]>
Commit | Line | Data |
---|---|---|
1ccd7a2a DH |
1 | /* |
2 | * User-space I/O driver support for HID subsystem | |
3 | * Copyright (c) 2012 David Herrmann | |
4 | */ | |
5 | ||
6 | /* | |
7 | * This program is free software; you can redistribute it and/or modify it | |
8 | * under the terms of the GNU General Public License as published by the Free | |
9 | * Software Foundation; either version 2 of the License, or (at your option) | |
10 | * any later version. | |
11 | */ | |
12 | ||
13 | #include <linux/atomic.h> | |
befde022 | 14 | #include <linux/compat.h> |
5e12f7f7 | 15 | #include <linux/cred.h> |
1ccd7a2a DH |
16 | #include <linux/device.h> |
17 | #include <linux/fs.h> | |
18 | #include <linux/hid.h> | |
19 | #include <linux/input.h> | |
20 | #include <linux/miscdevice.h> | |
21 | #include <linux/module.h> | |
22 | #include <linux/mutex.h> | |
23 | #include <linux/poll.h> | |
24 | #include <linux/sched.h> | |
25 | #include <linux/spinlock.h> | |
26 | #include <linux/uhid.h> | |
27 | #include <linux/wait.h> | |
6c4ec0da | 28 | #include <linux/eventpoll.h> |
1ccd7a2a DH |
29 | |
30 | #define UHID_NAME "uhid" | |
ace3d861 DH |
31 | #define UHID_BUFSIZE 32 |
32 | ||
33 | struct uhid_device { | |
d937ae5f | 34 | struct mutex devlock; |
d365c6cf DH |
35 | bool running; |
36 | ||
37 | __u8 *rd_data; | |
38 | uint rd_size; | |
39 | ||
ace3d861 | 40 | struct hid_device *hid; |
6664ef72 | 41 | struct uhid_event input_buf; |
ace3d861 DH |
42 | |
43 | wait_queue_head_t waitq; | |
44 | spinlock_t qlock; | |
45 | __u8 head; | |
46 | __u8 tail; | |
47 | struct uhid_event *outq[UHID_BUFSIZE]; | |
fcfcf0de | 48 | |
8cad5b01 | 49 | /* blocking GET_REPORT support; state changes protected by qlock */ |
fcfcf0de DH |
50 | struct mutex report_lock; |
51 | wait_queue_head_t report_wait; | |
5942b849 | 52 | bool report_running; |
8cad5b01 | 53 | u32 report_id; |
11c22155 | 54 | u32 report_type; |
fcfcf0de | 55 | struct uhid_event report_buf; |
67f8ecc5 | 56 | struct work_struct worker; |
ace3d861 | 57 | }; |
1ccd7a2a DH |
58 | |
59 | static struct miscdevice uhid_misc; | |
60 | ||
67f8ecc5 RC |
61 | static void uhid_device_add_worker(struct work_struct *work) |
62 | { | |
63 | struct uhid_device *uhid = container_of(work, struct uhid_device, worker); | |
64 | int ret; | |
65 | ||
66 | ret = hid_add_device(uhid->hid); | |
67 | if (ret) { | |
68 | hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret); | |
69 | ||
70 | hid_destroy_device(uhid->hid); | |
71 | uhid->hid = NULL; | |
72 | uhid->running = false; | |
73 | } | |
74 | } | |
75 | ||
ace3d861 DH |
76 | static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev) |
77 | { | |
78 | __u8 newhead; | |
79 | ||
80 | newhead = (uhid->head + 1) % UHID_BUFSIZE; | |
81 | ||
82 | if (newhead != uhid->tail) { | |
83 | uhid->outq[uhid->head] = ev; | |
84 | uhid->head = newhead; | |
85 | wake_up_interruptible(&uhid->waitq); | |
86 | } else { | |
87 | hid_warn(uhid->hid, "Output queue is full\n"); | |
88 | kfree(ev); | |
89 | } | |
90 | } | |
91 | ||
92 | static int uhid_queue_event(struct uhid_device *uhid, __u32 event) | |
93 | { | |
94 | unsigned long flags; | |
95 | struct uhid_event *ev; | |
96 | ||
97 | ev = kzalloc(sizeof(*ev), GFP_KERNEL); | |
98 | if (!ev) | |
99 | return -ENOMEM; | |
100 | ||
101 | ev->type = event; | |
102 | ||
103 | spin_lock_irqsave(&uhid->qlock, flags); | |
