xref: /openbmc/linux/net/bluetooth/hidp/core.c (revision 4800cd83)
1 /*
2    HIDP implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/module.h>
24 
25 #include <linux/types.h>
26 #include <linux/errno.h>
27 #include <linux/kernel.h>
28 #include <linux/sched.h>
29 #include <linux/slab.h>
30 #include <linux/poll.h>
31 #include <linux/freezer.h>
32 #include <linux/fcntl.h>
33 #include <linux/skbuff.h>
34 #include <linux/socket.h>
35 #include <linux/ioctl.h>
36 #include <linux/file.h>
37 #include <linux/init.h>
38 #include <linux/wait.h>
39 #include <net/sock.h>
40 
41 #include <linux/input.h>
42 #include <linux/hid.h>
43 #include <linux/hidraw.h>
44 
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47 #include <net/bluetooth/l2cap.h>
48 
49 #include "hidp.h"
50 
51 #define VERSION "1.2"
52 
53 static DECLARE_RWSEM(hidp_session_sem);
54 static LIST_HEAD(hidp_session_list);
55 
56 static unsigned char hidp_keycode[256] = {
57 	  0,  0,  0,  0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38,
58 	 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44,  2,  3,
59 	  4,  5,  6,  7,  8,  9, 10, 11, 28,  1, 14, 15, 57, 12, 13, 26,
60 	 27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64,
61 	 65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106,
62 	105,108,103, 69, 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71,
63 	 72, 73, 82, 83, 86,127,116,117,183,184,185,186,187,188,189,190,
64 	191,192,193,194,134,138,130,132,128,129,131,137,133,135,136,113,
65 	115,114,  0,  0,  0,121,  0, 89, 93,124, 92, 94, 95,  0,  0,  0,
66 	122,123, 90, 91, 85,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
67 	  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
68 	  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
69 	  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
70 	  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
71 	 29, 42, 56,125, 97, 54,100,126,164,166,165,163,161,115,114,113,
72 	150,158,159,128,136,177,178,176,142,152,173,140
73 };
74 
75 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
76 
77 static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr)
78 {
79 	struct hidp_session *session;
80 	struct list_head *p;
81 
82 	BT_DBG("");
83 
84 	list_for_each(p, &hidp_session_list) {
85 		session = list_entry(p, struct hidp_session, list);
86 		if (!bacmp(bdaddr, &session->bdaddr))
87 			return session;
88 	}
89 	return NULL;
90 }
91 
92 static void __hidp_link_session(struct hidp_session *session)
93 {
94 	__module_get(THIS_MODULE);
95 	list_add(&session->list, &hidp_session_list);
96 
97 	hci_conn_hold_device(session->conn);
98 }
99 
100 static void __hidp_unlink_session(struct hidp_session *session)
101 {
102 	hci_conn_put_device(session->conn);
103 
104 	list_del(&session->list);
105 	module_put(THIS_MODULE);
106 }
107 
108 static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
109 {
110 	memset(ci, 0, sizeof(*ci));
111 	bacpy(&ci->bdaddr, &session->bdaddr);
112 
113 	ci->flags = session->flags;
114 	ci->state = session->state;
115 
116 	ci->vendor  = 0x0000;
117 	ci->product = 0x0000;
118 	ci->version = 0x0000;
119 
120 	if (session->input) {
121 		ci->vendor  = session->input->id.vendor;
122 		ci->product = session->input->id.product;
123 		ci->version = session->input->id.version;
124 		if (session->input->name)
125 			strncpy(ci->name, session->input->name, 128);
126 		else
127 			strncpy(ci->name, "HID Boot Device", 128);
128 	}
129 
130 	if (session->hid) {
131 		ci->vendor  = session->hid->vendor;
132 		ci->product = session->hid->product;
133 		ci->version = session->hid->version;
134 		strncpy(ci->name, session->hid->name, 128);
135 	}
136 }
137 
138 static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev,
139 				unsigned int type, unsigned int code, int value)
140 {
141 	unsigned char newleds;
142 	struct sk_buff *skb;
143 
144 	BT_DBG("session %p type %d code %d value %d", session, type, code, value);
