1
2
3
4
5
6
7
8
9
10
11
12
13#include <linux/atomic.h>
14#include <linux/compat.h>
15#include <linux/device.h>
16#include <linux/fs.h>
17#include <linux/hid.h>
18#include <linux/input.h>
19#include <linux/miscdevice.h>
20#include <linux/module.h>
21#include <linux/mutex.h>
22#include <linux/poll.h>
23#include <linux/sched.h>
24#include <linux/spinlock.h>
25#include <linux/uhid.h>
26#include <linux/wait.h>
27
28#define UHID_NAME "uhid"
29#define UHID_BUFSIZE 32
30
31struct uhid_device {
32 struct mutex devlock;
33 bool running;
34
35 __u8 *rd_data;
36 uint rd_size;
37
38 struct hid_device *hid;
39 struct uhid_event input_buf;
40
41 wait_queue_head_t waitq;
42 spinlock_t qlock;
43 __u8 head;
44 __u8 tail;
45 struct uhid_event *outq[UHID_BUFSIZE];
46
47
48 struct mutex report_lock;
49 wait_queue_head_t report_wait;
50 bool report_running;
51 u32 report_id;
52 u32 report_type;
53 struct uhid_event report_buf;
54 struct work_struct worker;
55};
56
57static struct miscdevice uhid_misc;
58
59static void uhid_device_add_worker(struct work_struct *work)
60{
61 struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
62 int ret;
63
64 ret = hid_add_device(uhid->hid);
65 if (ret) {
66 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
67
68 hid_destroy_device(uhid->hid);
69 uhid->hid = NULL;
70 uhid->running = false;
71 }
72}
73
74static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
75{
76 __u8 newhead;
77
78 newhead = (uhid->head + 1) % UHID_BUFSIZE;
79
80 if (newhead != uhid->tail) {
81 uhid->outq[uhid->head] = ev;
82 uhid->head = newhead;
83 wake_up_interruptible(&uhid->waitq);
84 } else {
85 hid_warn(uhid->hid, "Output queue is full\n");
86 kfree(ev);
87 }
88}
89
90static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
91{
92 unsigned long flags;
93 struct uhid_event *ev;
94
95 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
96 if (!ev)
97 return -ENOMEM;
98
99 ev->type = event;
100
101 spin_lock_irqsave(&uhid->qlock, flags);
102 uhid_queue(uhid, ev);
103 spin_unlock_irqrestore(&uhid->qlock, flags);
104
105 return 0;
106}
107
108static int uhid_hid_start(struct hid_device *hid)
109{
110 struct uhid_device *uhid = hid->driver_data;
111 struct uhid_event *ev;
112 unsigned long flags;
113
114 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
115 if (!ev)
116 return -ENOMEM;
117
118 ev->type = UHID_START;
119
120 if (hid->report_enum[HID_FEATURE_REPORT].numbered)
121 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
122 if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
123 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
124 if (hid->report_enum[HID_INPUT_REPORT].numbered)
125 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;
126
127 spin_lock_irqsave(&uhid->qlock, flags);
128 uhid_queue(uhid, ev);
129 spin_unlock_irqrestore(&uhid->qlock, flags);
130
131 return 0;
132}
133
134static void uhid_hid_stop(struct hid_device *hid)
135{
136 struct uhid_device *uhid = hid->driver_data;
137
138 hid->claimed = 0;
139 uhid_queue_event(uhid, UHID_STOP);
140}
141
142static int uhid_hid_open(struct hid_device *hid)
143{
144 struct uhid_device *uhid = hid->driver_data;
145
146 return uhid_queue_event(uhid, UHID_OPEN);
147}
148
149static void uhid_hid_close(struct hid_device *hid)
150{
151 struct uhid_device *uhid = hid->driver_data;
152
153 uhid_queue_event(uhid, UHID_CLOSE);
154}
155
156static int uhid_hid_parse(struct hid_device *hid)
157{
158 struct uhid_device *uhid = hid->driver_data;
159
160 return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
161}
162
163
164static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
165 struct uhid_event *ev,
166 __u32 *report_id)
167{
168 unsigned long flags;
169 int ret;
170
