xref: /openbmc/linux/drivers/hid/uhid.c (revision b34e08d5)
1 /*
2  * User-space I/O driver support for HID subsystem
3  * Copyright (c) 2012 David Herrmann
4  */
5 
6 /*
7  * This program is free software; you can redistribute it and/or modify it
8  * under the terms of the GNU General Public License as published by the Free
9  * Software Foundation; either version 2 of the License, or (at your option)
10  * any later version.
11  */
12 
13 #include <linux/atomic.h>
14 #include <linux/compat.h>
15 #include <linux/device.h>
16 #include <linux/fs.h>
17 #include <linux/hid.h>
18 #include <linux/input.h>
19 #include <linux/miscdevice.h>
20 #include <linux/module.h>
21 #include <linux/mutex.h>
22 #include <linux/poll.h>
23 #include <linux/sched.h>
24 #include <linux/spinlock.h>
25 #include <linux/uhid.h>
26 #include <linux/wait.h>
27 
28 #define UHID_NAME	"uhid"
29 #define UHID_BUFSIZE	32
30 
31 struct uhid_device {
32 	struct mutex devlock;
33 	bool running;
34 
35 	__u8 *rd_data;
36 	uint rd_size;
37 
38 	struct hid_device *hid;
39 	struct uhid_event input_buf;
40 
41 	wait_queue_head_t waitq;
42 	spinlock_t qlock;
43 	__u8 head;
44 	__u8 tail;
45 	struct uhid_event *outq[UHID_BUFSIZE];
46 
47 	struct mutex report_lock;
48 	wait_queue_head_t report_wait;
49 	atomic_t report_done;
50 	atomic_t report_id;
51 	struct uhid_event report_buf;
52 };
53 
54 static struct miscdevice uhid_misc;
55 
56 static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
57 {
58 	__u8 newhead;
59 
60 	newhead = (uhid->head + 1) % UHID_BUFSIZE;
61 
62 	if (newhead != uhid->tail) {
63 		uhid->outq[uhid->head] = ev;
64 		uhid->head = newhead;
65 		wake_up_interruptible(&uhid->waitq);
66 	} else {
67 		hid_warn(uhid->hid, "Output queue is full\n");
68 		kfree(ev);
69 	}
70 }
71 
72 static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
73 {
74 	unsigned long flags;
75 	struct uhid_event *ev;
76 
77 	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
78 	if (!ev)
79 		return -ENOMEM;
80 
81 	ev->type = event;
82 
83 	spin_lock_irqsave(&uhid->qlock, flags);
84 	uhid_queue(uhid, ev);
85 	spin_unlock_irqrestore(&uhid->qlock, flags);
86 
87 	return 0;
88 }
89 
90 static int uhid_hid_start(struct hid_device *hid)
91 {
92 	struct uhid_device *uhid = hid->driver_data;
93 
94 	return uhid_queue_event(uhid, UHID_START);
95 }
96 
97 static void uhid_hid_stop(struct hid_device *hid)
98 {
99 	struct uhid_device *uhid = hid->driver_data;
100 
101 	hid->claimed = 0;
102 	uhid_queue_event(uhid, UHID_STOP);
103 }
104 
105 static int uhid_hid_open(struct hid_device *hid)
106 {
107 	struct uhid_device *uhid = hid->driver_data;
108 
109 	return uhid_queue_event(uhid, UHID_OPEN);
110 }
111 
112 static void uhid_hid_close(struct hid_device *hid)
113 {
114 	struct uhid_device *uhid = hid->driver_data;
115 
116 	uhid_queue_event(uhid, UHID_CLOSE);
117 }
118 
119 static int uhid_hid_parse(struct hid_device *hid)
120 {
121 	struct uhid_device *uhid = hid->driver_data;
122 
123 	return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
124 }
125 
126 static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
127 			    __u8 *buf, size_t count, unsigned char rtype)