145 
146 	if (type != EV_LED)
147 		return -1;
148 
149 	newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
150 		  (!!test_bit(LED_COMPOSE, dev->led) << 3) |
151 		  (!!test_bit(LED_SCROLLL, dev->led) << 2) |
152 		  (!!test_bit(LED_CAPSL,   dev->led) << 1) |
153 		  (!!test_bit(LED_NUML,    dev->led));
154 
155 	if (session->leds == newleds)
156 		return 0;
157 
158 	session->leds = newleds;
159 
160 	if (!(skb = alloc_skb(3, GFP_ATOMIC))) {
161 		BT_ERR("Can't allocate memory for new frame");
162 		return -ENOMEM;
163 	}
164 
165 	*skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
166 	*skb_put(skb, 1) = 0x01;
167 	*skb_put(skb, 1) = newleds;
168 
169 	skb_queue_tail(&session->intr_transmit, skb);
170 
171 	hidp_schedule(session);
172 
173 	return 0;
174 }
175 
176 static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
177 {
178 	struct hid_device *hid = input_get_drvdata(dev);
179 	struct hidp_session *session = hid->driver_data;
180 
181 	return hidp_queue_event(session, dev, type, code, value);
182 }
183 
184 static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
185 {
186 	struct hidp_session *session = input_get_drvdata(dev);
187 
188 	return hidp_queue_event(session, dev, type, code, value);
189 }
190 
191 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
192 {
193 	struct input_dev *dev = session->input;
194 	unsigned char *keys = session->keys;
195 	unsigned char *udata = skb->data + 1;
196 	signed char *sdata = skb->data + 1;
197 	int i, size = skb->len - 1;
198 
199 	switch (skb->data[0]) {
200 	case 0x01:	/* Keyboard report */
201 		for (i = 0; i < 8; i++)
202 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
203 
204 		/* If all the key codes have been set to 0x01, it means
205 		 * too many keys were pressed at the same time. */
206 		if (!memcmp(udata + 2, hidp_mkeyspat, 6))
207 			break;
208 
209 		for (i = 2; i < 8; i++) {
210 			if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
211 				if (hidp_keycode[keys[i]])
212 					input_report_key(dev, hidp_keycode[keys[i]], 0);
213 				else
214 					BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
215 			}
216 
217 			if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
218 				if (hidp_keycode[udata[i]])
219 					input_report_key(dev, hidp_keycode[udata[i]], 1);
220 				else
221 					BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
222 			}
223 		}
224 
225 		memcpy(keys, udata, 8);
226 		break;
227 
228 	case 0x02:	/* Mouse report */
229 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
230 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
231 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
232 		input_report_key(dev, BTN_SIDE,   sdata[0] & 0x08);
233 		input_report_key(dev, BTN_EXTRA,  sdata[0] & 0x10);
234 
235 		input_report_rel(dev, REL_X, sdata[1]);
236 		input_report_rel(dev, REL_Y, sdata[2]);
237 
238 		if (size > 3)
239 			input_report_rel(dev, REL_WHEEL, sdata[3]);
240 		break;
241 	}
242 
243 	input_sync(dev);
244 }
245 
246 static int __hidp_send_ctrl_message(struct hidp_session *session,
247 			unsigned char hdr, unsigned char *data, int size)
248 {
249 	struct sk_buff *skb;
250 
251 	BT_DBG("session %p data %p size %d", session, data, size);
252 
253 	if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
254 		BT_ERR("Can't allocate memory for new frame");
255 		return -ENOMEM;
256 	}
257 
258 	*skb_put(skb, 1) = hdr;
259 	if (data && size > 0)
260 		memcpy(skb_put(skb, size), data, size);
261 
262 	skb_queue_tail(&session->ctrl_transmit, skb);
263 
264 	return 0;
265 }
266 
267 static inline int hidp_send_ctrl_message(struct hidp_session *session,
268 			unsigned char hdr, unsigned char *data, int size)
269 {
270 	int err;
271 
272 	err = __hidp_send_ctrl_message(session, hdr, data, size);
273 
274 	hidp_schedule(session);
275 
276 	return err;
277 }
278 
279 static int hidp_queue_report(struct hidp_session *session,
