[mirror_ubuntu-artful-kernel.git] / drivers / hid / uhid.c

/*
 * User-space I/O driver support for HID subsystem
 * Copyright (c) 2012 David Herrmann
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */

#include <linux/atomic.h>
#include <linux/compat.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/hid.h>
#include <linux/input.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/poll.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
#include <linux/uhid.h>
#include <linux/wait.h>

#define UHID_NAME	"uhid"
#define UHID_BUFSIZE	32

struct uhid_device {
	struct mutex devlock;
	bool running;

	__u8 *rd_data;
	uint rd_size;

	struct hid_device *hid;
	struct uhid_event input_buf;

	wait_queue_head_t waitq;
	spinlock_t qlock;
	__u8 head;
	__u8 tail;
	struct uhid_event *outq[UHID_BUFSIZE];

	/* blocking GET_REPORT support; state changes protected by qlock */
	struct mutex report_lock;
	wait_queue_head_t report_wait;
	bool report_running;
	u32 report_id;
	struct uhid_event report_buf;
};

static struct miscdevice uhid_misc;

static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
{
	__u8 newhead;

	newhead = (uhid->head + 1) % UHID_BUFSIZE;

	if (newhead != uhid->tail) {
		uhid->outq[uhid->head] = ev;
		uhid->head = newhead;
		wake_up_interruptible(&uhid->waitq);
	} else {
		hid_warn(uhid->hid, "Output queue is full\n");
		kfree(ev);
	}
}

static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
{
	unsigned long flags;
	struct uhid_event *ev;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = event;

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return 0;
}

static int uhid_hid_start(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return uhid_queue_event(uhid, UHID_START);
}

static void uhid_hid_stop(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	hid->claimed = 0;
	uhid_queue_event(uhid, UHID_STOP);
}

static int uhid_hid_open(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return uhid_queue_event(uhid, UHID_OPEN);
}

static void uhid_hid_close(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	uhid_queue_event(uhid, UHID_CLOSE);
}

static int uhid_hid_parse(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
}

static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
			    __u8 *buf, size_t count, unsigned char rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	__u8 report_type;
	struct uhid_event *ev;
	unsigned long flags;
	int ret;
	size_t uninitialized_var(len);
	struct uhid_feature_answer_req *req;

	if (!uhid->running)
		return -EIO;

	switch (rtype) {
	case HID_FEATURE_REPORT:
		report_type = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		report_type = UHID_OUTPUT_REPORT;
		break;
	case HID_INPUT_REPORT:
		report_type = UHID_INPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret)
		return ret;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev) {
		ret = -ENOMEM;
		goto unlock;
	}

	spin_lock_irqsave(&uhid->qlock, flags);
	ev->type = UHID_FEATURE;
	ev->u.feature.id = ++uhid->report_id;
	ev->u.feature.rnum = rnum;
	ev->u.feature.rtype = report_type;

	uhid->report_running = true;
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	ret = wait_event_interruptible_timeout(uhid->report_wait,
				!uhid->report_running || !uhid->running,
				5 * HZ);

	if (!ret || !uhid->running) {
		ret = -EIO;
	} else if (ret < 0) {
		ret = -ERESTARTSYS;
	} else {
		spin_lock_irqsave(&uhid->qlock, flags);
		req = &uhid->report_buf.u.feature_answer;

		if (req->err) {
			ret = -EIO;
		} else {
			ret = 0;
			len = min(count,
				min_t(size_t, req->size, UHID_DATA_MAX));
			memcpy(buf, req->data, len);
		}

		spin_unlock_irqrestore(&uhid->qlock, flags);
	}

	uhid->report_running = false;

unlock:
	mutex_unlock(&uhid->report_lock);
	return ret ? ret : len;
}

static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
			       unsigned char report_type)
{
	struct uhid_device *uhid = hid->driver_data;
	__u8 rtype;
	unsigned long flags;
	struct uhid_event *ev;

	switch (report_type) {
	case HID_FEATURE_REPORT:
		rtype = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		rtype = UHID_OUTPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	if (count < 1 || count > UHID_DATA_MAX)
		return -EINVAL;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_OUTPUT;
	ev->u.output.size = count;
	ev->u.output.rtype = rtype;
	memcpy(ev->u.output.data, buf, count);

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return count;
}

static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
				  size_t count)
{
	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
}

static int uhid_raw_request(struct hid_device *hid, unsigned char reportnum,
			    __u8 *buf, size_t len, unsigned char rtype,
			    int reqtype)
{
	switch (reqtype) {
	case HID_REQ_GET_REPORT:
		return uhid_hid_get_raw(hid, reportnum, buf, len, rtype);
	case HID_REQ_SET_REPORT:
		/* TODO: implement proper SET_REPORT functionality */
		return -ENOSYS;
	default:
		return -EIO;
	}
}

static struct hid_ll_driver uhid_hid_driver = {
	.start = uhid_hid_start,
	.stop = uhid_hid_stop,
	.open = uhid_hid_open,
	.close = uhid_hid_close,
	.parse = uhid_hid_parse,
	.output_report = uhid_hid_output_report,
	.raw_request = uhid_raw_request,
};