128 {
129 	struct uhid_device *uhid = hid->driver_data;
130 	__u8 report_type;
131 	struct uhid_event *ev;
132 	unsigned long flags;
133 	int ret;
134 	size_t uninitialized_var(len);
135 	struct uhid_feature_answer_req *req;
136 
137 	if (!uhid->running)
138 		return -EIO;
139 
140 	switch (rtype) {
141 	case HID_FEATURE_REPORT:
142 		report_type = UHID_FEATURE_REPORT;
143 		break;
144 	case HID_OUTPUT_REPORT:
145 		report_type = UHID_OUTPUT_REPORT;
146 		break;
147 	case HID_INPUT_REPORT:
148 		report_type = UHID_INPUT_REPORT;
149 		break;
150 	default:
151 		return -EINVAL;
152 	}
153 
154 	ret = mutex_lock_interruptible(&uhid->report_lock);
155 	if (ret)
156 		return ret;
157 
158 	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
159 	if (!ev) {
160 		ret = -ENOMEM;
161 		goto unlock;
162 	}
163 
164 	spin_lock_irqsave(&uhid->qlock, flags);
165 	ev->type = UHID_FEATURE;
166 	ev->u.feature.id = atomic_inc_return(&uhid->report_id);
167 	ev->u.feature.rnum = rnum;
168 	ev->u.feature.rtype = report_type;
169 
170 	atomic_set(&uhid->report_done, 0);
171 	uhid_queue(uhid, ev);
172 	spin_unlock_irqrestore(&uhid->qlock, flags);
173 
174 	ret = wait_event_interruptible_timeout(uhid->report_wait,
175 				atomic_read(&uhid->report_done), 5 * HZ);
176 
177 	/*
178 	 * Make sure "uhid->running" is cleared on shutdown before
179 	 * "uhid->report_done" is set.
180 	 */
181 	smp_rmb();
182 	if (!ret || !uhid->running) {
183 		ret = -EIO;
184 	} else if (ret < 0) {
185 		ret = -ERESTARTSYS;
186 	} else {
187 		spin_lock_irqsave(&uhid->qlock, flags);
188 		req = &uhid->report_buf.u.feature_answer;
189 
190 		if (req->err) {
191 			ret = -EIO;
192 		} else {
193 			ret = 0;
194 			len = min(count,
195 				min_t(size_t, req->size, UHID_DATA_MAX));
196 			memcpy(buf, req->data, len);
197 		}
198 
199 		spin_unlock_irqrestore(&uhid->qlock, flags);
200 	}
201 
202 	atomic_set(&uhid->report_done, 1);
203 
204 unlock:
205 	mutex_unlock(&uhid->report_lock);
206 	return ret ? ret : len;
207 }
208 
209 static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
210 			       unsigned char report_type)
211 {
212 	struct uhid_device *uhid = hid->driver_data;
213 	__u8 rtype;
214 	unsigned long flags;
215 	struct uhid_event *ev;
216 
217 	switch (report_type) {
218 	case HID_FEATURE_REPORT:
219 		rtype = UHID_FEATURE_REPORT;
220 		break;
221 	case HID_OUTPUT_REPORT:
222 		rtype = UHID_OUTPUT_REPORT;
223 		break;
224 	default:
225 		return -EINVAL;
226 	}
227 
228 	if (count < 1 || count > UHID_DATA_MAX)
229 		return -EINVAL;
230 
231 	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
232 	if (!ev)
233 		return -ENOMEM;
234 
235 	ev->type = UHID_OUTPUT;
236 	ev->u.output.size = count;
237 	ev->u.output.rtype = rtype;
238 	memcpy(ev->u.output.data, buf, count);
239 
240 	spin_lock_irqsave(&uhid->qlock, flags);
241 	uhid_queue(uhid, ev);
242 	spin_unlock_irqrestore(&uhid->qlock, flags);
243 
244 	return count;
245 }
246 
247 static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
248 				  size_t count)
249 {
250 	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
251 }
252 