171 spin_lock_irqsave(&uhid->qlock, flags);
172 *report_id = ++uhid->report_id;
173 uhid->report_type = ev->type + 1;
174 uhid->report_running = true;
175 uhid_queue(uhid, ev);
176 spin_unlock_irqrestore(&uhid->qlock, flags);
177
178 ret = wait_event_interruptible_timeout(uhid->report_wait,
179 !uhid->report_running || !uhid->running,
180 5 * HZ);
181 if (!ret || !uhid->running || uhid->report_running)
182 ret = -EIO;
183 else if (ret < 0)
184 ret = -ERESTARTSYS;
185 else
186 ret = 0;
187
188 uhid->report_running = false;
189
190 return ret;
191}
192
193static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
194 const struct uhid_event *ev)
195{
196 unsigned long flags;
197
198 spin_lock_irqsave(&uhid->qlock, flags);
199
200
201 if (uhid->report_type != ev->type || uhid->report_id != id)
202 goto unlock;
203 if (!uhid->report_running)
204 goto unlock;
205
206 memcpy(&uhid->report_buf, ev, sizeof(*ev));
207 uhid->report_running = false;
208 wake_up_interruptible(&uhid->report_wait);
209
210unlock:
211 spin_unlock_irqrestore(&uhid->qlock, flags);
212}
213
214static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
215 u8 *buf, size_t count, u8 rtype)
216{
217 struct uhid_device *uhid = hid->driver_data;
218 struct uhid_get_report_reply_req *req;
219 struct uhid_event *ev;
220 int ret;
221
222 if (!uhid->running)
223 return -EIO;
224
225 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
226 if (!ev)
227 return -ENOMEM;
228
229 ev->type = UHID_GET_REPORT;
230 ev->u.get_report.rnum = rnum;
231 ev->u.get_report.rtype = rtype;
232
233 ret = mutex_lock_interruptible(&uhid->report_lock);
234 if (ret) {
235 kfree(ev);
236 return ret;
237 }
238
239
240 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
241 if (ret)
242 goto unlock;
243
244 req = &uhid->report_buf.u.get_report_reply;
245 if (req->err) {
246 ret = -EIO;
247 } else {
248 ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
249 memcpy(buf, req->data, ret);
250 }
251
252unlock:
253 mutex_unlock(&uhid->report_lock);
254 return ret;
255}
256
257static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
258 const u8 *buf, size_t count, u8 rtype)
259{
260 struct uhid_device *uhid = hid->driver_data;
261 struct uhid_event *ev;
262 int ret;
263
264 if (!uhid->running || count > UHID_DATA_MAX)
265 return -EIO;
266
267 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
268 if (!ev)
269 return -ENOMEM;
270
271 ev->type = UHID_SET_REPORT;
272 ev->u.set_report.rnum = rnum;
273 ev->u.set_report.rtype = rtype;
274 ev->u.set_report.size = count;
275 memcpy(ev->u.set_report.data, buf, count);
276
277 ret = mutex_lock_interruptible(&uhid->report_lock);
278 if (ret) {
279 kfree(ev);
280 return ret;
281 }
282
283
284 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
285 if (ret)
286 goto unlock;
287
288 if (uhid->report_buf.u.set_report_reply.err)
289 ret = -EIO;
290 else
291 ret = count;
292
293unlock:
294 mutex_unlock(&uhid->report_lock);
295 return ret;
296}
297
298static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
299 __u8 *buf, size_t len, unsigned char rtype,
300 int reqtype)
301{
302 u8 u_rtype;
303
304 switch (rtype) {
305 case HID_FEATURE_REPORT:
306 u_rtype = UHID_FEATURE_REPORT;
307 break;
308 case HID_OUTPUT_REPORT:
309 u_rtype = UHID_OUTPUT_REPORT;
310 break;
311 case HID_INPUT_REPORT:
312 u_rtype = UHID_INPUT_REPORT;
313 break;
314 default:
315 return -EINVAL;
316 }
317
318 switch (reqtype) {
319 case HID_REQ_GET_REPORT:
320 return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
321 case HID_REQ_SET_REPORT:
322 return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
323 default:
324 return -EIO;
325 }
326}
327
328static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