#ifdef CONFIG_COMPAT

/* Apparently we haven't stepped on these rakes enough times yet. */
struct uhid_create_req_compat {
	__u8 name[128];
	__u8 phys[64];
	__u8 uniq[64];

	compat_uptr_t rd_data;
	__u16 rd_size;

	__u16 bus;
	__u32 vendor;
	__u32 product;
	__u32 version;
	__u32 country;
} __attribute__((__packed__));

static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (is_compat_task()) {
		u32 type;

		if (get_user(type, buffer))
			return -EFAULT;

		if (type == UHID_CREATE) {
			/*
			 * This is our messed up request with compat pointer.
			 * It is largish (more than 256 bytes) so we better
			 * allocate it from the heap.
			 */
			struct uhid_create_req_compat *compat;

			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
			if (!compat)
				return -ENOMEM;

			buffer += sizeof(type);
			len -= sizeof(type);
			if (copy_from_user(compat, buffer,
					   min(len, sizeof(*compat)))) {
				kfree(compat);
				return -EFAULT;
			}

			/* Shuffle the data over to proper structure */
			event->type = type;

			memcpy(event->u.create.name, compat->name,
				sizeof(compat->name));
			memcpy(event->u.create.phys, compat->phys,
				sizeof(compat->phys));
			memcpy(event->u.create.uniq, compat->uniq,
				sizeof(compat->uniq));

			event->u.create.rd_data = compat_ptr(compat->rd_data);
			event->u.create.rd_size = compat->rd_size;

			event->u.create.bus = compat->bus;
			event->u.create.vendor = compat->vendor;
			event->u.create.product = compat->product;
			event->u.create.version = compat->version;
			event->u.create.country = compat->country;

			kfree(compat);
			return 0;
		}
		/* All others can be copied directly */
	}

	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#else
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#endif

static int uhid_dev_create2(struct uhid_device *uhid,
			    const struct uhid_event *ev)
{
	struct hid_device *hid;
	size_t rd_size, len;
	void *rd_data;
	int ret;

	if (uhid->running)
		return -EALREADY;

	rd_size = ev->u.create2.rd_size;
	if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
	if (!rd_data)
		return -ENOMEM;

	uhid->rd_size = rd_size;
	uhid->rd_data = rd_data;

	hid = hid_allocate_device();
	if (IS_ERR(hid)) {
		ret = PTR_ERR(hid);
		goto err_free;
	}

	len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
	strncpy(hid->name, ev->u.create2.name, len);
	len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
	strncpy(hid->phys, ev->u.create2.phys, len);
	len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
	strncpy(hid->uniq, ev->u.create2.uniq, len);

	hid->ll_driver = &uhid_hid_driver;
	hid->bus = ev->u.create2.bus;
	hid->vendor = ev->u.create2.vendor;
	hid->product = ev->u.create2.product;
	hid->version = ev->u.create2.version;
	hid->country = ev->u.create2.country;
	hid->driver_data = uhid;
	hid->dev.parent = uhid_misc.this_device;

	uhid->hid = hid;
	uhid->running = true;

	ret = hid_add_device(hid);
	if (ret) {
		hid_err(hid, "Cannot register HID device\n");
		goto err_hid;
	}

	return 0;

err_hid:
	hid_destroy_device(hid);
	uhid->hid = NULL;
	uhid->running = false;
err_free:
	kfree(uhid->rd_data);
	uhid->rd_data = NULL;
	uhid->rd_size = 0;
	return ret;
}

static int uhid_dev_create(struct uhid_device *uhid,
			   struct uhid_event *ev)
{
	struct uhid_create_req orig;

	orig = ev->u.create;

	if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;
	if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
		return -EFAULT;

	memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
	memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
	memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
	ev->u.create2.rd_size = orig.rd_size;
	ev->u.create2.bus = orig.bus;
	ev->u.create2.vendor = orig.vendor;
	ev->u.create2.product = orig.product;
	ev->u.create2.version = orig.version;
	ev->u.create2.country = orig.country;

	return uhid_dev_create2(uhid, ev);
}

static int uhid_dev_destroy(struct uhid_device *uhid)
{
	if (!uhid->running)
		return -EINVAL;

	uhid->running = false;
	wake_up_interruptible(&uhid->report_wait);

	hid_destroy_device(uhid->hid);
	kfree(uhid->rd_data);

	return 0;
}

static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!uhid->running)
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
			 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);

	return 0;
}

static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!uhid->running)
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
			 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);

	return 0;
}

static int uhid_dev_feature_answer(struct uhid_device *uhid,
				   struct uhid_event *ev)
{
	unsigned long flags;

	if (!uhid->running)
		return -EINVAL;

	spin_lock_irqsave(&uhid->qlock, flags);