253 static int uhid_raw_request(struct hid_device *hid, unsigned char reportnum,
254 			    __u8 *buf, size_t len, unsigned char rtype,
255 			    int reqtype)
256 {
257 	switch (reqtype) {
258 	case HID_REQ_GET_REPORT:
259 		return uhid_hid_get_raw(hid, reportnum, buf, len, rtype);
260 	case HID_REQ_SET_REPORT:
261 		/* TODO: implement proper SET_REPORT functionality */
262 		return -ENOSYS;
263 	default:
264 		return -EIO;
265 	}
266 }
267 
268 static struct hid_ll_driver uhid_hid_driver = {
269 	.start = uhid_hid_start,
270 	.stop = uhid_hid_stop,
271 	.open = uhid_hid_open,
272 	.close = uhid_hid_close,
273 	.parse = uhid_hid_parse,
274 	.output_report = uhid_hid_output_report,
275 	.raw_request = uhid_raw_request,
276 };
277 
278 #ifdef CONFIG_COMPAT
279 
280 /* Apparently we haven't stepped on these rakes enough times yet. */
281 struct uhid_create_req_compat {
282 	__u8 name[128];
283 	__u8 phys[64];
284 	__u8 uniq[64];
285 
286 	compat_uptr_t rd_data;
287 	__u16 rd_size;
288 
289 	__u16 bus;
290 	__u32 vendor;
291 	__u32 product;
292 	__u32 version;
293 	__u32 country;
294 } __attribute__((__packed__));
295 
296 static int uhid_event_from_user(const char __user *buffer, size_t len,
297 				struct uhid_event *event)
298 {
299 	if (is_compat_task()) {
300 		u32 type;
301 
302 		if (get_user(type, buffer))
303 			return -EFAULT;
304 
305 		if (type == UHID_CREATE) {
306 			/*
307 			 * This is our messed up request with compat pointer.
308 			 * It is largish (more than 256 bytes) so we better
309 			 * allocate it from the heap.
310 			 */
311 			struct uhid_create_req_compat *compat;
312 
313 			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
314 			if (!compat)
315 				return -ENOMEM;
316 
317 			buffer += sizeof(type);
318 			len -= sizeof(type);
319 			if (copy_from_user(compat, buffer,
320 					   min(len, sizeof(*compat)))) {
321 				kfree(compat);
322 				return -EFAULT;
323 			}
324 
325 			/* Shuffle the data over to proper structure */
326 			event->type = type;
327 
328 			memcpy(event->u.create.name, compat->name,
329 				sizeof(compat->name));
330 			memcpy(event->u.create.phys, compat->phys,
331 				sizeof(compat->phys));
332 			memcpy(event->u.create.uniq, compat->uniq,
333 				sizeof(compat->uniq));
334 
335 			event->u.create.rd_data = compat_ptr(compat->rd_data);
336 			event->u.create.rd_size = compat->rd_size;
337 
338 			event->u.create.bus = compat->bus;
339 			event->u.create.vendor = compat->vendor;
340 			event->u.create.product = compat->product;
341 			event->u.create.version = compat->version;
342 			event->u.create.country = compat->country;
343 
344 			kfree(compat);
345 			return 0;
346 		}
347 		/* All others can be copied directly */
348 	}
349 
350 	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
351 		return -EFAULT;
352 
353 	return 0;
354 }
355 #else
356 static int uhid_event_from_user(const char __user *buffer, size_t len,
357 				struct uhid_event *event)
358 {
359 	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
360 		return -EFAULT;
361 
362 	return 0;
363 }
364 #endif
365 
366 static int uhid_dev_create(struct uhid_device *uhid,
