(&uhid->waitq);
86 } else {
87 hid_warn(uhid->hid, "Output queue is full\n");
88 kfree(ev);
89 }
90}
91
92static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
93{
94 unsigned long flags;
95 struct uhid_event *ev;
96
97 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
98 if (!ev)
99 return -ENOMEM;
100
101 ev->type = event;
102
103 spin_lock_irqsave(&uhid->qlock, flags);
104 uhid_queue(uhid, ev);
105 spin_unlock_irqrestore(&uhid->qlock, flags);
106
107 return 0;
108}
109
d365c6cf
DH		 110static int uhid_hid_start(struct hid_device *hid)
111{
ec4b7dea 112 struct uhid_device *uhid = hid->driver_data;
c2b2f16c
DH		 113 struct uhid_event *ev;
114 unsigned long flags;
115
116 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
117 if (!ev)
118 return -ENOMEM;
119
120 ev->type = UHID_START;
ec4b7dea 121
c2b2f16c
DH		 122 if (hid->report_enum[HID_FEATURE_REPORT].numbered)
123 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
124 if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
125 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
126 if (hid->report_enum[HID_INPUT_REPORT].numbered)
127 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;
128
129 spin_lock_irqsave(&uhid->qlock, flags);
130 uhid_queue(uhid, ev);
131 spin_unlock_irqrestore(&uhid->qlock, flags);
132
133 return 0;
d365c6cf
DH		 134}
135
136static void uhid_hid_stop(struct hid_device *hid)
137{
ec4b7dea
DH		 138 struct uhid_device *uhid = hid->driver_data;
139
140 hid->claimed = 0;
141 uhid_queue_event(uhid, UHID_STOP);
d365c6cf
DH		 142}
143
144static int uhid_hid_open(struct hid_device *hid)
145{
e7191474
DH		 146 struct uhid_device *uhid = hid->driver_data;
147
148 return uhid_queue_event(uhid, UHID_OPEN);
d365c6cf
DH		 149}
150
151static void uhid_hid_close(struct hid_device *hid)
152{
e7191474
DH		 153 struct uhid_device *uhid = hid->driver_data;
154
155 uhid_queue_event(uhid, UHID_CLOSE);
d365c6cf
DH		 156}
157
d365c6cf
DH		 158static int uhid_hid_parse(struct hid_device *hid)
159{
037c061b
DH		 160 struct uhid_device *uhid = hid->driver_data;
161
162 return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
d365c6cf
DH		 163}
164
11c22155
DH		 165/* must be called with report_lock held */
166static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
167 struct uhid_event *ev,
168 __u32 *report_id)
169{
170 unsigned long flags;
171 int ret;
172
173 spin_lock_irqsave(&uhid->qlock, flags);
174 *report_id = ++uhid->report_id;
8493ecca 175 uhid->report_type = ev->type + 1;
11c22155
DH		 176 uhid->report_running = true;
177 uhid_queue(uhid, ev);
178 spin_unlock_irqrestore(&uhid->qlock, flags);
179
180 ret = wait_event_interruptible_timeout(uhid->report_wait,
181 !uhid->report_running || !uhid->running,
182 5 * HZ);
183 if (!ret || !uhid->running || uhid->report_running)
184 ret = -EIO;
185 else if (ret < 0)
186 ret = -ERESTARTSYS;
187 else
188 ret = 0;
189
190 uhid->report_running = false;
191
192 return ret;
193}
194
195static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