329 unsigned char report_type)
330{
331 struct uhid_device *uhid = hid->driver_data;
332 __u8 rtype;
333 unsigned long flags;
334 struct uhid_event *ev;
335
336 switch (report_type) {
337 case HID_FEATURE_REPORT:
338 rtype = UHID_FEATURE_REPORT;
339 break;
340 case HID_OUTPUT_REPORT:
341 rtype = UHID_OUTPUT_REPORT;
342 break;
343 default:
344 return -EINVAL;
345 }
346
347 if (count < 1 || count > UHID_DATA_MAX)
348 return -EINVAL;
349
350 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
351 if (!ev)
352 return -ENOMEM;
353
354 ev->type = UHID_OUTPUT;
355 ev->u.output.size = count;
356 ev->u.output.rtype = rtype;
357 memcpy(ev->u.output.data, buf, count);
358
359 spin_lock_irqsave(&uhid->qlock, flags);
360 uhid_queue(uhid, ev);
361 spin_unlock_irqrestore(&uhid->qlock, flags);
362
363 return count;
364}
365
366static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
367 size_t count)
368{
369 return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
370}
371
372static struct hid_ll_driver uhid_hid_driver = {
373 .start = uhid_hid_start,
374 .stop = uhid_hid_stop,
375 .open = uhid_hid_open,
376 .close = uhid_hid_close,
377 .parse = uhid_hid_parse,
378 .raw_request = uhid_hid_raw_request,
379 .output_report = uhid_hid_output_report,
380};
381
382#ifdef CONFIG_COMPAT
383
384
385struct uhid_create_req_compat {
386 __u8 name[128];
387 __u8 phys[64];
388 __u8 uniq[64];
389
390 compat_uptr_t rd_data;
391 __u16 rd_size;
392
393 __u16 bus;
394 __u32 vendor;
395 __u32 product;
396 __u32 version;
397 __u32 country;
398} __attribute__((__packed__));
399
400static int uhid_event_from_user(const char __user *buffer, size_t len,
401 struct uhid_event *event)
402{
403 if (in_compat_syscall()) {
404 u32 type;
405
406 if (get_user(type, buffer))
407 return -EFAULT;
408
409 if (type == UHID_CREATE) {
410
411
412
413
414
415 struct uhid_create_req_compat *compat;
416
417 compat = kzalloc(sizeof(*compat), GFP_KERNEL);
418 if (!compat)
419 return -ENOMEM;
420
421 buffer += sizeof(type);
422 len -= sizeof(type);
423 if (copy_from_user(compat, buffer,
424 min(len, sizeof(*compat)))) {
425 kfree(compat);
426 return -EFAULT;
427 }
428
429
430 event->type = type;
431
432 memcpy(event->u.create.name, compat->name,
433 sizeof(compat->name));
434 memcpy(event->u.create.phys, compat->phys,
435 sizeof(compat->phys));
436 memcpy(event->u.create.uniq, compat->uniq,
437 sizeof(compat->uniq));
438
439 event->u.create.rd_data = compat_ptr(compat->rd_data);
440 event->u.create.rd_size = compat->rd_size;
441
442 event->u.create.bus = compat->bus;
443 event->u.create.vendor = compat->vendor;
444 event->u.create.product = compat->product;
445 event->u.create.version = compat->version;
446 event->u.create.country = compat->country;
447
448 kfree(compat);
449 return 0;
450 }
451
452 }
453
454 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
455 return -EFAULT;
456
457 return 0;
458}
459#else
460static int uhid_event_from_user(const char __user *buffer, size_t len,
461 struct uhid_event *event)
462{
463 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
464 return -EFAULT;
465
466 return 0;
467}
468#endif
469
470static int uhid_dev_create2(struct uhid_device *uhid,
471 const struct uhid_event *ev)
472{
473 struct hid_device *hid;
474 size_t rd_size, len;
475 void *rd_data;
476 int ret;
477
478 if (uhid->running)
479 return -EALREADY;
480
481 rd_size = ev->u.create2.rd_size;
482 if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
483 return -EINVAL;
484
485 rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
486 if (!rd_data)
487 return -ENOMEM;
488
489 uhid->rd_size = rd_size;
490 uhid->rd_data = rd_data;
491
492 hid = hid_allocate_device();
493 if (IS_ERR(hid)) {
