1
2
3
4
5
6
7
8
9
10
11
12
13#include <linux/atomic.h>
14#include <linux/compat.h>
15#include <linux/cred.h>
16#include <linux/device.h>
17#include <linux/fs.h>
18#include <linux/hid.h>
19#include <linux/input.h>
20#include <linux/miscdevice.h>
21#include <linux/module.h>
22#include <linux/mutex.h>
23#include <linux/poll.h>
24#include <linux/sched.h>
25#include <linux/spinlock.h>
26#include <linux/uhid.h>
27#include <linux/wait.h>
28
29#define UHID_NAME "uhid"
30#define UHID_BUFSIZE 32
31
32struct uhid_device {
33 struct mutex devlock;
34 bool running;
35
36 __u8 *rd_data;
37 uint rd_size;
38
39 struct hid_device *hid;
40 struct uhid_event input_buf;
41
42 wait_queue_head_t waitq;
43 spinlock_t qlock;
44 __u8 head;
45 __u8 tail;
46 struct uhid_event *outq[UHID_BUFSIZE];
47
48
49 struct mutex report_lock;
50 wait_queue_head_t report_wait;
51 bool report_running;
52 u32 report_id;
53 u32 report_type;
54 struct uhid_event report_buf;
55 struct work_struct worker;
56};
57
58static struct miscdevice uhid_misc;
59
60static void uhid_device_add_worker(struct work_struct *work)
61{
62 struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
63 int ret;
64
65 ret = hid_add_device(uhid->hid);
66 if (ret) {
67 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
68
69 hid_destroy_device(uhid->hid);
70 uhid->hid = NULL;
71 uhid->running = false;
72 }
73}
74
75static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
76{
77 __u8 newhead;
78
79 newhead = (uhid->head + 1) % UHID_BUFSIZE;
80
81 if (newhead != uhid->tail) {
82 uhid->outq[uhid->head] = ev;
83 uhid->head = newhead;
84 wake_up_interruptible(&uhid->waitq);
85 } else {
86 hid_warn(uhid->hid, "Output queue is full\n");
87 kfree(ev);
88 }
89}
90
91static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
92{
93 unsigned long flags;
94 struct uhid_event *ev;
95
96 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
97 if (!ev)
98 return -ENOMEM;
99
100 ev->type = event;
101
102 spin_lock_irqsave(&uhid->qlock, flags);
103 uhid_queue(uhid, ev);
104 spin_unlock_irqrestore(&uhid->qlock, flags);
105
106 return 0;
107}
108
109static int uhid_hid_start(struct hid_device *hid)
110{
111 struct uhid_device *uhid = hid->driver_data;
112 struct uhid_event *ev;
113 unsigned long flags;
114
115 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
116 if (!ev)
117 return -ENOMEM;
118
119 ev->type = UHID_START;
120
121 if (hid->report_enum[HID_FEATURE_REPORT].numbered)
122 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
123 if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
124 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
125 if (hid->report_enum[HID_INPUT_REPORT].numbered)
126 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;
127
128 spin_lock_irqsave(&uhid->qlock, flags);
129 uhid_queue(uhid, ev);
130 spin_unlock_irqrestore(&uhid->qlock, flags);
131
132 return 0;
133}
134
135static void uhid_hid_stop(struct hid_device *hid)
136{
137 struct uhid_device *uhid = hid->driver_data;
138
139 hid->claimed = 0;
140 uhid_queue_event(uhid, UHID_STOP);
141}
142
143static int uhid_hid_open(struct hid_device *hid)
144{
145 struct uhid_device *uhid = hid->driver_data;
146
147 return uhid_queue_event(uhid, UHID_OPEN);
148}
149
150static void uhid_hid_close(struct hid_device *hid)
151{
152 struct uhid_device *uhid = hid->driver_data;
153
154 uhid_queue_event(uhid, UHID_CLOSE);
155}
156
157static int uhid_hid_parse(struct hid_device *hid)
158{
159 struct uhid_device *uhid = hid->driver_data;
160
161 return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
162}
163
164
165static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
166 struct uhid_event *ev,
167 __u32 *report_id)
168{
169 unsigned long flags;
170 int ret;
171
