1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * User level driver support for input subsystem 4 * 5 * Heavily based on evdev.c by Vojtech Pavlik 6 * 7 * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org> 8 * 9 * Changes/Revisions: 10 * 0.4 01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>) 11 * - add UI_GET_SYSNAME ioctl 12 * 0.3 09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>) 13 * - updated ff support for the changes in kernel interface 14 * - added MODULE_VERSION 15 * 0.2 16/10/2004 (Micah Dowty <micah@navi.cx>) 16 * - added force feedback support 17 * - added UI_SET_PHYS 18 * 0.1 20/06/2002 19 * - first public version 20 */ 21 #include <uapi/linux/uinput.h> 22 #include <linux/poll.h> 23 #include <linux/sched.h> 24 #include <linux/slab.h> 25 #include <linux/module.h> 26 #include <linux/init.h> 27 #include <linux/fs.h> 28 #include <linux/miscdevice.h> 29 #include <linux/overflow.h> 30 #include <linux/input/mt.h> 31 #include "../input-compat.h" 32 33 #define UINPUT_NAME "uinput" 34 #define UINPUT_BUFFER_SIZE 16 35 #define UINPUT_NUM_REQUESTS 16 36 37 enum uinput_state { UIST_NEW_DEVICE, UIST_SETUP_COMPLETE, UIST_CREATED }; 38 39 struct uinput_request { 40 unsigned int id; 41 unsigned int code; /* UI_FF_UPLOAD, UI_FF_ERASE */ 42 43 int retval; 44 struct completion done; 45 46 union { 47 unsigned int effect_id; 48 struct { 49 struct ff_effect *effect; 50 struct ff_effect *old; 51 } upload; 52 } u; 53 }; 54 55 struct uinput_device { 56 struct input_dev *dev; 57 struct mutex mutex; 58 enum uinput_state state; 59 wait_queue_head_t waitq; 60 unsigned char ready; 61 unsigned char head; 62 unsigned char tail; 63 struct input_event buff[UINPUT_BUFFER_SIZE]; 64 unsigned int ff_effects_max; 65 66 struct uinput_request *requests[UINPUT_NUM_REQUESTS]; 67 wait_queue_head_t requests_waitq; 68 spinlock_t requests_lock; 69 }; 70 71 static int uinput_dev_event(struct input_dev *dev, 72 unsigned int type, unsigned int code, int value) 73 { 74 struct uinput_device *udev = input_get_drvdata(dev); 75 struct timespec64 ts; 76 77 udev->buff[udev->head].type = type; 78 udev->buff[udev->head].code = code; 79 udev->buff[udev->head].value = value; 80 ktime_get_ts64(&ts); 81 udev->buff[udev->head].input_event_sec = ts.tv_sec; 82 udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC; 83 udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE; 84 85 wake_up_interruptible(&udev->waitq); 86 87 return 0; 88 } 89 90 /* Atomically allocate an ID for the given request. Returns 0 on success. */ 91 static bool uinput_request_alloc_id(struct uinput_device *udev, 92 struct uinput_request *request) 93 { 94 unsigned int id; 95 bool reserved = false; 96 97 spin_lock(&udev->requests_lock); 98 99 for (id = 0; id < UINPUT_NUM_REQUESTS; id++) { 100 if (!udev->requests[id]) { 101 request->id = id; 102 udev->requests[id] = request; 103 reserved = true; 104 break; 105 } 106 } 107 108 spin_unlock(&udev->requests_lock); 109 return reserved; 110 } 111 112 static struct uinput_request *uinput_request_find(struct uinput_device *udev, 113 unsigned int id) 114 { 115 /* Find an input request, by ID. Returns NULL if the ID isn't valid. */ 116 if (id >= UINPUT_NUM_REQUESTS) 117 return NULL; 118 119 return udev->requests[id]; 120 } 121 122 static int uinput_request_reserve_slot(struct uinput_device *udev, 123 struct uinput_request *request) 124 { 125 /* Allocate slot. If none are available right