1
2
3
4
5
6
7
8
9
10#include <linux/atomic.h>
11#include <linux/compat.h>
12#include <linux/cred.h>
13#include <linux/device.h>
14#include <linux/fs.h>
15#include <linux/hid.h>
16#include <linux/input.h>
17#include <linux/miscdevice.h>
18#include <linux/module.h>
19#include <linux/mutex.h>
20#include <linux/poll.h>
21#include <linux/sched.h>
22#include <linux/spinlock.h>
23#include <linux/uhid.h>
24#include <linux/wait.h>
25
26#define UHID_NAME "uhid"
27#define UHID_BUFSIZE 32
28
29struct uhid_device {
30 struct mutex devlock;
31 bool running;
32
33 __u8 *rd_data;
34 uint rd_size;
35
36 struct hid_device *hid;
37 struct uhid_event input_buf;
38
39 wait_queue_head_t waitq;
40 spinlock_t qlock;
41 __u8 head;
42 __u8 tail;
43 struct uhid_event *outq[UHID_BUFSIZE];
44
45
46 struct mutex report_lock;
47 wait_queue_head_t report_wait;
48 bool report_running;
49 u32 report_id;
50 u32 report_type;
51 struct uhid_event report_buf;
52 struct work_struct worker;
53};
54
55static struct miscdevice uhid_misc;
56
57static void uhid_device_add_worker(struct work_struct *work)
58{
59 struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
60 int ret;
61
62 ret = hid_add_device(uhid->hid);
63 if (ret) {
64 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
65
66 hid_destroy_device(uhid->hid);
67 uhid->hid = NULL;
68 uhid->running = false;
69 }
70}
71
72static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
73{
74 __u8 newhead;
75
76 newhead = (uhid->head + 1) % UHID_BUFSIZE;
77
78 if (newhead != uhid->tail) {
79 uhid->outq[uhid->head] = ev;
80 uhid->head = newhead;
81 wake_up_interruptible(&uhid->waitq);
82 } else {
83 hid_warn(uhid->hid, "Output queue is full\n");
84 kfree(ev);
85 }
86}
87
88static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
89{
90 unsigned long flags;
91 struct uhid_event *ev;
92
93 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
94 if (!ev)
95 return -ENOMEM;
96
97 ev->type = event;
98
99 spin_lock_irqsave(&uhid->qlock, flags);
100 uhid_queue(uhid, ev);
101 spin_unlock_irqrestore(&uhid->qlock, flags);
102
103 return 0;
104}
105
106static int uhid_hid_start(struct hid_device *hid)
107{
108 struct uhid_device *uhid = hid->driver_data;
109 struct uhid_event *ev;
110 unsigned long flags;
111
112 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
113 if (!ev)
114 return -ENOMEM;
115
116 ev->type = UHID_START;
117
118 if (hid->report_enum[HID_FEATURE_REPORT].numbered)
119 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
120 if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
121 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
122 if (hid->report_enum[HID_INPUT_REPORT].numbered)
123 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;
124
125 spin_lock_irqsave(&uhid->qlock, flags);
126 uhid_queue(uhid, ev);
127 spin_unlock_irqrestore(&uhid->qlock, flags);
128
129 return 0;
130}
131
132static void uhid_hid_stop(struct hid_device *hid)
133{
134 struct uhid_device *uhid = hid->driver_data;
135
136 hid->claimed = 0;
137 uhid_queue_event(uhid, UHID_STOP);
138}
139
140static int uhid_hid_open(struct hid_device *hid)
141{
142 struct uhid_device *uhid = hid->driver_data;
143
144 return uhid_queue_event(uhid, UHID_OPEN);
145}
146
147static void uhid_hid_close(struct hid_device *hid)
148{
149 struct uhid_device *uhid = hid->driver_data;
150
151 uhid_queue_event(uhid, UHID_CLOSE);
152}
153
154static int uhid_hid_parse(struct hid_device *hid)
155{
156 struct uhid_device *uhid = hid->driver_data;
157
158 return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
159}
160
161
162static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
163 struct uhid_event *ev,
164 __u32 *report_id)
165{
166 unsigned long flags;
167 int ret;
168