172 spin_lock_irqsave(&uhid->qlock, flags);
173 *report_id = ++uhid->report_id;
174 uhid->report_type = ev->type + 1;
175 uhid->report_running = true;
176 uhid_queue(uhid, ev);
177 spin_unlock_irqrestore(&uhid->qlock, flags);
178
179 ret = wait_event_interruptible_timeout(uhid->report_wait,
180 !uhid->report_running || !uhid->running,
181 5 * HZ);
182 if (!ret || !uhid->running || uhid->report_running)
183 ret = -EIO;
184 else if (ret < 0)
185 ret = -ERESTARTSYS;
186 else
187 ret = 0;
188
189 uhid->report_running = false;
190
191 return ret;
192}
193
194static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
195 const struct uhid_event *ev)
196{
197 unsigned long flags;
198
199 spin_lock_irqsave(&uhid->qlock, flags);
200
201
202 if (uhid->report_type != ev->type || uhid->report_id != id)
203 goto unlock;
204 if (!uhid->report_running)
205 goto unlock;
206
207 memcpy(&uhid->report_buf, ev, sizeof(*ev));
208 uhid->report_running = false;
209 wake_up_interruptible(&uhid->report_wait);
210
211unlock:
212 spin_unlock_irqrestore(&uhid->qlock, flags);
213}
214
215static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
216 u8 *buf, size_t count, u8 rtype)
217{
218 struct uhid_device *uhid = hid->driver_data;
219 struct uhid_get_report_reply_req *req;
220 struct uhid_event *ev;
221 int ret;
222
223 if (!uhid->running)
224 return -EIO;
225
226 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
227 if (!ev)
228 return -ENOMEM;
229
230 ev->type = UHID_GET_REPORT;
231 ev->u.get_report.rnum = rnum;
232 ev->u.get_report.rtype = rtype;
233
234 ret = mutex_lock_interruptible(&uhid->report_lock);
235 if (ret) {
236 kfree(ev);
237 return ret;
238 }
239
240
241 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
242 if (ret)
243 goto unlock;
244
245 req = &uhid->report_buf.u.get_report_reply;
246 if (req->err) {
247 ret = -EIO;
248 } else {
249 ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
250 memcpy(buf, req->data, ret);
251 }
252
253unlock:
254 mutex_unlock(&uhid->report_lock);
255 return ret;
256}
257
258static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
259 const u8 *buf, size_t count, u8 rtype)
260{
261 struct uhid_device *uhid = hid->driver_data;
262 struct uhid_event *ev;
263 int ret;
264
265 if (!uhid->running || count > UHID_DATA_MAX)
266 return -EIO;
267
268 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
269 if (!ev)
270 return -ENOMEM;
271
272 ev->type = UHID_SET_REPORT;
273 ev->u.set_report.rnum = rnum;
274 ev->u.set_report.rtype = rtype;
275 ev->u.set_report.size = count;
276 memcpy(ev->u.set_report.data, buf, count);
277
278 ret = mutex_lock_interruptible(&uhid->report_lock);
279 if (ret) {
280 kfree(ev);
281 return ret;
282 }
283
284
285 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
286 if (ret)
287 goto unlock;
288
289 if (uhid->report_buf.u.set_report_reply.err)
290 ret = -EIO;
291 else
292 ret = count;
293
294unlock:
295 mutex_unlock(&uhid->report_lock);
296 return ret;
297}
298
299static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
300 __u8 *buf, size_t len, unsigned char rtype,
301 int reqtype)
302{
303 u8 u_rtype;
304
305 switch (rtype) {
306 case HID_FEATURE_REPORT:
307 u_rtype = UHID_FEATURE_REPORT;
308 break;
309 case HID_OUTPUT_REPORT:
310 u_rtype = UHID_OUTPUT_REPORT;
311 break;
312 case HID_INPUT_REPORT:
313 u_rtype = UHID_INPUT_REPORT;
314 break;
315 default:
316 return -EINVAL;
317 }
318
319 switch (reqtype) {
320 case HID_REQ_GET_REPORT:
321 return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
322 case HID_REQ_SET_REPORT:
323 return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
324 default:
325 return -EIO;
326 }
327}
328
329static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
330 unsigned char report_type)