367 			   const struct uhid_event *ev)
368 {
369 	struct hid_device *hid;
370 	int ret;
371 
372 	if (uhid->running)
373 		return -EALREADY;
374 
375 	uhid->rd_size = ev->u.create.rd_size;
376 	if (uhid->rd_size <= 0 || uhid->rd_size > HID_MAX_DESCRIPTOR_SIZE)
377 		return -EINVAL;
378 
379 	uhid->rd_data = kmalloc(uhid->rd_size, GFP_KERNEL);
380 	if (!uhid->rd_data)
381 		return -ENOMEM;
382 
383 	if (copy_from_user(uhid->rd_data, ev->u.create.rd_data,
384 			   uhid->rd_size)) {
385 		ret = -EFAULT;
386 		goto err_free;
387 	}
388 
389 	hid = hid_allocate_device();
390 	if (IS_ERR(hid)) {
391 		ret = PTR_ERR(hid);
392 		goto err_free;
393 	}
394 
395 	strncpy(hid->name, ev->u.create.name, 127);
396 	hid->name[127] = 0;
397 	strncpy(hid->phys, ev->u.create.phys, 63);
398 	hid->phys[63] = 0;
399 	strncpy(hid->uniq, ev->u.create.uniq, 63);
400 	hid->uniq[63] = 0;
401 
402 	hid->ll_driver = &uhid_hid_driver;
403 	hid->bus = ev->u.create.bus;
404 	hid->vendor = ev->u.create.vendor;
405 	hid->product = ev->u.create.product;
406 	hid->version = ev->u.create.version;
407 	hid->country = ev->u.create.country;
408 	hid->driver_data = uhid;
409 	hid->dev.parent = uhid_misc.this_device;
410 
411 	uhid->hid = hid;
412 	uhid->running = true;
413 
414 	ret = hid_add_device(hid);
415 	if (ret) {
416 		hid_err(hid, "Cannot register HID device\n");
417 		goto err_hid;
418 	}
419 
420 	return 0;
421 
422 err_hid:
423 	hid_destroy_device(hid);
424 	uhid->hid = NULL;
425 	uhid->running = false;
426 err_free:
427 	kfree(uhid->rd_data);
428 	return ret;
429 }
430 
431 static int uhid_dev_create2(struct uhid_device *uhid,
432 			    const struct uhid_event *ev)
433 {
434 	struct hid_device *hid;
435 	int ret;
436 
437 	if (uhid->running)
438 		return -EALREADY;
439 
440 	uhid->rd_size = ev->u.create2.rd_size;
441 	if (uhid->rd_size <= 0 || uhid->rd_size > HID_MAX_DESCRIPTOR_SIZE)
442 		return -EINVAL;
443 
444 	uhid->rd_data = kmalloc(uhid->rd_size, GFP_KERNEL);
445 	if (!uhid->rd_data)
446 		return -ENOMEM;
447 
448 	memcpy(uhid->rd_data, ev->u.create2.rd_data, uhid->rd_size);
449 
450 	hid = hid_allocate_device();
451 	if (IS_ERR(hid)) {
452 		ret = PTR_ERR(hid);
453 		goto err_free;
454 	}
455 
456 	strncpy(hid->name, ev->u.create2.name, 127);
457 	hid->name[127] = 0;
458 	strncpy(hid->phys, ev->u.create2.phys, 63);
459 	hid->phys[63] = 0;
460 	strncpy(hid->uniq, ev->u.create2.uniq, 63);
461 	hid->uniq[63] = 0;
462 
463 	hid->ll_driver = &uhid_hid_driver;
464 	hid->bus = ev->u.create2.bus;
465 	hid->vendor = ev->u.create2.vendor;
466 	hid->product = ev->u.create2.product;
467 	hid->version = ev->u.create2.version;
468 	hid->country = ev->u.create2.country;
469 	hid->driver_data = uhid;
470 	hid->dev.parent = uhid_misc.this_device;
471 
472 	uhid->hid = hid;
473 	uhid->running = true;
474 
475 	ret = hid_add_device(hid);
476 	if (ret) {
477 		hid_err(hid, "Cannot register HID device\n");
478 		goto err_hid;
479 	}
480 
481 	return 0;
482 
483 err_hid:
484 	hid_destroy_device(hid);
485 	uhid->hid = NULL;
486 	uhid->running = false;
487 err_free:
488 	kfree(uhid->rd_data);
489 	return ret;
490 }
491 
492 static int uhid_dev_destroy(struct uhid_device *uhid)
