xref: /openbmc/linux/drivers/hid/usbhid/hiddev.c (revision d6869352)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *  Copyright (c) 2001 Paul Stewart
4  *  Copyright (c) 2001 Vojtech Pavlik
5  *
6  *  HID char devices, giving access to raw HID device events.
7  */
8 
9 /*
10  *
11  * Should you need to contact me, the author, you can do so either by
12  * e-mail - mail your message to Paul Stewart <stewart@wetlogic.net>
13  */
14 
15 #include <linux/poll.h>
16 #include <linux/slab.h>
17 #include <linux/sched/signal.h>
18 #include <linux/module.h>
19 #include <linux/init.h>
20 #include <linux/input.h>
21 #include <linux/usb.h>
22 #include <linux/hid.h>
23 #include <linux/hiddev.h>
24 #include <linux/compat.h>
25 #include <linux/vmalloc.h>
26 #include <linux/nospec.h>
27 #include "usbhid.h"
28 
29 #ifdef CONFIG_USB_DYNAMIC_MINORS
30 #define HIDDEV_MINOR_BASE	0
31 #define HIDDEV_MINORS		256
32 #else
33 #define HIDDEV_MINOR_BASE	96
34 #define HIDDEV_MINORS		16
35 #endif
36 #define HIDDEV_BUFFER_SIZE	2048
37 
38 struct hiddev_list {
39 	struct hiddev_usage_ref buffer[HIDDEV_BUFFER_SIZE];
40 	int head;
41 	int tail;
42 	unsigned flags;
43 	struct fasync_struct *fasync;
44 	struct hiddev *hiddev;
45 	struct list_head node;
46 	struct mutex thread_lock;
47 };
48 
49 /*
50  * Find a report, given the report's type and ID.  The ID can be specified
51  * indirectly by REPORT_ID_FIRST (which returns the first report of the given
52  * type) or by (REPORT_ID_NEXT | old_id), which returns the next report of the
53  * given type which follows old_id.
54  */
55 static struct hid_report *
56 hiddev_lookup_report(struct hid_device *hid, struct hiddev_report_info *rinfo)
57 {
58 	unsigned int flags = rinfo->report_id & ~HID_REPORT_ID_MASK;
59 	unsigned int rid = rinfo->report_id & HID_REPORT_ID_MASK;
60 	struct hid_report_enum *report_enum;
61 	struct hid_report *report;
62 	struct list_head *list;
63 
64 	if (rinfo->report_type < HID_REPORT_TYPE_MIN ||
65 	    rinfo->report_type > HID_REPORT_TYPE_MAX)
66 		return NULL;
67 
68 	report_enum = hid->report_enum +
69 		(rinfo->report_type - HID_REPORT_TYPE_MIN);
70 
71 	switch (flags) {
72 	case 0: /* Nothing to do -- report_id is already set correctly */
73 		break;
74 
75 	case HID_REPORT_ID_FIRST:
76 		if (list_empty(&report_enum->report_list))
77 			return NULL;
78 
79 		list = report_enum->report_list.next;
80 		report = list_entry(list, struct hid_report, list);
81 		rinfo->report_id = report->id;
82 		break;
83 
84 	case HID_REPORT_ID_NEXT:
85 		report = report_enum->report_id_hash[rid];
86 		if (!report)
87 			return NULL;
88 
89 		list = report->list.next;
90 		if (list == &report_enum->report_list)
91 			return NULL;
92 
93 		report = list_entry(list, struct hid_report, list);
94 		rinfo->report_id = report->id;
95 		break;
96 
97 	default:
98 		return NULL;
99 	}
100 
101 	return report_enum->report_id_hash[rinfo->report_id];
102 }
103 
104 /*
105  * Perform an exhaustive search of the report table for a usage, given its
106  * type and usage id.