280 				unsigned char *data, int size)
281 {
282 	struct sk_buff *skb;
283 
284 	BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
285 
286 	if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
287 		BT_ERR("Can't allocate memory for new frame");
288 		return -ENOMEM;
289 	}
290 
291 	*skb_put(skb, 1) = 0xa2;
292 	if (size > 0)
293 		memcpy(skb_put(skb, size), data, size);
294 
295 	skb_queue_tail(&session->intr_transmit, skb);
296 
297 	hidp_schedule(session);
298 
299 	return 0;
300 }
301 
302 static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
303 {
304 	unsigned char buf[32];
305 	int rsize;
306 
307 	rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
308 	if (rsize > sizeof(buf))
309 		return -EIO;
310 
311 	hid_output_report(report, buf);
312 
313 	return hidp_queue_report(session, buf, rsize);
314 }
315 
316 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
317 		unsigned char report_type)
318 {
319 	switch (report_type) {
320 	case HID_FEATURE_REPORT:
321 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
322 		break;
323 	case HID_OUTPUT_REPORT:
324 		report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
325 		break;
326 	default:
327 		return -EINVAL;
328 	}
329 
330 	if (hidp_send_ctrl_message(hid->driver_data, report_type,
331 			data, count))
332 		return -ENOMEM;
333 	return count;
334 }
335 
336 static void hidp_idle_timeout(unsigned long arg)
337 {
338 	struct hidp_session *session = (struct hidp_session *) arg;
339 
340 	atomic_inc(&session->terminate);
341 	hidp_schedule(session);
342 }
343 
344 static void hidp_set_timer(struct hidp_session *session)
345 {
346 	if (session->idle_to > 0)
347 		mod_timer(&session->timer, jiffies + HZ * session->idle_to);
348 }
349 
350 static inline void hidp_del_timer(struct hidp_session *session)
351 {
352 	if (session->idle_to > 0)
353 		del_timer(&session->timer);
354 }
355 
356 static void hidp_process_handshake(struct hidp_session *session,
357 					unsigned char param)
358 {
359 	BT_DBG("session %p param 0x%02x", session, param);
360 
361 	switch (param) {
362 	case HIDP_HSHK_SUCCESSFUL:
363 		/* FIXME: Call into SET_ GET_ handlers here */
364 		break;
365 
366 	case HIDP_HSHK_NOT_READY:
367 	case HIDP_HSHK_ERR_INVALID_REPORT_ID:
368 	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
369 	case HIDP_HSHK_ERR_INVALID_PARAMETER:
370 		/* FIXME: Call into SET_ GET_ handlers here */
371 		break;
372 
373 	case HIDP_HSHK_ERR_UNKNOWN:
374 		break;
375 
376 	case HIDP_HSHK_ERR_FATAL:
377 		/* Device requests a reboot, as this is the only way this error
378 		 * can be recovered. */
379 		__hidp_send_ctrl_message(session,
380 			HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
381 		break;
382 
383 	default:
384 		__hidp_send_ctrl_message(session,
385 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
386 		break;
387 	}
388 }
389 
390 static void hidp_process_hid_control(struct hidp_session *session,
391 					unsigned char param)
392 {
393 	BT_DBG("session %p param 0x%02x", session, param);
394 
395 	if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
396 		/* Flush the transmit queues */
397 		skb_queue_purge(&session->ctrl_transmit);
398 		skb_queue_purge(&session->intr_transmit);
399 
400 		/* Kill session thread */
401 		atomic_inc(&session->terminate);
402 		hidp_schedule(session);
403 	}
404 }
405 
406 static void hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
407 				unsigned char param)
408 {
409 	BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
410 
411 	switch (param) {
412 	case HIDP_DATA_RTYPE_INPUT:
413 		hidp_set_timer(session);
414 
415 		if (session->input)
416 			hidp_input_report(session, skb);
417 
418 		if (session->hid)
419 			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
420 
421 		break;
422 
423 	case HIDP_DATA_RTYPE_OTHER:
424 	case HIDP_DATA_RTYPE_OUPUT:
425 	case HIDP_DATA_RTYPE_FEATURE:
426 		break;
427 
428 	default:
