1 /*
2  *  Copyright (c) 2013, Microsoft Corporation.
3  *
4  *  This program is free software; you can redistribute it and/or modify it
5  *  under the terms and conditions of the GNU General Public License,
6  *  version 2, as published by the Free Software Foundation.
7  *
8  *  This program is distributed in the hope it will be useful, but WITHOUT
9  *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10  *  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
11  *  more details.
12  */
13 
14 #include <linux/init.h>
15 #include <linux/module.h>
16 #include <linux/device.h>
17 #include <linux/completion.h>
18 #include <linux/hyperv.h>
19 #include <linux/serio.h>
20 #include <linux/slab.h>
21 
22 /*
23  * Current version 1.0
24  *
25  */
26 #define SYNTH_KBD_VERSION_MAJOR 1
27 #define SYNTH_KBD_VERSION_MINOR	0
28 #define SYNTH_KBD_VERSION		(SYNTH_KBD_VERSION_MINOR | \
29 					 (SYNTH_KBD_VERSION_MAJOR << 16))
30 
31 
32 /*
33  * Message types in the synthetic input protocol
34  */
35 enum synth_kbd_msg_type {
36 	SYNTH_KBD_PROTOCOL_REQUEST = 1,
37 	SYNTH_KBD_PROTOCOL_RESPONSE = 2,
38 	SYNTH_KBD_EVENT = 3,
39 	SYNTH_KBD_LED_INDICATORS = 4,
40 };
41 
42 /*
43  * Basic message structures.
44  */
45 struct synth_kbd_msg_hdr {
46 	__le32 type;
47 };
48 
49 struct synth_kbd_msg {
50 	struct synth_kbd_msg_hdr header;
51 	char data[]; /* Enclosed message */
52 };
53 
54 union synth_kbd_version {
55 	__le32 version;
56 };
57 
58 /*
59  * Protocol messages
60  */
61 struct synth_kbd_protocol_request {
62 	struct synth_kbd_msg_hdr header;
63 	union synth_kbd_version version_requested;
64 };
65 
66 #define PROTOCOL_ACCEPTED	BIT(0)
67 struct synth_kbd_protocol_response {
68 	struct synth_kbd_msg_hdr header;
69 	__le32 proto_status;
70 };
71 
72 #define IS_UNICODE	BIT(0)
73 #define IS_BREAK	BIT(1)
74 #define IS_E0		BIT(2)
75 #define IS_E1		BIT(3)
76 struct synth_kbd_keystroke {
77 	struct synth_kbd_msg_hdr header;
78 	__le16 make_code;
79 	__le16 reserved0;
80 	__le32 info; /* Additional information */
81 };
82 
83 
84 #define HK_MAXIMUM_MESSAGE_SIZE 256
85 
86 #define KBD_VSC_SEND_RING_BUFFER_SIZE		(10 * PAGE_SIZE)
87 #define KBD_VSC_RECV_RING_BUFFER_SIZE		(10 * PAGE_SIZE)
88 
89 #define XTKBD_EMUL0     0xe0
90 #define XTKBD_EMUL1     0xe1
91 #define XTKBD_RELEASE   0x80
92 
93 
94 /*
95  * Represents a keyboard device
96  */
97 struct hv_kbd_dev {
98 	struct hv_device *hv_dev;
99 	struct serio *hv_serio;
100 	struct synth_kbd_protocol_request protocol_req;
101 	struct synth_kbd_protocol_response protocol_resp;
102 	/* Synchronize the request/response if needed */
103 	struct completion wait_event;
104 	spinlock_t lock; /* protects 'started' field */
105 	bool started;
106 };
107 
108 static void hv_kbd_on_receive(struct hv_device *hv_dev,
109 			      struct synth_kbd_msg *msg, u32 msg_length)
110 {
111 	struct hv_kbd_dev *kbd_dev = hv_get_drvdata(hv_dev);
112 	struct synth_kbd_keystroke *ks_msg;
113 	unsigned long flags;
114 	u32 msg_type = __le32_to_cpu(msg->header.type);
115 	u32 info;
116 	u16 scan_code;
117 
118 	switch (msg_type) {
119 	case SYNTH_KBD_PROTOCOL_RESPONSE:
120 		/*
121 		 * Validate the information provided by the host.