107  */
108 static struct hid_field *
109 hiddev_lookup_usage(struct hid_device *hid, struct hiddev_usage_ref *uref)
110 {
111 	int i, j;
112 	struct hid_report *report;
113 	struct hid_report_enum *report_enum;
114 	struct hid_field *field;
115 
116 	if (uref->report_type < HID_REPORT_TYPE_MIN ||
117 	    uref->report_type > HID_REPORT_TYPE_MAX)
118 		return NULL;
119 
120 	report_enum = hid->report_enum +
121 		(uref->report_type - HID_REPORT_TYPE_MIN);
122 
123 	list_for_each_entry(report, &report_enum->report_list, list) {
124 		for (i = 0; i < report->maxfield; i++) {
125 			field = report->field[i];
126 			for (j = 0; j < field->maxusage; j++) {
127 				if (field->usage[j].hid == uref->usage_code) {
128 					uref->report_id = report->id;
129 					uref->field_index = i;
130 					uref->usage_index = j;
131 					return field;
132 				}
133 			}
134 		}
135 	}
136 
137 	return NULL;
138 }
139 
140 static void hiddev_send_event(struct hid_device *hid,
141 			      struct hiddev_usage_ref *uref)
142 {
143 	struct hiddev *hiddev = hid->hiddev;
144 	struct hiddev_list *list;
145 	unsigned long flags;
146 
147 	spin_lock_irqsave(&hiddev->list_lock, flags);
148 	list_for_each_entry(list, &hiddev->list, node) {
149 		if (uref->field_index != HID_FIELD_INDEX_NONE ||
150 		    (list->flags & HIDDEV_FLAG_REPORT) != 0) {
151 			list->buffer[list->head] = *uref;
152 			list->head = (list->head + 1) &
153 				(HIDDEV_BUFFER_SIZE - 1);
154 			kill_fasync(&list->fasync, SIGIO, POLL_IN);
155 		}
156 	}
157 	spin_unlock_irqrestore(&hiddev->list_lock, flags);
158 
159 	wake_up_interruptible(&hiddev->wait);
160 }
161 
162 /*
163  * This is where hid.c calls into hiddev to pass an event that occurred over
164  * the interrupt pipe
165  */
166 void hiddev_hid_event(struct hid_device *hid, struct hid_field *field,
167 		      struct hid_usage *usage, __s32 value)
168 {
169 	unsigned type = field->report_type;
170 	struct hiddev_usage_ref uref;
171 
172 	uref.report_type =
173 	  (type == HID_INPUT_REPORT) ? HID_REPORT_TYPE_INPUT :
174 	  ((type == HID_OUTPUT_REPORT) ? HID_REPORT_TYPE_OUTPUT :
175 	   ((type == HID_FEATURE_REPORT) ? HID_REPORT_TYPE_FEATURE : 0));
176 	uref.report_id = field->report->id;
177 	uref.field_index = field->index;
178 	uref.usage_index = (usage - field->usage);
179 	uref.usage_code = usage->hid;
180 	uref.value = value;
181 
182 	hiddev_send_event(hid, &uref);
183 }
184 EXPORT_SYMBOL_GPL(hiddev_hid_event);
185 
186 void hiddev_report_event(struct hid_device *hid, struct hid_report *report)
187 {
188 	unsigned type = report->type;
189 	struct hiddev_usage_ref uref;
190 
191 	memset(&uref, 0, sizeof(uref));
192 	uref.report_type =
193 	  (type == HID_INPUT_REPORT) ? HID_REPORT_TYPE_INPUT :
194 	  ((type == HID_OUTPUT_REPORT) ? HID_REPORT_TYPE_OUTPUT :
195 	   ((type == HID_FEATURE_REPORT) ? HID_REPORT_TYPE_FEATURE : 0));
196 	uref.report_id = report->id;
197 	uref.field_index = HID_FIELD_INDEX_NONE;
198 
199 	hiddev_send_event(hid, &uref);
200 }
201 
202 /*
203  * fasync file op
204  */
205 static int hiddev_fasync(int fd, struct file *file, int on)
206 {