429 		__hidp_send_ctrl_message(session,
430 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
431 	}
432 }
433 
434 static void hidp_recv_ctrl_frame(struct hidp_session *session,
435 					struct sk_buff *skb)
436 {
437 	unsigned char hdr, type, param;
438 
439 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
440 
441 	hdr = skb->data[0];
442 	skb_pull(skb, 1);
443 
444 	type = hdr & HIDP_HEADER_TRANS_MASK;
445 	param = hdr & HIDP_HEADER_PARAM_MASK;
446 
447 	switch (type) {
448 	case HIDP_TRANS_HANDSHAKE:
449 		hidp_process_handshake(session, param);
450 		break;
451 
452 	case HIDP_TRANS_HID_CONTROL:
453 		hidp_process_hid_control(session, param);
454 		break;
455 
456 	case HIDP_TRANS_DATA:
457 		hidp_process_data(session, skb, param);
458 		break;
459 
460 	default:
461 		__hidp_send_ctrl_message(session,
462 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
463 		break;
464 	}
465 
466 	kfree_skb(skb);
467 }
468 
469 static void hidp_recv_intr_frame(struct hidp_session *session,
470 				struct sk_buff *skb)
471 {
472 	unsigned char hdr;
473 
474 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
475 
476 	hdr = skb->data[0];
477 	skb_pull(skb, 1);
478 
479 	if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
480 		hidp_set_timer(session);
481 
482 		if (session->input)
483 			hidp_input_report(session, skb);
484 
485 		if (session->hid) {
486 			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
487 			BT_DBG("report len %d", skb->len);
488 		}
489 	} else {
490 		BT_DBG("Unsupported protocol header 0x%02x", hdr);
491 	}
492 
493 	kfree_skb(skb);
494 }
495 
496 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
497 {
498 	struct kvec iv = { data, len };
499 	struct msghdr msg;
500 
501 	BT_DBG("sock %p data %p len %d", sock, data, len);
502 
503 	if (!len)
504 		return 0;
505 
506 	memset(&msg, 0, sizeof(msg));
507 
508 	return kernel_sendmsg(sock, &msg, &iv, 1, len);
509 }
510 
511 static void hidp_process_transmit(struct hidp_session *session)
512 {
513 	struct sk_buff *skb;
514 
515 	BT_DBG("session %p", session);
516 
517 	while ((skb = skb_dequeue(&session->ctrl_transmit))) {
518 		if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
519 			skb_queue_head(&session->ctrl_transmit, skb);
520 			break;
521 		}
522 
523 		hidp_set_timer(session);
524 		kfree_skb(skb);
525 	}
526 
527 	while ((skb = skb_dequeue(&session->intr_transmit))) {
528 		if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
529 			skb_queue_head(&session->intr_transmit, skb);
530 			break;
531 		}
532 
533 		hidp_set_timer(session);
534 		kfree_skb(skb);
535 	}
536 }
537 
538 static int hidp_session(void *arg)
539 {
540 	struct hidp_session *session = arg;
541 	struct sock *ctrl_sk = session->ctrl_sock->sk;
542 	struct sock *intr_sk = session->intr_sock->sk;
543 	struct sk_buff *skb;
544 	int vendor = 0x0000, product = 0x0000;
545 	wait_queue_t ctrl_wait, intr_wait;
546 
547 	BT_DBG("session %p", session);
548 
549 	if (session->input) {
550 		vendor  = session->input->id.vendor;
551 		product = session->input->id.product;
552 	}
553 
554 	if (session->hid) {
555 		vendor  = session->hid->vendor;
556 		product = session->hid->product;
557 	}
558 
559 	daemonize("khidpd_%04x%04x", vendor, product);
560 	set_user_nice(current, -15);
561 
562 	init_waitqueue_entry(&ctrl_wait, current);
563 	init_waitqueue_entry(&intr_wait, current);
564 	add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
565 	add_wait_queue(sk_sleep(intr_sk), &intr_wait);
566 	while (!atomic_read(&session->terminate)) {
567 		set_current_state(TASK_INTERRUPTIBLE);
568 
569 		if (ctrl_sk->sk_state != BT_CONNECTED || intr_sk->sk_state != BT_CONNECTED)
570 			break;
571 
572 		while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
573 			skb_orphan(skb);
574 			hidp_recv_ctrl_frame(session, skb);
575 		}
576 
577 		while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
578 			skb_orphan(skb);