104 | uhid_queue(uhid, ev); | |
105 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
106 | ||
107 | return 0; | |
108 | } | |
109 | ||
d365c6cf DH |
110 | static int uhid_hid_start(struct hid_device *hid) |
111 | { | |
ec4b7dea | 112 | struct uhid_device *uhid = hid->driver_data; |
c2b2f16c DH |
113 | struct uhid_event *ev; |
114 | unsigned long flags; | |
115 | ||
116 | ev = kzalloc(sizeof(*ev), GFP_KERNEL); | |
117 | if (!ev) | |
118 | return -ENOMEM; | |
119 | ||
120 | ev->type = UHID_START; | |
ec4b7dea | 121 | |
c2b2f16c DH |
122 | if (hid->report_enum[HID_FEATURE_REPORT].numbered) |
123 | ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS; | |
124 | if (hid->report_enum[HID_OUTPUT_REPORT].numbered) | |
125 | ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS; | |
126 | if (hid->report_enum[HID_INPUT_REPORT].numbered) | |
127 | ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS; | |
128 | ||
129 | spin_lock_irqsave(&uhid->qlock, flags); | |
130 | uhid_queue(uhid, ev); | |
131 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
132 | ||
133 | return 0; | |
d365c6cf DH |
134 | } |
135 | ||
136 | static void uhid_hid_stop(struct hid_device *hid) | |
137 | { | |
ec4b7dea DH |
138 | struct uhid_device *uhid = hid->driver_data; |
139 | ||
140 | hid->claimed = 0; | |
141 | uhid_queue_event(uhid, UHID_STOP); | |
d365c6cf DH |
142 | } |
143 | ||
144 | static int uhid_hid_open(struct hid_device *hid) | |
145 | { | |
e7191474 DH |
146 | struct uhid_device *uhid = hid->driver_data; |
147 | ||
148 | return uhid_queue_event(uhid, UHID_OPEN); | |
d365c6cf DH |
149 | } |
150 | ||
151 | static void uhid_hid_close(struct hid_device *hid) | |
152 | { | |
e7191474 DH |
153 | struct uhid_device *uhid = hid->driver_data; |
154 | ||
155 | uhid_queue_event(uhid, UHID_CLOSE); | |
d365c6cf DH |
156 | } |
157 | ||
d365c6cf DH |
158 | static int uhid_hid_parse(struct hid_device *hid) |
159 | { | |
037c061b DH |
160 | struct uhid_device *uhid = hid->driver_data; |
161 | ||
162 | return hid_parse_report(hid, uhid->rd_data, uhid->rd_size); | |
d365c6cf DH |
163 | } |
164 | ||
11c22155 DH |
165 | /* must be called with report_lock held */ |
166 | static int __uhid_report_queue_and_wait(struct uhid_device *uhid, | |
167 | struct uhid_event *ev, | |
168 | __u32 *report_id) | |
169 | { | |
170 | unsigned long flags; | |
171 | int ret; | |
172 | ||
173 | spin_lock_irqsave(&uhid->qlock, flags); | |
174 | *report_id = ++uhid->report_id; | |
8493ecca | 175 | uhid->report_type = ev->type + 1; |
11c22155 DH |
176 | uhid->report_running = true; |
177 | uhid_queue(uhid, ev); | |
178 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
179 | ||
180 | ret = wait_event_interruptible_timeout(uhid->report_wait, | |
181 | !uhid->report_running || !uhid->running, | |
182 | 5 * HZ); | |
183 | if (!ret || !uhid->running || uhid->report_running) | |
184 | ret = -EIO; | |
185 | else if (ret < 0) | |
186 | ret = -ERESTARTSYS; | |
187 | else | |
188 | ret = 0; | |
189 | ||
190 | uhid->report_running = false; | |
191 | ||
192 | return ret; | |
193 | } | |
194 | ||
195 | static void uhid_report_wake_up(struct uhid_device *uhid, u32 id, | |
196 | const struct uhid_event *ev) | |
197 | { | |
198 | unsigned long flags; | |
199 | ||
200 | spin_lock_irqsave(&uhid->qlock, flags); | |
201 | ||
202 | /* id for old report; drop it silently */ | |