207 	struct hiddev_list *list = file->private_data;
208 
209 	return fasync_helper(fd, file, on, &list->fasync);
210 }
211 
212 
213 /*
214  * release file op
215  */
216 static int hiddev_release(struct inode * inode, struct file * file)
217 {
218 	struct hiddev_list *list = file->private_data;
219 	unsigned long flags;
220 
221 	spin_lock_irqsave(&list->hiddev->list_lock, flags);
222 	list_del(&list->node);
223 	spin_unlock_irqrestore(&list->hiddev->list_lock, flags);
224 
225 	mutex_lock(&list->hiddev->existancelock);
226 	if (!--list->hiddev->open) {
227 		if (list->hiddev->exist) {
228 			hid_hw_close(list->hiddev->hid);
229 			hid_hw_power(list->hiddev->hid, PM_HINT_NORMAL);
230 		} else {
231 			mutex_unlock(&list->hiddev->existancelock);
232 			kfree(list->hiddev);
233 			vfree(list);
234 			return 0;
235 		}
236 	}
237 
238 	mutex_unlock(&list->hiddev->existancelock);
239 	vfree(list);
240 
241 	return 0;
242 }
243 
244 /*
245  * open file op
246  */
247 static int hiddev_open(struct inode *inode, struct file *file)
248 {
249 	struct hiddev_list *list;
250 	struct usb_interface *intf;
251 	struct hid_device *hid;
252 	struct hiddev *hiddev;
253 	int res;
254 
255 	intf = usbhid_find_interface(iminor(inode));
256 	if (!intf)
257 		return -ENODEV;
258 	hid = usb_get_intfdata(intf);
259 	hiddev = hid->hiddev;
260 
261 	if (!(list = vzalloc(sizeof(struct hiddev_list))))
262 		return -ENOMEM;
263 	mutex_init(&list->thread_lock);
264 	list->hiddev = hiddev;
265 	file->private_data = list;
266 
267 	/*
268 	 * no need for locking because the USB major number
269 	 * is shared which usbcore guards against disconnect
270 	 */
271 	if (list->hiddev->exist) {
272 		if (!list->hiddev->open++) {
273 			res = hid_hw_open(hiddev->hid);
274 			if (res < 0)
275 				goto bail;
276 		}
277 	} else {
278 		res = -ENODEV;
279 		goto bail;
280 	}
281 
282 	spin_lock_irq(&list->hiddev->list_lock);
283 	list_add_tail(&list->node, &hiddev->list);
284 	spin_unlock_irq(&list->hiddev->list_lock);
285 
286 	mutex_lock(&hiddev->existancelock);
287 	if (!list->hiddev->open++)
288 		if (list->hiddev->exist) {
289 			struct hid_device *hid = hiddev->hid;
290 			res = hid_hw_power(hid, PM_HINT_FULLON);
291 			if (res < 0)
292 				goto bail_unlock;
293 			res = hid_hw_open(hid);
294 			if (res < 0)
295 				goto bail_normal_power;
296 		}
297 	mutex_unlock(&hiddev->existancelock);
298 	return 0;
299 bail_normal_power:
300 	hid_hw_power(hid, PM_HINT_NORMAL);
301 bail_unlock:
302 	mutex_unlock(&hiddev->existancelock);
303 bail:
304 	file->private_data = NULL;
305 	vfree(list);
306 	return res;
307 }
308 
309 /*
310  * "write" file op
311  */
312 static ssize_t hiddev_write(struct file * file, const char __user * buffer, size_t count, loff_t *ppos)
313 {
314 	return -EINVAL;
315 }
316 
317 /*
318  * "read" file op
319  */
320 static ssize_t hiddev_read(struct file * file, char __user * buffer, size_t count, loff_t *ppos)
321 {
322 	DEFINE_WAIT(wait);
323 	struct hiddev_list *list = file->private_data;
324 	int event_size;
325 	int retval;
326 
327 	event_size = ((list->flags & HIDDEV_FLAG_UREF) != 0) ?