122 		 * If the host is giving us a bogus packet,
123 		 * drop the packet (hoping the problem
124 		 * goes away).
125 		 */
126 		if (msg_length < sizeof(struct synth_kbd_protocol_response)) {
127 			dev_err(&hv_dev->device,
128 				"Illegal protocol response packet (len: %d)\n",
129 				msg_length);
130 			break;
131 		}
132 
133 		memcpy(&kbd_dev->protocol_resp, msg,
134 			sizeof(struct synth_kbd_protocol_response));
135 		complete(&kbd_dev->wait_event);
136 		break;
137 
138 	case SYNTH_KBD_EVENT:
139 		/*
140 		 * Validate the information provided by the host.
141 		 * If the host is giving us a bogus packet,
142 		 * drop the packet (hoping the problem
143 		 * goes away).
144 		 */
145 		if (msg_length < sizeof(struct  synth_kbd_keystroke)) {
146 			dev_err(&hv_dev->device,
147 				"Illegal keyboard event packet (len: %d)\n",
148 				msg_length);
149 			break;
150 		}
151 
152 		ks_msg = (struct synth_kbd_keystroke *)msg;
153 		info = __le32_to_cpu(ks_msg->info);
154 
155 		/*
156 		 * Inject the information through the serio interrupt.
157 		 */
158 		spin_lock_irqsave(&kbd_dev->lock, flags);
159 		if (kbd_dev->started) {
160 			if (info & IS_E0)
161 				serio_interrupt(kbd_dev->hv_serio,
162 						XTKBD_EMUL0, 0);
163 			if (info & IS_E1)
164 				serio_interrupt(kbd_dev->hv_serio,
165 						XTKBD_EMUL1, 0);
166 			scan_code = __le16_to_cpu(ks_msg->make_code);
167 			if (info & IS_BREAK)
168 				scan_code |= XTKBD_RELEASE;
169 
170 			serio_interrupt(kbd_dev->hv_serio, scan_code, 0);
171 		}
172 		spin_unlock_irqrestore(&kbd_dev->lock, flags);
173 		break;
174 
175 	default:
176 		dev_err(&hv_dev->device,
177 			"unhandled message type %d\n", msg_type);
178 	}
179 }
180 
181 static void hv_kbd_handle_received_packet(struct hv_device *hv_dev,
182 					  struct vmpacket_descriptor *desc,
183 					  u32 bytes_recvd,
184 					  u64 req_id)
185 {
186 	struct synth_kbd_msg *msg;
187 	u32 msg_sz;
188 
189 	switch (desc->type) {
190 	case VM_PKT_COMP:
191 		break;
192 
193 	case VM_PKT_DATA_INBAND:
194 		/*
195 		 * We have a packet that has "inband" data. The API used
196 		 * for retrieving the packet guarantees that the complete
197 		 * packet is read. So, minimally, we should be able to
198 		 * parse the payload header safely (assuming that the host
199 		 * can be trusted.  Trusting the host seems to be a
200 		 * reasonable assumption because in a virtualized
201 		 * environment there is not whole lot you can do if you
202 		 * don't trust the host.
203 		 *
204 		 * Nonetheless, let us validate if the host can be trusted
205 		 * (in a trivial way).  The interesting aspect of this
206 		 * validation is how do you recover if we discover that the
207 		 * host is not to be trusted? Simply dropping the packet, I
208 		 * don't think is an appropriate recovery.  In the interest
209 		 * of failing fast, it may be better to crash the guest.
210 		 * For now, I will just drop the packet!
211 		 */
212 
213 		msg_sz = bytes_recvd - (desc->offset8 << 3);
214 		if (msg_sz <= sizeof(struct synth_kbd_msg_hdr)) {
215 			/*
216 			 * Drop the packet and hope
217 			 * the problem magically goes away.
