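// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * User-space I/O driver support for HID subsystem
 * Copyright (c) 2012 David Herrmann
 */

/*
 */

#include <linux/atomic.h>
#include <linux/compat.h>
#include <linux/cred.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/hid.h>
#include <linux/input.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/poll.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
#include <linux/uhid.h>
#include <linux/wait.h>

#define UHID_NAME	"uhid"
#define UHID_BUFSIZE	32

/* Per-open-file state of one uhid instance (allocated in uhid_char_open()). */
struct uhid_device {
	struct mutex devlock;

	/* This flag tracks whether the HID device is usable for commands from
	 * userspace. The flag is already set before hid_add_device(), which
	 * runs in workqueue context, to allow hid_add_device() to communicate
	 * with userspace.
	 * However, if hid_add_device() fails, the flag is cleared without
	 * holding devlock.
	 * We guarantee that if @running changes from true to false while you're
	 * holding @devlock, it's still fine to access @hid.
	 *
	 * Because of that lockless clear, accesses that may race with the
	 * worker go through READ_ONCE()/WRITE_ONCE().
	 */
	bool running;

	__u8 *rd_data;
	uint rd_size;

	/* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */
	struct hid_device *hid;
	struct uhid_event input_buf;

	/* ring buffer of events for userspace; see uhid_queue() */
	wait_queue_head_t waitq;
	spinlock_t qlock;
	__u8 head;
	__u8 tail;
	struct uhid_event *outq[UHID_BUFSIZE];

	/* blocking GET_REPORT support; state changes protected by qlock */
	struct mutex report_lock;
	wait_queue_head_t report_wait;
	bool report_running;
	u32 report_id;
	u32 report_type;
	struct uhid_event report_buf;
	struct work_struct worker;
};

static struct miscdevice uhid_misc;

/*
 * Work item scheduled by uhid_dev_create2(): registers uhid->hid with the HID
 * core. On failure the device is left allocated and only marked not running.
 */
static void uhid_device_add_worker(struct work_struct *work)
{
	struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
	int ret;

	ret = hid_add_device(uhid->hid);
	if (ret) {
		hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);

		/* We used to call hid_destroy_device() here, but that's really
		 * messy to get right because we have to coordinate with
		 * concurrent writes from userspace that might be in the middle
		 * of using uhid->hid.
		 * Just leave uhid->hid as-is for now, and clean it up when
		 * userspace tries to close or reinitialize the uhid instance.
		 *
		 * However, we do have to clear the ->running flag and do a
		 * wakeup to make sure userspace knows that the device is gone.
		 */
		/* devlock is not held here, so mark the racy store explicitly */
		WRITE_ONCE(uhid->running, false);
		wake_up_interruptible(&uhid->report_wait);
	}
}

/*
 * Append @ev to the output ring and wake readers. Always consumes @ev: it is
 * either stored in outq[] or freed when the ring is full (the event is then
 * dropped with a warning). Every caller in this file takes qlock around it.
 */
static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
{
	__u8 newhead;

	newhead = (uhid->head + 1) % UHID_BUFSIZE;

	/* one slot stays unused so that head == tail means "empty" */
	if (newhead != uhid->tail) {
		uhid->outq[uhid->head] = ev;
		uhid->head = newhead;
		wake_up_interruptible(&uhid->waitq);
	} else {
		hid_warn(uhid->hid, "Output queue is full\n");
		kfree(ev);
	}
}

/*
 * Allocate a zeroed event carrying only @event as its type and queue it.
 * Returns 0, or -ENOMEM if the allocation fails. A full queue is not
 * reported to the caller (uhid_queue() drops the event).
 */
static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
{
	unsigned long flags;
	struct uhid_event *ev;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = event;

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return 0;
}

/*
 * hid_ll_driver .start: queue UHID_START, with dev_flags telling userspace
 * which report types of the parsed descriptor use numbered reports.
 */
static int uhid_hid_start(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_event *ev;
	unsigned long flags;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_START;

	if (hid->report_enum[HID_FEATURE_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
	if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
	if (hid->report_enum[HID_INPUT_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return 0;
}

/*
 * hid_ll_driver .stop: clear hid->claimed and queue UHID_STOP. The callback
 * returns void, so an allocation failure in uhid_queue_event() is ignored.
 */
static void uhid_hid_stop(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	hid->claimed = 0;
	uhid_queue_event(uhid, UHID_STOP);
}

/* hid_ll_driver .open: queue UHID_OPEN for userspace. */
static int uhid_hid_open(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return uhid_queue_event(uhid, UHID_OPEN);
}

/* hid_ll_driver .close: queue UHID_CLOSE; failure cannot be reported. */
static void uhid_hid_close(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	uhid_queue_event(uhid, UHID_CLOSE);
}

/*
 * hid_ll_driver .parse: hand the report descriptor stored by
 * uhid_dev_create2() (rd_data/rd_size) to the HID core parser.
 */
static int uhid_hid_parse(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
}

/*
 * Queue the GET/SET_REPORT request @ev and sleep until userspace answers, the
 * device stops running, a signal arrives or five seconds pass.
 *
 * The freshly incremented request id is written to *@report_id (which the
 * callers point into @ev) before the event is queued. Returns 0 when a
 * matching reply was stored in report_buf, -EIO or -ERESTARTSYS otherwise.
 *
 * must be called with report_lock held
 */
static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
					struct uhid_event *ev,
					__u32 *report_id)
{
	unsigned long flags;
	int ret;

	spin_lock_irqsave(&uhid->qlock, flags);
	*report_id = ++uhid->report_id;
	/*
	 * uhid_report_wake_up() compares this with the reply's type, so the
	 * reply type is taken to be the request type + 1
	 * (NOTE(review): confirm the enum order in <linux/uhid.h>).
	 */
	uhid->report_type = ev->type + 1;
	uhid->report_running = true;
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	/* ->running may be cleared by the worker without any lock held */
	ret = wait_event_interruptible_timeout(uhid->report_wait,
				!uhid->report_running || !READ_ONCE(uhid->running),
				5 * HZ);
	/*
	 * The first branch wins whenever the report is still outstanding,
	 * so timeout, device removal and a signal that arrives before the
	 * reply all end up as -EIO.
	 */
	if (!ret || !READ_ONCE(uhid->running) || uhid->report_running)
		ret = -EIO;
	else if (ret < 0)
		ret = -ERESTARTSYS;
	else
		ret = 0;

	uhid->report_running = false;

	return ret;
}

/*
 * Deliver a reply event written by userspace to the thread sleeping in
 * __uhid_report_queue_and_wait(). Replies whose type or id does not match
 * the outstanding request, or that arrive when nothing is outstanding, are
 * discarded, so a stale or unsolicited reply cannot overwrite report_buf.
 */
static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
				const struct uhid_event *ev)
{
	unsigned long flags;

	spin_lock_irqsave(&uhid->qlock, flags);

	/* id for old report; drop it silently */
	if (uhid->report_type != ev->type || uhid->report_id != id)
		goto unlock;
	if (!uhid->report_running)
		goto unlock;

	memcpy(&uhid->report_buf, ev, sizeof(*ev));
	uhid->report_running = false;
	wake_up_interruptible(&uhid->report_wait);

unlock:
	spin_unlock_irqrestore(&uhid->qlock, flags);
}

/*
 * Forward a GET_REPORT request to userspace and copy the answer into @buf.
 * Returns the number of bytes copied, or a negative errno.
 */
static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
			       u8 *buf, size_t count, u8 rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_get_report_reply_req *req;
	struct uhid_event *ev;
	int ret;

	if (!READ_ONCE(uhid->running))
		return -EIO;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_GET_REPORT;
	ev->u.get_report.rnum = rnum;
	ev->u.get_report.rtype = rtype;

	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret) {
		kfree(ev);
		return ret;
	}

	/* this _always_ takes ownership of @ev */
	ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
	if (ret)
		goto unlock;

	req = &uhid->report_buf.u.get_report_reply;
	if (req->err) {
		ret = -EIO;
	} else {
		/*
		 * req->size comes from userspace: clamp it to both the
		 * caller's buffer and the reply's data array before copying.
		 */
		ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
		memcpy(buf, req->data, ret);
	}

unlock:
	mutex_unlock(&uhid->report_lock);
	return ret;
}

/*
 * Forward a SET_REPORT request with @count bytes of @buf to userspace and
 * wait for its reply. Returns @count on success, or a negative errno.
 */
static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
			       const u8 *buf, size_t count, u8 rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_event *ev;
	int ret;

	/* the size check bounds the memcpy() into set_report.data below */
	if (!READ_ONCE(uhid->running) || count > UHID_DATA_MAX)
		return -EIO;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_SET_REPORT;
	ev->u.set_report.rnum = rnum;
	ev->u.set_report.rtype = rtype;
	ev->u.set_report.size = count;
	memcpy(ev->u.set_report.data, buf, count);

	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret) {
		kfree(ev);
		return ret;
	}

	/* this _always_ takes ownership of @ev */
	ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
	if (ret)
		goto unlock;

	if (uhid->report_buf.u.set_report_reply.err)
		ret = -EIO;
	else
		ret = count;

unlock:
	mutex_unlock(&uhid->report_lock);
	return ret;
}

/*
 * hid_ll_driver .raw_request: translate the HID report type into its UHID
 * counterpart and dispatch to the GET or SET handler. Unknown report types
 * yield -EINVAL, unknown request types -EIO.
 */
static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
				__u8 *buf, size_t len, unsigned char rtype,
				int reqtype)
{
	u8 u_rtype;

	switch (rtype) {
	case HID_FEATURE_REPORT:
		u_rtype = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		u_rtype = UHID_OUTPUT_REPORT;
		break;
	case HID_INPUT_REPORT:
		u_rtype = UHID_INPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	switch (reqtype) {
	case HID_REQ_GET_REPORT:
		return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
	case HID_REQ_SET_REPORT:
		return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
	default:
		return -EIO;
	}
}

/*
 * Queue a UHID_OUTPUT event carrying @count bytes of @buf. Only feature and
 * output reports are accepted. Returns @count, or a negative errno; a full
 * queue is not reported (uhid_queue() drops the event).
 */
static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
			       unsigned char report_type)
{
	struct uhid_device *uhid = hid->driver_data;
	__u8 rtype;
	unsigned long flags;
	struct uhid_event *ev;

	switch (report_type) {
	case HID_FEATURE_REPORT:
		rtype = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		rtype = UHID_OUTPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	/* bounds the memcpy() into output.data below */
	if (count < 1 || count > UHID_DATA_MAX)
		return -EINVAL;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_OUTPUT;
	ev->u.output.size = count;
	ev->u.output.rtype = rtype;
	memcpy(ev->u.output.data, buf, count);

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return count;
}

/* hid_ll_driver .output_report: uhid_hid_output_raw() for an output report. */
static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
				  size_t count)
{
	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
}

/* Low-level transport callbacks installed on every device created here. */
struct hid_ll_driver uhid_hid_driver = {
	.start = uhid_hid_start,
	.stop = uhid_hid_stop,
	.open = uhid_hid_open,
	.close = uhid_hid_close,
	.parse = uhid_hid_parse,
	.raw_request = uhid_hid_raw_request,
	.output_report = uhid_hid_output_report,
	.max_buffer_size = UHID_DATA_MAX,
};
EXPORT_SYMBOL_GPL(uhid_hid_driver);

#ifdef CONFIG_COMPAT

/* Apparently we haven't stepped on these rakes enough times yet. */
/* UHID_CREATE payload as laid out by a compat task (rd_data is compat_uptr_t). */
struct uhid_create_req_compat {
	__u8 name[128];
	__u8 phys[64];
	__u8 uniq[64];

	compat_uptr_t rd_data;
	__u16 rd_size;

	__u16 bus;
	__u32 vendor;
	__u32 product;
	__u32 version;
	__u32 country;
} __attribute__((__packed__));

/*
 * Copy one event from userspace into @event, converting the compat layout of
 * UHID_CREATE when called from a compat syscall. At most sizeof(*event) bytes
 * are copied; bytes beyond @len are not written here.
 * NOTE(review): that presumably relies on the caller zeroing *event first;
 * confirm in the write path.
 *
 * Returns 0, -EFAULT on a failed user copy, or -ENOMEM.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (in_compat_syscall()) {
		u32 type;

		if (get_user(type, buffer))
			return -EFAULT;

		if (type == UHID_CREATE) {
			/*
			 * This is our messed up request with compat pointer.
			 * It is largish (more than 256 bytes) so we better
			 * allocate it from the heap.
			 */
			struct uhid_create_req_compat *compat;

			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
			if (!compat)
				return -ENOMEM;

			buffer += sizeof(type);
			/*
			 * NOTE(review): len is a size_t, so this wraps if
			 * len < sizeof(type); confirm the caller rejects
			 * such short writes. The copy below stays capped at
			 * sizeof(*compat) either way.
			 */
			len -= sizeof(type);
			if (copy_from_user(compat, buffer,
					   min(len, sizeof(*compat)))) {
				kfree(compat);
				return -EFAULT;
			}

			/* Shuffle the data over to proper structure */
			event->type = type;

			memcpy(event->u.create.name, compat->name,
				sizeof(compat->name));
			memcpy(event->u.create.phys, compat->phys,
				sizeof(compat->phys));
			memcpy(event->u.create.uniq, compat->uniq,
				sizeof(compat->uniq));

			event->u.create.rd_data = compat_ptr(compat->rd_data);
			event->u.create.rd_size = compat->rd_size;

			event->u.create.bus = compat->bus;
			event->u.create.vendor = compat->vendor;
			event->u.create.product = compat->product;
			event->u.create.version = compat->version;
			event->u.create.country = compat->country;

			kfree(compat);
			return 0;
		}
		/* All others can be copied directly */
	}

	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#else
/*
 * Copy one event from userspace into @event; at most sizeof(*event) bytes
 * are copied. Returns 0, or -EFAULT on a failed user copy.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#endif

/*
 * Handle UHID_CREATE2: duplicate the report descriptor, allocate a
 * hid_device described by @ev and schedule the worker that registers it.
 *
 * Returns 0, -EALREADY if a device already exists, -EINVAL for a descriptor
 * size outside 1..HID_MAX_DESCRIPTOR_SIZE, -ENOMEM, or the error from
 * hid_allocate_device().
 */
static int uhid_dev_create2(struct uhid_device *uhid,
			    const struct uhid_event *ev)
{
	struct hid_device *hid;
	size_t rd_size, len;
	void *rd_data;
	int ret;

	if (uhid->hid)
		return -EALREADY;

	/* userspace-supplied size: validate before it sizes the kmemdup() */
	rd_size = ev->u.create2.rd_size;
	if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
	if (!rd_data)
		return -ENOMEM;

	uhid->rd_size = rd_size;
	uhid->rd_data = rd_data;

	hid = hid_allocate_device();
	if (IS_ERR(hid)) {
		ret = PTR_ERR(hid);
		goto err_free;
	}

	/* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
	/* (copying at most size - 1 bytes keeps the final byte a NUL) */
	len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
	strncpy(hid->name, ev->u.create2.name, len);
	len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
	strncpy(hid->phys, ev->u.create2.phys, len);
	len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
	strncpy(hid->uniq, ev->u.create2.uniq, len);

	hid->ll_driver = &uhid_hid_driver;
	hid->bus = ev->u.create2.bus;
	hid->vendor = ev->u.create2.vendor;
	hid->product = ev->u.create2.product;
	hid->version = ev->u.create2.version;
	hid->country = ev->u.create2.country;
	hid->driver_data = uhid;
	hid->dev.parent = uhid_misc.this_device;

	uhid->hid = hid;
	uhid->running = true;

	/* Adding of a HID device is done through a worker, to allow HID drivers
	 * which use feature requests during .probe to work; without it they
	 * would be blocked on devlock, which is held by uhid_char_write.
	 */
	schedule_work(&uhid->worker);

	return 0;

err_free:
	kfree(uhid->rd_data);
	uhid->rd_data = NULL;
	uhid->rd_size = 0;
	return ret;
}

/*
 * Handle the legacy UHID_CREATE: fetch the report descriptor through the
 * userspace pointer carried in the event, rewrite @ev in place into the
 * UHID_CREATE2 layout and continue in uhid_dev_create2().
 *
 * NOTE(review): orig.rd_data is a userspace address taken from the write()
 * payload; confirm that the write path restricts the contexts in which
 * UHID_CREATE is accepted.
 */
static int uhid_dev_create(struct uhid_device *uhid,
			   struct uhid_event *ev)
{
	struct uhid_create_req orig;

	/* snapshot first: the create2 fields below are written into the same event */
	orig = ev->u.create;

	/*
	 * The bound keeps the copy below within create2.rd_data
	 * (presumably HID_MAX_DESCRIPTOR_SIZE bytes; confirm in <linux/uhid.h>).
	 */
	if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;
	if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
		return -EFAULT;

	memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
	memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
	memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
	ev->u.create2.rd_size = orig.rd_size;
	ev->u.create2.bus = orig.bus;
	ev->u.create2.vendor = orig.vendor;
	ev->u.create2.product = orig.product;
	ev->u.create2.version = orig.version;
	ev->u.create2.country = orig.country;

	return uhid_dev_create2(uhid, ev);
}

/*
 * Tear down the HID device of this instance. Returns -EINVAL when there is
 * none, 0 otherwise.
 *
 * Order matters: ->running is cleared and waiters are woken first, the add
 * worker is cancelled next, and only then is the hid_device destroyed.
 */
static int uhid_dev_destroy(struct uhid_device *uhid)
{
	if (!uhid->hid)
		return -EINVAL;

	/* may race with lockless readers in the report path */
	WRITE_ONCE(uhid->running, false);
	wake_up_interruptible(&uhid->report_wait);

	cancel_work_sync(&uhid->worker);

	hid_destroy_device(uhid->hid);
	uhid->hid = NULL;
	kfree(uhid->rd_data);
	/* as in the err_free path of uhid_dev_create2(): keep no stale pointer */
	uhid->rd_data = NULL;
	uhid->rd_size = 0;

	return 0;
}

/*
 * Handle UHID_INPUT: feed the payload to the HID core as an input report.
 * The userspace-supplied size is clamped to UHID_DATA_MAX.
 */
static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!READ_ONCE(uhid->running))
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
			 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);

	return 0;
}

/*
 * Handle UHID_INPUT2: same as uhid_dev_input() for the input2 payload layout;
 * the size is again clamped to UHID_DATA_MAX.
 */
static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!READ_ONCE(uhid->running))
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
			 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);

	return 0;
}

/* Handle a GET_REPORT reply from userspace; see uhid_report_wake_up(). */
static int uhid_dev_get_report_reply(struct uhid_device *uhid,
				     struct uhid_event *ev)
{
	if (!READ_ONCE(uhid->running))
		return -EINVAL;

	uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
	return 0;
}

/* Handle a SET_REPORT reply from userspace; see uhid_report_wake_up(). */
static int uhid_dev_set_report_reply(struct uhid_device *uhid,
				     struct uhid_event *ev)
{
	if (!READ_ONCE(uhid->running))
		return -EINVAL;

	uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
	return 0;
}

/*
 * open(): allocate and initialise a fresh, not yet running uhid instance and
 * attach it to the file. No HID device exists until userspace creates one.
 */
static int uhid_char_open(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid;

	uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
	if (!uhid)
		return -ENOMEM;

	mutex_init(&uhid->devlock);
	mutex_init(&uhid->report_lock);
	spin_lock_init(&uhid->qlock);
	init_waitqueue_head(&uhid->waitq);
	init_waitqueue_head(&uhid->report_wait);
	uhid->running = false;
	INIT_WORK(&uhid->worker, uhid_device_add_worker);

	file->private_data = uhid;
	stream_open(inode, file);

	return 0;
}

/*
 * release(): destroy the HID device if one exists (the -EINVAL for "none" is
 * ignored), then free the queued events and the instance itself.
 */
static int uhid_char_release(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid = file->private_data;
	unsigned int i;

	uhid_dev_destroy(uhid);

	/*
	 * Every slot is freed, not just tail..head.
	 * NOTE(review): this presumably relies on the read path clearing a
	 * slot once its event has been handed out; confirm in uhid_char_read().
	 */
	for (i = 0; i < UHID_BUFSIZE; ++i)
		kfree(uhid->outq[i]);

	kfree(uhid);

	return 0;
}

static ssize_t uhid_char_read(struct file *file, char __user *buffer,
				size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	int ret;
	unsigned long flags;
	size_t len;

	/* they need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

try_again:
	if (file->f_flags & O_NONBLOCK) {
		if (uhid->head == uhid->tail)
			return -EAGAIN;
	} else {
		ret = wait_event_interruptible(uhid->waitq,
						uhid->head != uhid->tail);
		if (ret)
			return ret;
	}

	ret = mutex_lock_interruptible(&uhid->devlock);
	if (ret)
		return ret;

	if (uhid->head == uhid->tail) {
		mutex_unlock(&uhid->devlock);
		goto try_again;
	} else {
		len = min(count, sizeof(**uhid->outq));
		if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
			ret = -EFAULT;
		} else {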
7098c2ecf20Sopenharmony_ci kfree(uhid->outq[uhid->tail]); 7108c2ecf20Sopenharmony_ci uhid->outq[uhid->tail] = NULL; 7118c2ecf20Sopenharmony_ci 7128c2ecf20Sopenharmony_ci spin_lock_irqsave(&uhid->qlock, flags); 7138c2ecf20Sopenharmony_ci uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE; 7148c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&uhid->qlock, flags); 7158c2ecf20Sopenharmony_ci } 7168c2ecf20Sopenharmony_ci } 7178c2ecf20Sopenharmony_ci 7188c2ecf20Sopenharmony_ci mutex_unlock(&uhid->devlock); 7198c2ecf20Sopenharmony_ci return ret ? ret : len; 7208c2ecf20Sopenharmony_ci} 7218c2ecf20Sopenharmony_ci 7228c2ecf20Sopenharmony_cistatic ssize_t uhid_char_write(struct file *file, const char __user *buffer, 7238c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 7248c2ecf20Sopenharmony_ci{ 7258c2ecf20Sopenharmony_ci struct uhid_device *uhid = file->private_data; 7268c2ecf20Sopenharmony_ci int ret; 7278c2ecf20Sopenharmony_ci size_t len; 7288c2ecf20Sopenharmony_ci 7298c2ecf20Sopenharmony_ci /* we need at least the "type" member of uhid_event */ 7308c2ecf20Sopenharmony_ci if (count < sizeof(__u32)) 7318c2ecf20Sopenharmony_ci return -EINVAL; 7328c2ecf20Sopenharmony_ci 7338c2ecf20Sopenharmony_ci ret = mutex_lock_interruptible(&uhid->devlock); 7348c2ecf20Sopenharmony_ci if (ret) 7358c2ecf20Sopenharmony_ci return ret; 7368c2ecf20Sopenharmony_ci 7378c2ecf20Sopenharmony_ci memset(&uhid->input_buf, 0, sizeof(uhid->input_buf)); 7388c2ecf20Sopenharmony_ci len = min(count, sizeof(uhid->input_buf)); 7398c2ecf20Sopenharmony_ci 7408c2ecf20Sopenharmony_ci ret = uhid_event_from_user(buffer, len, &uhid->input_buf); 7418c2ecf20Sopenharmony_ci if (ret) 7428c2ecf20Sopenharmony_ci goto unlock; 7438c2ecf20Sopenharmony_ci 7448c2ecf20Sopenharmony_ci switch (uhid->input_buf.type) { 7458c2ecf20Sopenharmony_ci case UHID_CREATE: 7468c2ecf20Sopenharmony_ci /* 7478c2ecf20Sopenharmony_ci * 'struct uhid_create_req' contains a __user pointer which is 7488c2ecf20Sopenharmony_ci * copied from, so it's unsafe to 
allow this with elevated 7498c2ecf20Sopenharmony_ci * privileges (e.g. from a setuid binary) or via kernel_write(). 7508c2ecf20Sopenharmony_ci */ 7518c2ecf20Sopenharmony_ci if (file->f_cred != current_cred() || uaccess_kernel()) { 7528c2ecf20Sopenharmony_ci pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", 7538c2ecf20Sopenharmony_ci task_tgid_vnr(current), current->comm); 7548c2ecf20Sopenharmony_ci ret = -EACCES; 7558c2ecf20Sopenharmony_ci goto unlock; 7568c2ecf20Sopenharmony_ci } 7578c2ecf20Sopenharmony_ci ret = uhid_dev_create(uhid, &uhid->input_buf); 7588c2ecf20Sopenharmony_ci break; 7598c2ecf20Sopenharmony_ci case UHID_CREATE2: 7608c2ecf20Sopenharmony_ci ret = uhid_dev_create2(uhid, &uhid->input_buf); 7618c2ecf20Sopenharmony_ci break; 7628c2ecf20Sopenharmony_ci case UHID_DESTROY: 7638c2ecf20Sopenharmony_ci ret = uhid_dev_destroy(uhid); 7648c2ecf20Sopenharmony_ci break; 7658c2ecf20Sopenharmony_ci case UHID_INPUT: 7668c2ecf20Sopenharmony_ci ret = uhid_dev_input(uhid, &uhid->input_buf); 7678c2ecf20Sopenharmony_ci break; 7688c2ecf20Sopenharmony_ci case UHID_INPUT2: 7698c2ecf20Sopenharmony_ci ret = uhid_dev_input2(uhid, &uhid->input_buf); 7708c2ecf20Sopenharmony_ci break; 7718c2ecf20Sopenharmony_ci case UHID_GET_REPORT_REPLY: 7728c2ecf20Sopenharmony_ci ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf); 7738c2ecf20Sopenharmony_ci break; 7748c2ecf20Sopenharmony_ci case UHID_SET_REPORT_REPLY: 7758c2ecf20Sopenharmony_ci ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf); 7768c2ecf20Sopenharmony_ci break; 7778c2ecf20Sopenharmony_ci default: 7788c2ecf20Sopenharmony_ci ret = -EOPNOTSUPP; 7798c2ecf20Sopenharmony_ci } 7808c2ecf20Sopenharmony_ci 7818c2ecf20Sopenharmony_ciunlock: 7828c2ecf20Sopenharmony_ci mutex_unlock(&uhid->devlock); 7838c2ecf20Sopenharmony_ci 7848c2ecf20Sopenharmony_ci /* return "count" not "len" to not confuse the caller */ 7858c2ecf20Sopenharmony_ci return ret ? 
ret : count; 7868c2ecf20Sopenharmony_ci} 7878c2ecf20Sopenharmony_ci 7888c2ecf20Sopenharmony_cistatic __poll_t uhid_char_poll(struct file *file, poll_table *wait) 7898c2ecf20Sopenharmony_ci{ 7908c2ecf20Sopenharmony_ci struct uhid_device *uhid = file->private_data; 7918c2ecf20Sopenharmony_ci __poll_t mask = EPOLLOUT | EPOLLWRNORM; /* uhid is always writable */ 7928c2ecf20Sopenharmony_ci 7938c2ecf20Sopenharmony_ci poll_wait(file, &uhid->waitq, wait); 7948c2ecf20Sopenharmony_ci 7958c2ecf20Sopenharmony_ci if (uhid->head != uhid->tail) 7968c2ecf20Sopenharmony_ci mask |= EPOLLIN | EPOLLRDNORM; 7978c2ecf20Sopenharmony_ci 7988c2ecf20Sopenharmony_ci return mask; 7998c2ecf20Sopenharmony_ci} 8008c2ecf20Sopenharmony_ci 8018c2ecf20Sopenharmony_cistatic const struct file_operations uhid_fops = { 8028c2ecf20Sopenharmony_ci .owner = THIS_MODULE, 8038c2ecf20Sopenharmony_ci .open = uhid_char_open, 8048c2ecf20Sopenharmony_ci .release = uhid_char_release, 8058c2ecf20Sopenharmony_ci .read = uhid_char_read, 8068c2ecf20Sopenharmony_ci .write = uhid_char_write, 8078c2ecf20Sopenharmony_ci .poll = uhid_char_poll, 8088c2ecf20Sopenharmony_ci .llseek = no_llseek, 8098c2ecf20Sopenharmony_ci}; 8108c2ecf20Sopenharmony_ci 8118c2ecf20Sopenharmony_cistatic struct miscdevice uhid_misc = { 8128c2ecf20Sopenharmony_ci .fops = &uhid_fops, 8138c2ecf20Sopenharmony_ci .minor = UHID_MINOR, 8148c2ecf20Sopenharmony_ci .name = UHID_NAME, 8158c2ecf20Sopenharmony_ci}; 8168c2ecf20Sopenharmony_cimodule_misc_device(uhid_misc); 8178c2ecf20Sopenharmony_ci 8188c2ecf20Sopenharmony_ciMODULE_LICENSE("GPL"); 8198c2ecf20Sopenharmony_ciMODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>"); 8208c2ecf20Sopenharmony_ciMODULE_DESCRIPTION("User-space I/O driver support for HID subsystem"); 8218c2ecf20Sopenharmony_ciMODULE_ALIAS_MISCDEV(UHID_MINOR); 8228c2ecf20Sopenharmony_ciMODULE_ALIAS("devname:" UHID_NAME); 823