away, wait. */ 126 return wait_event_interruptible(udev->requests_waitq, 127 uinput_request_alloc_id(udev, request)); 128 } 129 130 static void uinput_request_release_slot(struct uinput_device *udev, 131 unsigned int id) 132 { 133 /* Mark slot as available */ 134 spin_lock(&udev->requests_lock); 135 udev->requests[id] = NULL; 136 spin_unlock(&udev->requests_lock); 137 138 wake_up(&udev->requests_waitq); 139 } 140 141 static int uinput_request_send(struct uinput_device *udev, 142 struct uinput_request *request) 143 { 144 int retval; 145 146 retval = mutex_lock_interruptible(&udev->mutex); 147 if (retval) 148 return retval; 149 150 if (udev->state != UIST_CREATED) { 151 retval = -ENODEV; 152 goto out; 153 } 154 155 init_completion(&request->done); 156 157 /* 158 * Tell our userspace application about this new request 159 * by queueing an input event. 160 */ 161 uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); 162 163 out: 164 mutex_unlock(&udev->mutex); 165 return retval; 166 } 167 168 static int uinput_request_submit(struct uinput_device *udev, 169 struct uinput_request *request) 170 { 171 int retval; 172 173 retval = uinput_request_reserve_slot(udev, request); 174 if (retval) 175 return retval; 176 177 retval = uinput_request_send(udev, request); 178 if (retval) 179 goto out; 180 181 if (!wait_for_completion_timeout(&request->done, 30 * HZ)) { 182 retval = -ETIMEDOUT; 183 goto out; 184 } 185 186 retval = request->retval; 187 188 out: 189 uinput_request_release_slot(udev, request->id); 190 return retval; 191 } 192 193 /* 194 * Fail all outstanding requests so handlers don't wait for the userspace 195 * to finish processing them. 196 */ 197 static void uinput_flush_requests(struct uinput_device *udev) 198 { 199 struct uinput_request *request; 200 int i; 201 202 spin_lock(&udev->requests_lock); 203 204 for (i = 0; i < UINPUT_NUM_REQUESTS; i++) { 205 request = udev->requests[i]; 206 if (request) { 207 request->retval = -ENODEV; 208 complete(&request->done); 209 } 210 } 211 212 spin_unlock(&udev->requests_lock); 213 } 214 215 static void uinput_dev_set_gain(struct input_dev *dev, u16 gain) 216 { 217 uinput_dev_event(dev, EV_FF, FF_GAIN, gain); 218 } 219 220 static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude) 221 { 222 uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude); 223 } 224 225 static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value) 226 { 227 return uinput_dev_event(dev, EV_FF, effect_id, value); 228 } 229 230 static int uinput_dev_upload_effect(struct input_dev *dev, 231 struct ff_effect *effect, 232 struct ff_effect *old) 233 { 234 struct uinput_device *udev = input_get_drvdata(dev); 235 struct uinput_request request; 236 237 /* 238 * uinput driver does not currently support periodic effects with 239 * custom waveform since it does not have a way to pass buffer of 240 * samples (custom_data) to userspace. If ever there is a device 241 * supporting custom waveforms we would need to define an additional 242 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out. 243 */ 244 if (effect->type == FF_PERIODIC && 245 effect->u.periodic.waveform == FF_CUSTOM) 246 return -EINVAL; 247 248 request.code = UI_FF_UPLOAD; 249 request.u.upload.effect = effect; 250 request.u.upload.old = old; 251 252 return uinput_request_submit(udev, &request); 253 } 254 255 static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id) 256 { 257 struct uinput_device *udev = input_get_drvdata(dev); 258 struct uinput_request request; 259 260 if (!test_bit(EV_FF, dev->evbit)) 261 return -ENOSYS; 262 263 request.code = UI_FF_ERASE; 264 request.u.effect_id = effect_id; 265 266 return uinput_request_submit(udev, &request); 267 } 268 269 static int uinput_dev_flush(struct input_dev *dev, struct file *file) 270 { 271 /* 272 * If we are called with file == NULL that means we are tearing 273 * down the device, and therefore we can not handle FF erase 274 * requests: either we are handling UI_DEV_DESTROY (and holding 275 * the udev->mutex), or the file descriptor is closed and there is 276 * nobody on the other side anymore. 277 */ 278 return file ? input_ff_flush(dev, file) : 0; 279 } 280 281 static void uinput_destroy_device(struct uinput_device *udev) 282 { 283 const char *name, *phys; 284 struct input_dev *dev = udev->dev; 285 enum uinput_state old_state = udev->state; 286 287 udev->state = UIST_NEW_DEVICE; 288 289 if (dev) { 290 name = dev->name; 291 phys = dev->phys; 292 if (old_state == UIST_CREATED) { 293 uinput_flush_requests(udev); 294 input_unregister_device(dev); 295 } else { 296 input_free_device(dev); 297 } 298 kfree(name); 299 kfree(phys); 300 udev->dev = NULL; 301 } 302 } 303 304 static int uinput_create_device(struct uinput_device *udev) 305 { 306 struct input_dev *dev = udev->dev; 307 int error, nslot; 308 309 if (udev->state != UIST_SETUP_COMPLETE) { 310 printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME); 311 return -EINVAL; 312 } 313 314 if (test_bit(EV_ABS, dev->evbit)) { 315 input_alloc_absinfo(dev); 316 if (!dev->absinfo) { 317 error = -EINVAL; 318 goto fail1; 319 } 320 321 if (test_bit(ABS_MT_SLOT, dev->absbit)) { 322 nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; 323 error = input_mt_init_slots(dev, nslot, 0); 324 if (error) 325 goto fail1; 326 } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { 327 input_set_events_per_packet(dev, 60); 328 } 329 } 330 331 if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { 332 printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n", 333 UINPUT_NAME); 334 error = -EINVAL; 335 goto fail1; 336 } 337 338 if (udev->ff_effects_max) { 339 error = input_ff_create(dev, udev->ff_effects_max); 340 if (error) 341 goto fail1; 342 343 dev->ff->upload = uinput_dev_upload_effect; 344 dev->ff->erase = uinput_dev_erase_effect; 345 dev->ff->playback = uinput_dev_playback; 346 dev->ff->set_gain = uinput_dev_set_gain; 347 dev->ff->set_autocenter = uinput_dev_set_autocenter; 348 /* 349 * The standard input_ff_flush() implementation does 350 * not quite work for uinput as we can't reasonably 351 * handle FF requests during device teardown. 352 */ 353 dev->flush = uinput_dev_flush; 354 } 355 356 dev->event = uinput_dev_event; 357 358 input_set_drvdata(udev->dev, udev); 359 360 error = input_register_device(udev->dev); 361 if (error) 362 goto fail2; 363 364 udev->state = UIST_CREATED; 365 366 return 0; 367 368 fail2: input_ff_destroy(dev); 369 fail1: uinput_destroy_device(udev); 370 return error; 371 } 372 373 static int uinput_open(struct inode *inode, struct file *file) 374 { 375 struct uinput_device *newdev; 376 377 newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL); 378 if (!newdev) 379 return -ENOMEM; 380 381 mutex_init(&newdev->mutex); 382 spin_lock_init(&newdev->requests_lock); 383 init_waitqueue_head(&newdev->requests_waitq); 384 init_waitqueue_head(&newdev->waitq); 385 