	/* id for old report; drop it silently */
	if (uhid->report_id != ev->u.feature_answer.id)
		goto unlock;
	if (!uhid->report_running)
		goto unlock;

	memcpy(&uhid->report_buf, ev, sizeof(*ev));
	uhid->report_running = false;
	wake_up_interruptible(&uhid->report_wait);

unlock:
	spin_unlock_irqrestore(&uhid->qlock, flags);
	return 0;
}

static int uhid_char_open(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid;

	uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
	if (!uhid)
		return -ENOMEM;

	mutex_init(&uhid->devlock);
	mutex_init(&uhid->report_lock);
	spin_lock_init(&uhid->qlock);
	init_waitqueue_head(&uhid->waitq);
	init_waitqueue_head(&uhid->report_wait);
	uhid->running = false;

	file->private_data = uhid;
	nonseekable_open(inode, file);

	return 0;
}

static int uhid_char_release(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid = file->private_data;
	unsigned int i;

	uhid_dev_destroy(uhid);

	for (i = 0; i < UHID_BUFSIZE; ++i)
		kfree(uhid->outq[i]);

	kfree(uhid);

	return 0;
}

static ssize_t uhid_char_read(struct file *file, char __user *buffer,
				size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	int ret;
	unsigned long flags;
	size_t len;

	/* they need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

try_again:
	if (file->f_flags & O_NONBLOCK) {
		if (uhid->head == uhid->tail)
			return -EAGAIN;
	} else {
		ret = wait_event_interruptible(uhid->waitq,
						uhid->head != uhid->tail);
		if (ret)
			return ret;
	}

	ret = mutex_lock_interruptible(&uhid->devlock);
	if (ret)
		return ret;

	if (uhid->head == uhid->tail) {
		mutex_unlock(&uhid->devlock);
		goto try_again;
	} else {
		len = min(count, sizeof(**uhid->outq));
		if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
			ret = -EFAULT;
		} else {
			kfree(uhid->outq[uhid->tail]);
			uhid->outq[uhid->tail] = NULL;

			spin_lock_irqsave(&uhid->qlock, flags);
			uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
			spin_unlock_irqrestore(&uhid->qlock, flags);
		}
	}

	mutex_unlock(&uhid->devlock);
	return ret ? ret : len;
}

static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
				size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	int ret;
	size_t len;

	/* we need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

	ret = mutex_lock_interruptible(&uhid->devlock);
	if (ret)
		return ret;

	memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
	len = min(count, sizeof(uhid->input_buf));

	ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
	if (ret)
		goto unlock;

	switch (uhid->input_buf.type) {
	case UHID_CREATE:
		ret = uhid_dev_create(uhid, &uhid->input_buf);
		break;
	case UHID_CREATE2:
		ret = uhid_dev_create2(uhid, &uhid->input_buf);
		break;
	case UHID_DESTROY:
		ret = uhid_dev_destroy(uhid);
		break;
	case UHID_INPUT:
		ret = uhid_dev_input(uhid, &uhid->input_buf);
		break;
	case UHID_INPUT2:
		ret = uhid_dev_input2(uhid, &uhid->input_buf);
		break;
	case UHID_FEATURE_ANSWER:
		ret = uhid_dev_feature_answer(uhid, &uhid->input_buf);
		break;
	default:
		ret = -EOPNOTSUPP;
	}

unlock:
	mutex_unlock(&uhid->devlock);

	/* return "count" not "len" to not confuse the caller */
	return ret ? ret : count;
}

static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
{
	struct uhid_device *uhid = file->private_data;

	poll_wait(file, &uhid->waitq, wait);

	if (uhid->head != uhid->tail)
		return POLLIN | POLLRDNORM;

	return 0;
}

static const struct file_operations uhid_fops = {
	.owner		= THIS_MODULE,
	.open		= uhid_char_open,
	.release	= uhid_char_release,
	.read		= uhid_char_read,
	.write		= uhid_char_write,
	.poll		= uhid_char_poll,
	.llseek		= no_llseek,
};

static struct miscdevice uhid_misc = {
	.fops		= &uhid_fops,
	.minor		= UHID_MINOR,
	.name		= UHID_NAME,
};