218 			 */
219 			dev_err(&hv_dev->device,
220 				"Illegal packet (type: %d, tid: %llx, size: %d)\n",
221 				desc->type, req_id, msg_sz);
222 			break;
223 		}
224 
225 		msg = (void *)desc + (desc->offset8 << 3);
226 		hv_kbd_on_receive(hv_dev, msg, msg_sz);
227 		break;
228 
229 	default:
230 		dev_err(&hv_dev->device,
231 			"unhandled packet type %d, tid %llx len %d\n",
232 			desc->type, req_id, bytes_recvd);
233 		break;
234 	}
235 }
236 
237 static void hv_kbd_on_channel_callback(void *context)
238 {
239 	struct hv_device *hv_dev = context;
240 	void *buffer;
241 	int bufferlen = 0x100; /* Start with sensible size */
242 	u32 bytes_recvd;
243 	u64 req_id;
244 	int error;
245 
246 	buffer = kmalloc(bufferlen, GFP_ATOMIC);
247 	if (!buffer)
248 		return;
249 
250 	while (1) {
251 		error = vmbus_recvpacket_raw(hv_dev->channel, buffer, bufferlen,
252 					     &bytes_recvd, &req_id);
253 		switch (error) {
254 		case 0:
255 			if (bytes_recvd == 0) {
256 				kfree(buffer);
257 				return;
258 			}
259 
260 			hv_kbd_handle_received_packet(hv_dev, buffer,
261 						      bytes_recvd, req_id);
262 			break;
263 
264 		case -ENOBUFS:
265 			kfree(buffer);
266 			/* Handle large packet */
267 			bufferlen = bytes_recvd;
268 			buffer = kmalloc(bytes_recvd, GFP_ATOMIC);
269 			if (!buffer)
270 				return;
271 			break;
272 		}
273 	}
274 }
275 
276 static int hv_kbd_connect_to_vsp(struct hv_device *hv_dev)
277 {
278 	struct hv_kbd_dev *kbd_dev = hv_get_drvdata(hv_dev);
279 	struct synth_kbd_protocol_request *request;
280 	struct synth_kbd_protocol_response *response;
281 	u32 proto_status;
282 	int error;
283 
284 	request = &kbd_dev->protocol_req;
285 	memset(request, 0, sizeof(struct synth_kbd_protocol_request));
286 	request->header.type = __cpu_to_le32(SYNTH_KBD_PROTOCOL_REQUEST);
287 	request->version_requested.version = __cpu_to_le32(SYNTH_KBD_VERSION);
288 
289 	error = vmbus_sendpacket(hv_dev->channel, request,
290 				 sizeof(struct synth_kbd_protocol_request),
291 				 (unsigned long)request,
292 				 VM_PKT_DATA_INBAND,
293 				 VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
294 	if (error)
295 		return error;
296 
297 	if (!wait_for_completion_timeout(&kbd_dev->wait_event, 10 * HZ))
298 		return -ETIMEDOUT;
299 
300 	response = &kbd_dev->protocol_resp;
301 	proto_status = __le32_to_cpu(response->proto_status);
302 	if (!(proto_status & PROTOCOL_ACCEPTED)) {
303 		dev_err(&hv_dev->device,
304 			"synth_kbd protocol request failed (version %d)\n",
305 		        SYNTH_KBD_VERSION);
306 		return -ENODEV;
307 	}
308 
309 	return 0;
310 }
311 
312 static int hv_kbd_start(struct serio *serio)
313 {
314 	struct hv_kbd_dev *kbd_dev = serio->port_data;
315 	unsigned long flags;
316 
317 	spin_lock_irqsave(&kbd_dev->lock, flags);
318 	kbd_dev->started = true;
319 	spin_unlock_irqrestore(&kbd_dev->lock, flags);
320 
321 	return 0;
322 }
323 
324 static void hv_kbd_stop(struct serio *serio)