newdev->state = UIST_NEW_DEVICE; 386 387 file->private_data = newdev; 388 stream_open(inode, file); 389 390 return 0; 391 } 392 393 static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, 394 const struct input_absinfo *abs) 395 { 396 int min, max, range; 397 398 min = abs->minimum; 399 max = abs->maximum; 400 401 if ((min != 0 || max != 0) && max < min) { 402 printk(KERN_DEBUG 403 "%s: invalid abs[%02x] min:%d max:%d\n", 404 UINPUT_NAME, code, min, max); 405 return -EINVAL; 406 } 407 408 if (!check_sub_overflow(max, min, &range) && abs->flat > range) { 409 printk(KERN_DEBUG 410 "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", 411 UINPUT_NAME, code, abs->flat, min, max); 412 return -EINVAL; 413 } 414 415 return 0; 416 } 417 418 static int uinput_validate_absbits(struct input_dev *dev) 419 { 420 unsigned int cnt; 421 int error; 422 423 if (!test_bit(EV_ABS, dev->evbit)) 424 return 0; 425 426 /* 427 * Check if absmin/absmax/absfuzz/absflat are sane. 428 */ 429 430 for_each_set_bit(cnt, dev->absbit, ABS_CNT) { 431 if (!dev->absinfo) 432 return -EINVAL; 433 434 error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]); 435 if (error) 436 return error; 437 } 438 439 return 0; 440 } 441 442 static int uinput_dev_setup(struct uinput_device *udev, 443 struct uinput_setup __user *arg) 444 { 445 struct uinput_setup setup; 446 struct input_dev *dev; 447 448 if (udev->state == UIST_CREATED) 449 return -EINVAL; 450 451 if (copy_from_user(&setup, arg, sizeof(setup))) 452 return -EFAULT; 453 454 if (!setup.name[0]) 455 return -EINVAL; 456 457 dev = udev->dev; 458 dev->id = setup.id; 459 udev->ff_effects_max = setup.ff_effects_max; 460 461 kfree(dev->name); 462 dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL); 463 if (!dev->name) 464 return -ENOMEM; 465 466 udev->state = UIST_SETUP_COMPLETE; 467 return 0; 468 } 469 470 static int uinput_abs_setup(struct uinput_device *udev, 471 struct uinput_setup __user *arg, size_t size) 472 { 473 struct uinput_abs_setup setup = {}; 474 struct input_dev *dev; 475 int error; 476 477 if (size > sizeof(setup)) 478 return -E2BIG; 479 480 if (udev->state == UIST_CREATED) 481 return -EINVAL; 482 483 if (copy_from_user(&setup, arg, size)) 484 return -EFAULT; 485 486 if (setup.code > ABS_MAX) 487 return -ERANGE; 488 489 dev = udev->dev; 490 491 error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo); 492 if (error) 493 return error; 494 495 input_alloc_absinfo(dev); 496 if (!dev->absinfo) 497 return -ENOMEM; 498 499 set_bit(setup.code, dev->absbit); 500 dev->absinfo[setup.code] = setup.absinfo; 501 return 0; 502 } 503 504 /* legacy setup via write() */ 505 static int uinput_setup_device_legacy(struct uinput_device *udev, 506 const char __user *buffer, size_t count) 507 { 508 struct uinput_user_dev *user_dev; 509 struct input_dev *dev; 510 int i; 511 int retval; 512 513 if (count != sizeof(struct uinput_user_dev)) 514 return -EINVAL; 515 516 if (!udev->dev) { 517 udev->dev = input_allocate_device(); 518 if (!udev->dev) 519 return -ENOMEM; 520 } 521 522 dev = udev->dev; 523 524 user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev)); 525 if (IS_ERR(user_dev)) 526 return PTR_ERR(user_dev); 527 528 udev->ff_effects_max = user_dev->ff_effects_max; 529 530 /* Ensure name is filled in */ 531 if (!user_dev->name[0]) { 532 retval = -EINVAL; 533 goto exit; 534 } 535 536 kfree(dev->name); 537 dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE, 