328 		sizeof(struct hiddev_usage_ref) : sizeof(struct hiddev_event);
329 
330 	if (count < event_size)
331 		return 0;
332 
333 	/* lock against other threads */
334 	retval = mutex_lock_interruptible(&list->thread_lock);
335 	if (retval)
336 		return -ERESTARTSYS;
337 
338 	while (retval == 0) {
339 		if (list->head == list->tail) {
340 			prepare_to_wait(&list->hiddev->wait, &wait, TASK_INTERRUPTIBLE);
341 
342 			while (list->head == list->tail) {
343 				if (signal_pending(current)) {
344 					retval = -ERESTARTSYS;
345 					break;
346 				}
347 				if (!list->hiddev->exist) {
348 					retval = -EIO;
349 					break;
350 				}
351 				if (file->f_flags & O_NONBLOCK) {
352 					retval = -EAGAIN;
353 					break;
354 				}
355 
356 				/* let O_NONBLOCK tasks run */
357 				mutex_unlock(&list->thread_lock);
358 				schedule();
359 				if (mutex_lock_interruptible(&list->thread_lock)) {
360 					finish_wait(&list->hiddev->wait, &wait);
361 					return -EINTR;
362 				}
363 				set_current_state(TASK_INTERRUPTIBLE);
364 			}
365 			finish_wait(&list->hiddev->wait, &wait);
366 
367 		}
368 
369 		if (retval) {
370 			mutex_unlock(&list->thread_lock);
371 			return retval;
372 		}
373 
374 
375 		while (list->head != list->tail &&
376 		       retval + event_size <= count) {
377 			if ((list->flags & HIDDEV_FLAG_UREF) == 0) {
378 				if (list->buffer[list->tail].field_index != HID_FIELD_INDEX_NONE) {
379 					struct hiddev_event event;
380 
381 					event.hid = list->buffer[list->tail].usage_code;
382 					event.value = list->buffer[list->tail].value;
383 					if (copy_to_user(buffer + retval, &event, sizeof(struct hiddev_event))) {
384 						mutex_unlock(&list->thread_lock);
385 						return -EFAULT;
386 					}
387 					retval += sizeof(struct hiddev_event);
388 				}
389 			} else {
390 				if (list->buffer[list->tail].field_index != HID_FIELD_INDEX_NONE ||
391 				    (list->flags & HIDDEV_FLAG_REPORT) != 0) {
392 
393 					if (copy_to_user(buffer + retval, list->buffer + list->tail, sizeof(struct hiddev_usage_ref))) {
394 						mutex_unlock(&list->thread_lock);
395 						return -EFAULT;
396 					}
397 					retval += sizeof(struct hiddev_usage_ref);
398 				}
399 			}
400 			list->tail = (list->tail + 1) & (HIDDEV_BUFFER_SIZE - 1);
401 		}
402 
403 	}
404 	mutex_unlock(&list->thread_lock);
405 
406 	return retval;
407 }
408 
409 /*
410  * "poll" file op
411  * No kernel lock - fine
412  */
413 static __poll_t hiddev_poll(struct file *file, poll_table *wait)
414 {
415 	struct hiddev_list *list = file->private_data;
416 
417 	poll_wait(file, &list->hiddev->wait, wait);
418 	if (list->head != list->tail)
419 		return EPOLLIN | EPOLLRDNORM;
420 	if (!list->hiddev->exist)
421 		return EPOLLERR | EPOLLHUP;
422 	return 0;
423 }
424 
425 /*
426  * "ioctl" file op
427  */
428 static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, void __user *user_arg)
429 {
430 	struct hid_device *hid = hiddev->hid;
431 	struct hiddev_report_info rinfo;
432 	struct hiddev_usage_ref_multi *uref_multi = NULL;
433 	struct hiddev_usage_ref *uref;
434 	struct hid_report *report;
435 	struct hid_field *field;
436 	int i;
437 
438 	uref_multi = kmalloc(sizeof(struct hiddev_usage_ref_multi), GFP_KERNEL);
439 	if (!uref_multi)
440 		return -ENOMEM;
441 	uref = &uref_multi->uref;
442 	if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
443 		if (copy_from_user(uref_multi, user_arg,
444 				   sizeof(*uref_multi)))
445 			goto fault;
446 	} else {
447 		if (copy_from_user(uref, user_arg, sizeof(*uref)))
448 			goto fault;
449 	}
450 
451 	switch (cmd) {
452 	case HIDIOCGUCODE:
453 		rinfo.report_type = uref->report_type;
454 		rinfo.report_id = uref->report_id;
455 		if ((report = hiddev_lookup_report(hid, &rinfo)) == NULL)
456 			goto inval;
457 
458 		if (uref->field_index >= report->maxfield)
459 			goto inval;
460 		uref->field_index = array_index_nospec(uref->field_index,
461 						       report->maxfield);
462 
463 		field = report->field[uref->field_index];
464 		if (uref->usage_index >= field->maxusage)
465 			goto inval;
466 		uref->usage_index = array_index_nospec(uref->usage_index,
467 						       field->maxusage);
468 
