xref: /openbmc/linux/drivers/input/misc/uinput.c (revision b593bce5)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *  User level driver support for input subsystem
4  *
5  * Heavily based on evdev.c by Vojtech Pavlik
6  *
7  * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
8  *
9  * Changes/Revisions:
10  *	0.4	01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>)
11  *		- add UI_GET_SYSNAME ioctl
12  *	0.3	09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>)
13  *		- updated ff support for the changes in kernel interface
14  *		- added MODULE_VERSION
15  *	0.2	16/10/2004 (Micah Dowty <micah@navi.cx>)
16  *		- added force feedback support
17  *              - added UI_SET_PHYS
18  *	0.1	20/06/2002
19  *		- first public version
20  */
21 #include <uapi/linux/uinput.h>
22 #include <linux/poll.h>
23 #include <linux/sched.h>
24 #include <linux/slab.h>
25 #include <linux/module.h>
26 #include <linux/init.h>
27 #include <linux/fs.h>
28 #include <linux/miscdevice.h>
29 #include <linux/overflow.h>
30 #include <linux/input/mt.h>
31 #include "../input-compat.h"
32 
33 #define UINPUT_NAME		"uinput"
34 #define UINPUT_BUFFER_SIZE	16
35 #define UINPUT_NUM_REQUESTS	16
36 
37 enum uinput_state { UIST_NEW_DEVICE, UIST_SETUP_COMPLETE, UIST_CREATED };
38 
39 struct uinput_request {
40 	unsigned int		id;
41 	unsigned int		code;	/* UI_FF_UPLOAD, UI_FF_ERASE */
42 
43 	int			retval;
44 	struct completion	done;
45 
46 	union {
47 		unsigned int	effect_id;
48 		struct {
49 			struct ff_effect *effect;
50 			struct ff_effect *old;
51 		} upload;
52 	} u;
53 };
54 
55 struct uinput_device {
56 	struct input_dev	*dev;
57 	struct mutex		mutex;
58 	enum uinput_state	state;
59 	wait_queue_head_t	waitq;
60 	unsigned char		ready;
61 	unsigned char		head;
62 	unsigned char		tail;
63 	struct input_event	buff[UINPUT_BUFFER_SIZE];
64 	unsigned int		ff_effects_max;
65 
66 	struct uinput_request	*requests[UINPUT_NUM_REQUESTS];
67 	wait_queue_head_t	requests_waitq;
68 	spinlock_t		requests_lock;
69 };
70 
71 static int uinput_dev_event(struct input_dev *dev,
72 			    unsigned int type, unsigned int code, int value)
73 {
74 	struct uinput_device	*udev = input_get_drvdata(dev);
75 	struct timespec64	ts;
76 
77 	udev->buff[udev->head].type = type;
78 	udev->buff[udev->head].code = code;
79 	udev->buff[udev->head].value = value;
80 	ktime_get_ts64(&ts);
81 	udev->buff[udev->head].input_event_sec = ts.tv_sec;
82 	udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC;
83 	udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
84 
85 	wake_up_interruptible(&udev->waitq);
86 
87 	return 0;
88 }
89 
90 /* Atomically allocate an ID for the given request. Returns 0 on success. */
91 static bool uinput_request_alloc_id(struct uinput_device *udev,
92 				    struct uinput_request *request)
93 {
94 	unsigned int id;
95 	bool reserved = false;
96 
97 	spin_lock(&udev->requests_lock);
98 
99 	for (id = 0; id < UINPUT_NUM_REQUESTS; id++) {
100 		if (!udev->requests[id]) {
101 			request->id = id;
102 			udev->requests[id] = request;
103 			reserved = true;
104 			break;
105 		}
106 	}
107 
108 	spin_unlock(&udev->requests_lock);
109 	return reserved;
110 }
111 
112 static struct uinput_request *uinput_request_find(struct uinput_device *udev,
113 						  unsigned int id)
114 {
115 	/* Find an input request, by ID. Returns NULL if the ID isn't valid. */
116 	if (id >= UINPUT_NUM_REQUESTS)
117 		return NULL;
118 
119 	return udev->requests[id];
120 }
121 
122 static int uinput_request_reserve_slot(struct uinput_device *udev,
123 				       struct uinput_request *request)
124 {
125 	/* Allocate slot. If none are available right away, wait. */
126 	return wait_event_interruptible(udev->requests_waitq,
127 					uinput_request_alloc_id(udev, request));
128 }
129 
130 static void uinput_request_release_slot(struct uinput_device *udev,
131 					unsigned int id)
132 {
133 	/* Mark slot as available */
134 	spin_lock(&udev->requests_lock);
135 	udev->requests[id] = NULL;
136 	spin_unlock(&udev->requests_lock);
137 
138 	wake_up(&udev->requests_waitq);
139 }
140 
141 static int uinput_request_send(struct uinput_device *udev,
142 			       struct uinput_request *request)
143 {
144 	int retval;
145 
146 	retval = mutex_lock_interruptible(&udev->mutex);
147 	if (retval)
148 		return retval;
149 
150 	if (udev->state != UIST_CREATED) {
151 		retval = -ENODEV;
152 		goto out;
153 	}
154 
155 	init_completion(&request->done);
156 
157 	/*
158 	 * Tell our userspace application about this new request
159 	 * by queueing an input event.