494 ret = PTR_ERR(hid);
495 goto err_free;
496 }
497
498 len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
499 strncpy(hid->name, ev->u.create2.name, len);
500 len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
501 strncpy(hid->phys, ev->u.create2.phys, len);
502 len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
503 strncpy(hid->uniq, ev->u.create2.uniq, len);
504
505 hid->ll_driver = &uhid_hid_driver;
506 hid->bus = ev->u.create2.bus;
507 hid->vendor = ev->u.create2.vendor;
508 hid->product = ev->u.create2.product;
509 hid->version = ev->u.create2.version;
510 hid->country = ev->u.create2.country;
511 hid->driver_data = uhid;
512 hid->dev.parent = uhid_misc.this_device;
513
514 uhid->hid = hid;
515 uhid->running = true;
516
517
518
519
520
521 schedule_work(&uhid->worker);
522
523 return 0;
524
525err_free:
526 kfree(uhid->rd_data);
527 uhid->rd_data = NULL;
528 uhid->rd_size = 0;
529 return ret;
530}
531
532static int uhid_dev_create(struct uhid_device *uhid,
533 struct uhid_event *ev)
534{
535 struct uhid_create_req orig;
536
537 orig = ev->u.create;
538
539 if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
540 return -EINVAL;
541 if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
542 return -EFAULT;
543
544 memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
545 memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
546 memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
547 ev->u.create2.rd_size = orig.rd_size;
548 ev->u.create2.bus = orig.bus;
549 ev->u.create2.vendor = orig.vendor;
550 ev->u.create2.product = orig.product;
551 ev->u.create2.version = orig.version;
552 ev->u.create2.country = orig.country;
553
554 return uhid_dev_create2(uhid, ev);
555}
556
557static int uhid_dev_destroy(struct uhid_device *uhid)
558{
559 if (!uhid->running)
560 return -EINVAL;
561
562 uhid->running = false;
563 wake_up_interruptible(&uhid->report_wait);
564
565 cancel_work_sync(&uhid->worker);
566
567 hid_destroy_device(uhid->hid);
568 kfree(uhid->rd_data);
569
570 return 0;
571}
572
573static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
574{
575 if (!uhid->running)
576 return -EINVAL;
577
578 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
579 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
580
581 return 0;
582}
583
584static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
585{
586 if (!uhid->running)
587 return -EINVAL;
588
589 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
590 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
591
592 return 0;
593}
594
595static int uhid_dev_get_report_reply(struct uhid_device *uhid,
596 struct uhid_event *ev)
597{
598 if (!uhid->running)
599 return -EINVAL;
600
601 uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
602 return 0;
603}
604
605static int uhid_dev_set_report_reply(struct uhid_device *uhid,
606 struct uhid_event *ev)
607{
608 if (!uhid->running)
609 return -EINVAL;
610
611 uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
612 return 0;
613}
614
615static int uhid_char_open(struct inode *inode, struct file *file)
616{
617 struct uhid_device *uhid;
618
619 uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
620 if (!uhid)
621 return -ENOMEM;
622
623 mutex_init(&uhid->devlock);
624 mutex_init(&uhid->report_lock);
625 spin_lock_init(&uhid->qlock);
626 init_waitqueue_head(&uhid->waitq);
627 init_waitqueue_head(&uhid->report_wait);
628 uhid->running = false;
629 INIT_WORK(&uhid->worker, uhid_device_add_worker);
630
631 file->private_data = uhid;
632 nonseekable_open(inode, file);
633
634 return 0;
635}
636
637static int uhid_char_release(struct inode *inode, struct file *file)
638{
639 struct uhid_device *uhid = file->private_data;