203 | if (uhid->report_type != ev->type || uhid->report_id != id) | |
204 | goto unlock; | |
205 | if (!uhid->report_running) | |
206 | goto unlock; | |
207 | ||
208 | memcpy(&uhid->report_buf, ev, sizeof(*ev)); | |
209 | uhid->report_running = false; | |
210 | wake_up_interruptible(&uhid->report_wait); | |
211 | ||
212 | unlock: | |
213 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
214 | } | |
215 | ||
fa71f32b | 216 | static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum, |
11c22155 | 217 | u8 *buf, size_t count, u8 rtype) |
289a7162 JK |
218 | { |
219 | struct uhid_device *uhid = hid->driver_data; | |
11c22155 | 220 | struct uhid_get_report_reply_req *req; |
289a7162 | 221 | struct uhid_event *ev; |
289a7162 | 222 | int ret; |
289a7162 JK |
223 | |
224 | if (!uhid->running) | |
225 | return -EIO; | |
226 | ||
11c22155 DH |
227 | ev = kzalloc(sizeof(*ev), GFP_KERNEL); |
228 | if (!ev) | |
229 | return -ENOMEM; | |
230 | ||
231 | ev->type = UHID_GET_REPORT; | |
232 | ev->u.get_report.rnum = rnum; | |
233 | ev->u.get_report.rtype = rtype; | |
289a7162 JK |
234 | |
235 | ret = mutex_lock_interruptible(&uhid->report_lock); | |
11c22155 DH |
236 | if (ret) { |
237 | kfree(ev); | |
289a7162 | 238 | return ret; |
11c22155 | 239 | } |
289a7162 | 240 | |
11c22155 DH |
241 | /* this _always_ takes ownership of @ev */ |
242 | ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id); | |
243 | if (ret) | |
289a7162 | 244 | goto unlock; |
11c22155 DH |
245 | |
246 | req = &uhid->report_buf.u.get_report_reply; | |
247 | if (req->err) { | |
248 | ret = -EIO; | |
249 | } else { | |
250 | ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX); | |
251 | memcpy(buf, req->data, ret); | |
289a7162 JK |
252 | } |
253 | ||
11c22155 DH |
254 | unlock: |
255 | mutex_unlock(&uhid->report_lock); | |
256 | return ret; | |
257 | } | |
289a7162 | 258 | |
11c22155 DH |
259 | static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum, |
260 | const u8 *buf, size_t count, u8 rtype) | |
261 | { | |
262 | struct uhid_device *uhid = hid->driver_data; | |
263 | struct uhid_event *ev; | |
264 | int ret; | |
289a7162 | 265 | |
11c22155 DH |
266 | if (!uhid->running || count > UHID_DATA_MAX) |
267 | return -EIO; | |
289a7162 | 268 | |
11c22155 DH |
269 | ev = kzalloc(sizeof(*ev), GFP_KERNEL); |
270 | if (!ev) | |
271 | return -ENOMEM; | |
289a7162 | 272 | |
11c22155 DH |
273 | ev->type = UHID_SET_REPORT; |
274 | ev->u.set_report.rnum = rnum; | |
275 | ev->u.set_report.rtype = rtype; | |
276 | ev->u.set_report.size = count; | |
277 | memcpy(ev->u.set_report.data, buf, count); | |
289a7162 | 278 | |
11c22155 DH |
279 | ret = mutex_lock_interruptible(&uhid->report_lock); |
280 | if (ret) { | |
281 | kfree(ev); | |
282 | return ret; | |
289a7162 JK |
283 | } |
284 | ||
11c22155 DH |
285 | /* this _always_ takes ownership of @ev */ |
286 | ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id); | |
287 | if (ret) | |
288 | goto unlock; | |
289 | ||
290 | if (uhid->report_buf.u.set_report_reply.err) | |
291 | ret = -EIO; | |
292 | else | |
293 | ret = count; | |
289a7162 JK |
294 | |
295 | unlock: | |
296 | mutex_unlock(&uhid->report_lock); | |
11c22155 | 297 | return ret; |
289a7162 JK |
298 | } |
299 | ||
7c4003bc DH |
300 | static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum, |
301 | __u8 *buf, size_t len, unsigned char rtype, | |
302 | int reqtype) | |
303 | { | |
11c22155 DH |