538 GFP_KERNEL); 539 if (!dev->name) { 540 retval = -ENOMEM; 541 goto exit; 542 } 543 544 dev->id.bustype = user_dev->id.bustype; 545 dev->id.vendor = user_dev->id.vendor; 546 dev->id.product = user_dev->id.product; 547 dev->id.version = user_dev->id.version; 548 549 for (i = 0; i < ABS_CNT; i++) { 550 input_abs_set_max(dev, i, user_dev->absmax[i]); 551 input_abs_set_min(dev, i, user_dev->absmin[i]); 552 input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]); 553 input_abs_set_flat(dev, i, user_dev->absflat[i]); 554 } 555 556 retval = uinput_validate_absbits(dev); 557 if (retval < 0) 558 goto exit; 559 560 udev->state = UIST_SETUP_COMPLETE; 561 retval = count; 562 563 exit: 564 kfree(user_dev); 565 return retval; 566 } 567 568 static ssize_t uinput_inject_events(struct uinput_device *udev, 569 const char __user *buffer, size_t count) 570 { 571 struct input_event ev; 572 size_t bytes = 0; 573 574 if (count != 0 && count < input_event_size()) 575 return -EINVAL; 576 577 while (bytes + input_event_size() <= count) { 578 /* 579 * Note that even if some events were fetched successfully 580 * we are still going to return EFAULT instead of partial 581 * count to let userspace know that it got it's buffers 582 * all wrong. 583 */ 584 if (input_event_from_user(buffer + bytes, &ev)) 585 return -EFAULT; 586 587 input_event(udev->dev, ev.type, ev.code, ev.value); 588 bytes += input_event_size(); 589 cond_resched(); 590 } 591 592 return bytes; 593 } 594 595 static ssize_t uinput_write(struct file *file, const char __user *buffer, 596 size_t count, loff_t *ppos) 597 { 598 struct uinput_device *udev = file->private_data; 599 int retval; 600 601 if (count == 0) 602 return 0; 603 604 retval = mutex_lock_interruptible(&udev->mutex); 605 if (retval) 606 return retval; 607 608 retval = udev->state == UIST_CREATED ? 609 uinput_inject_events(udev, buffer, count) : 610 uinput_setup_device_legacy(udev, buffer, count); 611 612 mutex_unlock(&udev->mutex); 613 614 return retval; 615 } 616 617 static bool uinput_fetch_next_event(struct uinput_device *udev, 618 struct input_event *event) 619 { 620 bool have_event; 621 622 spin_lock_irq(&udev->dev->event_lock); 623 624 have_event = udev->head != udev->tail; 625 if (have_event) { 626 *event = udev->buff[udev->tail]; 627 udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE; 628 } 629 630 spin_unlock_irq(&udev->dev->event_lock); 631 632 return have_event; 633 } 634 635 static ssize_t uinput_events_to_user(struct uinput_device *udev, 636 char __user *buffer, size_t count) 637 { 638 struct input_event event; 639 size_t read = 0; 640 641 while (read + input_event_size() <= count && 642 uinput_fetch_next_event(udev, &event)) { 643 644 if (input_event_to_user(buffer + read, &event)) 645 return -EFAULT; 646 647 read += input_event_size(); 648 } 649 650 return read; 651 } 652 653 static ssize_t uinput_read(struct file *file, char __user *buffer, 654 size_t count, loff_t *ppos) 655 { 656 struct uinput_device *udev = file->private_data; 657 ssize_t retval; 658 659 if (count != 0 && count < input_event_size()) 660 return -EINVAL; 661 662 do { 663 retval = mutex_lock_interruptible(&udev->mutex); 664 if (retval) 665 return retval; 666 667 if (udev->state != UIST_CREATED) 668 retval = -ENODEV; 669 else if (udev->head == udev->tail && 670 (file->f_flags & O_NONBLOCK)) 671 retval = -EAGAIN; 672 else 673 retval = uinput_events_to_user(udev, buffer, count); 674 675 mutex_unlock(&udev->mutex); 676 677 if (retval || count == 0) 678 break; 679 680 if (!