169 spin_lock_irqsave(&uhid->qlock, flags);
170 *report_id = ++uhid->report_id;
171 uhid->report_type = ev->type + 1;
172 uhid->report_running = true;
173 uhid_queue(uhid, ev);
174 spin_unlock_irqrestore(&uhid->qlock, flags);
175
176 ret = wait_event_interruptible_timeout(uhid->report_wait,
177 !uhid->report_running || !uhid->running,
178 5 * HZ);
179 if (!ret || !uhid->running || uhid->report_running)
180 ret = -EIO;
181 else if (ret < 0)
182 ret = -ERESTARTSYS;
183 else
184 ret = 0;
185
186 uhid->report_running = false;
187
188 return ret;
189}
190
191static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
192 const struct uhid_event *ev)
193{
194 unsigned long flags;
195
196 spin_lock_irqsave(&uhid->qlock, flags);
197
198
199 if (uhid->report_type != ev->type || uhid->report_id != id)
200 goto unlock;
201 if (!uhid->report_running)
202 goto unlock;
203
204 memcpy(&uhid->report_buf, ev, sizeof(*ev));
205 uhid->report_running = false;
206 wake_up_interruptible(&uhid->report_wait);
207
208unlock:
209 spin_unlock_irqrestore(&uhid->qlock, flags);
210}
211
212static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
213 u8 *buf, size_t count, u8 rtype)
214{
215 struct uhid_device *uhid = hid->driver_data;
216 struct uhid_get_report_reply_req *req;
217 struct uhid_event *ev;
218 int ret;
219
220 if (!uhid->running)
221 return -EIO;
222
223 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
224 if (!ev)
225 return -ENOMEM;
226
227 ev->type = UHID_GET_REPORT;
228 ev->u.get_report.rnum = rnum;
229 ev->u.get_report.rtype = rtype;
230
231 ret = mutex_lock_interruptible(&uhid->report_lock);
232 if (ret) {
233 kfree(ev);
234 return ret;
235 }
236
237
238 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
239 if (ret)
240 goto unlock;
241
242 req = &uhid->report_buf.u.get_report_reply;
243 if (req->err) {
244 ret = -EIO;
245 } else {
246 ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
247 memcpy(buf, req->data, ret);
248 }
249
250unlock:
251 mutex_unlock(&uhid->report_lock);
252 return ret;
253}
254
255static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
256 const u8 *buf, size_t count, u8 rtype)
257{
258 struct uhid_device *uhid = hid->driver_data;
259 struct uhid_event *ev;
260 int ret;
261
262 if (!uhid->running || count > UHID_DATA_MAX)
263 return -EIO;
264
265 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
266 if (!ev)
267 return -ENOMEM;
268
269 ev->type = UHID_SET_REPORT;
270 ev->u.set_report.rnum = rnum;
271 ev->u.set_report.rtype = rtype;
272 ev->u.set_report.size = count;
273 memcpy(ev->u.set_report.data, buf, count);
274
275 ret = mutex_lock_interruptible(&uhid->report_lock);
276 if (ret) {
277 kfree(ev);
278 return ret;
279 }
280
281
282 ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
283 if (ret)
284 goto unlock;
285
286 if (uhid->report_buf.u.set_report_reply.err)
287 ret = -EIO;
288 else
289 ret = count;
290
291unlock:
292 mutex_unlock(&uhid->report_lock);
293 return ret;
294}
295
296static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
297 __u8 *buf, size_t len, unsigned char rtype,
298 int reqtype)
299{
300 u8 u_rtype;
301
302 switch (rtype) {
303 case HID_FEATURE_REPORT:
304 u_rtype = UHID_FEATURE_REPORT;
305 break;
306 case HID_OUTPUT_REPORT:
307 u_rtype = UHID_OUTPUT_REPORT;
308 break;
309 case HID_INPUT_REPORT:
310 u_rtype = UHID_INPUT_REPORT;
311 break;
312 default:
313 return -EINVAL;
314 }
315
316 switch (reqtype) {
317 case HID_REQ_GET_REPORT:
318 return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
319 case HID_REQ_SET_REPORT:
320 return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
321 default:
322 return -EIO;
323 }
324}
325
326static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
327 unsigned char report_type)
328{