304 | u8 u_rtype; |
305 | ||
306 | switch (rtype) { | |
307 | case HID_FEATURE_REPORT: | |
308 | u_rtype = UHID_FEATURE_REPORT; | |
309 | break; | |
310 | case HID_OUTPUT_REPORT: | |
311 | u_rtype = UHID_OUTPUT_REPORT; | |
312 | break; | |
313 | case HID_INPUT_REPORT: | |
314 | u_rtype = UHID_INPUT_REPORT; | |
315 | break; | |
316 | default: | |
317 | return -EINVAL; | |
318 | } | |
319 | ||
7c4003bc DH |
320 | switch (reqtype) { |
321 | case HID_REQ_GET_REPORT: | |
11c22155 | 322 | return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype); |
7c4003bc | 323 | case HID_REQ_SET_REPORT: |
11c22155 | 324 | return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype); |
7c4003bc DH |
325 | default: |
326 | return -EIO; | |
327 | } | |
328 | } | |
329 | ||
d365c6cf DH |
330 | static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count, |
331 | unsigned char report_type) | |
332 | { | |
3b3baa82 DH |
333 | struct uhid_device *uhid = hid->driver_data; |
334 | __u8 rtype; | |
335 | unsigned long flags; | |
336 | struct uhid_event *ev; | |
337 | ||
338 | switch (report_type) { | |
339 | case HID_FEATURE_REPORT: | |
340 | rtype = UHID_FEATURE_REPORT; | |
341 | break; | |
342 | case HID_OUTPUT_REPORT: | |
343 | rtype = UHID_OUTPUT_REPORT; | |
344 | break; | |
345 | default: | |
346 | return -EINVAL; | |
347 | } | |
348 | ||
349 | if (count < 1 || count > UHID_DATA_MAX) | |
350 | return -EINVAL; | |
351 | ||
352 | ev = kzalloc(sizeof(*ev), GFP_KERNEL); | |
353 | if (!ev) | |
354 | return -ENOMEM; | |
355 | ||
356 | ev->type = UHID_OUTPUT; | |
357 | ev->u.output.size = count; | |
358 | ev->u.output.rtype = rtype; | |
359 | memcpy(ev->u.output.data, buf, count); | |
360 | ||
361 | spin_lock_irqsave(&uhid->qlock, flags); | |
362 | uhid_queue(uhid, ev); | |
363 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
364 | ||
365 | return count; | |
d365c6cf DH |
366 | } |
367 | ||
596cfdd8 FP |
368 | static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf, |
369 | size_t count) | |
370 | { | |
41abfb36 | 371 | return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT); |
596cfdd8 FP |
372 | } |
373 | ||
fc2237a7 | 374 | struct hid_ll_driver uhid_hid_driver = { |
d365c6cf DH |
375 | .start = uhid_hid_start, |
376 | .stop = uhid_hid_stop, | |
377 | .open = uhid_hid_open, | |
378 | .close = uhid_hid_close, | |
d365c6cf | 379 | .parse = uhid_hid_parse, |
7c4003bc | 380 | .raw_request = uhid_hid_raw_request, |
596cfdd8 | 381 | .output_report = uhid_hid_output_report, |
d365c6cf | 382 | }; |
fc2237a7 | 383 | EXPORT_SYMBOL_GPL(uhid_hid_driver); |
d365c6cf | 384 | |
befde022 DT |
385 | #ifdef CONFIG_COMPAT |
386 | ||
387 | /* Apparently we haven't stepped on these rakes enough times yet. */ | |
388 | struct uhid_create_req_compat { | |
389 | __u8 name[128]; | |
390 | __u8 phys[64]; | |
391 | __u8 uniq[64]; | |
392 | ||
393 | compat_uptr_t rd_data; | |
394 | __u16 rd_size; | |
395 | ||
396 | __u16 bus; | |
397 | __u32 vendor; | |
398 | __u32 product; | |
399 | __u32 version; | |
400 | __u32 country; | |
401 | } __attribute__((__packed__)); | |
402 | ||
403 | static int uhid_event_from_user(const char __user *buffer, size_t len, | |
404 | struct uhid_event *event) | |
405 | { | |
7365abba | 406 | if (in_compat_syscall()) { |
befde022 DT |
407 | u32 type; |
408 | ||
409 | if (get_user(type, buffer)) | |
410 | return -EFAULT; | |