331{
332 struct uhid_device *uhid = hid->driver_data;
333 __u8 rtype;
334 unsigned long flags;
335 struct uhid_event *ev;
336
337 switch (report_type) {
338 case HID_FEATURE_REPORT:
339 rtype = UHID_FEATURE_REPORT;
340 break;
341 case HID_OUTPUT_REPORT:
342 rtype = UHID_OUTPUT_REPORT;
343 break;
344 default:
345 return -EINVAL;
346 }
347
348 if (count < 1 || count > UHID_DATA_MAX)
349 return -EINVAL;
350
351 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
352 if (!ev)
353 return -ENOMEM;
354
355 ev->type = UHID_OUTPUT;
356 ev->u.output.size = count;
357 ev->u.output.rtype = rtype;
358 memcpy(ev->u.output.data, buf, count);
359
360 spin_lock_irqsave(&uhid->qlock, flags);
361 uhid_queue(uhid, ev);
362 spin_unlock_irqrestore(&uhid->qlock, flags);
363
364 return count;
365}
366
367static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
368 size_t count)
369{
370 return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
371}
372
373struct hid_ll_driver uhid_hid_driver = {
374 .start = uhid_hid_start,
375 .stop = uhid_hid_stop,
376 .open = uhid_hid_open,
377 .close = uhid_hid_close,
378 .parse = uhid_hid_parse,
379 .raw_request = uhid_hid_raw_request,
380 .output_report = uhid_hid_output_report,
381};
382EXPORT_SYMBOL_GPL(uhid_hid_driver);
383
384#ifdef CONFIG_COMPAT
385
386
387struct uhid_create_req_compat {
388 __u8 name[128];
389 __u8 phys[64];
390 __u8 uniq[64];
391
392 compat_uptr_t rd_data;
393 __u16 rd_size;
394
395 __u16 bus;
396 __u32 vendor;
397 __u32 product;
398 __u32 version;
399 __u32 country;
400} __attribute__((__packed__));
401
402static int uhid_event_from_user(const char __user *buffer, size_t len,
403 struct uhid_event *event)
404{
405 if (in_compat_syscall()) {
406 u32 type;
407
408 if (get_user(type, buffer))
409 return -EFAULT;
410
411 if (type == UHID_CREATE) {
412
413
414
415
416
417 struct uhid_create_req_compat *compat;
418
419 compat = kzalloc(sizeof(*compat), GFP_KERNEL);
420 if (!compat)
421 return -ENOMEM;
422
423 buffer += sizeof(type);
424 len -= sizeof(type);
425 if (copy_from_user(compat, buffer,
426 min(len, sizeof(*compat)))) {
427 kfree(compat);
428 return -EFAULT;
429 }
430
431
432 event->type = type;
433
434 memcpy(event->u.create.name, compat->name,
435 sizeof(compat->name));
436 memcpy(event->u.create.phys, compat->phys,
437 sizeof(compat->phys));
438 memcpy(event->u.create.uniq, compat->uniq,
439 sizeof(compat->uniq));
440
441 event->u.create.rd_data = compat_ptr(compat->rd_data);
442 event->u.create.rd_size = compat->rd_size;
443
444 event->u.create.bus = compat->bus;
445 event->u.create.vendor = compat->vendor;
446 event->u.create.product = compat->product;
447 event->u.create.version = compat->version;
448 event->u.create.country = compat->country;
449
450 kfree(compat);
451 return 0;
452 }
453
454 }
455
456 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
457 return -EFAULT;
458
459 return 0;
460}
461#else
462static int uhid_event_from_user(const char __user *buffer, size_t len,
463 struct uhid_event *event)
464{
465 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
466 return -EFAULT;
467
468 return 0;
469}
470#endif
471
472static int uhid_dev_create2(struct uhid_device *uhid,
473 const struct uhid_event *ev)
474{
475 struct hid_device *hid;
476 size_t rd_size, len;
477 void *rd_data;
478 int ret;
479
480 if (uhid->running)
481 return -EALREADY;
482
483 rd_size = ev->u.create2.rd_size;
484 if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
485 return -EINVAL;
486
487 rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
488 if (!rd_data)
489 return -ENOMEM;
490
491 uhid->rd_size = rd_size;
492 uhid->rd_data = rd_data;
493
494 hid = hid_allocate_device();
495 if (IS_ERR(hid)) {
496 ret = PTR_ERR(hid);