329 struct uhid_device *uhid = hid->driver_data;
330 __u8 rtype;
331 unsigned long flags;
332 struct uhid_event *ev;
333
334 switch (report_type) {
335 case HID_FEATURE_REPORT:
336 rtype = UHID_FEATURE_REPORT;
337 break;
338 case HID_OUTPUT_REPORT:
339 rtype = UHID_OUTPUT_REPORT;
340 break;
341 default:
342 return -EINVAL;
343 }
344
345 if (count < 1 || count > UHID_DATA_MAX)
346 return -EINVAL;
347
348 ev = kzalloc(sizeof(*ev), GFP_KERNEL);
349 if (!ev)
350 return -ENOMEM;
351
352 ev->type = UHID_OUTPUT;
353 ev->u.output.size = count;
354 ev->u.output.rtype = rtype;
355 memcpy(ev->u.output.data, buf, count);
356
357 spin_lock_irqsave(&uhid->qlock, flags);
358 uhid_queue(uhid, ev);
359 spin_unlock_irqrestore(&uhid->qlock, flags);
360
361 return count;
362}
363
364static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
365 size_t count)
366{
367 return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
368}
369
370struct hid_ll_driver uhid_hid_driver = {
371 .start = uhid_hid_start,
372 .stop = uhid_hid_stop,
373 .open = uhid_hid_open,
374 .close = uhid_hid_close,
375 .parse = uhid_hid_parse,
376 .raw_request = uhid_hid_raw_request,
377 .output_report = uhid_hid_output_report,
378};
379EXPORT_SYMBOL_GPL(uhid_hid_driver);
380
381#ifdef CONFIG_COMPAT
382
383
384struct uhid_create_req_compat {
385 __u8 name[128];
386 __u8 phys[64];
387 __u8 uniq[64];
388
389 compat_uptr_t rd_data;
390 __u16 rd_size;
391
392 __u16 bus;
393 __u32 vendor;
394 __u32 product;
395 __u32 version;
396 __u32 country;
397} __attribute__((__packed__));
398
399static int uhid_event_from_user(const char __user *buffer, size_t len,
400 struct uhid_event *event)
401{
402 if (in_compat_syscall()) {
403 u32 type;
404
405 if (get_user(type, buffer))
406 return -EFAULT;
407
408 if (type == UHID_CREATE) {
409
410
411
412
413
414 struct uhid_create_req_compat *compat;
415
416 compat = kzalloc(sizeof(*compat), GFP_KERNEL);
417 if (!compat)
418 return -ENOMEM;
419
420 buffer += sizeof(type);
421 len -= sizeof(type);
422 if (copy_from_user(compat, buffer,
423 min(len, sizeof(*compat)))) {
424 kfree(compat);
425 return -EFAULT;
426 }
427
428
429 event->type = type;
430
431 memcpy(event->u.create.name, compat->name,
432 sizeof(compat->name));
433 memcpy(event->u.create.phys, compat->phys,
434 sizeof(compat->phys));
435 memcpy(event->u.create.uniq, compat->uniq,
436 sizeof(compat->uniq));
437
438 event->u.create.rd_data = compat_ptr(compat->rd_data);
439 event->u.create.rd_size = compat->rd_size;
440
441 event->u.create.bus = compat->bus;
442 event->u.create.vendor = compat->vendor;
443 event->u.create.product = compat->product;
444 event->u.create.version = compat->version;
445 event->u.create.country = compat->country;
446
447 kfree(compat);
448 return 0;
449 }
450
451 }
452
453 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
454 return -EFAULT;
455
456 return 0;
457}
458#else
459static int uhid_event_from_user(const char __user *buffer, size_t len,
460 struct uhid_event *event)
461{
462 if (copy_from_user(event, buffer, min(len, sizeof(*event))))
463 return -EFAULT;
464
465 return 0;
466}
467#endif
468
469static int uhid_dev_create2(struct uhid_device *uhid,
470 const struct uhid_event *ev)
471{
472 struct hid_device *hid;
473 size_t rd_size, len;
474 void *rd_data;
475 int ret;
476
477 if (uhid->running)
478 return -EALREADY;
479
480 rd_size = ev->u.create2.rd_size;
481 if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
482 return -EINVAL;
483
484 rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
485 if (!rd_data)
486 return -ENOMEM;
487
488 uhid->rd_size = rd_size;
489 uhid->rd_data = rd_data;
490
491 hid = hid_allocate_device();
492 if (IS_ERR(hid)) {
493 ret = PTR_ERR(hid);
494 goto err_free;
495 }