640 unsigned int i;
641
642 uhid_dev_destroy(uhid);
643
644 for (i = 0; i < UHID_BUFSIZE; ++i)
645 kfree(uhid->outq[i]);
646
647 kfree(uhid);
648
649 return 0;
650}
651
652static ssize_t uhid_char_read(struct file *file, char __user *buffer,
653 size_t count, loff_t *ppos)
654{
655 struct uhid_device *uhid = file->private_data;
656 int ret;
657 unsigned long flags;
658 size_t len;
659
660
661 if (count < sizeof(__u32))
662 return -EINVAL;
663
664try_again:
665 if (file->f_flags & O_NONBLOCK) {
666 if (uhid->head == uhid->tail)
667 return -EAGAIN;
668 } else {
669 ret = wait_event_interruptible(uhid->waitq,
670 uhid->head != uhid->tail);
671 if (ret)
672 return ret;
673 }
674
675 ret = mutex_lock_interruptible(&uhid->devlock);
676 if (ret)
677 return ret;
678
679 if (uhid->head == uhid->tail) {
680 mutex_unlock(&uhid->devlock);
681 goto try_again;
682 } else {
683 len = min(count, sizeof(**uhid->outq));
684 if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
685 ret = -EFAULT;
686 } else {
687 kfree(uhid->outq[uhid->tail]);
688 uhid->outq[uhid->tail] = NULL;
689
690 spin_lock_irqsave(&uhid->qlock, flags);
691 uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
692 spin_unlock_irqrestore(&uhid->qlock, flags);
693 }
694 }
695
696 mutex_unlock(&uhid->devlock);
697 return ret ? ret : len;
698}
699
700static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
701 size_t count, loff_t *ppos)
702{
703 struct uhid_device *uhid = file->private_data;
704 int ret;
705 size_t len;
706
707
708 if (count < sizeof(__u32))
709 return -EINVAL;
710
711 ret = mutex_lock_interruptible(&uhid->devlock);
712 if (ret)
713 return ret;
714
715 memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
716 len = min(count, sizeof(uhid->input_buf));
717
718 ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
719 if (ret)
720 goto unlock;
721
722 switch (uhid->input_buf.type) {
723 case UHID_CREATE:
724 ret = uhid_dev_create(uhid, &uhid->input_buf);
725 break;
726 case UHID_CREATE2:
727 ret = uhid_dev_create2(uhid, &uhid->input_buf);
728 break;
729 case UHID_DESTROY:
730 ret = uhid_dev_destroy(uhid);
731 break;
732 case UHID_INPUT:
733 ret = uhid_dev_input(uhid, &uhid->input_buf);
734 break;
735 case UHID_INPUT2:
736 ret = uhid_dev_input2(uhid, &uhid->input_buf);
737 break;
738 case UHID_GET_REPORT_REPLY:
739 ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
740 break;
741 case UHID_SET_REPORT_REPLY:
742 ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
743 break;
744 default:
745 ret = -EOPNOTSUPP;
746 }
747
748unlock:
749 mutex_unlock(&uhid->devlock);
750
751
752 return ret ? ret : count;
753}
754
755static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
756{
757 struct uhid_device *uhid = file->private_data;
758
759 poll_wait(file, &uhid->waitq, wait);
760
761 if (uhid->head != uhid->tail)
762 return POLLIN | POLLRDNORM;
763
764 return 0;
765}
766
767static const struct file_operations uhid_fops = {
768 .owner = THIS_MODULE,
769 .open = uhid_char_open,
770 .release = uhid_char_release,
771 .read = uhid_char_read,
772 .write = uhid_char_write,
773 .poll = uhid_char_poll,
774 .llseek = no_llseek,
775};
776
777static struct miscdevice uhid_misc = {
778 .fops = &uhid_fops,
779 .minor = UHID_MINOR,
780 .name = UHID_NAME,
781};
782
783static int __init uhid_init(void)
784{
785 return misc_register(&uhid_misc);
786}
787
788static void __exit uhid_exit(void)
789{
790 misc_deregister(&uhid_misc);
791}
792
793module_init(uhid_init);
794module_exit(uhid_exit);
795MODULE_LICENSE("GPL");
796MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
797MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
798MODULE_ALIAS_MISCDEV(UHID_MINOR);
799MODULE_ALIAS("devname:" UHID_NAME);
800