196 const struct uhid_event *ev)
197{
198 unsigned long flags;
199
200 spin_lock_irqsave(&uhid->qlock, flags);
201
202 /* id for old report; drop it silently */
203 if (uhid->report_type != ev->type || uhid->report_id != id)
204 goto unlock;
205 if (!uhid->report_running)
206 goto unlock;
207
208 memcpy(&uhid->report_buf, ev, sizeof(*ev));
209 uhid->report_running = false;
210 wake_up_interruptible(&uhid->report_wait);
211
212unlock:
213 spin_unlock_irqrestore(&uhid->qlock, flags);
214}
215
fa71f32b 216static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
11c22155 217 u8 *buf, size_t count, u8 rtype)
289a7162
JK		 218{
219 struct uhid_device *uhid = hid->driver_data;
11c22155 220 struct uhid_get_report_reply_req *req;
289a7162 221 struct uhid_event *ev;
289a7162 222 int ret;
289a7162
JK		 223
224 if (!uhid->running)
225 return -EIO;
226
11c22155
DH		 227 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
228 if (!ev)
229 return -ENOMEM;
230
231 ev->type = UHID_GET_REPORT;
232 ev->u.get_report.rnum = rnum;
233 ev->u.get_report.rtype = rtype;
289a7162
JK		 234
235 ret = mutex_lock_interruptible(&uhid->report_lock);
11c22155
DH		 236 if (ret) {
237 kfree(ev);
289a7162 238 return ret;
11c22155 239 }
289a7162 240
11c22155
DH		 241 /* this _always_ takes ownership of @ev */
242 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
243 if (ret)
289a7162 244 goto unlock;
11c22155
DH		 245
246 req = &uhid->report_buf.u.get_report_reply;
247 if (req->err) {
248 ret = -EIO;
249 } else {
250 ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
251 memcpy(buf, req->data, ret);
289a7162
JK		 252 }
253
11c22155
DH		 254unlock:
255 mutex_unlock(&uhid->report_lock);
256 return ret;
257}
289a7162 258
11c22155
DH		 259static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
260 const u8 *buf, size_t count, u8 rtype)
261{
262 struct uhid_device *uhid = hid->driver_data;
263 struct uhid_event *ev;
264 int ret;
289a7162 265
11c22155
DH		 266 if (!uhid->running || count > UHID_DATA_MAX)
267 return -EIO;
289a7162 268
11c22155
DH		 269 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
270 if (!ev)
271 return -ENOMEM;
289a7162 272
11c22155
DH		 273 ev->type = UHID_SET_REPORT;
274 ev->u.set_report.rnum = rnum;
275 ev->u.set_report.rtype = rtype;
276 ev->u.set_report.size = count;
277 memcpy(ev->u.set_report.data, buf, count);
289a7162 278
11c22155
DH		 279 ret = mutex_lock_interruptible(&uhid->report_lock);
280 if (ret) {
281 kfree(ev);
282 return ret;
289a7162
JK		 283 }
284
11c22155
DH		 285 /* this _always_ takes ownership of @ev */
286 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
287 if (ret)
288 goto unlock;
289
290 if (uhid->report_buf.u.set_report_reply.err)
291 ret = -EIO;
292 else
293 ret = count;
289a7162
JK		 294
295unlock:
296 mutex_unlock(&uhid->report_lock);
11c22155 297 return ret;
289a7162
JK		 298}
299
7c4003bc
DH		 300static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
301 __u8 *buf, size_t len, unsigned char rtype,