160 	 */
161 	uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
162 
163  out:
164 	mutex_unlock(&udev->mutex);
165 	return retval;
166 }
167 
168 static int uinput_request_submit(struct uinput_device *udev,
169 				 struct uinput_request *request)
170 {
171 	int retval;
172 
173 	retval = uinput_request_reserve_slot(udev, request);
174 	if (retval)
175 		return retval;
176 
177 	retval = uinput_request_send(udev, request);
178 	if (retval)
179 		goto out;
180 
181 	if (!wait_for_completion_timeout(&request->done, 30 * HZ)) {
182 		retval = -ETIMEDOUT;
183 		goto out;
184 	}
185 
186 	retval = request->retval;
187 
188  out:
189 	uinput_request_release_slot(udev, request->id);
190 	return retval;
191 }
192 
193 /*
194  * Fail all outstanding requests so handlers don't wait for the userspace
195  * to finish processing them.
196  */
197 static void uinput_flush_requests(struct uinput_device *udev)
198 {
199 	struct uinput_request *request;
200 	int i;
201 
202 	spin_lock(&udev->requests_lock);
203 
204 	for (i = 0; i < UINPUT_NUM_REQUESTS; i++) {
205 		request = udev->requests[i];
206 		if (request) {
207 			request->retval = -ENODEV;
208 			complete(&request->done);
209 		}
210 	}
211 
212 	spin_unlock(&udev->requests_lock);
213 }
214 
215 static void uinput_dev_set_gain(struct input_dev *dev, u16 gain)
216 {
217 	uinput_dev_event(dev, EV_FF, FF_GAIN, gain);
218 }
219 
220 static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude)
221 {
222 	uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude);
223 }
224 
225 static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value)
226 {
227 	return uinput_dev_event(dev, EV_FF, effect_id, value);
228 }
229 
230 static int uinput_dev_upload_effect(struct input_dev *dev,
231 				    struct ff_effect *effect,
232 				    struct ff_effect *old)
233 {
234 	struct uinput_device *udev = input_get_drvdata(dev);
235 	struct uinput_request request;
236 
237 	/*
238 	 * uinput driver does not currently support periodic effects with
239 	 * custom waveform since it does not have a way to pass buffer of
240 	 * samples (custom_data) to userspace. If ever there is a device
241 	 * supporting custom waveforms we would need to define an additional
242 	 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out.
243 	 */
244 	if (effect->type == FF_PERIODIC &&
245 			effect->u.periodic.waveform == FF_CUSTOM)
246 		return -EINVAL;
247 
248 	request.code = UI_FF_UPLOAD;
249 	request.u.upload.effect = effect;
250 	request.u.upload.old = old;
251 
252 	return uinput_request_submit(udev, &request);
253 }
254 
255 static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id)
256 {
257 	struct uinput_device *udev = input_get_drvdata(dev);
258 	struct uinput_request request;
259 
260 	if (!test_bit(EV_FF, dev->evbit))
261 		return -ENOSYS;
262 
263 	request.code = UI_FF_ERASE;
264 	request.u.effect_id = effect_id;
265 
266 	return uinput_request_submit(udev, &request);
267 }
268 
269 static int uinput_dev_flush(struct input_dev *dev, struct file *file)
270 {
271 	/*
272 	 * If we are called with file == NULL that means we are tearing
273 	 * down the device, and therefore we can not handle FF erase
274 	 * requests: either we are handling UI_DEV_DESTROY (and holding
275 	 * the udev->mutex), or the file descriptor is closed and there is
276 	 * nobody on the other side anymore.