411 | ||
412 | if (type == UHID_CREATE) { | |
413 | /* | |
414 | * This is our messed up request with compat pointer. | |
415 | * It is largish (more than 256 bytes) so we better | |
416 | * allocate it from the heap. | |
417 | */ | |
418 | struct uhid_create_req_compat *compat; | |
419 | ||
80897aa7 | 420 | compat = kzalloc(sizeof(*compat), GFP_KERNEL); |
befde022 DT |
421 | if (!compat) |
422 | return -ENOMEM; | |
423 | ||
424 | buffer += sizeof(type); | |
425 | len -= sizeof(type); | |
426 | if (copy_from_user(compat, buffer, | |
427 | min(len, sizeof(*compat)))) { | |
428 | kfree(compat); | |
429 | return -EFAULT; | |
430 | } | |
431 | ||
432 | /* Shuffle the data over to proper structure */ | |
433 | event->type = type; | |
434 | ||
435 | memcpy(event->u.create.name, compat->name, | |
436 | sizeof(compat->name)); | |
437 | memcpy(event->u.create.phys, compat->phys, | |
438 | sizeof(compat->phys)); | |
439 | memcpy(event->u.create.uniq, compat->uniq, | |
440 | sizeof(compat->uniq)); | |
441 | ||
442 | event->u.create.rd_data = compat_ptr(compat->rd_data); | |
443 | event->u.create.rd_size = compat->rd_size; | |
444 | ||
445 | event->u.create.bus = compat->bus; | |
446 | event->u.create.vendor = compat->vendor; | |
447 | event->u.create.product = compat->product; | |
448 | event->u.create.version = compat->version; | |
449 | event->u.create.country = compat->country; | |
450 | ||
451 | kfree(compat); | |
452 | return 0; | |
453 | } | |
454 | /* All others can be copied directly */ | |
455 | } | |
456 | ||
457 | if (copy_from_user(event, buffer, min(len, sizeof(*event)))) | |
458 | return -EFAULT; | |
459 | ||
460 | return 0; | |
461 | } | |
462 | #else | |
463 | static int uhid_event_from_user(const char __user *buffer, size_t len, | |
464 | struct uhid_event *event) | |
465 | { | |
466 | if (copy_from_user(event, buffer, min(len, sizeof(*event)))) | |
467 | return -EFAULT; | |
468 | ||
469 | return 0; | |
470 | } | |
471 | #endif | |
472 | ||
4522643a PG |
473 | static int uhid_dev_create2(struct uhid_device *uhid, |
474 | const struct uhid_event *ev) | |
475 | { | |
476 | struct hid_device *hid; | |
25be7fe2 | 477 | size_t rd_size, len; |
41c4a464 | 478 | void *rd_data; |
4522643a PG |
479 | int ret; |
480 | ||
481 | if (uhid->running) | |
482 | return -EALREADY; | |
483 | ||
41c4a464 DH |
484 | rd_size = ev->u.create2.rd_size; |
485 | if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE) | |
4522643a PG |
486 | return -EINVAL; |
487 | ||
41c4a464 DH |
488 | rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL); |
489 | if (!rd_data) | |
4522643a PG |
490 | return -ENOMEM; |
491 | ||
41c4a464 DH |
492 | uhid->rd_size = rd_size; |
493 | uhid->rd_data = rd_data; | |
494 | ||
4522643a PG |
495 | hid = hid_allocate_device(); |
496 | if (IS_ERR(hid)) { | |
497 | ret = PTR_ERR(hid); | |
498 | goto err_free; | |
499 | } | |
500 | ||
25be7fe2 DH |
501 | len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1; |
502 | strncpy(hid->name, ev->u.create2.name, len); | |
503 | len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1; | |
504 | strncpy(hid->phys, ev->u.create2.phys, len); | |
505 | len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1; | |
506 | strncpy(hid->uniq, ev->u.create2.uniq, len); | |
4522643a PG |
507 | |
508 | hid->ll_driver = &uhid_hid_driver; | |
509 | hid->bus = ev->u.create2.bus; | |
