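/*
 * User-space I/O driver support for HID subsystem
 * Copyright (c) 2012 David Herrmann
 */

/*
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */

#include <linux/atomic.h>
#include <linux/compat.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/hid.h>
#include <linux/input.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/poll.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
#include <linux/uhid.h>
#include <linux/wait.h>

#define UHID_NAME	"uhid"
#define UHID_BUFSIZE	32

/*
 * Per-open state of the uhid character device. One instance is allocated in
 * uhid_char_open() and freed in uhid_char_release().
 */
struct uhid_device {
	/* serializes read() and write() on the character device */
	struct mutex devlock;
	/* true between a successful create and the matching destroy */
	bool running;

	/* kernel copy of the report descriptor supplied by user space */
	__u8 *rd_data;
	uint rd_size;

	struct hid_device *hid;
	/* scratch buffer that write() copies the user event into */
	struct uhid_event input_buf;

	/* ring of events waiting to be read by user space */
	wait_queue_head_t waitq;
	spinlock_t qlock;
	__u8 head;
	__u8 tail;
	struct uhid_event *outq[UHID_BUFSIZE];

	/* state of the single in-flight GET_REPORT round trip */
	struct mutex report_lock;
	wait_queue_head_t report_wait;
	atomic_t report_done;
	atomic_t report_id;
	struct uhid_event report_buf;
};

static struct miscdevice uhid_misc;

/*
 * Append @ev to the output ring and wake up readers.
 *
 * Takes ownership of @ev: when the ring is full the event is freed and a
 * warning is logged. One slot is always left empty so that head == tail
 * means "empty". Every caller in this file holds uhid->qlock around the call.
 */
static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
{
	__u8 newhead;

	newhead = (uhid->head + 1) % UHID_BUFSIZE;

	if (newhead != uhid->tail) {
		uhid->outq[uhid->head] = ev;
		uhid->head = newhead;
		wake_up_interruptible(&uhid->waitq);
	} else {
		hid_warn(uhid->hid, "Output queue is full\n");
		kfree(ev);
	}
}

/*
 * Allocate a payload-less event of type @event and queue it for user space.
 *
 * Returns 0 on success or -ENOMEM if the event could not be allocated. A
 * full ring is not reported to the caller (see uhid_queue()).
 */
static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
{
	unsigned long flags;
	struct uhid_event *ev;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = event;

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return 0;
}

/* hid_ll_driver .start: notify user space with UHID_START. */
static int uhid_hid_start(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return uhid_queue_event(uhid, UHID_START);
}

/*
 * hid_ll_driver .stop: drop all claims and notify user space with UHID_STOP.
 * The callback returns void, so an allocation failure while queueing the
 * notification is ignored (best effort).
 */
static void uhid_hid_stop(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	hid->claimed = 0;
	uhid_queue_event(uhid, UHID_STOP);
}

/* hid_ll_driver .open: notify user space with UHID_OPEN. */
static int uhid_hid_open(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return uhid_queue_event(uhid, UHID_OPEN);
}

/* hid_ll_driver .close: notify user space with UHID_CLOSE (best effort). */
static void uhid_hid_close(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	uhid_queue_event(uhid, UHID_CLOSE);
}

/* hid_ll_driver .parse: hand the stored report descriptor to HID core. */
static int uhid_hid_parse(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;

	return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
}

/*
 * Synchronous GET_REPORT: queue a UHID_FEATURE request for user space and
 * wait up to five seconds for the matching UHID_FEATURE_ANSWER.
 *
 * Returns the number of bytes copied into @buf, -EINVAL for an unknown
 * @rtype, -ENOMEM on allocation failure, -ERESTARTSYS if the wait was
 * interrupted, and -EIO if the device is not running, the wait timed out,
 * or user space answered with an error.
 */
static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
			    __u8 *buf, size_t count, unsigned char rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	__u8 report_type;
	struct uhid_event *ev;
	unsigned long flags;
	int ret;
	/* only meaningful when ret == 0; initialized so no path returns junk */
	size_t len = 0;
	struct uhid_feature_answer_req *req;

	if (!uhid->running)
		return -EIO;

	switch (rtype) {
	case HID_FEATURE_REPORT:
		report_type = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		report_type = UHID_OUTPUT_REPORT;
		break;
	case HID_INPUT_REPORT:
		report_type = UHID_INPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	/* only one request may be in flight; report_buf is shared */
	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret)
		return ret;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev) {
		ret = -ENOMEM;
		goto unlock;
	}

	spin_lock_irqsave(&uhid->qlock, flags);
	ev->type = UHID_FEATURE;
	ev->u.feature.id = atomic_inc_return(&uhid->report_id);
	ev->u.feature.rnum = rnum;
	ev->u.feature.rtype = report_type;

	atomic_set(&uhid->report_done, 0);
	/*
	 * NOTE(review): if the ring is full uhid_queue() drops the request
	 * silently, and the wait below then appears to run until the timeout
	 * or a device destroy.
	 */
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	ret = wait_event_interruptible_timeout(uhid->report_wait,
				atomic_read(&uhid->report_done), 5 * HZ);

	/*
	 * Make sure "uhid->running" is cleared on shutdown before
	 * "uhid->report_done" is set.
	 */
	smp_rmb();
	if (!ret || !uhid->running) {
		ret = -EIO;
	} else if (ret < 0) {
		ret = -ERESTARTSYS;
	} else {
		spin_lock_irqsave(&uhid->qlock, flags);
		req = &uhid->report_buf.u.feature_answer;

		if (req->err) {
			ret = -EIO;
		} else {
			ret = 0;
			/*
			 * req->size comes from user space: clamp it to both
			 * the caller's buffer and UHID_DATA_MAX before copying.
			 */
			len = min(count,
				min_t(size_t, req->size, UHID_DATA_MAX));
			memcpy(buf, req->data, len);
		}

		spin_unlock_irqrestore(&uhid->qlock, flags);
	}

	/* mark the request finished so that late answers are dropped */
	atomic_set(&uhid->report_done, 1);

unlock:
	mutex_unlock(&uhid->report_lock);
	return ret ? ret : len;
}

/*
 * Forward an output or feature report to user space as a UHID_OUTPUT event.
 *
 * Returns @count on success, -EINVAL for an unsupported @report_type or a
 * @count outside 1..UHID_DATA_MAX, and -ENOMEM on allocation failure.
 */
static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
			       unsigned char report_type)
{
	struct uhid_device *uhid = hid->driver_data;
	__u8 rtype;
	unsigned long flags;
	struct uhid_event *ev;

	switch (report_type) {
	case HID_FEATURE_REPORT:
		rtype = UHID_FEATURE_REPORT;
		break;
	case HID_OUTPUT_REPORT:
		rtype = UHID_OUTPUT_REPORT;
		break;
	default:
		return -EINVAL;
	}

	/* the length check must precede the memcpy() into the event */
	if (count < 1 || count > UHID_DATA_MAX)
		return -EINVAL;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_OUTPUT;
	ev->u.output.size = count;
	ev->u.output.rtype = rtype;
	memcpy(ev->u.output.data, buf, count);

	spin_lock_irqsave(&uhid->qlock, flags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, flags);

	return count;
}

/* hid_ll_driver .output_report: send @buf as a HID_OUTPUT_REPORT. */
static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
				  size_t count)
{
	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
}

/*
 * hid_ll_driver .raw_request: only GET_REPORT is implemented. SET_REPORT
 * returns -ENOSYS and every other request type returns -EIO.
 */
static int uhid_raw_request(struct hid_device *hid, unsigned char reportnum,
			    __u8 *buf, size_t len, unsigned char rtype,
			    int reqtype)
{
	switch (reqtype) {
	case HID_REQ_GET_REPORT:
		return uhid_hid_get_raw(hid, reportnum, buf, len, rtype);
	case HID_REQ_SET_REPORT:
		/* TODO: implement proper SET_REPORT functionality */
		return -ENOSYS;
	default:
		return -EIO;
	}
}

static struct hid_ll_driver uhid_hid_driver = {
	.start = uhid_hid_start,
	.stop = uhid_hid_stop,
	.open = uhid_hid_open,
	.close = uhid_hid_close,
	.parse = uhid_hid_parse,
	.output_report = uhid_hid_output_report,
	.raw_request = uhid_raw_request,
};

#ifdef CONFIG_COMPAT

/* Apparently we haven't stepped on these rakes enough times yet. */
struct uhid_create_req_compat {
	__u8 name[128];
	__u8 phys[64];
	__u8 uniq[64];

	compat_uptr_t rd_data;
	__u16 rd_size;

	__u16 bus;
	__u32 vendor;
	__u32 product;
	__u32 version;
	__u32 country;
} __attribute__((__packed__));

/*
 * Copy one event from user space into @event, translating the compat layout
 * of UHID_CREATE (which embeds a 32-bit user pointer) for compat tasks.
 *
 * At most min(len, sizeof(*event)) bytes are read; the function does not
 * clear the remainder of @event, so the caller has to zero it beforehand.
 * @len must be at least sizeof(u32): get_user() reads a full type field and
 * the compat path subtracts that amount from @len. uhid_char_write() rejects
 * shorter writes before calling in here.
 *
 * Returns 0 on success, -EFAULT on a faulting copy, -ENOMEM on allocation
 * failure.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (is_compat_task()) {
		u32 type;

		if (get_user(type, buffer))
			return -EFAULT;

		if (type == UHID_CREATE) {
			/*
			 * This is our messed up request with compat pointer.
			 * It is largish (more than 256 bytes) so we better
			 * allocate it from the heap.
			 */
			struct uhid_create_req_compat *compat;

			/* zeroed, so a short write leaves the tail as zeros */
			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
			if (!compat)
				return -ENOMEM;

			buffer += sizeof(type);
			len -= sizeof(type);
			if (copy_from_user(compat, buffer,
					   min(len, sizeof(*compat)))) {
				kfree(compat);
				return -EFAULT;
			}

			/* Shuffle the data over to proper structure */
			event->type = type;

			memcpy(event->u.create.name, compat->name,
				sizeof(compat->name));
			memcpy(event->u.create.phys, compat->phys,
				sizeof(compat->phys));
			memcpy(event->u.create.uniq, compat->uniq,
				sizeof(compat->uniq));

			event->u.create.rd_data = compat_ptr(compat->rd_data);
			event->u.create.rd_size = compat->rd_size;

			event->u.create.bus = compat->bus;
			event->u.create.vendor = compat->vendor;
			event->u.create.product = compat->product;
			event->u.create.version = compat->version;
			event->u.create.country = compat->country;

			kfree(compat);
			return 0;
		}
		/* All others can be copied directly */
	}

	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#else
/*
 * Copy one event from user space into @event. At most
 * min(len, sizeof(*event)) bytes are read; the rest of @event is left
 * untouched. Returns 0 on success or -EFAULT on a faulting copy.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}
#endif

/*
 * Handle UHID_CREATE: copy the report descriptor from user space and
 * register a new HID device described by @ev.
 *
 * The descriptor size is validated and the descriptor copied into a local
 * buffer before any device state is modified, and uhid->rd_data is reset on
 * failure so that no stale pointer to freed memory is left behind.
 *
 * Returns 0 on success, -EALREADY if a device already exists, -EINVAL for a
 * descriptor size of 0 or above HID_MAX_DESCRIPTOR_SIZE, -ENOMEM, -EFAULT,
 * or the error from hid_allocate_device()/hid_add_device().
 */
static int uhid_dev_create(struct uhid_device *uhid,
			   const struct uhid_event *ev)
{
	struct hid_device *hid;
	__u8 *rd_data;
	uint rd_size;
	int ret;

	if (uhid->running)
		return -EALREADY;

	/* rd_size is user-controlled; bound it before allocating */
	rd_size = ev->u.create.rd_size;
	if (rd_size == 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	rd_data = kmalloc(rd_size, GFP_KERNEL);
	if (!rd_data)
		return -ENOMEM;

	/*
	 * NOTE(review): ev->u.create.rd_data is a user-space pointer carried
	 * inside the write() payload, so this copy dereferences an address
	 * chosen by the writer rather than the buffer handed to write().
	 * UHID_CREATE2 carries the descriptor inline and does not need a
	 * second user access.
	 */
	if (copy_from_user(rd_data, ev->u.create.rd_data, rd_size)) {
		ret = -EFAULT;
		goto err_free;
	}

	hid = hid_allocate_device();
	if (IS_ERR(hid)) {
		ret = PTR_ERR(hid);
		goto err_free;
	}

	/* source strings are not guaranteed to be NUL-terminated */
	strncpy(hid->name, ev->u.create.name, sizeof(hid->name) - 1);
	hid->name[sizeof(hid->name) - 1] = 0;
	strncpy(hid->phys, ev->u.create.phys, sizeof(hid->phys) - 1);
	hid->phys[sizeof(hid->phys) - 1] = 0;
	strncpy(hid->uniq, ev->u.create.uniq, sizeof(hid->uniq) - 1);
	hid->uniq[sizeof(hid->uniq) - 1] = 0;

	hid->ll_driver = &uhid_hid_driver;
	hid->bus = ev->u.create.bus;
	hid->vendor = ev->u.create.vendor;
	hid->product = ev->u.create.product;
	hid->version = ev->u.create.version;
	hid->country = ev->u.create.country;
	hid->driver_data = uhid;
	hid->dev.parent = uhid_misc.this_device;

	/* publish state before hid_add_device(); uhid_hid_parse() reads it */
	uhid->rd_data = rd_data;
	uhid->rd_size = rd_size;
	uhid->hid = hid;
	uhid->running = true;

	ret = hid_add_device(hid);
	if (ret) {
		hid_err(hid, "Cannot register HID device\n");
		goto err_hid;
	}

	return 0;

err_hid:
	hid_destroy_device(hid);
	uhid->hid = NULL;
	uhid->running = false;
	uhid->rd_data = NULL;
	uhid->rd_size = 0;
err_free:
	kfree(rd_data);
	return ret;
}

/*
 * Handle UHID_CREATE2: like uhid_dev_create(), but the report descriptor is
 * embedded in the event itself instead of being referenced by a user pointer.
 *
 * Returns 0 on success, -EALREADY if a device already exists, -EINVAL for a
 * descriptor size of 0 or above HID_MAX_DESCRIPTOR_SIZE, -ENOMEM, or the
 * error from hid_allocate_device()/hid_add_device().
 */
static int uhid_dev_create2(struct uhid_device *uhid,
			    const struct uhid_event *ev)
{
	struct hid_device *hid;
	__u8 *rd_data;
	uint rd_size;
	int ret;

	if (uhid->running)
		return -EALREADY;

	/*
	 * rd_size is user-controlled. The upper bound also limits the
	 * memcpy() below; the inline rd_data array is presumably
	 * HID_MAX_DESCRIPTOR_SIZE bytes (see linux/uhid.h, TODO confirm).
	 */
	rd_size = ev->u.create2.rd_size;
	if (rd_size == 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	rd_data = kmalloc(rd_size, GFP_KERNEL);
	if (!rd_data)
		return -ENOMEM;

	memcpy(rd_data, ev->u.create2.rd_data, rd_size);

	hid = hid_allocate_device();
	if (IS_ERR(hid)) {
		ret = PTR_ERR(hid);
		goto err_free;
	}

	/* source strings are not guaranteed to be NUL-terminated */
	strncpy(hid->name, ev->u.create2.name, sizeof(hid->name) - 1);
	hid->name[sizeof(hid->name) - 1] = 0;
	strncpy(hid->phys, ev->u.create2.phys, sizeof(hid->phys) - 1);
	hid->phys[sizeof(hid->phys) - 1] = 0;
	strncpy(hid->uniq, ev->u.create2.uniq, sizeof(hid->uniq) - 1);
	hid->uniq[sizeof(hid->uniq) - 1] = 0;

	hid->ll_driver = &uhid_hid_driver;
	hid->bus = ev->u.create2.bus;
	hid->vendor = ev->u.create2.vendor;
	hid->product = ev->u.create2.product;
	hid->version = ev->u.create2.version;
	hid->country = ev->u.create2.country;
	hid->driver_data = uhid;
	hid->dev.parent = uhid_misc.this_device;

	/* publish state before hid_add_device(); uhid_hid_parse() reads it */
	uhid->rd_data = rd_data;
	uhid->rd_size = rd_size;
	uhid->hid = hid;
	uhid->running = true;

	ret = hid_add_device(hid);
	if (ret) {
		hid_err(hid, "Cannot register HID device\n");
		goto err_hid;
	}

	return 0;

err_hid:
	hid_destroy_device(hid);
	uhid->hid = NULL;
	uhid->running = false;
	uhid->rd_data = NULL;
	uhid->rd_size = 0;
err_free:
	kfree(rd_data);
	return ret;
}

/*
 * Handle UHID_DESTROY (also called on release): wake up a pending
 * GET_REPORT waiter, unregister the HID device and free the descriptor.
 *
 * Returns 0 on success or -EINVAL if no device is running.
 */
static int uhid_dev_destroy(struct uhid_device *uhid)
{
	if (!uhid->running)
		return -EINVAL;

	/* clear "running" before setting "report_done" */
	uhid->running = false;
	smp_wmb();
	atomic_set(&uhid->report_done, 1);
	wake_up_interruptible(&uhid->report_wait);

	hid_destroy_device(uhid->hid);
	kfree(uhid->rd_data);
	/* do not keep a pointer to the freed descriptor around */
	uhid->rd_data = NULL;
	uhid->rd_size = 0;

	return 0;
}

/*
 * Handle UHID_INPUT: inject an input report into HID core. The size field
 * comes from user space and is clamped to UHID_DATA_MAX.
 *
 * Returns 0 on success or -EINVAL if no device is running.
 */
static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!uhid->running)
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
			 min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);

	return 0;
}

/*
 * Handle UHID_INPUT2: same as uhid_dev_input() for the input2 event layout.
 *
 * Returns 0 on success or -EINVAL if no device is running.
 */
static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
{
	if (!uhid->running)
		return -EINVAL;

	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
			 min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);

	return 0;
}

/*
 * Handle UHID_FEATURE_ANSWER: store the answer for the pending GET_REPORT
 * and wake up its waiter. Answers whose id does not match the current
 * request, or that arrive after the request finished, are dropped.
 *
 * Returns 0 (also for dropped answers) or -EINVAL if no device is running.
 */
static int uhid_dev_feature_answer(struct uhid_device *uhid,
				   struct uhid_event *ev)
{
	unsigned long flags;

	if (!uhid->running)
		return -EINVAL;

	spin_lock_irqsave(&uhid->qlock, flags);

	/* id for old report; drop it silently */
	if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id)
		goto unlock;
	if (atomic_read(&uhid->report_done))
		goto unlock;

	memcpy(&uhid->report_buf, ev, sizeof(*ev));
	atomic_set(&uhid->report_done, 1);
	wake_up_interruptible(&uhid->report_wait);

unlock:
	spin_unlock_irqrestore(&uhid->qlock, flags);
	return 0;
}

/*
 * open(): allocate and initialize the per-file uhid_device. No HID device
 * exists until user space writes a create event.
 */
static int uhid_char_open(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid;

	uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
	if (!uhid)
		return -ENOMEM;

	mutex_init(&uhid->devlock);
	mutex_init(&uhid->report_lock);
	spin_lock_init(&uhid->qlock);
	init_waitqueue_head(&uhid->waitq);
	init_waitqueue_head(&uhid->report_wait);
	uhid->running = false;
	/* no request pending: stray feature answers are dropped */
	atomic_set(&uhid->report_done, 1);

	file->private_data = uhid;
	nonseekable_open(inode, file);

	return 0;
}

/*
 * release(): destroy the HID device if one is still running, free all
 * events still queued for user space, then free the uhid_device itself.
 */
static int uhid_char_release(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid = file->private_data;
	unsigned int i;

	/* -EINVAL just means no device was running; nothing to undo */
	uhid_dev_destroy(uhid);

	/* consumed slots are set to NULL by read(), so kfree() is safe */
	for (i = 0; i < UHID_BUFSIZE; ++i)
		kfree(uhid->outq[i]);

	kfree(uhid);

	return 0;
}

/*
 * read(): hand the oldest queued event to user space.
 *
 * Copies at most sizeof(struct uhid_event) bytes; a shorter @count yields a
 * truncated event. Blocks until an event is available unless O_NONBLOCK is
 * set, in which case -EAGAIN is returned on an empty queue.
 *
 * Returns the number of bytes copied, -EINVAL if @count cannot hold the
 * type field, -EFAULT on a faulting copy (the event stays queued), or the
 * error from an interrupted wait or lock.
 */
static ssize_t uhid_char_read(struct file *file, char __user *buffer,
			      size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	int ret;
	unsigned long flags;
	size_t len;

	/* they need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

try_again:
	/* head and tail are read here without holding qlock */
	if (file->f_flags & O_NONBLOCK) {
		if (uhid->head == uhid->tail)
			return -EAGAIN;
	} else {
		ret = wait_event_interruptible(uhid->waitq,
						uhid->head != uhid->tail);
		if (ret)
			return ret;
	}

	ret = mutex_lock_interruptible(&uhid->devlock);
	if (ret)
		return ret;

	/* another reader may have drained the queue before we got devlock */
	if (uhid->head == uhid->tail) {
		mutex_unlock(&uhid->devlock);
		goto try_again;
	} else {
		len = min(count, sizeof(**uhid->outq));
		if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
			ret = -EFAULT;
		} else {
			kfree(uhid->outq[uhid->tail]);
			uhid->outq[uhid->tail] = NULL;

			spin_lock_irqsave(&uhid->qlock, flags);
			uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
			spin_unlock_irqrestore(&uhid->qlock, flags);
		}
	}

	mutex_unlock(&uhid->devlock);
	return ret ? ret : len;
}

/*
 * write(): accept one event from user space and dispatch it by type.
 *
 * The event buffer is zeroed first, so a write shorter than
 * sizeof(struct uhid_event) results in a zero-padded event; bytes beyond
 * that size are ignored.
 *
 * Returns @count on success, -EINVAL if @count cannot hold the type field,
 * -EOPNOTSUPP for an unknown event type, or the error of the handler.
 */
static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
			       size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	int ret;
	size_t len;

	/* we need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

	ret = mutex_lock_interruptible(&uhid->devlock);
	if (ret)
		return ret;

	/* never let data from a previous write leak into this event */
	memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
	len = min(count, sizeof(uhid->input_buf));

	ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
	if (ret)
		goto unlock;

	switch (uhid->input_buf.type) {
	case UHID_CREATE:
		ret = uhid_dev_create(uhid, &uhid->input_buf);
		break;
	case UHID_CREATE2:
		ret = uhid_dev_create2(uhid, &uhid->input_buf);
		break;
	case UHID_DESTROY:
		ret = uhid_dev_destroy(uhid);
		break;
	case UHID_INPUT:
		ret = uhid_dev_input(uhid, &uhid->input_buf);
		break;
	case UHID_INPUT2:
		ret = uhid_dev_input2(uhid, &uhid->input_buf);
		break;
	case UHID_FEATURE_ANSWER:
		ret = uhid_dev_feature_answer(uhid, &uhid->input_buf);
		break;
	default:
		ret = -EOPNOTSUPP;
	}

unlock:
	mutex_unlock(&uhid->devlock);

	/* return "count" not "len" to not confuse the caller */
	return ret ? ret : count;
}

/* poll(): readable whenever the output ring is not empty. */
static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
{
	struct uhid_device *uhid = file->private_data;

	poll_wait(file, &uhid->waitq, wait);

	if (uhid->head != uhid->tail)
		return POLLIN | POLLRDNORM;

	return 0;
}

static const struct file_operations uhid_fops = {
	.owner		= THIS_MODULE,
	.open		= uhid_char_open,
	.release	= uhid_char_release,
	.read		= uhid_char_read,
	.write		= uhid_char_write,
	.poll		= uhid_char_poll,
	.llseek		= no_llseek,
};

static struct miscdevice uhid_misc = {
	.fops		= &uhid_fops,
	.minor		= UHID_MINOR,
	.name		= UHID_NAME,
};

/* Module entry point: register the uhid misc character device. */
static int __init uhid_init(void)
{
	return misc_register(&uhid_misc);
}

/* Module exit point: unregister the uhid misc character device. */
static void __exit uhid_exit(void)
{
	misc_deregister(&uhid_misc);
}

module_init(uhid_init);
module_exit(uhid_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
MODULE_ALIAS_MISCDEV(UHID_MINOR);
MODULE_ALIAS("devname:" UHID_NAME);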