277 	 */
278 	return file ? input_ff_flush(dev, file) : 0;
279 }
280 
281 static void uinput_destroy_device(struct uinput_device *udev)
282 {
283 	const char *name, *phys;
284 	struct input_dev *dev = udev->dev;
285 	enum uinput_state old_state = udev->state;
286 
287 	udev->state = UIST_NEW_DEVICE;
288 
289 	if (dev) {
290 		name = dev->name;
291 		phys = dev->phys;
292 		if (old_state == UIST_CREATED) {
293 			uinput_flush_requests(udev);
294 			input_unregister_device(dev);
295 		} else {
296 			input_free_device(dev);
297 		}
298 		kfree(name);
299 		kfree(phys);
300 		udev->dev = NULL;
301 	}
302 }
303 
304 static int uinput_create_device(struct uinput_device *udev)
305 {
306 	struct input_dev *dev = udev->dev;
307 	int error, nslot;
308 
309 	if (udev->state != UIST_SETUP_COMPLETE) {
310 		printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
311 		return -EINVAL;
312 	}
313 
314 	if (test_bit(EV_ABS, dev->evbit)) {
315 		input_alloc_absinfo(dev);
316 		if (!dev->absinfo) {
317 			error = -EINVAL;
318 			goto fail1;
319 		}
320 
321 		if (test_bit(ABS_MT_SLOT, dev->absbit)) {
322 			nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
323 			error = input_mt_init_slots(dev, nslot, 0);
324 			if (error)
325 				goto fail1;
326 		} else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
327 			input_set_events_per_packet(dev, 60);
328 		}
329 	}
330 
331 	if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
332 		printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
333 			UINPUT_NAME);
334 		error = -EINVAL;
335 		goto fail1;
336 	}
337 
338 	if (udev->ff_effects_max) {
339 		error = input_ff_create(dev, udev->ff_effects_max);
340 		if (error)
341 			goto fail1;
342 
343 		dev->ff->upload = uinput_dev_upload_effect;
344 		dev->ff->erase = uinput_dev_erase_effect;
345 		dev->ff->playback = uinput_dev_playback;
346 		dev->ff->set_gain = uinput_dev_set_gain;
347 		dev->ff->set_autocenter = uinput_dev_set_autocenter;
348 		/*
349 		 * The standard input_ff_flush() implementation does
350 		 * not quite work for uinput as we can't reasonably
351 		 * handle FF requests during device teardown.
352 		 */
353 		dev->flush = uinput_dev_flush;
354 	}
355 
356 	dev->event = uinput_dev_event;
357 
358 	input_set_drvdata(udev->dev, udev);
359 
360 	error = input_register_device(udev->dev);
361 	if (error)
362 		goto fail2;
363 
364 	udev->state = UIST_CREATED;
365 
366 	return 0;
367 
368  fail2:	input_ff_destroy(dev);
369  fail1: uinput_destroy_device(udev);
370 	return error;
371 }
372 
373 static int uinput_open(struct inode *inode, struct file *file)
374 {
375 	struct uinput_device *newdev;
376 
377 	newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL);
378 	if (!newdev)
379 		return -ENOMEM;
380 
381 	mutex_init(&newdev->mutex);
382 	spin_lock_init(&newdev->requests_lock);
383 	init_waitqueue_head(&newdev->requests_waitq);
384 	init_waitqueue_head(&newdev->waitq);
385 	newdev->state = UIST_NEW_DEVICE;
386 
387 	file->private_data = newdev;
388 	stream_open(inode, file);
389 
390 	return 0;
391 }
392 
393 static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
394 				   const struct input_absinfo *abs)
395 {
396 	int min, max, range;
397 
398 	min = abs->minimum;
399 	max = abs->maximum;
400 
401 	if ((min != 0 || max != 0) && max < min) {
402 		printk(KERN_DEBUG
403 		       "%s: invalid abs[%02x] min:%d max:%d\n",
404 		       UINPUT_NAME, code, min, max);
405 		return -EINVAL;
406 	}
407 
408 	if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
409 		printk(KERN_DEBUG
410 		       "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
411 		       UINPUT_NAME, code, abs->flat, min, max);
412 		return -EINVAL;
413 	}
414 
415 	return 0;
416 }
417 
418 static int uinput_validate_absbits(struct input_dev *dev)
419 {
420 	unsigned int cnt;
421 	int error;
422 
423 	if (!test_bit(EV_ABS, dev->evbit))
424 		return 0;
425 
426 	/*
427 	 * Check if absmin/absmax/absfuzz/absflat are sane.