static int __init uhid_init(void)
{
	return misc_register(&uhid_misc);
}

static void __exit uhid_exit(void)
{
	misc_deregister(&uhid_misc);
}

module_init(uhid_init);
module_exit(uhid_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
MODULE_ALIAS_MISCDEV(UHID_MINOR);
MODULE_ALIAS("devname:" UHID_NAME);
Commit	Line	Data
1ccd7a2a DH	1	/*
	2	* User-space I/O driver support for HID subsystem
	3	* Copyright (c) 2012 David Herrmann
	4	*/
	5
	6	/*
	7	* This program is free software; you can redistribute it and/or modify it
	8	* under the terms of the GNU General Public License as published by the Free
	9	* Software Foundation; either version 2 of the License, or (at your option)
	10	* any later version.
	11	*/
	12
	13	#include <linux/atomic.h>
befde022	14	#include <linux/compat.h>
1ccd7a2a DH	15	#include <linux/device.h>
	16	#include <linux/fs.h>
	17	#include <linux/hid.h>
	18	#include <linux/input.h>
	19	#include <linux/miscdevice.h>
	20	#include <linux/module.h>
	21	#include <linux/mutex.h>
	22	#include <linux/poll.h>
	23	#include <linux/sched.h>
	24	#include <linux/spinlock.h>
	25	#include <linux/uhid.h>
	26	#include <linux/wait.h>
	27
	28	#define UHID_NAME "uhid"
ace3d861 DH	29	#define UHID_BUFSIZE 32
	30
	31	struct uhid_device {
d937ae5f	32	struct mutex devlock;
d365c6cf DH	33	bool running;
	34
	35	__u8 *rd_data;
	36	uint rd_size;
	37
ace3d861	38	struct hid_device *hid;
6664ef72	39	struct uhid_event input_buf;
ace3d861 DH	40
	41	wait_queue_head_t waitq;
	42	spinlock_t qlock;
	43	__u8 head;
	44	__u8 tail;
	45	struct uhid_event *outq[UHID_BUFSIZE];
fcfcf0de	46
8cad5b01	47	/* blocking GET_REPORT support; state changes protected by qlock */
fcfcf0de DH	48	struct mutex report_lock;
fcfcf0de DH	49	wait_queue_head_t report_wait;
5942b849	50	bool report_running;
8cad5b01	51	u32 report_id;
fcfcf0de	52	struct uhid_event report_buf;
ace3d861	53	};
1ccd7a2a DH	54
	55	static struct miscdevice uhid_misc;
	56
ace3d861 DH	57	static void uhid_queue(struct uhid_device uhid, struct uhid_event ev)
	58	{
	59	__u8 newhead;
	60
	61	newhead = (uhid->head + 1) % UHID_BUFSIZE;
	62
	63	if (newhead != uhid->tail) {
	64	uhid->outq[uhid->head] = ev;
	65	uhid->head = newhead;
	66	wake_up_interruptible(&uhid->waitq);
	67	} else {
	68	hid_warn(uhid->hid, "Output queue is full\n");
	69	kfree(ev);
	70	}
	71	}
	72
	73	static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
	74	{
	75	unsigned long flags;
	76	struct uhid_event *ev;
	77
	78	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	79	if (!ev)
	80	return -ENOMEM;
	81
	82	ev->type = event;
	83
	84	spin_lock_irqsave(&uhid->qlock, flags);
	85	uhid_queue(uhid, ev);
	86	spin_unlock_irqrestore(&uhid->qlock, flags);
	87
	88	return 0;
	89	}
	90
d365c6cf DH	91	static int uhid_hid_start(struct hid_device *hid)
d365c6cf DH	92	{
ec4b7dea DH	93	struct uhid_device *uhid = hid->driver_data;
	94
	95	return uhid_queue_event(uhid, UHID_START);
d365c6cf DH	96	}
	97
	98	static void uhid_hid_stop(struct hid_device *hid)
	99	{
ec4b7dea DH	100	struct uhid_device *uhid = hid->driver_data;
	101
	102	hid->claimed = 0;
	103	uhid_queue_event(uhid, UHID_STOP);
d365c6cf DH	104	}
	105
	106	static int uhid_hid_open(struct hid_device *hid)
	107	{
e7191474 DH	108	struct uhid_device *uhid = hid->driver_data;
	109
	110	return uhid_queue_event(uhid, UHID_OPEN);
d365c6cf DH	111	}
	112
	113	static void uhid_hid_close(struct hid_device *hid)
	114	{
e7191474 DH	115	struct uhid_device *uhid = hid->driver_data;
	116
	117	uhid_queue_event(uhid, UHID_CLOSE);
d365c6cf DH	118	}
d365c6cf DH	119
d365c6cf DH	120	static int uhid_hid_parse(struct hid_device *hid)
d365c6cf DH	121	{
037c061b DH	122	struct uhid_device *uhid = hid->driver_data;
	123
	124	return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
d365c6cf DH	125	}
d365c6cf DH	126
289a7162 JK	127	static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
	128	__u8 *buf, size_t count, unsigned char rtype)
	129	{