302 int reqtype)
303{
11c22155
DH		 304 u8 u_rtype;
305
306 switch (rtype) {
307 case HID_FEATURE_REPORT:
308 u_rtype = UHID_FEATURE_REPORT;
309 break;
310 case HID_OUTPUT_REPORT:
311 u_rtype = UHID_OUTPUT_REPORT;
312 break;
313 case HID_INPUT_REPORT:
314 u_rtype = UHID_INPUT_REPORT;
315 break;
316 default:
317 return -EINVAL;
318 }
319
7c4003bc
DH		 320 switch (reqtype) {
321 case HID_REQ_GET_REPORT:
11c22155 322 return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
7c4003bc 323 case HID_REQ_SET_REPORT:
11c22155 324 return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
7c4003bc
DH		 325 default:
326 return -EIO;
327 }
328}
329
d365c6cf
DH		 330static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
331 unsigned char report_type)
332{
3b3baa82
DH		 333 struct uhid_device *uhid = hid->driver_data;
334 __u8 rtype;
335 unsigned long flags;
336 struct uhid_event *ev;
337
338 switch (report_type) {
339 case HID_FEATURE_REPORT:
340 rtype = UHID_FEATURE_REPORT;
341 break;
342 case HID_OUTPUT_REPORT:
343 rtype = UHID_OUTPUT_REPORT;
344 break;
345 default:
346 return -EINVAL;
347 }
348
349 if (count < 1 || count > UHID_DATA_MAX)
350 return -EINVAL;
351
352 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
353 if (!ev)
354 return -ENOMEM;
355
356 ev->type = UHID_OUTPUT;
357 ev->u.output.size = count;
358 ev->u.output.rtype = rtype;
359 memcpy(ev->u.output.data, buf, count);
360
361 spin_lock_irqsave(&uhid->qlock, flags);
362 uhid_queue(uhid, ev);
363 spin_unlock_irqrestore(&uhid->qlock, flags);
364
365 return count;
d365c6cf
DH		 366}
367
596cfdd8
FP		 368static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
369 size_t count)
370{
41abfb36 371 return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
596cfdd8
FP		 372}
373
fc2237a7 374struct hid_ll_driver uhid_hid_driver = {
d365c6cf
DH		 375 .start = uhid_hid_start,
376 .stop = uhid_hid_stop,
377 .open = uhid_hid_open,
378 .close = uhid_hid_close,
d365c6cf 379 .parse = uhid_hid_parse,
7c4003bc 380 .raw_request = uhid_hid_raw_request,
596cfdd8 381 .output_report = uhid_hid_output_report,
d365c6cf 382};
fc2237a7 383EXPORT_SYMBOL_GPL(uhid_hid_driver);
d365c6cf 384
befde022
DT		 385#ifdef CONFIG_COMPAT
386
387/* Apparently we haven't stepped on these rakes enough times yet. */
388struct uhid_create_req_compat {
389 __u8 name[128];
390 __u8 phys[64];
391 __u8 uniq[64];
392
393 compat_uptr_t rd_data;
394 __u16 rd_size;
395
396 __u16 bus;
397 __u32 vendor;
398 __u32 product;
399 __u32 version;
400 __u32 country;
401} __attribute__((__packed__));
402
403static int uhid_event_from_user(const char __user *buffer, size_t len,
404 struct uhid_event *event)
405{
7365abba 406 if (in_compat_syscall()) {
befde022
DT		 407 u32 type;
408
409 if (get_user(type, buffer))
410 return -EFAULT;
411
412 if (type == UHID_CREATE) {
413 /*
414 * This is our messed up request with compat pointer.
415 * It is largish (more than 256 bytes) so we better
416 * allocate it from the heap.