428 	 */
429 
430 	for_each_set_bit(cnt, dev->absbit, ABS_CNT) {
431 		if (!dev->absinfo)
432 			return -EINVAL;
433 
434 		error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]);
435 		if (error)
436 			return error;
437 	}
438 
439 	return 0;
440 }
441 
442 static int uinput_dev_setup(struct uinput_device *udev,
443 			    struct uinput_setup __user *arg)
444 {
445 	struct uinput_setup setup;
446 	struct input_dev *dev;
447 
448 	if (udev->state == UIST_CREATED)
449 		return -EINVAL;
450 
451 	if (copy_from_user(&setup, arg, sizeof(setup)))
452 		return -EFAULT;
453 
454 	if (!setup.name[0])
455 		return -EINVAL;
456 
457 	dev = udev->dev;
458 	dev->id = setup.id;
459 	udev->ff_effects_max = setup.ff_effects_max;
460 
461 	kfree(dev->name);
462 	dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
463 	if (!dev->name)
464 		return -ENOMEM;
465 
466 	udev->state = UIST_SETUP_COMPLETE;
467 	return 0;
468 }
469 
470 static int uinput_abs_setup(struct uinput_device *udev,
471 			    struct uinput_setup __user *arg, size_t size)
472 {
473 	struct uinput_abs_setup setup = {};
474 	struct input_dev *dev;
475 	int error;
476 
477 	if (size > sizeof(setup))
478 		return -E2BIG;
479 
480 	if (udev->state == UIST_CREATED)
481 		return -EINVAL;
482 
483 	if (copy_from_user(&setup, arg, size))
484 		return -EFAULT;
485 
486 	if (setup.code > ABS_MAX)
487 		return -ERANGE;
488 
489 	dev = udev->dev;
490 
491 	error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo);
492 	if (error)
493 		return error;
494 
495 	input_alloc_absinfo(dev);
496 	if (!dev->absinfo)
497 		return -ENOMEM;
498 
499 	set_bit(setup.code, dev->absbit);
500 	dev->absinfo[setup.code] = setup.absinfo;
501 	return 0;
502 }
503 
504 /* legacy setup via write() */
505 static int uinput_setup_device_legacy(struct uinput_device *udev,
506 				      const char __user *buffer, size_t count)
507 {
508 	struct uinput_user_dev	*user_dev;
509 	struct input_dev	*dev;
510 	int			i;
511 	int			retval;
512 
513 	if (count != sizeof(struct uinput_user_dev))
514 		return -EINVAL;
515 
516 	if (!udev->dev) {
517 		udev->dev = input_allocate_device();
518 		if (!udev->dev)
519 			return -ENOMEM;
520 	}
521 
522 	dev = udev->dev;
523 
524 	user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
525 	if (IS_ERR(user_dev))
526 		return PTR_ERR(user_dev);
527 
528 	udev->ff_effects_max = user_dev->ff_effects_max;
529 
530 	/* Ensure name is filled in */
531 	if (!user_dev->name[0]) {
532 		retval = -EINVAL;
533 		goto exit;
534 	}
535 
536 	kfree(dev->name);
537 	dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE,
538 			     GFP_KERNEL);
539 	if (!dev->name) {
540 		retval = -ENOMEM;
541 		goto exit;
542 	}
543 
544 	dev->id.bustype	= user_dev->id.bustype;
545 	dev->id.vendor	= user_dev->id.vendor;
546 	dev->id.product	= user_dev->id.product;
547 	dev->id.version	= user_dev->id.version;
548 
549 	for (i = 0; i < ABS_CNT; i++) {
550 		input_abs_set_max(dev, i, user_dev->absmax[i]);
551 		input_abs_set_min(dev, i, user_dev->absmin[i]);
552 		input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
553 		input_abs_set_flat(dev, i, user_dev->absflat[i]);
554 	}
555 
556 	retval = uinput_validate_absbits(dev);
557 	if (retval < 0)
558 		goto exit;
559 
560 	udev->state = UIST_SETUP_COMPLETE;
561 	retval = count;
562 
563  exit:
564 	kfree(user_dev);
565 	return retval;
566 }
567 
568 static ssize_t uinput_inject_events(struct uinput_device *udev,
569 				    const char __user *buffer, size_t count)
570 {
571 	struct input_event ev;
572 	size_t bytes = 0;
573 
574 	if (count != 0 && count < input_event_size())
575 		return -EINVAL;
576 
577 	while (bytes + input_event_size() <= count) {
578 		/*
579 		 * Note that even if some events were fetched successfully
580 		 * we are still going to return EFAULT instead of partial
581 		 * count to let userspace know that it got it's buffers
582 		 * all wrong.