493 {
494 	if (!uhid->running)
495 		return -EINVAL;
496 
497 	/* clear "running" before setting "report_done" */
498 	uhid->running = false;
499 	smp_wmb();
500 	atomic_set(&uhid->report_done, 1);
501 	wake_up_interruptible(&uhid->report_wait);
502 
503 	hid_destroy_device(uhid->hid);
504 	kfree(uhid->rd_data);
505 
506 	return 0;
507 }
508 
509 static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
510 {
511 	if (!uhid->running)
512 		return -EINVAL;
513 
514 	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
515 			 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
516 
517 	return 0;
518 }
519 
520 static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
521 {
522 	if (!uhid->running)
523 		return -EINVAL;
524 
525 	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
526 			 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
527 
528 	return 0;
529 }
530 
531 static int uhid_dev_feature_answer(struct uhid_device *uhid,
532 				   struct uhid_event *ev)
533 {
534 	unsigned long flags;
535 
536 	if (!uhid->running)
537 		return -EINVAL;
538 
539 	spin_lock_irqsave(&uhid->qlock, flags);
540 
541 	/* id for old report; drop it silently */
542 	if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id)
543 		goto unlock;
544 	if (atomic_read(&uhid->report_done))
545 		goto unlock;
546 
547 	memcpy(&uhid->report_buf, ev, sizeof(*ev));
548 	atomic_set(&uhid->report_done, 1);
549 	wake_up_interruptible(&uhid->report_wait);
550 
551 unlock:
552 	spin_unlock_irqrestore(&uhid->qlock, flags);
553 	return 0;
554 }
555 
556 static int uhid_char_open(struct inode *inode, struct file *file)
557 {
558 	struct uhid_device *uhid;
559 
560 	uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
561 	if (!uhid)
562 		return -ENOMEM;
563 
564 	mutex_init(&uhid->devlock);
565 	mutex_init(&uhid->report_lock);
566 	spin_lock_init(&uhid->qlock);
567 	init_waitqueue_head(&uhid->waitq);
568 	init_waitqueue_head(&uhid->report_wait);
569 	uhid->running = false;
570 	atomic_set(&uhid->report_done, 1);
571 
572 	file->private_data = uhid;
573 	nonseekable_open(inode, file);
574 
575 	return 0;
576 }
577 
578 static int uhid_char_release(struct inode *inode, struct file *file)
579 {
580 	struct uhid_device *uhid = file->private_data;
581 	unsigned int i;
582 
583 	uhid_dev_destroy(uhid);
584 
585 	for (i = 0; i < UHID_BUFSIZE; ++i)
586 		kfree(uhid->outq[i]);
587 
588 	kfree(uhid);
589 
590 	return 0;
591 }
592 
593 static ssize_t uhid_char_read(struct file *file, char __user *buffer,
594 				size_t count, loff_t *ppos)
595 {
596 	struct uhid_device *uhid = file->private_data;
597 	int ret;
598 	unsigned long flags;
599 	size_t len;
600 
601 	/* they need at least the "type" member of uhid_event */
602 	if (count < sizeof(__u32))
603 		return -EINVAL;
604 
605 try_again:
606 	if (file->f_flags & O_NONBLOCK) {
607 		if (uhid->head == uhid->tail)
608 			return -EAGAIN;
609 	} else {
610 		ret = wait_event_interruptible(uhid->waitq,
611 						uhid->head != uhid->tail);
612 		if (ret)
613 			return ret;
614 	}
615 
616 	ret = mutex_lock_interruptible(&uhid->devlock);
617 	if (ret)