325 {
326 	struct hv_kbd_dev *kbd_dev = serio->port_data;
327 	unsigned long flags;
328 
329 	spin_lock_irqsave(&kbd_dev->lock, flags);
330 	kbd_dev->started = false;
331 	spin_unlock_irqrestore(&kbd_dev->lock, flags);
332 }
333 
334 static int hv_kbd_probe(struct hv_device *hv_dev,
335 			const struct hv_vmbus_device_id *dev_id)
336 {
337 	struct hv_kbd_dev *kbd_dev;
338 	struct serio *hv_serio;
339 	int error;
340 
341 	kbd_dev = kzalloc(sizeof(struct hv_kbd_dev), GFP_KERNEL);
342 	hv_serio = kzalloc(sizeof(struct serio), GFP_KERNEL);
343 	if (!kbd_dev || !hv_serio) {
344 		error = -ENOMEM;
345 		goto err_free_mem;
346 	}
347 
348 	kbd_dev->hv_dev = hv_dev;
349 	kbd_dev->hv_serio = hv_serio;
350 	spin_lock_init(&kbd_dev->lock);
351 	init_completion(&kbd_dev->wait_event);
352 	hv_set_drvdata(hv_dev, kbd_dev);
353 
354 	hv_serio->dev.parent  = &hv_dev->device;
355 	hv_serio->id.type = SERIO_8042_XL;
356 	hv_serio->port_data = kbd_dev;
357 	strlcpy(hv_serio->name, dev_name(&hv_dev->device),
358 		sizeof(hv_serio->name));
359 	strlcpy(hv_serio->phys, dev_name(&hv_dev->device),
360 		sizeof(hv_serio->phys));
361 
362 	hv_serio->start = hv_kbd_start;
363 	hv_serio->stop = hv_kbd_stop;
364 
365 	error = vmbus_open(hv_dev->channel,
366 			   KBD_VSC_SEND_RING_BUFFER_SIZE,
367 			   KBD_VSC_RECV_RING_BUFFER_SIZE,
368 			   NULL, 0,
369 			   hv_kbd_on_channel_callback,
370 			   hv_dev);
371 	if (error)
372 		goto err_free_mem;
373 
374 	error = hv_kbd_connect_to_vsp(hv_dev);
375 	if (error)
376 		goto err_close_vmbus;
377 
378 	serio_register_port(kbd_dev->hv_serio);
379 	return 0;
380 
381 err_close_vmbus:
382 	vmbus_close(hv_dev->channel);
383 err_free_mem:
384 	kfree(hv_serio);
385 	kfree(kbd_dev);
386 	return error;
387 }
388 
389 static int hv_kbd_remove(struct hv_device *hv_dev)
390 {
391 	struct hv_kbd_dev *kbd_dev = hv_get_drvdata(hv_dev);
392 
393 	serio_unregister_port(kbd_dev->hv_serio);
394 	vmbus_close(hv_dev->channel);
395 	kfree(kbd_dev);
396 
397 	hv_set_drvdata(hv_dev, NULL);
398 
399 	return 0;
400 }
401 
402 /*
403  * Keyboard GUID
404  * {f912ad6d-2b17-48ea-bd65-f927a61c7684}
405  */
406 #define HV_KBD_GUID \
407 	.guid = { \
408 			0x6d, 0xad, 0x12, 0xf9, 0x17, 0x2b, 0xea, 0x48, \
409 			0xbd, 0x65, 0xf9, 0x27, 0xa6, 0x1c, 0x76, 0x84 \
410 	}
411 
412 static const struct hv_vmbus_device_id id_table[] = {
413 	/* Keyboard guid */
414 	{ HV_KBD_GUID, },
415 	{ },
416 };
417 
418 MODULE_DEVICE_TABLE(vmbus, id_table);
419 
420 static struct  hv_driver hv_kbd_drv = {
421 	.name = KBUILD_MODNAME,
422 	.id_table = id_table,
423 	.probe = hv_kbd_probe,
424 	.remove = hv_kbd_remove,
425 };
426 
427 static int __init hv_kbd_init(void)
428 {
429 	return vmbus_driver_register(&hv_kbd_drv);
430 }
431 
432 static void __exit hv_kbd_exit(void)
433 {
434 	vmbus_driver_unregister(&hv_kbd_drv);
435 }
436 
437 MODULE_LICENSE("GPL");
438 module_init(hv_kbd_init);
439 module_exit(hv_kbd_exit);
440