497 goto err_free;
498 }
499
500
501 len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
502 strncpy(hid->name, ev->u.create2.name, len);
503 len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
504 strncpy(hid->phys, ev->u.create2.phys, len);
505 len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
506 strncpy(hid->uniq, ev->u.create2.uniq, len);
507
508 hid->ll_driver = &uhid_hid_driver;
509 hid->bus = ev->u.create2.bus;
510 hid->vendor = ev->u.create2.vendor;
511 hid->product = ev->u.create2.product;
512 hid->version = ev->u.create2.version;
513 hid->country = ev->u.create2.country;
514 hid->driver_data = uhid;
515 hid->dev.parent = uhid_misc.this_device;
516
517 uhid->hid = hid;
518 uhid->running = true;
519
520
521
522
523
524 schedule_work(&uhid->worker);
525
526 return 0;
527
528err_free:
529 kfree(uhid->rd_data);
530 uhid->rd_data = NULL;
531 uhid->rd_size = 0;
532 return ret;
533}
534
535static int uhid_dev_create(struct uhid_device *uhid,
536 struct uhid_event *ev)
537{
538 struct uhid_create_req orig;
539
540 orig = ev->u.create;
541
542 if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
543 return -EINVAL;
544 if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
545 return -EFAULT;
546
547 memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
548 memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
549 memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
550 ev->u.create2.rd_size = orig.rd_size;
551 ev->u.create2.bus = orig.bus;
552 ev->u.create2.vendor = orig.vendor;
553 ev->u.create2.product = orig.product;
554 ev->u.create2.version = orig.version;
555 ev->u.create2.country = orig.country;
556
557 return uhid_dev_create2(uhid, ev);
558}
559
560static int uhid_dev_destroy(struct uhid_device *uhid)
561{
562 if (!uhid->running)
563 return -EINVAL;
564
565 uhid->running = false;
566 wake_up_interruptible(&uhid->report_wait);
567
568 cancel_work_sync(&uhid->worker);
569
570 hid_destroy_device(uhid->hid);
571 kfree(uhid->rd_data);
572
573 return 0;
574}
575
576static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
577{
578 if (!uhid->running)
579 return -EINVAL;
580
581 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
582 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
583
584 return 0;
585}
586
587static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
588{
589 if (!uhid->running)
590 return -EINVAL;
591
592 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
593 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
594
595 return 0;
596}
597
598static int uhid_dev_get_report_reply(struct uhid_device *uhid,
599 struct uhid_event *ev)
600{
601 if (!uhid->running)
602 return -EINVAL;
603
604 uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
605 return 0;
606}
607
608static int uhid_dev_set_report_reply(struct uhid_device *uhid,
609 struct uhid_event *ev)
610{
611 if (!uhid->running)
612 return -EINVAL;
613
614 uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
615 return 0;
616}
617
618static int uhid_char_open(struct inode *inode, struct file *file)
619{
620 struct uhid_device *uhid;
621
622 uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
623 if (!uhid)
624 return -ENOMEM;
625
626 mutex_init(&uhid->devlock);
627 mutex_init(&uhid->report_lock);
628 spin_lock_init(&uhid->qlock);
629 init_waitqueue_head(&uhid->waitq);
630 init_waitqueue_head(&uhid->report_wait);
631 uhid->running = false;
632 INIT_WORK(&uhid->worker, uhid_device_add_worker);
633
634 file->private_data = uhid;
635 nonseekable_open(inode, file);
636
637 return 0;
638}
639
640static int uhid_char_release(struct inode *inode, struct file *file)
641{
642 struct uhid_device *uhid = file->private_data;
643 unsigned int i;
644