417 */
418 struct uhid_create_req_compat *compat;
419
80897aa7 420 compat = kzalloc(sizeof(*compat), GFP_KERNEL);
befde022
DT		 421 if (!compat)
422 return -ENOMEM;
423
424 buffer += sizeof(type);
425 len -= sizeof(type);
426 if (copy_from_user(compat, buffer,
427 min(len, sizeof(*compat)))) {
428 kfree(compat);
429 return -EFAULT;
430 }
431
432 /* Shuffle the data over to proper structure */
433 event->type = type;
434
435 memcpy(event->u.create.name, compat->name,
436 sizeof(compat->name));
437 memcpy(event->u.create.phys, compat->phys,
438 sizeof(compat->phys));
439 memcpy(event->u.create.uniq, compat->uniq,
440 sizeof(compat->uniq));
441
442 event->u.create.rd_data = compat_ptr(compat->rd_data);
443 event->u.create.rd_size = compat->rd_size;
444
445 event->u.create.bus = compat->bus;
446 event->u.create.vendor = compat->vendor;
447 event->u.create.product = compat->product;
448 event->u.create.version = compat->version;
449 event->u.create.country = compat->country;
450
451 kfree(compat);
452 return 0;
453 }
454 /* All others can be copied directly */
455 }
456
457 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
458 return -EFAULT;
459
460 return 0;
461}
462#else
463static int uhid_event_from_user(const char __user *buffer, size_t len,
464 struct uhid_event *event)
465{
466 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
467 return -EFAULT;
468
469 return 0;
470}
471#endif
472
4522643a
PG		 473static int uhid_dev_create2(struct uhid_device *uhid,
474 const struct uhid_event *ev)
475{
476 struct hid_device *hid;
25be7fe2 477 size_t rd_size, len;
41c4a464 478 void *rd_data;
4522643a
PG		 479 int ret;
480
481 if (uhid->running)
482 return -EALREADY;
483
41c4a464
DH		 484 rd_size = ev->u.create2.rd_size;
485 if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
4522643a
PG		 486 return -EINVAL;
487
41c4a464
DH		 488 rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
489 if (!rd_data)
4522643a
PG		 490 return -ENOMEM;
491
41c4a464
DH		 492 uhid->rd_size = rd_size;
493 uhid->rd_data = rd_data;
494
4522643a
PG		 495 hid = hid_allocate_device();
496 if (IS_ERR(hid)) {
497 ret = PTR_ERR(hid);
498 goto err_free;
499 }
500
25be7fe2
DH		 501 len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
502 strncpy(hid->name, ev->u.create2.name, len);
503 len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
504 strncpy(hid->phys, ev->u.create2.phys, len);
505 len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
506 strncpy(hid->uniq, ev->u.create2.uniq, len);
4522643a
PG		 507
508 hid->ll_driver = &uhid_hid_driver;
509 hid->bus = ev->u.create2.bus;
510 hid->vendor = ev->u.create2.vendor;
511 hid->product = ev->u.create2.product;
512 hid->version = ev->u.create2.version;
513 hid->country = ev->u.create2.country;
514 hid->driver_data = uhid;
515 hid->dev.parent = uhid_misc.this_device;
516
517 uhid->hid = hid;
518 uhid->running = true;
519
67f8ecc5
RC		 520 /* Adding of a HID device is done through a worker, to allow HID drivers
521 * which use feature requests during .probe to work, without they would
522 * be blocked on devlock, which is held by uhid_char_write.
523 */
524 schedule_work(&uhid->worker);
4522643a
PG		 525
526 return 0;
527
4522643a
PG		 528err_free:
529 kfree(uhid->rd_data);
41c4a464
DH		 530 uhid->rd_data = NULL;
531 uhid->rd_size = 0;
4522643a
PG		 532 return ret;
533}
534
56c47754
DH		 535static int uhid_dev_create(struct uhid_device *uhid,
536 struct uhid_event *ev)
537{
538 struct uhid_create_req orig;
539
540 orig = ev->u.create;
541
542 if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
543 return -EINVAL;
544 if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
545 return -EFAULT;
546
547 memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
548 memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
549 memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
550 ev->u.create2.rd_size = orig.rd_size;
551 ev->u.create2.bus = orig.bus;
552 ev->u.create2.vendor = orig.vendor;
553 ev->u.create2.product = orig.product;
554 ev->u.create2.version = orig.version;
555 ev->u.create2.country = orig.country;
556
557 return uhid_dev_create2(uhid, ev);
558}
559
d365c6cf
DH		 560static int uhid_dev_destroy(struct uhid_device *uhid)
561{
562 if (!uhid->running)
563 return -EINVAL;
564
565 uhid->running = false;
fcfcf0de 566 wake_up_interruptible(&uhid->report_wait);
d365c6cf 567
67f8ecc5
RC		 568 cancel_work_sync(&uhid->worker);