510 | hid->vendor = ev->u.create2.vendor; | |
511 | hid->product = ev->u.create2.product; | |
512 | hid->version = ev->u.create2.version; | |
513 | hid->country = ev->u.create2.country; | |
514 | hid->driver_data = uhid; | |
515 | hid->dev.parent = uhid_misc.this_device; | |
516 | ||
517 | uhid->hid = hid; | |
518 | uhid->running = true; | |
519 | ||
67f8ecc5 RC |
520 | /* Adding of a HID device is done through a worker, to allow HID drivers |
521 | * which use feature requests during .probe to work, without they would | |
522 | * be blocked on devlock, which is held by uhid_char_write. | |
523 | */ | |
524 | schedule_work(&uhid->worker); | |
4522643a PG |
525 | |
526 | return 0; | |
527 | ||
4522643a PG |
528 | err_free: |
529 | kfree(uhid->rd_data); | |
41c4a464 DH |
530 | uhid->rd_data = NULL; |
531 | uhid->rd_size = 0; | |
4522643a PG |
532 | return ret; |
533 | } | |
534 | ||
56c47754 DH |
535 | static int uhid_dev_create(struct uhid_device *uhid, |
536 | struct uhid_event *ev) | |
537 | { | |
538 | struct uhid_create_req orig; | |
539 | ||
540 | orig = ev->u.create; | |
541 | ||
542 | if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE) | |
543 | return -EINVAL; | |
544 | if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size)) | |
545 | return -EFAULT; | |
546 | ||
547 | memcpy(ev->u.create2.name, orig.name, sizeof(orig.name)); | |
548 | memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys)); | |
549 | memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq)); | |
550 | ev->u.create2.rd_size = orig.rd_size; | |
551 | ev->u.create2.bus = orig.bus; | |
552 | ev->u.create2.vendor = orig.vendor; | |
553 | ev->u.create2.product = orig.product; | |
554 | ev->u.create2.version = orig.version; | |
555 | ev->u.create2.country = orig.country; | |
556 | ||
557 | return uhid_dev_create2(uhid, ev); | |
558 | } | |
559 | ||
d365c6cf DH |
560 | static int uhid_dev_destroy(struct uhid_device *uhid) |
561 | { | |
562 | if (!uhid->running) | |
563 | return -EINVAL; | |
564 | ||
565 | uhid->running = false; | |
fcfcf0de | 566 | wake_up_interruptible(&uhid->report_wait); |
d365c6cf | 567 | |
67f8ecc5 RC |
568 | cancel_work_sync(&uhid->worker); |
569 | ||
d365c6cf DH |
570 | hid_destroy_device(uhid->hid); |
571 | kfree(uhid->rd_data); | |
572 | ||
573 | return 0; | |
574 | } | |
575 | ||
5e87a36a DH |
576 | static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev) |
577 | { | |
578 | if (!uhid->running) | |
579 | return -EINVAL; | |
580 | ||
581 | hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data, | |
582 | min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0); | |
583 | ||
584 | return 0; | |
585 | } | |
586 | ||
4522643a PG |
587 | static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev) |
588 | { | |
589 | if (!uhid->running) | |
590 | return -EINVAL; | |
591 | ||
592 | hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data, | |
593 | min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0); | |
594 | ||
595 | return 0; | |
596 | } | |
597 | ||
fa71f32b DH |
598 | static int uhid_dev_get_report_reply(struct uhid_device *uhid, |
599 | struct uhid_event *ev) | |
fcfcf0de | 600 | { |
fcfcf0de DH |
601 | if (!uhid->running) |
602 | return -EINVAL; | |
603 | ||
11c22155 DH |
604 | uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev); |
605 | return 0; | |
606 | } | |
fcfcf0de | 607 | |
11c22155 DH |