469 		uref->usage_code = field->usage[uref->usage_index].hid;
470 
471 		if (copy_to_user(user_arg, uref, sizeof(*uref)))
472 			goto fault;
473 
474 		goto goodreturn;
475 
476 	default:
477 		if (cmd != HIDIOCGUSAGE &&
478 		    cmd != HIDIOCGUSAGES &&
479 		    uref->report_type == HID_REPORT_TYPE_INPUT)
480 			goto inval;
481 
482 		if (uref->report_id == HID_REPORT_ID_UNKNOWN) {
483 			field = hiddev_lookup_usage(hid, uref);
484 			if (field == NULL)
485 				goto inval;
486 		} else {
487 			rinfo.report_type = uref->report_type;
488 			rinfo.report_id = uref->report_id;
489 			if ((report = hiddev_lookup_report(hid, &rinfo)) == NULL)
490 				goto inval;
491 
492 			if (uref->field_index >= report->maxfield)
493 				goto inval;
494 			uref->field_index = array_index_nospec(uref->field_index,
495 							       report->maxfield);
496 
497 			field = report->field[uref->field_index];
498 
499 			if (cmd == HIDIOCGCOLLECTIONINDEX) {
500 				if (uref->usage_index >= field->maxusage)
501 					goto inval;
502 				uref->usage_index =
503 					array_index_nospec(uref->usage_index,
504 							   field->maxusage);
505 			} else if (uref->usage_index >= field->report_count)
506 				goto inval;
507 		}
508 
509 		if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
510 			if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
511 			    uref->usage_index + uref_multi->num_values >
512 			    field->report_count)
513 				goto inval;
514 
515 			uref->usage_index =
516 				array_index_nospec(uref->usage_index,
517 						   field->report_count -
518 						   uref_multi->num_values);
519 		}
520 
521 		switch (cmd) {
522 		case HIDIOCGUSAGE:
523 			uref->value = field->value[uref->usage_index];
524 			if (copy_to_user(user_arg, uref, sizeof(*uref)))
525 				goto fault;
526 			goto goodreturn;
527 
528 		case HIDIOCSUSAGE:
529 			field->value[uref->usage_index] = uref->value;
530 			goto goodreturn;
531 
532 		case HIDIOCGCOLLECTIONINDEX:
533 			i = field->usage[uref->usage_index].collection_index;
534 			kfree(uref_multi);
535 			return i;
536 		case HIDIOCGUSAGES:
537 			for (i = 0; i < uref_multi->num_values; i++)
538 				uref_multi->values[i] =
539 				    field->value[uref->usage_index + i];
540 			if (copy_to_user(user_arg, uref_multi,
541 					 sizeof(*uref_multi)))
542 				goto fault;
543 			goto goodreturn;
544 		case HIDIOCSUSAGES:
545 			for (i = 0; i < uref_multi->num_values; i++)
546 				field->value[uref->usage_index + i] =
547 				    uref_multi->values[i];
548 			goto goodreturn;
549 		}
550 
551 goodreturn:
552 		kfree(uref_multi);
553 		return 0;
554 fault:
555 		kfree(uref_multi);
556 		return -EFAULT;
557 inval:
558 		kfree(uref_multi);
559 		return -EINVAL;
560 	}
561 }
562 
563 static noinline int hiddev_ioctl_string(struct hiddev *hiddev, unsigned int cmd, void __user *user_arg)
564 {
565 	struct hid_device *hid = hiddev->hid;
566 	struct usb_device *dev = hid_to_usb_dev(hid);
567 	int idx, len;
568 	char *buf;
569 
570 	if (get_user(idx, (int __user *)user_arg))
571 		return -EFAULT;
572 
573 	if ((buf = kmalloc(HID_STRING_SIZE, GFP_KERNEL)) == NULL)
574 		return -ENOMEM;
575 
576 	if ((len = usb_string(dev, idx, buf, HID_STRING_SIZE-1)) < 0) {
577 		kfree(buf);
578 		return -EINVAL;
579 	}
580 
581 	if (copy_to_user(user_arg+sizeof(int), buf, len+1)) {
582 		kfree(buf);
583 		return -EFAULT;
584 	}
585 
586 	kfree(buf);
587 
588 	return len;
589 }
590 
591 static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
592 {
593 	struct hiddev_list *list = file->private_data;
594 	struct hiddev *hiddev = list->hiddev;
595 	struct hid_device *hid;
596 	struct hiddev_collection_info cinfo;
597 	struct hiddev_report_info rinfo;
598 	struct hiddev_field_info finfo;
599 	struct hiddev_devinfo dinfo;
600 	struct hid_report *report;
601 	struct hid_field *field;
602 	void __user *user_arg = (void __user *)arg;
603 	int i, r = -EINVAL;
604 
605 	/* Called without BKL by compat methods so no BKL taken */
606 
607 	mutex_lock(&hiddev->existancelock);
608 	if (!hiddev->exist) {
609 		r = -ENODEV;
610 		goto ret_unlock;
611 	}
612 
613 	hid = hiddev->hid;
614 
615 	switch (cmd) {
616 
617 	case HIDIOCGVERSION:
618 		r = put_user(HID_VERSION, (int __user *)arg) ?