583 		 */
584 		if (input_event_from_user(buffer + bytes, &ev))
585 			return -EFAULT;
586 
587 		input_event(udev->dev, ev.type, ev.code, ev.value);
588 		bytes += input_event_size();
589 		cond_resched();
590 	}
591 
592 	return bytes;
593 }
594 
595 static ssize_t uinput_write(struct file *file, const char __user *buffer,
596 			    size_t count, loff_t *ppos)
597 {
598 	struct uinput_device *udev = file->private_data;
599 	int retval;
600 
601 	if (count == 0)
602 		return 0;
603 
604 	retval = mutex_lock_interruptible(&udev->mutex);
605 	if (retval)
606 		return retval;
607 
608 	retval = udev->state == UIST_CREATED ?
609 			uinput_inject_events(udev, buffer, count) :
610 			uinput_setup_device_legacy(udev, buffer, count);
611 
612 	mutex_unlock(&udev->mutex);
613 
614 	return retval;
615 }
616 
617 static bool uinput_fetch_next_event(struct uinput_device *udev,
618 				    struct input_event *event)
619 {
620 	bool have_event;
621 
622 	spin_lock_irq(&udev->dev->event_lock);
623 
624 	have_event = udev->head != udev->tail;
625 	if (have_event) {
626 		*event = udev->buff[udev->tail];
627 		udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE;
628 	}
629 
630 	spin_unlock_irq(&udev->dev->event_lock);
631 
632 	return have_event;
633 }
634 
635 static ssize_t uinput_events_to_user(struct uinput_device *udev,
636 				     char __user *buffer, size_t count)
637 {
638 	struct input_event event;
639 	size_t read = 0;
640 
641 	while (read + input_event_size() <= count &&
642 	       uinput_fetch_next_event(udev, &event)) {
643 
644 		if (input_event_to_user(buffer + read, &event))
645 			return -EFAULT;
646 
647 		read += input_event_size();
648 	}
649 
650 	return read;
651 }
652 
653 static ssize_t uinput_read(struct file *file, char __user *buffer,
654 			   size_t count, loff_t *ppos)
655 {
656 	struct uinput_device *udev = file->private_data;
657 	ssize_t retval;
658 
659 	if (count != 0 && count < input_event_size())
660 		return -EINVAL;
661 
662 	do {
663 		retval = mutex_lock_interruptible(&udev->mutex);
664 		if (retval)
665 			return retval;
666 
667 		if (udev->state != UIST_CREATED)
668 			retval = -ENODEV;
669 		else if (udev->head == udev->tail &&
670 			 (file->f_flags & O_NONBLOCK))
671 			retval = -EAGAIN;
672 		else
673 			retval = uinput_events_to_user(udev, buffer, count);
674 
675 		mutex_unlock(&udev->mutex);
676 
677 		if (retval || count == 0)
678 			break;
679 
680 		if (!(file->f_flags & O_NONBLOCK))
681 			retval = wait_event_interruptible(udev->waitq,
682 						  udev->head != udev->tail ||
683 						  udev->state != UIST_CREATED);
684 	} while (retval == 0);
685 
686 	return retval;
687 }
688 
689 static __poll_t uinput_poll(struct file *file, poll_table *wait)
690 {
691 	struct uinput_device *udev = file->private_data;
692 
693 	poll_wait(file, &udev->waitq, wait);
694 
695 	if (udev->head != udev->tail)
696 		return EPOLLIN | EPOLLRDNORM;
697 
698 	return 0;
699 }
700 
701 static int uinput_release(struct inode *inode, struct file *file)
702 {
703 	struct uinput_device *udev = file->private_data;
704 
705 	uinput_destroy_device(udev);
706 	kfree(udev);
707 
708 	return 0;
709 }
710 
711 #ifdef CONFIG_COMPAT
712 struct uinput_ff_upload_compat {
713 	__u32			request_id;
714 	__s32			retval;
715 	struct ff_effect_compat	effect;
716 	struct ff_effect_compat	old;
717 };
718 
719 static int uinput_ff_upload_to_user(char __user *buffer,
720 				    const struct uinput_ff_upload *ff_up)
721 {
722 	if (in_compat_syscall()) {
723 		struct uinput_ff_upload_compat ff_up_compat;
724 
725 		ff_up_compat.request_id = ff_up->request_id;
726 		ff_up_compat.retval = ff_up->retval;
727 		/*
728 		 * It so happens that the pointer that gives us the trouble
729 		 * is the last field in the structure. Since we don't support
730 		 * custom waveforms in uinput anyway we can just copy the whole
731 		 * thing (to the compat size) and ignore the pointer.