(file->f_flags & O_NONBLOCK)) 681 retval = wait_event_interruptible(udev->waitq, 682 udev->head != udev->tail || 683 udev->state != UIST_CREATED); 684 } while (retval == 0); 685 686 return retval; 687 } 688 689 static __poll_t uinput_poll(struct file *file, poll_table *wait) 690 { 691 struct uinput_device *udev = file->private_data; 692 693 poll_wait(file, &udev->waitq, wait); 694 695 if (udev->head != udev->tail) 696 return EPOLLIN | EPOLLRDNORM; 697 698 return 0; 699 } 700 701 static int uinput_release(struct inode *inode, struct file *file) 702 { 703 struct uinput_device *udev = file->private_data; 704 705 uinput_destroy_device(udev); 706 kfree(udev); 707 708 return 0; 709 } 710 711 #ifdef CONFIG_COMPAT 712 struct uinput_ff_upload_compat { 713 __u32 request_id; 714 __s32 retval; 715 struct ff_effect_compat effect; 716 struct ff_effect_compat old; 717 }; 718 719 static int uinput_ff_upload_to_user(char __user *buffer, 720 const struct uinput_ff_upload *ff_up) 721 { 722 if (in_compat_syscall()) { 723 struct uinput_ff_upload_compat ff_up_compat; 724 725 ff_up_compat.request_id = ff_up->request_id; 726 ff_up_compat.retval = ff_up->retval; 727 /* 728 * It so happens that the pointer that gives us the trouble 729 * is the last field in the structure. Since we don't support 730 * custom waveforms in uinput anyway we can just copy the whole 731 * thing (to the compat size) and ignore the pointer. 732 */ 733 memcpy(&ff_up_compat.effect, &ff_up->effect, 734 sizeof(struct ff_effect_compat)); 735 memcpy(&ff_up_compat.old, &ff_up->old, 736 sizeof(struct ff_effect_compat)); 737 738 if (copy_to_user(buffer, &ff_up_compat, 739 sizeof(struct uinput_ff_upload_compat))) 740 return -EFAULT; 741 } else { 742 if (copy_to_user(buffer, ff_up, 743 sizeof(struct uinput_ff_upload))) 744 return -EFAULT; 745 } 746 747 return 0; 748 } 749 750 static int uinput_ff_upload_from_user(const char __user *buffer, 751 struct uinput_ff_upload *ff_up) 752 { 753 if (in_compat_syscall()) { 754 struct uinput_ff_upload_compat ff_up_compat; 755 756 if (copy_from_user(&ff_up_compat, buffer, 757 sizeof(struct uinput_ff_upload_compat))) 758 return -EFAULT; 759 760 ff_up->request_id = ff_up_compat.request_id; 761 ff_up->retval = ff_up_compat.retval; 762 memcpy(&ff_up->effect, &ff_up_compat.effect, 763 sizeof(struct ff_effect_compat)); 764 memcpy(&ff_up->old, &ff_up_compat.old, 765 sizeof(struct ff_effect_compat)); 766 767 } else { 768 if (copy_from_user(ff_up, buffer, 769 sizeof(struct uinput_ff_upload))) 770 return -EFAULT; 771 } 772 773 return 0; 774 } 775 776 #else 777 778 static int uinput_ff_upload_to_user(char __user *buffer, 779 const struct uinput_ff_upload *ff_up) 780 { 781 if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload))) 782 return -EFAULT; 783 784 return 0; 785 } 786 787 static int uinput_ff_upload_from_user(const char __user *buffer, 788 struct uinput_ff_upload *ff_up) 789 { 790 if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload))) 791 return -EFAULT; 792 793 return 0; 794 } 795 796 #endif 797 798 #define uinput_set_bit(_arg, _bit, _max) \ 799 ({ \ 800 int __ret = 0; \ 801 if (udev->state == UIST_CREATED) \ 802 __ret = -EINVAL; \ 803 else if ((_arg) > (_max)) \ 804 __ret = -EINVAL; \ 805 else set_bit((_arg), udev->dev->_bit); \ 806 __ret; \ 807 }) 808 809 static int uinput_str_to_user(void __user *dest, const char *str, 810 unsigned int maxlen) 811 { 812 char __user *p = dest; 813 int len, ret; 814 815 if (!str) 816 return -ENOENT; 817 818 if (maxlen == 0) 819 return -EINVAL; 820 821 len = strlen(str) + 1; 822 if (len > maxlen) 823 len = maxlen; 824 825 ret = copy_to_user(p, str, len); 826 if (ret) 827 return -EFAULT; 828 829 /* force terminating '\0' */ 830 ret = put_user(0, p + len - 1); 831 return ret ? -EFAULT : len; 832 } 833 834 static long uinput_ioctl_handler(struct file *file, unsigned int cmd, 835 unsigned long arg, void __user *p) 836 { 837 int retval; 838 struct uinput_device *udev = file->private_data; 839 struct uinput_ff_upload ff_up; 840 struct uinput_ff_erase ff_erase; 841 struct uinput_request *req; 842 char *phys; 843 const char *name; 844 unsigned int size; 845 846 retval = mutex_lock_interruptible(&udev->mutex); 847 if (retval) 848 return retval; 849 850 if (!udev->dev) { 851 udev->dev = input_allocate_device(); 852 if (!udev->dev) { 853 retval = -ENOMEM; 854 goto out; 855 } 856 } 857 858 switch (cmd) { 859 case UI_GET_VERSION: 860 if (put_user(UINPUT_VERSION, (unsigned int __user *)p)) 861 retval = -EFAULT; 862 goto out; 863 864 case UI_DEV_CREATE: 865 retval = uinput_create_device(udev); 866 goto out; 867 868 case UI_DEV_DESTROY: 869 uinput_destroy_device(udev); 870 goto out; 871 872 case UI_DEV_SETUP: 873 retval = uinput_dev_setup(udev, p); 874 goto out; 875 876 /* UI_ABS_SETUP is handled in the variable size ioctls */ 877 878 case UI_SET_EVBIT: 879 retval = uinput_set_bit(arg, evbit, EV_MAX); 880 goto out; 881 882 case UI_SET_KEYBIT: 883 retval = uinput_set_bit(arg, keybit, KEY_MAX); 884 goto out; 885 886 case UI_SET_RELBIT: 887 retval = uinput_set_bit(arg, relbit, REL_MAX); 888 goto out; 889 890 case UI_SET_ABSBIT: 891 retval = uinput_set_bit(arg, absbit, ABS_MAX); 892 goto out; 893 894 case UI_SET_MSCBIT: 895 retval = uinput_set_bit(arg, mscbit, MSC_MAX); 896 goto out; 897 898 case UI_SET_LEDBIT: 899 retval = uinput_set_bit(arg, ledbit, LED_MAX); 900 goto out; 901 902 case UI_SET_SNDBIT: 903 retval = uinput_set_bit(arg, sndbit, SND_MAX); 904 goto out; 905 906 case UI_SET_FFBIT: 907 retval = uinput_set_bit(arg, ffbit, FF_MAX); 908 goto out; 909 910 case UI_SET_SWBIT: 911 retval = uinput_set_bit(arg, swbit, SW_MAX); 912 goto out; 913 914 case UI_SET_PROPBIT: 915 retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX); 916 goto out; 917 918 case UI_SET_PHYS: 919 if (udev->state == UIST_CREATED) { 920 retval = -EINVAL; 921 goto out; 922 } 923 924 phys = strndup_user(p, 1024); 925 if (IS_ERR(phys)) { 926 retval = PTR_ERR(phys); 927 goto out; 928 } 929 930 kfree(udev->dev->phys); 931 udev->dev->phys = phys; 932 goto out; 933 934 case UI_BEGIN_FF_UPLOAD: 935 retval = uinput_ff_upload_from_user(p, &ff_up); 936 if (retval) 937 goto out; 938 939 req = uinput_request_find(udev, ff_up.request_id); 940 if (!req || req->code != UI_FF_UPLOAD || 941 !req->u.upload.effect) { 942 retval = -EINVAL; 943 goto out; 944 } 945 946 ff_up.retval = 0; 947 ff_up.effect = *req->u.upload.effect; 948 if (req->u.upload.old) 949 ff_up.old = *req->u.upload.old; 950 else 951 memset(&ff_up.old, 0, sizeof(struct ff_effect)); 952 953 retval = uinput_ff_upload_to_user(p, &ff_up); 954 goto out; 955 956 case UI_BEGIN_FF_ERASE: 957 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) { 958 retval = -EFAULT; 959 goto out; 960 } 961 962 req = uinput_request_find(udev, ff_erase.request_id); 