608 | static int uhid_dev_set_report_reply(struct uhid_device *uhid, |
609 | struct uhid_event *ev) | |
610 | { | |
611 | if (!uhid->running) | |
612 | return -EINVAL; | |
fcfcf0de | 613 | |
11c22155 | 614 | uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev); |
fcfcf0de DH |
615 | return 0; |
616 | } | |
617 | ||
1ccd7a2a DH |
618 | static int uhid_char_open(struct inode *inode, struct file *file) |
619 | { | |
ace3d861 DH |
620 | struct uhid_device *uhid; |
621 | ||
622 | uhid = kzalloc(sizeof(*uhid), GFP_KERNEL); | |
623 | if (!uhid) | |
624 | return -ENOMEM; | |
625 | ||
d937ae5f | 626 | mutex_init(&uhid->devlock); |
fcfcf0de | 627 | mutex_init(&uhid->report_lock); |
ace3d861 DH |
628 | spin_lock_init(&uhid->qlock); |
629 | init_waitqueue_head(&uhid->waitq); | |
fcfcf0de | 630 | init_waitqueue_head(&uhid->report_wait); |
d365c6cf | 631 | uhid->running = false; |
67f8ecc5 | 632 | INIT_WORK(&uhid->worker, uhid_device_add_worker); |
ace3d861 DH |
633 | |
634 | file->private_data = uhid; | |
635 | nonseekable_open(inode, file); | |
636 | ||
1ccd7a2a DH |
637 | return 0; |
638 | } | |
639 | ||
640 | static int uhid_char_release(struct inode *inode, struct file *file) | |
641 | { | |
ace3d861 DH |
642 | struct uhid_device *uhid = file->private_data; |
643 | unsigned int i; | |
644 | ||
d365c6cf DH |
645 | uhid_dev_destroy(uhid); |
646 | ||
ace3d861 DH |
647 | for (i = 0; i < UHID_BUFSIZE; ++i) |
648 | kfree(uhid->outq[i]); | |
649 | ||
650 | kfree(uhid); | |
651 | ||
1ccd7a2a DH |
652 | return 0; |
653 | } | |
654 | ||
655 | static ssize_t uhid_char_read(struct file *file, char __user *buffer, | |
656 | size_t count, loff_t *ppos) | |
657 | { | |
d937ae5f DH |
658 | struct uhid_device *uhid = file->private_data; |
659 | int ret; | |
660 | unsigned long flags; | |
661 | size_t len; | |
662 | ||
663 | /* they need at least the "type" member of uhid_event */ | |
664 | if (count < sizeof(__u32)) | |
665 | return -EINVAL; | |
666 | ||
667 | try_again: | |
668 | if (file->f_flags & O_NONBLOCK) { | |
669 | if (uhid->head == uhid->tail) | |
670 | return -EAGAIN; | |
671 | } else { | |
672 | ret = wait_event_interruptible(uhid->waitq, | |
673 | uhid->head != uhid->tail); | |
674 | if (ret) | |
675 | return ret; | |
676 | } | |
677 | ||
678 | ret = mutex_lock_interruptible(&uhid->devlock); | |
679 | if (ret) | |
680 | return ret; | |
681 | ||
682 | if (uhid->head == uhid->tail) { | |
683 | mutex_unlock(&uhid->devlock); | |
684 | goto try_again; | |
685 | } else { | |
686 | len = min(count, sizeof(**uhid->outq)); | |
adefb69b | 687 | if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) { |
d937ae5f DH |
688 | ret = -EFAULT; |
689 | } else { | |
690 | kfree(uhid->outq[uhid->tail]); | |
691 | uhid->outq[uhid->tail] = NULL; | |
692 | ||
693 | spin_lock_irqsave(&uhid->qlock, flags); | |
694 | uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE; | |
695 | spin_unlock_irqrestore(&uhid->qlock, flags); | |
696 | } | |
697 | } | |
698 | ||
699 | mutex_unlock(&uhid->devlock); | |
700 | return ret ? ret : len; | |
1ccd7a2a DH |
701 | } |
702 | ||
703 | static ssize_t uhid_char_write(struct file *file, const char __user *buffer, | |
704 | size_t count, loff_t *ppos) | |
705 | { | |
6664ef72 DH |
706 | struct uhid_device *uhid = file->private_data; |
707 | int ret; | |
708 | size_t len; | |
709 | ||
710 | /* we need at least the "type" member of uhid_event */ | |