732 		 */
733 		memcpy(&ff_up_compat.effect, &ff_up->effect,
734 			sizeof(struct ff_effect_compat));
735 		memcpy(&ff_up_compat.old, &ff_up->old,
736 			sizeof(struct ff_effect_compat));
737 
738 		if (copy_to_user(buffer, &ff_up_compat,
739 				 sizeof(struct uinput_ff_upload_compat)))
740 			return -EFAULT;
741 	} else {
742 		if (copy_to_user(buffer, ff_up,
743 				 sizeof(struct uinput_ff_upload)))
744 			return -EFAULT;
745 	}
746 
747 	return 0;
748 }
749 
750 static int uinput_ff_upload_from_user(const char __user *buffer,
751 				      struct uinput_ff_upload *ff_up)
752 {
753 	if (in_compat_syscall()) {
754 		struct uinput_ff_upload_compat ff_up_compat;
755 
756 		if (copy_from_user(&ff_up_compat, buffer,
757 				   sizeof(struct uinput_ff_upload_compat)))
758 			return -EFAULT;
759 
760 		ff_up->request_id = ff_up_compat.request_id;
761 		ff_up->retval = ff_up_compat.retval;
762 		memcpy(&ff_up->effect, &ff_up_compat.effect,
763 			sizeof(struct ff_effect_compat));
764 		memcpy(&ff_up->old, &ff_up_compat.old,
765 			sizeof(struct ff_effect_compat));
766 
767 	} else {
768 		if (copy_from_user(ff_up, buffer,
769 				   sizeof(struct uinput_ff_upload)))
770 			return -EFAULT;
771 	}
772 
773 	return 0;
774 }
775 
776 #else
777 
778 static int uinput_ff_upload_to_user(char __user *buffer,
779 				    const struct uinput_ff_upload *ff_up)
780 {
781 	if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload)))
782 		return -EFAULT;
783 
784 	return 0;
785 }
786 
787 static int uinput_ff_upload_from_user(const char __user *buffer,
788 				      struct uinput_ff_upload *ff_up)
789 {
790 	if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload)))
791 		return -EFAULT;
792 
793 	return 0;
794 }
795 
796 #endif
797 
798 #define uinput_set_bit(_arg, _bit, _max)		\
799 ({							\
800 	int __ret = 0;					\
801 	if (udev->state == UIST_CREATED)		\
802 		__ret =  -EINVAL;			\
803 	else if ((_arg) > (_max))			\
804 		__ret = -EINVAL;			\
805 	else set_bit((_arg), udev->dev->_bit);		\
806 	__ret;						\
807 })
808 
809 static int uinput_str_to_user(void __user *dest, const char *str,
810 			      unsigned int maxlen)
811 {
812 	char __user *p = dest;
813 	int len, ret;
814 
815 	if (!str)
816 		return -ENOENT;
817 
818 	if (maxlen == 0)
819 		return -EINVAL;
820 
821 	len = strlen(str) + 1;
822 	if (len > maxlen)
823 		len = maxlen;
824 
825 	ret = copy_to_user(p, str, len);
826 	if (ret)
827 		return -EFAULT;
828 
829 	/* force terminating '\0' */
830 	ret = put_user(0, p + len - 1);
831 	return ret ? -EFAULT : len;
832 }
833 
834 static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
835 				 unsigned long arg, void __user *p)
836 {
837 	int			retval;
838 	struct uinput_device	*udev = file->private_data;
839 	struct uinput_ff_upload ff_up;
840 	struct uinput_ff_erase  ff_erase;
841 	struct uinput_request   *req;
842 	char			*phys;
843 	const char		*name;
844 	unsigned int		size;
845 
846 	retval = mutex_lock_interruptible(&udev->mutex);
847 	if (retval)
848 		return retval;
849 
850 	if (!udev->dev) {
851 		udev->dev = input_allocate_device();
852 		if (!udev->dev) {