569
d365c6cf
DH		 570 hid_destroy_device(uhid->hid);
571 kfree(uhid->rd_data);
572
573 return 0;
574}
575
5e87a36a
DH		 576static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
577{
578 if (!uhid->running)
579 return -EINVAL;
580
581 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
582 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
583
584 return 0;
585}
586
4522643a
PG		 587static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
588{
589 if (!uhid->running)
590 return -EINVAL;
591
592 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
593 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
594
595 return 0;
596}
597
fa71f32b
DH		 598static int uhid_dev_get_report_reply(struct uhid_device *uhid,
599 struct uhid_event *ev)
fcfcf0de 600{
fcfcf0de
DH		 601 if (!uhid->running)
602 return -EINVAL;
603
11c22155
DH		 604 uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
605 return 0;
606}
fcfcf0de 607
11c22155
DH		 608static int uhid_dev_set_report_reply(struct uhid_device *uhid,
609 struct uhid_event *ev)
610{
611 if (!uhid->running)
612 return -EINVAL;
fcfcf0de 613
11c22155 614 uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
fcfcf0de
DH		 615 return 0;
616}
617
1ccd7a2a
DH		 618static int uhid_char_open(struct inode *inode, struct file *file)
619{
ace3d861
DH		 620 struct uhid_device *uhid;
621
622 uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
623 if (!uhid)
624 return -ENOMEM;
625
d937ae5f 626 mutex_init(&uhid->devlock);
fcfcf0de 627 mutex_init(&uhid->report_lock);
ace3d861
DH		 628 spin_lock_init(&uhid->qlock);
629 init_waitqueue_head(&uhid->waitq);
fcfcf0de 630 init_waitqueue_head(&uhid->report_wait);
d365c6cf 631 uhid->running = false;
67f8ecc5 632 INIT_WORK(&uhid->worker, uhid_device_add_worker);
ace3d861
DH		 633
634 file->private_data = uhid;
635 nonseekable_open(inode, file);
636
1ccd7a2a
DH		 637 return 0;
638}
639
640static int uhid_char_release(struct inode *inode, struct file *file)
641{
ace3d861
DH		 642 struct uhid_device *uhid = file->private_data;
643 unsigned int i;
644
d365c6cf
DH		 645 uhid_dev_destroy(uhid);
646
ace3d861
DH		 647 for (i = 0; i < UHID_BUFSIZE; ++i)
648 kfree(uhid->outq[i]);
649
650 kfree(uhid);
651
1ccd7a2a
DH		 652 return 0;
653}
654
655static ssize_t uhid_char_read(struct file *file, char __user *buffer,
656 size_t count, loff_t *ppos)
657{
d937ae5f
DH		 658 struct uhid_device *uhid = file->private_data;
659 int ret;
660 unsigned long flags;
661 size_t len;
662
663 /* they need at least the "type" member of uhid_event */
664 if (count < sizeof(__u32))
665 return -EINVAL;
666
667try_again:
668 if (file->f_flags & O_NONBLOCK) {
669 if (uhid->head == uhid->tail)
670 return -EAGAIN;
671 } else {
672 ret = wait_event_interruptible(uhid->waitq,
673 uhid->head != uhid->tail);
674 if (ret)
675 return ret;
676 }
677
678 ret = mutex_lock_interruptible(&uhid->devlock);
679 if (ret)
680 return ret;
681
682 if (uhid->head == uhid->tail) {
683 mutex_unlock(&uhid->devlock);
684 goto try_again;
685 } else {
686 len = min(count, sizeof(**uhid->outq));
adefb69b 687 if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
d937ae5f
DH		 688 ret = -EFAULT;
689 } else {
690 kfree(uhid->outq[uhid->tail]);
691 uhid->outq[uhid->tail] = NULL;
692
693 spin_lock_irqsave(&uhid->qlock, flags);
694 uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
695 spin_unlock_irqrestore(&uhid->qlock, flags);
696 }
697 }
698
699 mutex_unlock(&uhid->devlock);
700 return ret ? ret : len;
1ccd7a2a
DH		 701}
702
703static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
704 size_t count, loff_t *ppos)
705{
6664ef72
DH		 706 struct uhid_device *uhid = file->private_data;
707 int ret;
708 size_t len;
709
710 /* we need at least the "type" member of uhid_event */
711 if (count < sizeof(__u32))
712 return -EINVAL;
713
714 ret = mutex_lock_interruptible(&uhid->devlock);
715 if (ret)
716 return ret;
717
718 memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
719 len = min(count, sizeof(uhid->input_buf));
befde022
DT		 720
721 ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
722 if (ret)
6664ef72 723 goto unlock;
6664ef72
DH		 724
725 switch (uhid->input_buf.type) {
d365c6cf 726 case UHID_CREATE:
5e12f7f7
EB		 727 /*
728 * 'struct uhid_create_req' contains a __user pointer which is
729 * copied from, so it's unsafe to allow this with elevated
730 * privileges (e.g. from a setuid binary) or via kernel_write().