711 | if (count < sizeof(__u32)) | |
712 | return -EINVAL; | |
713 | ||
714 | ret = mutex_lock_interruptible(&uhid->devlock); | |
715 | if (ret) | |
716 | return ret; | |
717 | ||
718 | memset(&uhid->input_buf, 0, sizeof(uhid->input_buf)); | |
719 | len = min(count, sizeof(uhid->input_buf)); | |
befde022 DT |
720 | |
721 | ret = uhid_event_from_user(buffer, len, &uhid->input_buf); | |
722 | if (ret) | |
6664ef72 | 723 | goto unlock; |
6664ef72 DH |
724 | |
725 | switch (uhid->input_buf.type) { | |
d365c6cf | 726 | case UHID_CREATE: |
5e12f7f7 EB |
727 | /* |
728 | * 'struct uhid_create_req' contains a __user pointer which is | |
729 | * copied from, so it's unsafe to allow this with elevated | |
730 | * privileges (e.g. from a setuid binary) or via kernel_write(). | |
731 | */ | |
732 | if (file->f_cred != current_cred() || uaccess_kernel()) { | |
733 | pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", | |
734 | task_tgid_vnr(current), current->comm); | |
735 | ret = -EACCES; | |
736 | goto unlock; | |
737 | } | |
d365c6cf DH |
738 | ret = uhid_dev_create(uhid, &uhid->input_buf); |
739 | break; | |
4522643a PG |
740 | case UHID_CREATE2: |
741 | ret = uhid_dev_create2(uhid, &uhid->input_buf); | |
742 | break; | |
d365c6cf DH |
743 | case UHID_DESTROY: |
744 | ret = uhid_dev_destroy(uhid); | |
745 | break; | |
5e87a36a DH |
746 | case UHID_INPUT: |
747 | ret = uhid_dev_input(uhid, &uhid->input_buf); | |
748 | break; | |
4522643a PG |
749 | case UHID_INPUT2: |
750 | ret = uhid_dev_input2(uhid, &uhid->input_buf); | |
751 | break; | |
fa71f32b DH |
752 | case UHID_GET_REPORT_REPLY: |
753 | ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf); | |
fcfcf0de | 754 | break; |
11c22155 DH |
755 | case UHID_SET_REPORT_REPLY: |
756 | ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf); | |
757 | break; | |
6664ef72 DH |
758 | default: |
759 | ret = -EOPNOTSUPP; | |
760 | } | |
761 | ||
762 | unlock: | |
763 | mutex_unlock(&uhid->devlock); | |
764 | ||
765 | /* return "count" not "len" to not confuse the caller */ | |
766 | return ret ? ret : count; | |
1ccd7a2a DH |
767 | } |
768 | ||
769 | static unsigned int uhid_char_poll(struct file *file, poll_table *wait) | |
770 | { | |
1f9dec1e DH |
771 | struct uhid_device *uhid = file->private_data; |
772 | ||
773 | poll_wait(file, &uhid->waitq, wait); | |
774 | ||
775 | if (uhid->head != uhid->tail) | |
776 | return POLLIN | POLLRDNORM; | |
777 | ||
6c4ec0da | 778 | return EPOLLOUT | EPOLLWRNORM; |
1ccd7a2a DH |
779 | } |
780 | ||
781 | static const struct file_operations uhid_fops = { | |
782 | .owner = THIS_MODULE, | |
783 | .open = uhid_char_open, | |
784 | .release = uhid_char_release, | |
785 | .read = uhid_char_read, | |
786 | .write = uhid_char_write, | |
787 | .poll = uhid_char_poll, | |
788 | .llseek = no_llseek, | |
789 | }; | |
790 | ||
791 | static struct miscdevice uhid_misc = { | |
792 | .fops = &uhid_fops, | |
19872d20 | 793 | .minor = UHID_MINOR, |
1ccd7a2a DH |
794 | .name = UHID_NAME, |
795 | }; | |
ca75d601 | 796 | module_misc_device(uhid_misc); |
1ccd7a2a | 797 | |
1ccd7a2a DH |
798 | MODULE_LICENSE("GPL"); |
799 | MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>"); | |
800 | MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem"); | |
19872d20 | 801 | MODULE_ALIAS_MISCDEV(UHID_MINOR); |
60cbd53e | 802 | MODULE_ALIAS("devname:" UHID_NAME); |