645 uhid_dev_destroy(uhid);
646
647 for (i = 0; i < UHID_BUFSIZE; ++i)
648 kfree(uhid->outq[i]);
649
650 kfree(uhid);
651
652 return 0;
653}
654
655static ssize_t uhid_char_read(struct file *file, char __user *buffer,
656 size_t count, loff_t *ppos)
657{
658 struct uhid_device *uhid = file->private_data;
659 int ret;
660 unsigned long flags;
661 size_t len;
662
663
664 if (count < sizeof(__u32))
665 return -EINVAL;
666
667try_again:
668 if (file->f_flags & O_NONBLOCK) {
669 if (uhid->head == uhid->tail)
670 return -EAGAIN;
671 } else {
672 ret = wait_event_interruptible(uhid->waitq,
673 uhid->head != uhid->tail);
674 if (ret)
675 return ret;
676 }
677
678 ret = mutex_lock_interruptible(&uhid->devlock);
679 if (ret)
680 return ret;
681
682 if (uhid->head == uhid->tail) {
683 mutex_unlock(&uhid->devlock);
684 goto try_again;
685 } else {
686 len = min(count, sizeof(**uhid->outq));
687 if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
688 ret = -EFAULT;
689 } else {
690 kfree(uhid->outq[uhid->tail]);
691 uhid->outq[uhid->tail] = NULL;
692
693 spin_lock_irqsave(&uhid->qlock, flags);
694 uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
695 spin_unlock_irqrestore(&uhid->qlock, flags);
696 }
697 }
698
699 mutex_unlock(&uhid->devlock);
700 return ret ? ret : len;
701}
702
703static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
704 size_t count, loff_t *ppos)
705{
706 struct uhid_device *uhid = file->private_data;
707 int ret;
708 size_t len;
709
710
711 if (count < sizeof(__u32))
712 return -EINVAL;
713
714 ret = mutex_lock_interruptible(&uhid->devlock);
715 if (ret)
716 return ret;
717
718 memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
719 len = min(count, sizeof(uhid->input_buf));
720
721 ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
722 if (ret)
723 goto unlock;
724
725 switch (uhid->input_buf.type) {
726 case UHID_CREATE:
727
728
729
730
731
732 if (file->f_cred != current_cred() || uaccess_kernel()) {
733 pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
734 task_tgid_vnr(current), current->comm);
735 ret = -EACCES;
736 goto unlock;
737 }
738 ret = uhid_dev_create(uhid, &uhid->input_buf);
739 break;
740 case UHID_CREATE2:
741 ret = uhid_dev_create2(uhid, &uhid->input_buf);
742 break;
743 case UHID_DESTROY:
744 ret = uhid_dev_destroy(uhid);
745 break;
746 case UHID_INPUT:
747 ret = uhid_dev_input(uhid, &uhid->input_buf);
748 break;
749 case UHID_INPUT2:
750 ret = uhid_dev_input2(uhid, &uhid->input_buf);
751 break;
752 case UHID_GET_REPORT_REPLY:
753 ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
754 break;
755 case UHID_SET_REPORT_REPLY:
756 ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
757 break;
758 default:
759 ret = -EOPNOTSUPP;
760 }
761
762unlock:
763 mutex_unlock(&uhid->devlock);
764
765
766 return ret ? ret : count;
767}
768
769static __poll_t uhid_char_poll(struct file *file, poll_table *wait)
770{
771 struct uhid_device *uhid = file->private_data;
772
773 poll_wait(file, &uhid->waitq, wait);
774
775 if (uhid->head != uhid->tail)
776 return EPOLLIN | EPOLLRDNORM;
777
778 return 0;
779}
780
781static const struct file_operations uhid_fops = {
782 .owner = THIS_MODULE,
783 .open = uhid_char_open,
784 .release = uhid_char_release,
785 .read = uhid_char_read,
786 .write = uhid_char_write,
787 .poll = uhid_char_poll,
788 .llseek = no_llseek,
789};
790
791static struct miscdevice uhid_misc = {
792 .fops = &uhid_fops,
793 .minor = UHID_MINOR,
794 .name = UHID_NAME,
795};
796module_misc_device(uhid_misc);
797
798MODULE_LICENSE("GPL");
799MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
800MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
801MODULE_ALIAS_MISCDEV(UHID_MINOR);
802MODULE_ALIAS("devname:" UHID_NAME);
803