619 			-EFAULT : 0;
620 		break;
621 
622 	case HIDIOCAPPLICATION:
623 		if (arg >= hid->maxapplication)
624 			break;
625 
626 		for (i = 0; i < hid->maxcollection; i++)
627 			if (hid->collection[i].type ==
628 			    HID_COLLECTION_APPLICATION && arg-- == 0)
629 				break;
630 
631 		if (i < hid->maxcollection)
632 			r = hid->collection[i].usage;
633 		break;
634 
635 	case HIDIOCGDEVINFO:
636 		{
637 			struct usb_device *dev = hid_to_usb_dev(hid);
638 			struct usbhid_device *usbhid = hid->driver_data;
639 
640 			memset(&dinfo, 0, sizeof(dinfo));
641 
642 			dinfo.bustype = BUS_USB;
643 			dinfo.busnum = dev->bus->busnum;
644 			dinfo.devnum = dev->devnum;
645 			dinfo.ifnum = usbhid->ifnum;
646 			dinfo.vendor = le16_to_cpu(dev->descriptor.idVendor);
647 			dinfo.product = le16_to_cpu(dev->descriptor.idProduct);
648 			dinfo.version = le16_to_cpu(dev->descriptor.bcdDevice);
649 			dinfo.num_applications = hid->maxapplication;
650 
651 			r = copy_to_user(user_arg, &dinfo, sizeof(dinfo)) ?
652 				-EFAULT : 0;
653 			break;
654 		}
655 
656 	case HIDIOCGFLAG:
657 		r = put_user(list->flags, (int __user *)arg) ?
658 			-EFAULT : 0;
659 		break;
660 
661 	case HIDIOCSFLAG:
662 		{
663 			int newflags;
664 
665 			if (get_user(newflags, (int __user *)arg)) {
666 				r = -EFAULT;
667 				break;
668 			}
669 
670 			if ((newflags & ~HIDDEV_FLAGS) != 0 ||
671 			    ((newflags & HIDDEV_FLAG_REPORT) != 0 &&
672 			     (newflags & HIDDEV_FLAG_UREF) == 0))
673 				break;
674 
675 			list->flags = newflags;
676 
677 			r = 0;
678 			break;
679 		}
680 
681 	case HIDIOCGSTRING:
682 		r = hiddev_ioctl_string(hiddev, cmd, user_arg);
683 		break;
684 
685 	case HIDIOCINITREPORT:
686 		usbhid_init_reports(hid);
687 		hiddev->initialized = true;
688 		r = 0;
689 		break;
690 
691 	case HIDIOCGREPORT:
692 		if (copy_from_user(&rinfo, user_arg, sizeof(rinfo))) {
693 			r = -EFAULT;
694 			break;
695 		}
696 
697 		if (rinfo.report_type == HID_REPORT_TYPE_OUTPUT)
698 			break;
699 
700 		report = hiddev_lookup_report(hid, &rinfo);
701 		if (report == NULL)
702 			break;
703 
704 		hid_hw_request(hid, report, HID_REQ_GET_REPORT);
705 		hid_hw_wait(hid);
706 
707 		r = 0;
708 		break;
709 
710 	case HIDIOCSREPORT:
711 		if (copy_from_user(&rinfo, user_arg, sizeof(rinfo))) {
712 			r = -EFAULT;
713 			break;
714 		}
715 
716 		if (rinfo.report_type == HID_REPORT_TYPE_INPUT)
717 			break;
718 
719 		report = hiddev_lookup_report(hid, &rinfo);
720 		if (report == NULL)
721 			break;
722 
723 		hid_hw_request(hid, report, HID_REQ_SET_REPORT);
724 		hid_hw_wait(hid);
725 
726 		r = 0;
727 		break;
728 
729 	case HIDIOCGREPORTINFO:
730 		if (copy_from_user(&rinfo, user_arg, sizeof(rinfo))) {
731 			r = -EFAULT;
732 			break;
733 		}
734 
735 		report = hiddev_lookup_report(hid, &rinfo);
736 		if (report == NULL)
737 			break;
738 
739 		rinfo.num_fields = report->maxfield;
740 
741 		r = copy_to_user(user_arg, &rinfo, sizeof(rinfo)) ?