963 if (!req || req->code != UI_FF_ERASE) { 964 retval = -EINVAL; 965 goto out; 966 } 967 968 ff_erase.retval = 0; 969 ff_erase.effect_id = req->u.effect_id; 970 if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) { 971 retval = -EFAULT; 972 goto out; 973 } 974 975 goto out; 976 977 case UI_END_FF_UPLOAD: 978 retval = uinput_ff_upload_from_user(p, &ff_up); 979 if (retval) 980 goto out; 981 982 req = uinput_request_find(udev, ff_up.request_id); 983 if (!req || req->code != UI_FF_UPLOAD || 984 !req->u.upload.effect) { 985 retval = -EINVAL; 986 goto out; 987 } 988 989 req->retval = ff_up.retval; 990 complete(&req->done); 991 goto out; 992 993 case UI_END_FF_ERASE: 994 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) { 995 retval = -EFAULT; 996 goto out; 997 } 998 999 req = uinput_request_find(udev, ff_erase.request_id); 1000 if (!req || req->code != UI_FF_ERASE) { 1001 retval = -EINVAL; 1002 goto out; 1003 } 1004 1005 req->retval = ff_erase.retval; 1006 complete(&req->done); 1007 goto out; 1008 } 1009 1010 size = _IOC_SIZE(cmd); 1011 1012 /* Now check variable-length commands */ 1013 switch (cmd & ~IOCSIZE_MASK) { 1014 case UI_GET_SYSNAME(0): 1015 if (udev->state != UIST_CREATED) { 1016 retval = -ENOENT; 1017 goto out; 1018 } 1019 name = dev_name(&udev->dev->dev); 1020 retval = uinput_str_to_user(p, name, size); 1021 goto out; 1022 1023 case UI_ABS_SETUP & ~IOCSIZE_MASK: 1024 retval = uinput_abs_setup(udev, p, size); 1025 goto out; 1026 } 1027 1028 retval = -EINVAL; 1029 out: 1030 mutex_unlock(&udev->mutex); 1031 return retval; 1032 } 1033 1034 static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 1035 { 1036 return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg); 1037 } 1038 1039 #ifdef CONFIG_COMPAT 1040 1041 /* 1042 * These IOCTLs change their size and thus their numbers between 1043 * 32 and 64 bits. 1044 */ 1045 #define UI_SET_PHYS_COMPAT \ 1046 _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t) 1047 #define UI_BEGIN_FF_UPLOAD_COMPAT \ 1048 _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat) 1049 #define UI_END_FF_UPLOAD_COMPAT \ 1050 _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat) 1051 1052 static long uinput_compat_ioctl(struct file *file, 1053 unsigned int cmd, unsigned long arg) 1054 { 1055 switch (cmd) { 1056 case UI_SET_PHYS_COMPAT: 1057 cmd = UI_SET_PHYS; 1058 break; 1059 case UI_BEGIN_FF_UPLOAD_COMPAT: 1060 cmd = UI_BEGIN_FF_UPLOAD; 1061 break; 1062 case UI_END_FF_UPLOAD_COMPAT: 1063 cmd = UI_END_FF_UPLOAD; 1064 break; 1065 } 1066 1067 return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg)); 1068 } 1069 #endif 1070 1071 static const struct file_operations uinput_fops = { 1072 .owner = THIS_MODULE, 1073 .open = uinput_open, 1074 .release = uinput_release, 1075 .read = uinput_read, 1076 .write = uinput_write, 1077 .poll = uinput_poll, 1078 .unlocked_ioctl = uinput_ioctl, 1079 #ifdef CONFIG_COMPAT 1080 .compat_ioctl = uinput_compat_ioctl, 1081 #endif 1082 .llseek = no_llseek, 1083 }; 1084 1085 static struct miscdevice uinput_misc = { 1086 .fops = &uinput_fops, 1087 .minor = UINPUT_MINOR, 1088 .name = UINPUT_NAME, 1089 }; 1090 module_misc_device(uinput_misc); 1091 1092 MODULE_ALIAS_MISCDEV(UINPUT_MINOR); 1093 MODULE_ALIAS("devname:" UINPUT_NAME); 1094 1095 MODULE_AUTHOR("Aristeu Sergio Rozanski Filho"); 1096 MODULE_DESCRIPTION("User level driver support for input subsystem"); 1097 MODULE_LICENSE("GPL"); 1098