618 		return ret;
619 
620 	if (uhid->head == uhid->tail) {
621 		mutex_unlock(&uhid->devlock);
622 		goto try_again;
623 	} else {
624 		len = min(count, sizeof(**uhid->outq));
625 		if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
626 			ret = -EFAULT;
627 		} else {
628 			kfree(uhid->outq[uhid->tail]);
629 			uhid->outq[uhid->tail] = NULL;
630 
631 			spin_lock_irqsave(&uhid->qlock, flags);
632 			uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
633 			spin_unlock_irqrestore(&uhid->qlock, flags);
634 		}
635 	}
636 
637 	mutex_unlock(&uhid->devlock);
638 	return ret ? ret : len;
639 }
640 
641 static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
642 				size_t count, loff_t *ppos)
643 {
644 	struct uhid_device *uhid = file->private_data;
645 	int ret;
646 	size_t len;
647 
648 	/* we need at least the "type" member of uhid_event */
649 	if (count < sizeof(__u32))
650 		return -EINVAL;
651 
652 	ret = mutex_lock_interruptible(&uhid->devlock);
653 	if (ret)
654 		return ret;
655 
656 	memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
657 	len = min(count, sizeof(uhid->input_buf));
658 
659 	ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
660 	if (ret)
661 		goto unlock;
662 
663 	switch (uhid->input_buf.type) {
664 	case UHID_CREATE:
665 		ret = uhid_dev_create(uhid, &uhid->input_buf);
666 		break;
667 	case UHID_CREATE2:
668 		ret = uhid_dev_create2(uhid, &uhid->input_buf);
669 		break;
670 	case UHID_DESTROY:
671 		ret = uhid_dev_destroy(uhid);
672 		break;
673 	case UHID_INPUT:
674 		ret = uhid_dev_input(uhid, &uhid->input_buf);
675 		break;
676 	case UHID_INPUT2:
677 		ret = uhid_dev_input2(uhid, &uhid->input_buf);
678 		break;
679 	case UHID_FEATURE_ANSWER:
680 		ret = uhid_dev_feature_answer(uhid, &uhid->input_buf);
681 		break;
682 	default:
683 		ret = -EOPNOTSUPP;
684 	}
685 
686 unlock:
687 	mutex_unlock(&uhid->devlock);
688 
689 	/* return "count" not "len" to not confuse the caller */
690 	return ret ? ret : count;
691 }
692 
693 static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
694 {
695 	struct uhid_device *uhid = file->private_data;
696 
697 	poll_wait(file, &uhid->waitq, wait);
698 
699 	if (uhid->head != uhid->tail)
700 		return POLLIN | POLLRDNORM;
701 
702 	return 0;
703 }
704 
705 static const struct file_operations uhid_fops = {
706 	.owner		= THIS_MODULE,
707 	.open		= uhid_char_open,
708 	.release	= uhid_char_release,
709 	.read		= uhid_char_read,
710 	.write		= uhid_char_write,
711 	.poll		= uhid_char_poll,
712 	.llseek		= no_llseek,
713 };
714 
715 static struct miscdevice uhid_misc = {
716 	.fops		= &uhid_fops,
717 	.minor		= UHID_MINOR,
718 	.name		= UHID_NAME,
719 };
720 
721 static int __init uhid_init(void)
722 {
723 	return misc_register(&uhid_misc);
724 }
725 
726 static void __exit uhid_exit(void)
727 {
728 	misc_deregister(&uhid_misc);
729 }
730 
731 module_init(uhid_init);
732 module_exit(uhid_exit);
733 MODULE_LICENSE("GPL");
734 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
735 MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
736 MODULE_ALIAS_MISCDEV(UHID_MINOR);
737 MODULE_ALIAS("devname:" UHID_NAME);
738