496
497
498 len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
499 strncpy(hid->name, ev->u.create2.name, len);
500 len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
501 strncpy(hid->phys, ev->u.create2.phys, len);
502 len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
503 strncpy(hid->uniq, ev->u.create2.uniq, len);
504
505 hid->ll_driver = &uhid_hid_driver;
506 hid->bus = ev->u.create2.bus;
507 hid->vendor = ev->u.create2.vendor;
508 hid->product = ev->u.create2.product;
509 hid->version = ev->u.create2.version;
510 hid->country = ev->u.create2.country;
511 hid->driver_data = uhid;
512 hid->dev.parent = uhid_misc.this_device;
513
514 uhid->hid = hid;
515 uhid->running = true;
516
517
518
519
520
521 schedule_work(&uhid->worker);
522
523 return 0;
524
525err_free:
526 kfree(uhid->rd_data);
527 uhid->rd_data = NULL;
528 uhid->rd_size = 0;
529 return ret;
530}
531
532static int uhid_dev_create(struct uhid_device *uhid,
533 struct uhid_event *ev)
534{
535 struct uhid_create_req orig;
536
537 orig = ev->u.create;
538
539 if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
540 return -EINVAL;
541 if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
542 return -EFAULT;
543
544 memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
545 memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
546 memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
547 ev->u.create2.rd_size = orig.rd_size;
548 ev->u.create2.bus = orig.bus;
549 ev->u.create2.vendor = orig.vendor;
550 ev->u.create2.product = orig.product;
551 ev->u.create2.version = orig.version;
552 ev->u.create2.country = orig.country;
553
554 return uhid_dev_create2(uhid, ev);
555}
556
557static int uhid_dev_destroy(struct uhid_device *uhid)
558{
559 if (!uhid->running)
560 return -EINVAL;
561
562 uhid->running = false;
563 wake_up_interruptible(&uhid->report_wait);
564
565 cancel_work_sync(&uhid->worker);
566
567 hid_destroy_device(uhid->hid);
568 kfree(uhid->rd_data);
569
570 return 0;
571}
572
573static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
574{
575 if (!uhid->running)
576 return -EINVAL;
577
578 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
579 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
580
581 return 0;
582}
583
584static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
585{
586 if (!uhid->running)
587 return -EINVAL;
588
589 hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
590 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
591
592 return 0;
593}
594
595static int uhid_dev_get_report_reply(struct uhid_device *uhid,
596 struct uhid_event *ev)
597{
598 if (!uhid->running)
599 return -EINVAL;
600
601 uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
602 return 0;
603}
604
605static int uhid_dev_set_report_reply(struct uhid_device *uhid,
606 struct uhid_event *ev)
607{
608 if (!uhid->running)
609 return -EINVAL;
610
611 uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
612 return 0;
613}
614
615static int uhid_char_open(struct inode *inode, struct file *file)
616{
617 struct uhid_device *uhid;
618
619 uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
620 if (!uhid)
621 return -ENOMEM;
622
623 mutex_init(&uhid->devlock);
624 mutex_init(&uhid->report_lock);
625 spin_lock_init(&uhid->qlock);
626 init_waitqueue_head(&uhid->waitq);
627 init_waitqueue_head(&uhid->report_wait);
628 uhid->running = false;
629 INIT_WORK(&uhid->worker, uhid_device_add_worker);
630
631 file->private_data = uhid;
632 stream_open(inode, file);
633
634 return 0;
635}
636
637static int uhid_char_release(struct inode *inode, struct file *file)
638{
639 struct uhid_device *uhid = file->private_data;
640 unsigned int i;
641
642 uhid_dev_destroy(uhid);
643