742 			-EFAULT : 0;
743 		break;
744 
745 	case HIDIOCGFIELDINFO:
746 		if (copy_from_user(&finfo, user_arg, sizeof(finfo))) {
747 			r = -EFAULT;
748 			break;
749 		}
750 
751 		rinfo.report_type = finfo.report_type;
752 		rinfo.report_id = finfo.report_id;
753 
754 		report = hiddev_lookup_report(hid, &rinfo);
755 		if (report == NULL)
756 			break;
757 
758 		if (finfo.field_index >= report->maxfield)
759 			break;
760 		finfo.field_index = array_index_nospec(finfo.field_index,
761 						       report->maxfield);
762 
763 		field = report->field[finfo.field_index];
764 		memset(&finfo, 0, sizeof(finfo));
765 		finfo.report_type = rinfo.report_type;
766 		finfo.report_id = rinfo.report_id;
767 		finfo.field_index = field->report_count - 1;
768 		finfo.maxusage = field->maxusage;
769 		finfo.flags = field->flags;
770 		finfo.physical = field->physical;
771 		finfo.logical = field->logical;
772 		finfo.application = field->application;
773 		finfo.logical_minimum = field->logical_minimum;
774 		finfo.logical_maximum = field->logical_maximum;
775 		finfo.physical_minimum = field->physical_minimum;
776 		finfo.physical_maximum = field->physical_maximum;
777 		finfo.unit_exponent = field->unit_exponent;
778 		finfo.unit = field->unit;
779 
780 		r = copy_to_user(user_arg, &finfo, sizeof(finfo)) ?
781 			-EFAULT : 0;
782 		break;
783 
784 	case HIDIOCGUCODE:
785 		/* fall through */
786 	case HIDIOCGUSAGE:
787 	case HIDIOCSUSAGE:
788 	case HIDIOCGUSAGES:
789 	case HIDIOCSUSAGES:
790 	case HIDIOCGCOLLECTIONINDEX:
791 		if (!hiddev->initialized) {
792 			usbhid_init_reports(hid);
793 			hiddev->initialized = true;
794 		}
795 		r = hiddev_ioctl_usage(hiddev, cmd, user_arg);
796 		break;
797 
798 	case HIDIOCGCOLLECTIONINFO:
799 		if (copy_from_user(&cinfo, user_arg, sizeof(cinfo))) {
800 			r = -EFAULT;
801 			break;
802 		}
803 
804 		if (cinfo.index >= hid->maxcollection)
805 			break;
806 		cinfo.index = array_index_nospec(cinfo.index,
807 						 hid->maxcollection);
808 
809 		cinfo.type = hid->collection[cinfo.index].type;
810 		cinfo.usage = hid->collection[cinfo.index].usage;
811 		cinfo.level = hid->collection[cinfo.index].level;
812 
813 		r = copy_to_user(user_arg, &cinfo, sizeof(cinfo)) ?
814 			-EFAULT : 0;
815 		break;
816 
817 	default:
818 		if (_IOC_TYPE(cmd) != 'H' || _IOC_DIR(cmd) != _IOC_READ)
819 			break;
820 
821 		if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGNAME(0))) {
822 			int len = strlen(hid->name) + 1;
823 			if (len > _IOC_SIZE(cmd))
824 				 len = _IOC_SIZE(cmd);
825 			r = copy_to_user(user_arg, hid->name, len) ?
826 				-EFAULT : len;
827 			break;
828 		}
829 
830 		if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGPHYS(0))) {
831 			int len = strlen(hid->phys) + 1;
832 			if (len > _IOC_SIZE(cmd))
833 				len = _IOC_SIZE(cmd);
834 			r = copy_to_user(user_arg, hid->phys, len) ?