	130	struct uhid_device *uhid = hid->driver_data;
	131	__u8 report_type;
	132	struct uhid_event *ev;
	133	unsigned long flags;
	134	int ret;
	135	size_t uninitialized_var(len);
	136	struct uhid_feature_answer_req *req;
	137
	138	if (!uhid->running)
	139	return -EIO;
	140
	141	switch (rtype) {
	142	case HID_FEATURE_REPORT:
	143	report_type = UHID_FEATURE_REPORT;
	144	break;
	145	case HID_OUTPUT_REPORT:
	146	report_type = UHID_OUTPUT_REPORT;
	147	break;
	148	case HID_INPUT_REPORT:
	149	report_type = UHID_INPUT_REPORT;
	150	break;
	151	default:
	152	return -EINVAL;
	153	}
	154
	155	ret = mutex_lock_interruptible(&uhid->report_lock);
	156	if (ret)
	157	return ret;
	158
	159	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	160	if (!ev) {
	161	ret = -ENOMEM;
	162	goto unlock;
	163	}
	164
	165	spin_lock_irqsave(&uhid->qlock, flags);
	166	ev->type = UHID_FEATURE;
8cad5b01	167	ev->u.feature.id = ++uhid->report_id;
289a7162 JK	168	ev->u.feature.rnum = rnum;
	169	ev->u.feature.rtype = report_type;
	170
5942b849	171	uhid->report_running = true;
289a7162 JK	172	uhid_queue(uhid, ev);
	173	spin_unlock_irqrestore(&uhid->qlock, flags);
	174
	175	ret = wait_event_interruptible_timeout(uhid->report_wait,
5942b849 DH	176	!uhid->report_running \|\| !uhid->running,
5942b849 DH	177	5 * HZ);
289a7162	178
289a7162 JK	179	if (!ret \|\| !uhid->running) {
	180	ret = -EIO;
	181	} else if (ret < 0) {
	182	ret = -ERESTARTSYS;
	183	} else {
	184	spin_lock_irqsave(&uhid->qlock, flags);
	185	req = &uhid->report_buf.u.feature_answer;
	186
	187	if (req->err) {
	188	ret = -EIO;
	189	} else {
	190	ret = 0;
	191	len = min(count,
	192	min_t(size_t, req->size, UHID_DATA_MAX));
	193	memcpy(buf, req->data, len);
	194	}
	195
	196	spin_unlock_irqrestore(&uhid->qlock, flags);
	197	}
	198
5942b849	199	uhid->report_running = false;
289a7162 JK	200
	201	unlock:
	202	mutex_unlock(&uhid->report_lock);
	203	return ret ? ret : len;
	204	}
	205
d365c6cf DH	206	static int uhid_hid_output_raw(struct hid_device hid, __u8 buf, size_t count,
	207	unsigned char report_type)
	208	{
3b3baa82 DH	209	struct uhid_device *uhid = hid->driver_data;
	210	__u8 rtype;
	211	unsigned long flags;
	212	struct uhid_event *ev;
	213
	214	switch (report_type) {
	215	case HID_FEATURE_REPORT:
	216	rtype = UHID_FEATURE_REPORT;
	217	break;
	218	case HID_OUTPUT_REPORT:
	219	rtype = UHID_OUTPUT_REPORT;
	220	break;
	221	default:
	222	return -EINVAL;
	223	}
	224
	225	if (count < 1 \|\| count > UHID_DATA_MAX)
	226	return -EINVAL;
	227
	228	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	229	if (!ev)
	230	return -ENOMEM;
	231
	232	ev->type = UHID_OUTPUT;
	233	ev->u.output.size = count;
	234	ev->u.output.rtype = rtype;
	235	memcpy(ev->u.output.data, buf, count);
	236
	237	spin_lock_irqsave(&uhid->qlock, flags);
	238	uhid_queue(uhid, ev);
	239	spin_unlock_irqrestore(&uhid->qlock, flags);
	240
	241	return count;
d365c6cf DH	242	}
d365c6cf DH	243
596cfdd8 FP	244	static int uhid_hid_output_report(struct hid_device hid, __u8 buf,
	245	size_t count)
	246	{
41abfb36	247	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
596cfdd8 FP	248	}
596cfdd8 FP	249
706daeff BT	250	static int uhid_raw_request(struct hid_device *hid, unsigned char reportnum,
	251	__u8 *buf, size_t len, unsigned char rtype,
	252	int reqtype)
	253	{
	254	switch (reqtype) {
	255	case HID_REQ_GET_REPORT:
	256	return uhid_hid_get_raw(hid, reportnum, buf, len, rtype);
	257	case HID_REQ_SET_REPORT:
	258	/* TODO: implement proper SET_REPORT functionality */
	259	return -ENOSYS;
	260	default:
	261	return -EIO;
	262	}
	263	}
	264
d365c6cf DH	265	static struct hid_ll_driver uhid_hid_driver = {
	266	.start = uhid_hid_start,
	267	.stop = uhid_hid_stop,
	268	.open = uhid_hid_open,
	269	.close = uhid_hid_close,
d365c6cf	270	.parse = uhid_hid_parse,
596cfdd8	271	.output_report = uhid_hid_output_report,
706daeff	272	.raw_request = uhid_raw_request,
d365c6cf DH	273	};
d365c6cf DH	274