644 for (i = 0; i < UHID_BUFSIZE; ++i)
645 kfree(uhid->outq[i]);
646
647 kfree(uhid);
648
649 return 0;
650}
651
652static ssize_t uhid_char_read(struct file *file, char __user *buffer,
653 size_t count, loff_t *ppos)
654{
655 struct uhid_device *uhid = file->private_data;
656 int ret;
657 unsigned long flags;
658 size_t len;
659
660
661 if (count < sizeof(__u32))
662 return -EINVAL;
663
664try_again:
665 if (file->f_flags & O_NONBLOCK) {
666 if (uhid->head == uhid->tail)
667 return -EAGAIN;
668 } else {
669 ret = wait_event_interruptible(uhid->waitq,
670 uhid->head != uhid->tail);
671 if (ret)
672 return ret;
673 }
674
675 ret = mutex_lock_interruptible(&uhid->devlock);
676 if (ret)
677 return ret;
678
679 if (uhid->head == uhid->tail) {
680 mutex_unlock(&uhid->devlock);
681 goto try_again;
682 } else {
683 len = min(count, sizeof(**uhid->outq));
684 if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
685 ret = -EFAULT;
686 } else {
687 kfree(uhid->outq[uhid->tail]);
688 uhid->outq[uhid->tail] = NULL;
689
690 spin_lock_irqsave(&uhid->qlock, flags);
691 uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
692 spin_unlock_irqrestore(&uhid->qlock, flags);
693 }
694 }
695
696 mutex_unlock(&uhid->devlock);
697 return ret ? ret : len;
698}
699
700static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
701 size_t count, loff_t *ppos)
702{
703 struct uhid_device *uhid = file->private_data;
704 int ret;
705 size_t len;
706
707
708 if (count < sizeof(__u32))
709 return -EINVAL;
710
711 ret = mutex_lock_interruptible(&uhid->devlock);
712 if (ret)
713 return ret;
714
715 memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
716 len = min(count, sizeof(uhid->input_buf));
717
718 ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
719 if (ret)
720 goto unlock;
721
722 switch (uhid->input_buf.type) {
723 case UHID_CREATE:
724
725
726
727
728
729 if (file->f_cred != current_cred() || uaccess_kernel()) {
730 pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
731 task_tgid_vnr(current), current->comm);
732 ret = -EACCES;
733 goto unlock;
734 }
735 ret = uhid_dev_create(uhid, &uhid->input_buf);
736 break;
737 case UHID_CREATE2:
738 ret = uhid_dev_create2(uhid, &uhid->input_buf);
739 break;
740 case UHID_DESTROY:
741 ret = uhid_dev_destroy(uhid);
742 break;
743 case UHID_INPUT:
744 ret = uhid_dev_input(uhid, &uhid->input_buf);
745 break;
746 case UHID_INPUT2:
747 ret = uhid_dev_input2(uhid, &uhid->input_buf);
748 break;
749 case UHID_GET_REPORT_REPLY:
750 ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
751 break;
752 case UHID_SET_REPORT_REPLY:
753 ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
754 break;
755 default:
756 ret = -EOPNOTSUPP;
757 }
758
759unlock:
760 mutex_unlock(&uhid->devlock);
761
762
763 return ret ? ret : count;
764}
765
766static __poll_t uhid_char_poll(struct file *file, poll_table *wait)
767{
768 struct uhid_device *uhid = file->private_data;
769 __poll_t mask = EPOLLOUT | EPOLLWRNORM;
770
771 poll_wait(file, &uhid->waitq, wait);
772
773 if (uhid->head != uhid->tail)
774 mask |= EPOLLIN | EPOLLRDNORM;
775
776 return mask;
777}
778
779static const struct file_operations uhid_fops = {
780 .owner = THIS_MODULE,
781 .open = uhid_char_open,
782 .release = uhid_char_release,
783 .read = uhid_char_read,
784 .write = uhid_char_write,
785 .poll = uhid_char_poll,
786 .llseek = no_llseek,
787};
788
789static struct miscdevice uhid_misc = {
790 .fops = &uhid_fops,
791 .minor = UHID_MINOR,
792 .name = UHID_NAME,
793};
794module_misc_device(uhid_misc);
795
796MODULE_LICENSE("GPL");
797MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
798MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
799MODULE_ALIAS_MISCDEV(UHID_MINOR);
800MODULE_ALIAS("devname:" UHID_NAME);
801