835 				-EFAULT : len;
836 			break;
837 		}
838 	}
839 
840 ret_unlock:
841 	mutex_unlock(&hiddev->existancelock);
842 	return r;
843 }
844 
845 #ifdef CONFIG_COMPAT
846 static long hiddev_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
847 {
848 	return hiddev_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
849 }
850 #endif
851 
852 static const struct file_operations hiddev_fops = {
853 	.owner =	THIS_MODULE,
854 	.read =		hiddev_read,
855 	.write =	hiddev_write,
856 	.poll =		hiddev_poll,
857 	.open =		hiddev_open,
858 	.release =	hiddev_release,
859 	.unlocked_ioctl =	hiddev_ioctl,
860 	.fasync =	hiddev_fasync,
861 #ifdef CONFIG_COMPAT
862 	.compat_ioctl	= hiddev_compat_ioctl,
863 #endif
864 	.llseek		= noop_llseek,
865 };
866 
867 static char *hiddev_devnode(struct device *dev, umode_t *mode)
868 {
869 	return kasprintf(GFP_KERNEL, "usb/%s", dev_name(dev));
870 }
871 
872 static struct usb_class_driver hiddev_class = {
873 	.name =		"hiddev%d",
874 	.devnode =	hiddev_devnode,
875 	.fops =		&hiddev_fops,
876 	.minor_base =	HIDDEV_MINOR_BASE,
877 };
878 
879 /*
880  * This is where hid.c calls us to connect a hid device to the hiddev driver
881  */
882 int hiddev_connect(struct hid_device *hid, unsigned int force)
883 {
884 	struct hiddev *hiddev;
885 	struct usbhid_device *usbhid = hid->driver_data;
886 	int retval;
887 
888 	if (!force) {
889 		unsigned int i;
890 		for (i = 0; i < hid->maxcollection; i++)
891 			if (hid->collection[i].type ==
892 			    HID_COLLECTION_APPLICATION &&
893 			    !IS_INPUT_APPLICATION(hid->collection[i].usage))
894 				break;
895 
896 		if (i == hid->maxcollection)
897 			return -1;
898 	}
899 
900 	if (!(hiddev = kzalloc(sizeof(struct hiddev), GFP_KERNEL)))
901 		return -1;
902 
903 	init_waitqueue_head(&hiddev->wait);
904 	INIT_LIST_HEAD(&hiddev->list);
905 	spin_lock_init(&hiddev->list_lock);
906 	mutex_init(&hiddev->existancelock);
907 	hid->hiddev = hiddev;
908 	hiddev->hid = hid;
909 	hiddev->exist = 1;
910 	retval = usb_register_dev(usbhid->intf, &hiddev_class);
911 	if (retval) {
912 		hid_err(hid, "Not able to get a minor for this device\n");
913 		hid->hiddev = NULL;
914 		kfree(hiddev);
915 		return -1;
916 	}
917 
918 	/*
919 	 * If HID_QUIRK_NO_INIT_REPORTS is set, make sure we don't initialize
920 	 * the reports.
921 	 */
922 	hiddev->initialized = hid->quirks & HID_QUIRK_NO_INIT_REPORTS;
923 
924 	hiddev->minor = usbhid->intf->minor;
925 
926 	return 0;
927 }
928 
929 /*
930  * This is where hid.c calls us to disconnect a hiddev device from the
931  * corresponding hid device (usually because the usb device has disconnected)
932  */
933 static struct usb_class_driver hiddev_class;
934 void hiddev_disconnect(struct hid_device *hid)
935 {
936 	struct hiddev *hiddev = hid->hiddev;
937 	struct usbhid_device *usbhid = hid->driver_data;
938 
939 	usb_deregister_dev(usbhid->intf, &hiddev_class);
940 
941 	mutex_lock(&hiddev->existancelock);
942 	hiddev->exist = 0;
943 
944 	if (hiddev->open) {
945 		mutex_unlock(&hiddev->existancelock);
946 		hid_hw_close(hiddev->hid);
947 		wake_up_interruptible(&hiddev->wait);
948 	} else {
949 		mutex_unlock(&hiddev->existancelock);
950 		kfree(hiddev);
951 	}
952 }
953