befde022 DT	275	#ifdef CONFIG_COMPAT
	276
	277	/* Apparently we haven't stepped on these rakes enough times yet. */
	278	struct uhid_create_req_compat {
	279	__u8 name[128];
	280	__u8 phys[64];
	281	__u8 uniq[64];
	282
	283	compat_uptr_t rd_data;
	284	__u16 rd_size;
	285
	286	__u16 bus;
	287	__u32 vendor;
	288	__u32 product;
	289	__u32 version;
	290	__u32 country;
	291	} __attribute__((__packed__));
	292
	293	static int uhid_event_from_user(const char __user *buffer, size_t len,
	294	struct uhid_event *event)
	295	{
	296	if (is_compat_task()) {
	297	u32 type;
	298
	299	if (get_user(type, buffer))
	300	return -EFAULT;
	301
	302	if (type == UHID_CREATE) {
	303	/*
	304	* This is our messed up request with compat pointer.
	305	* It is largish (more than 256 bytes) so we better
	306	* allocate it from the heap.
	307	*/
	308	struct uhid_create_req_compat *compat;
	309
80897aa7	310	compat = kzalloc(sizeof(*compat), GFP_KERNEL);
befde022 DT	311	if (!compat)
	312	return -ENOMEM;
	313
	314	buffer += sizeof(type);
	315	len -= sizeof(type);
	316	if (copy_from_user(compat, buffer,
	317	min(len, sizeof(*compat)))) {
	318	kfree(compat);
	319	return -EFAULT;
	320	}
	321
	322	/* Shuffle the data over to proper structure */
	323	event->type = type;
	324
	325	memcpy(event->u.create.name, compat->name,
	326	sizeof(compat->name));
	327	memcpy(event->u.create.phys, compat->phys,
	328	sizeof(compat->phys));
	329	memcpy(event->u.create.uniq, compat->uniq,
	330	sizeof(compat->uniq));
	331
	332	event->u.create.rd_data = compat_ptr(compat->rd_data);
	333	event->u.create.rd_size = compat->rd_size;
	334
	335	event->u.create.bus = compat->bus;
	336	event->u.create.vendor = compat->vendor;
	337	event->u.create.product = compat->product;
	338	event->u.create.version = compat->version;
	339	event->u.create.country = compat->country;
	340
	341	kfree(compat);
	342	return 0;
	343	}
	344	/* All others can be copied directly */
	345	}
	346
	347	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
	348	return -EFAULT;
	349
	350	return 0;
	351	}
	352	#else
	353	static int uhid_event_from_user(const char __user *buffer, size_t len,
	354	struct uhid_event *event)
	355	{
	356	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
	357	return -EFAULT;
	358
	359	return 0;
	360	}
	361	#endif
	362
4522643a PG	363	static int uhid_dev_create2(struct uhid_device *uhid,
	364	const struct uhid_event *ev)
	365	{
	366	struct hid_device *hid;
25be7fe2	367	size_t rd_size, len;
41c4a464	368	void *rd_data;
4522643a PG	369	int ret;
	370
	371	if (uhid->running)
	372	return -EALREADY;
	373
41c4a464 DH	374	rd_size = ev->u.create2.rd_size;
41c4a464 DH	375	if (rd_size <= 0 \|\| rd_size > HID_MAX_DESCRIPTOR_SIZE)
4522643a PG	376	return -EINVAL;
4522643a PG	377
41c4a464 DH	378	rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
41c4a464 DH	379	if (!rd_data)
4522643a PG	380	return -ENOMEM;
4522643a PG	381
41c4a464 DH	382	uhid->rd_size = rd_size;
	383	uhid->rd_data = rd_data;
	384
4522643a PG	385	hid = hid_allocate_device();
	386	if (IS_ERR(hid)) {
	387	ret = PTR_ERR(hid);
	388	goto err_free;
	389	}
	390
25be7fe2 DH	391	len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
	392	strncpy(hid->name, ev->u.create2.name, len);
	393	len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
	394	strncpy(hid->phys, ev->u.create2.phys, len);
	395	len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
	396	strncpy(hid->uniq, ev->u.create2.uniq, len);
4522643a PG	397
	398	hid->ll_driver = &uhid_hid_driver;
	399	hid->bus = ev->u.create2.bus;
	400	hid->vendor = ev->u.create2.vendor;
	401	hid->product = ev->u.create2.product;
	402	hid->version = ev->u.create2.version;
	403	hid->country = ev->u.create2.country;
	404	hid->driver_data = uhid;
	405	hid->dev.parent = uhid_misc.this_device;
	406
	407	uhid->hid = hid;
	408	uhid->running = true;
	409
	410	ret = hid_add_device(hid);
	411	if (ret) {
	412	hid_err(hid, "Cannot register HID device\n");