853 			retval = -ENOMEM;
854 			goto out;
855 		}
856 	}
857 
858 	switch (cmd) {
859 	case UI_GET_VERSION:
860 		if (put_user(UINPUT_VERSION, (unsigned int __user *)p))
861 			retval = -EFAULT;
862 		goto out;
863 
864 	case UI_DEV_CREATE:
865 		retval = uinput_create_device(udev);
866 		goto out;
867 
868 	case UI_DEV_DESTROY:
869 		uinput_destroy_device(udev);
870 		goto out;
871 
872 	case UI_DEV_SETUP:
873 		retval = uinput_dev_setup(udev, p);
874 		goto out;
875 
876 	/* UI_ABS_SETUP is handled in the variable size ioctls */
877 
878 	case UI_SET_EVBIT:
879 		retval = uinput_set_bit(arg, evbit, EV_MAX);
880 		goto out;
881 
882 	case UI_SET_KEYBIT:
883 		retval = uinput_set_bit(arg, keybit, KEY_MAX);
884 		goto out;
885 
886 	case UI_SET_RELBIT:
887 		retval = uinput_set_bit(arg, relbit, REL_MAX);
888 		goto out;
889 
890 	case UI_SET_ABSBIT:
891 		retval = uinput_set_bit(arg, absbit, ABS_MAX);
892 		goto out;
893 
894 	case UI_SET_MSCBIT:
895 		retval = uinput_set_bit(arg, mscbit, MSC_MAX);
896 		goto out;
897 
898 	case UI_SET_LEDBIT:
899 		retval = uinput_set_bit(arg, ledbit, LED_MAX);
900 		goto out;
901 
902 	case UI_SET_SNDBIT:
903 		retval = uinput_set_bit(arg, sndbit, SND_MAX);
904 		goto out;
905 
906 	case UI_SET_FFBIT:
907 		retval = uinput_set_bit(arg, ffbit, FF_MAX);
908 		goto out;
909 
910 	case UI_SET_SWBIT:
911 		retval = uinput_set_bit(arg, swbit, SW_MAX);
912 		goto out;
913 
914 	case UI_SET_PROPBIT:
915 		retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX);
916 		goto out;
917 
918 	case UI_SET_PHYS:
919 		if (udev->state == UIST_CREATED) {
920 			retval = -EINVAL;
921 			goto out;
922 		}
923 
924 		phys = strndup_user(p, 1024);
925 		if (IS_ERR(phys)) {
926 			retval = PTR_ERR(phys);
927 			goto out;
928 		}
929 
930 		kfree(udev->dev->phys);
931 		udev->dev->phys = phys;
932 		goto out;
933 
934 	case UI_BEGIN_FF_UPLOAD:
935 		retval = uinput_ff_upload_from_user(p, &ff_up);
936 		if (retval)
937 			goto out;
938 
939 		req = uinput_request_find(udev, ff_up.request_id);
940 		if (!req || req->code != UI_FF_UPLOAD ||
941 		    !req->u.upload.effect) {
942 			retval = -EINVAL;
943 			goto out;
944 		}
945 
946 		ff_up.retval = 0;
947 		ff_up.effect = *req->u.upload.effect;
948 		if (req->u.upload.old)
949 			ff_up.old = *req->u.upload.old;
950 		else
951 			memset(&ff_up.old, 0, sizeof(struct ff_effect));
952 
953 		retval = uinput_ff_upload_to_user(p, &ff_up);
954 		goto out;
955 
956 	case UI_BEGIN_FF_ERASE:
957 		if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
958 			retval = -EFAULT;
959 			goto out;
960 		}
961 
962 		req = uinput_request_find(udev, ff_erase.request_id);
963 		if (!req || req->code != UI_FF_ERASE) {
964 			retval = -EINVAL;
965 			goto out;
966 		}
967 
968 		ff_erase.retval = 0;
969 		ff_erase.effect_id = req->u.effect_id;
970 		if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) {
971 			retval = -EFAULT;
972 			goto out;
973 		}
974 
975 		goto out;
976 
977 	case UI_END_FF_UPLOAD:
978 		retval = uinput_ff_upload_from_user(p, &ff_up);
979 		if (retval)
980 			goto out;
981 
982 		req = uinput_request_find(udev, ff_up.request_id);