731 */
732 if (file->f_cred != current_cred() || uaccess_kernel()) {
733 pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
734 task_tgid_vnr(current), current->comm);
735 ret = -EACCES;
736 goto unlock;
737 }
d365c6cf
DH		 738 ret = uhid_dev_create(uhid, &uhid->input_buf);
739 break;
4522643a
PG		 740 case UHID_CREATE2:
741 ret = uhid_dev_create2(uhid, &uhid->input_buf);
742 break;
d365c6cf
DH		 743 case UHID_DESTROY:
744 ret = uhid_dev_destroy(uhid);
745 break;
5e87a36a
DH		 746 case UHID_INPUT:
747 ret = uhid_dev_input(uhid, &uhid->input_buf);
748 break;
4522643a
PG		 749 case UHID_INPUT2:
750 ret = uhid_dev_input2(uhid, &uhid->input_buf);
751 break;
fa71f32b
DH		 752 case UHID_GET_REPORT_REPLY:
753 ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
fcfcf0de 754 break;
11c22155
DH		 755 case UHID_SET_REPORT_REPLY:
756 ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
757 break;
6664ef72
DH		 758 default:
759 ret = -EOPNOTSUPP;
760 }
761
762unlock:
763 mutex_unlock(&uhid->devlock);
764
765 /* return "count" not "len" to not confuse the caller */
766 return ret ? ret : count;
1ccd7a2a
DH		 767}
768
769static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
770{
1f9dec1e
DH		 771 struct uhid_device *uhid = file->private_data;
772
773 poll_wait(file, &uhid->waitq, wait);
774
775 if (uhid->head != uhid->tail)
776 return POLLIN | POLLRDNORM;
777
6c4ec0da 778 return EPOLLOUT | EPOLLWRNORM;
1ccd7a2a
DH		 779}
780
781static const struct file_operations uhid_fops = {
782 .owner = THIS_MODULE,
783 .open = uhid_char_open,
784 .release = uhid_char_release,
785 .read = uhid_char_read,
786 .write = uhid_char_write,
787 .poll = uhid_char_poll,
788 .llseek = no_llseek,
789};
790
791static struct miscdevice uhid_misc = {
792 .fops = &uhid_fops,
19872d20 793 .minor = UHID_MINOR,
1ccd7a2a
DH		 794 .name = UHID_NAME,
795};
ca75d601 796module_misc_device(uhid_misc);
1ccd7a2a 797
1ccd7a2a
DH		 798MODULE_LICENSE("GPL");
799MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
800MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
19872d20 801MODULE_ALIAS_MISCDEV(UHID_MINOR);
60cbd53e 802MODULE_ALIAS("devname:" UHID_NAME);
ubuntu-bionic-kernel mirror