	413	goto err_hid;
	414	}
	415
	416	return 0;
	417
	418	err_hid:
	419	hid_destroy_device(hid);
	420	uhid->hid = NULL;
	421	uhid->running = false;
	422	err_free:
	423	kfree(uhid->rd_data);
41c4a464 DH	424	uhid->rd_data = NULL;
41c4a464 DH	425	uhid->rd_size = 0;
4522643a PG	426	return ret;
	427	}
	428
56c47754 DH	429	static int uhid_dev_create(struct uhid_device *uhid,
	430	struct uhid_event *ev)
	431	{
	432	struct uhid_create_req orig;
	433
	434	orig = ev->u.create;
	435
	436	if (orig.rd_size <= 0 \|\| orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
	437	return -EINVAL;
	438	if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
	439	return -EFAULT;
	440
	441	memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
	442	memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
	443	memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
	444	ev->u.create2.rd_size = orig.rd_size;
	445	ev->u.create2.bus = orig.bus;
	446	ev->u.create2.vendor = orig.vendor;
	447	ev->u.create2.product = orig.product;
	448	ev->u.create2.version = orig.version;
	449	ev->u.create2.country = orig.country;
	450
	451	return uhid_dev_create2(uhid, ev);
	452	}
	453
d365c6cf DH	454	static int uhid_dev_destroy(struct uhid_device *uhid)
	455	{
	456	if (!uhid->running)
	457	return -EINVAL;
	458
	459	uhid->running = false;
fcfcf0de	460	wake_up_interruptible(&uhid->report_wait);
d365c6cf DH	461
	462	hid_destroy_device(uhid->hid);
	463	kfree(uhid->rd_data);
	464
	465	return 0;
	466	}
	467
5e87a36a DH	468	static int uhid_dev_input(struct uhid_device uhid, struct uhid_event ev)
	469	{
	470	if (!uhid->running)
	471	return -EINVAL;
	472
	473	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
	474	min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
	475
	476	return 0;
	477	}
	478
4522643a PG	479	static int uhid_dev_input2(struct uhid_device uhid, struct uhid_event ev)
	480	{
	481	if (!uhid->running)
	482	return -EINVAL;
	483
	484	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
	485	min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
	486
	487	return 0;
	488	}
	489
fcfcf0de DH	490	static int uhid_dev_feature_answer(struct uhid_device *uhid,
	491	struct uhid_event *ev)
	492	{
	493	unsigned long flags;
	494
	495	if (!uhid->running)
	496	return -EINVAL;
	497
	498	spin_lock_irqsave(&uhid->qlock, flags);
	499
	500	/* id for old report; drop it silently */
8cad5b01	501	if (uhid->report_id != ev->u.feature_answer.id)
fcfcf0de	502	goto unlock;
5942b849	503	if (!uhid->report_running)
fcfcf0de DH	504	goto unlock;
	505
	506	memcpy(&uhid->report_buf, ev, sizeof(*ev));
5942b849	507	uhid->report_running = false;
fcfcf0de DH	508	wake_up_interruptible(&uhid->report_wait);
	509
	510	unlock:
	511	spin_unlock_irqrestore(&uhid->qlock, flags);
	512	return 0;
	513	}
	514
1ccd7a2a DH	515	static int uhid_char_open(struct inode inode, struct file file)
1ccd7a2a DH	516	{
ace3d861 DH	517	struct uhid_device *uhid;
	518
	519	uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
	520	if (!uhid)
	521	return -ENOMEM;
	522
d937ae5f	523	mutex_init(&uhid->devlock);
fcfcf0de	524	mutex_init(&uhid->report_lock);
ace3d861 DH	525	spin_lock_init(&uhid->qlock);
ace3d861 DH	526	init_waitqueue_head(&uhid->waitq);
fcfcf0de	527	init_waitqueue_head(&uhid->report_wait);
d365c6cf	528	uhid->running = false;
ace3d861 DH	529
	530	file->private_data = uhid;
	531	nonseekable_open(inode, file);
	532
1ccd7a2a DH	533	return 0;
	534	}
	535
	536	static int uhid_char_release(struct inode inode, struct file file)
	537	{
ace3d861 DH	538	struct uhid_device *uhid = file->private_data;
	539	unsigned int i;
	540
d365c6cf DH	541	uhid_dev_destroy(uhid);
d365c6cf DH	542
ace3d861 DH	543	for (i = 0; i < UHID_BUFSIZE; ++i)
	544	kfree(uhid->outq[i]);
	545
	546	kfree(uhid);
	547
1ccd7a2a DH	548	return 0;
	549	}
	550
	551	static ssize_t uhid_char_read(struct file file, char __user buffer,
	552	size_t count, loff_t *ppos)
	553	{