983 		if (!req || req->code != UI_FF_UPLOAD ||
984 		    !req->u.upload.effect) {
985 			retval = -EINVAL;
986 			goto out;
987 		}
988 
989 		req->retval = ff_up.retval;
990 		complete(&req->done);
991 		goto out;
992 
993 	case UI_END_FF_ERASE:
994 		if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
995 			retval = -EFAULT;
996 			goto out;
997 		}
998 
999 		req = uinput_request_find(udev, ff_erase.request_id);
1000 		if (!req || req->code != UI_FF_ERASE) {
1001 			retval = -EINVAL;
1002 			goto out;
1003 		}
1004 
1005 		req->retval = ff_erase.retval;
1006 		complete(&req->done);
1007 		goto out;
1008 	}
1009 
1010 	size = _IOC_SIZE(cmd);
1011 
1012 	/* Now check variable-length commands */
1013 	switch (cmd & ~IOCSIZE_MASK) {
1014 	case UI_GET_SYSNAME(0):
1015 		if (udev->state != UIST_CREATED) {
1016 			retval = -ENOENT;
1017 			goto out;
1018 		}
1019 		name = dev_name(&udev->dev->dev);
1020 		retval = uinput_str_to_user(p, name, size);
1021 		goto out;
1022 
1023 	case UI_ABS_SETUP & ~IOCSIZE_MASK:
1024 		retval = uinput_abs_setup(udev, p, size);
1025 		goto out;
1026 	}
1027 
1028 	retval = -EINVAL;
1029  out:
1030 	mutex_unlock(&udev->mutex);
1031 	return retval;
1032 }
1033 
1034 static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1035 {
1036 	return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg);
1037 }
1038 
1039 #ifdef CONFIG_COMPAT
1040 
1041 /*
1042  * These IOCTLs change their size and thus their numbers between
1043  * 32 and 64 bits.
1044  */
1045 #define UI_SET_PHYS_COMPAT		\
1046 	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
1047 #define UI_BEGIN_FF_UPLOAD_COMPAT	\
1048 	_IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
1049 #define UI_END_FF_UPLOAD_COMPAT		\
1050 	_IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
1051 
1052 static long uinput_compat_ioctl(struct file *file,
1053 				unsigned int cmd, unsigned long arg)
1054 {
1055 	switch (cmd) {
1056 	case UI_SET_PHYS_COMPAT:
1057 		cmd = UI_SET_PHYS;
1058 		break;
1059 	case UI_BEGIN_FF_UPLOAD_COMPAT:
1060 		cmd = UI_BEGIN_FF_UPLOAD;
1061 		break;
1062 	case UI_END_FF_UPLOAD_COMPAT:
1063 		cmd = UI_END_FF_UPLOAD;
1064 		break;
1065 	}
1066 
1067 	return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1068 }
1069 #endif
1070 
1071 static const struct file_operations uinput_fops = {
1072 	.owner		= THIS_MODULE,
1073 	.open		= uinput_open,
1074 	.release	= uinput_release,
1075 	.read		= uinput_read,
1076 	.write		= uinput_write,
1077 	.poll		= uinput_poll,
1078 	.unlocked_ioctl	= uinput_ioctl,
1079 #ifdef CONFIG_COMPAT
1080 	.compat_ioctl	= uinput_compat_ioctl,
1081 #endif
1082 	.llseek		= no_llseek,
1083 };
1084 
1085 static struct miscdevice uinput_misc = {
1086 	.fops		= &uinput_fops,
1087 	.minor		= UINPUT_MINOR,
1088 	.name		= UINPUT_NAME,
1089 };
1090 module_misc_device(uinput_misc);
1091 
1092 MODULE_ALIAS_MISCDEV(UINPUT_MINOR);
1093 MODULE_ALIAS("devname:" UINPUT_NAME);
1094 
1095 MODULE_AUTHOR("Aristeu Sergio Rozanski Filho");
1096 MODULE_DESCRIPTION("User level driver support for input subsystem");
1097 MODULE_LICENSE("GPL");
1098