d937ae5f DH	554	struct uhid_device *uhid = file->private_data;
	555	int ret;
	556	unsigned long flags;
	557	size_t len;
	558
	559	/* they need at least the "type" member of uhid_event */
	560	if (count < sizeof(__u32))
	561	return -EINVAL;
	562
	563	try_again:
	564	if (file->f_flags & O_NONBLOCK) {
	565	if (uhid->head == uhid->tail)
	566	return -EAGAIN;
	567	} else {
	568	ret = wait_event_interruptible(uhid->waitq,
	569	uhid->head != uhid->tail);
	570	if (ret)
	571	return ret;
	572	}
	573
	574	ret = mutex_lock_interruptible(&uhid->devlock);
	575	if (ret)
	576	return ret;
	577
	578	if (uhid->head == uhid->tail) {
	579	mutex_unlock(&uhid->devlock);
	580	goto try_again;
	581	} else {
	582	len = min(count, sizeof(**uhid->outq));
adefb69b	583	if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
d937ae5f DH	584	ret = -EFAULT;
	585	} else {
	586	kfree(uhid->outq[uhid->tail]);
	587	uhid->outq[uhid->tail] = NULL;
	588
	589	spin_lock_irqsave(&uhid->qlock, flags);
	590	uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
	591	spin_unlock_irqrestore(&uhid->qlock, flags);
	592	}
	593	}
	594
	595	mutex_unlock(&uhid->devlock);
	596	return ret ? ret : len;
1ccd7a2a DH	597	}
	598
	599	static ssize_t uhid_char_write(struct file file, const char __user buffer,
	600	size_t count, loff_t *ppos)
	601	{
6664ef72 DH	602	struct uhid_device *uhid = file->private_data;
	603	int ret;
	604	size_t len;
	605
	606	/* we need at least the "type" member of uhid_event */
	607	if (count < sizeof(__u32))
	608	return -EINVAL;
	609
	610	ret = mutex_lock_interruptible(&uhid->devlock);
	611	if (ret)
	612	return ret;
	613
	614	memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
	615	len = min(count, sizeof(uhid->input_buf));
befde022 DT	616
	617	ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
	618	if (ret)
6664ef72	619	goto unlock;
6664ef72 DH	620
6664ef72 DH	621	switch (uhid->input_buf.type) {
d365c6cf DH	622	case UHID_CREATE:
	623	ret = uhid_dev_create(uhid, &uhid->input_buf);
	624	break;
4522643a PG	625	case UHID_CREATE2:
	626	ret = uhid_dev_create2(uhid, &uhid->input_buf);
	627	break;
d365c6cf DH	628	case UHID_DESTROY:
	629	ret = uhid_dev_destroy(uhid);
	630	break;
5e87a36a DH	631	case UHID_INPUT:
	632	ret = uhid_dev_input(uhid, &uhid->input_buf);
	633	break;
4522643a PG	634	case UHID_INPUT2:
	635	ret = uhid_dev_input2(uhid, &uhid->input_buf);
	636	break;
fcfcf0de DH	637	case UHID_FEATURE_ANSWER:
	638	ret = uhid_dev_feature_answer(uhid, &uhid->input_buf);
	639	break;
6664ef72 DH	640	default:
	641	ret = -EOPNOTSUPP;
	642	}
	643
	644	unlock:
	645	mutex_unlock(&uhid->devlock);
	646
	647	/* return "count" not "len" to not confuse the caller */
	648	return ret ? ret : count;
1ccd7a2a DH	649	}
	650
	651	static unsigned int uhid_char_poll(struct file file, poll_table wait)
	652	{
1f9dec1e DH	653	struct uhid_device *uhid = file->private_data;
	654
	655	poll_wait(file, &uhid->waitq, wait);
	656
	657	if (uhid->head != uhid->tail)
	658	return POLLIN \| POLLRDNORM;
	659
1ccd7a2a DH	660	return 0;
	661	}
	662
	663	static const struct file_operations uhid_fops = {
	664	.owner = THIS_MODULE,
	665	.open = uhid_char_open,
	666	.release = uhid_char_release,
	667	.read = uhid_char_read,
	668	.write = uhid_char_write,
	669	.poll = uhid_char_poll,
	670	.llseek = no_llseek,
	671	};
	672
	673	static struct miscdevice uhid_misc = {
	674	.fops = &uhid_fops,
19872d20	675	.minor = UHID_MINOR,
1ccd7a2a DH	676	.name = UHID_NAME,
	677	};
	678
	679	static int __init uhid_init(void)
	680	{
	681	return misc_register(&uhid_misc);
	682	}
	683
	684	static void __exit uhid_exit(void)
	685	{
	686	misc_deregister(&uhid_misc);
	687	}
	688
	689	module_init(uhid_init);
	690	module_exit(uhid_exit);
	691	MODULE_LICENSE("GPL");
	692	MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
	693	MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
19872d20	694	MODULE_ALIAS_MISCDEV(UHID_MINOR);
60cbd53e	695	MODULE_ALIAS("devname:" UHID_NAME);