579 			hidp_recv_intr_frame(session, skb);
580 		}
581 
582 		hidp_process_transmit(session);
583 
584 		schedule();
585 	}
586 	set_current_state(TASK_RUNNING);
587 	remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
588 	remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
589 
590 	down_write(&hidp_session_sem);
591 
592 	hidp_del_timer(session);
593 
594 	if (session->input) {
595 		input_unregister_device(session->input);
596 		session->input = NULL;
597 	}
598 
599 	if (session->hid) {
600 		hid_destroy_device(session->hid);
601 		session->hid = NULL;
602 	}
603 
604 	/* Wakeup user-space polling for socket errors */
605 	session->intr_sock->sk->sk_err = EUNATCH;
606 	session->ctrl_sock->sk->sk_err = EUNATCH;
607 
608 	hidp_schedule(session);
609 
610 	fput(session->intr_sock->file);
611 
612 	wait_event_timeout(*(sk_sleep(ctrl_sk)),
613 		(ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
614 
615 	fput(session->ctrl_sock->file);
616 
617 	__hidp_unlink_session(session);
618 
619 	up_write(&hidp_session_sem);
620 
621 	kfree(session);
622 	return 0;
623 }
624 
625 static struct device *hidp_get_device(struct hidp_session *session)
626 {
627 	bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
628 	bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
629 	struct device *device = NULL;
630 	struct hci_dev *hdev;
631 
632 	hdev = hci_get_route(dst, src);
633 	if (!hdev)
634 		return NULL;
635 
636 	session->conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
637 	if (session->conn)
638 		device = &session->conn->dev;
639 
640 	hci_dev_put(hdev);
641 
642 	return device;
643 }
644 
645 static int hidp_setup_input(struct hidp_session *session,
646 				struct hidp_connadd_req *req)
647 {
648 	struct input_dev *input;
649 	int err, i;
650 
651 	input = input_allocate_device();
652 	if (!input)
653 		return -ENOMEM;
654 
655 	session->input = input;
656 
657 	input_set_drvdata(input, session);
658 
659 	input->name = "Bluetooth HID Boot Protocol Device";
660 
661 	input->id.bustype = BUS_BLUETOOTH;
662 	input->id.vendor  = req->vendor;
663 	input->id.product = req->product;
664 	input->id.version = req->version;
665 
666 	if (req->subclass & 0x40) {
667 		set_bit(EV_KEY, input->evbit);
668 		set_bit(EV_LED, input->evbit);
669 		set_bit(EV_REP, input->evbit);
670 
671 		set_bit(LED_NUML,    input->ledbit);
672 		set_bit(LED_CAPSL,   input->ledbit);
673 		set_bit(LED_SCROLLL, input->ledbit);
674 		set_bit(LED_COMPOSE, input->ledbit);
675 		set_bit(LED_KANA,    input->ledbit);
676 
677 		for (i = 0; i < sizeof(hidp_keycode); i++)
678 			set_bit(hidp_keycode[i], input->keybit);
679 		clear_bit(0, input->keybit);
680 	}
681 
682 	if (req->subclass & 0x80) {
683 		input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
684 		input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
685 			BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
686 		input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
687 		input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
688 			BIT_MASK(BTN_EXTRA);
689 		input->relbit[0] |= BIT_MASK(REL_WHEEL);
690 	}
691 
692 	input->dev.parent = hidp_get_device(session);
693 
694 	input->event = hidp_input_event;
695 
696 	err = input_register_device(input);
697 	if (err < 0) {
698 		hci_conn_put_device(session->conn);
699 		return err;
700 	}
701 
702 	return 0;
703 }
704 
705 static int hidp_open(struct hid_device *hid)
706 {
707 	return 0;
708 }
709 
710 static void hidp_close(struct hid_device *hid)
711 {
712 }
713 
714 static int hidp_parse(struct hid_device *hid)
715 {
716 	struct hidp_session *session = hid->driver_data;
717 
718 	return hid_parse_report(session->hid, session->rd_data,
719 			session->rd_size);
720 }
721 
722 static int hidp_start(struct hid_device *hid)
723 {
724 	struct hidp_session *session = hid->driver_data;
725 	struct hid_report *report;
726 
727 	list_for_each_entry(report, &hid->report_enum[HID_INPUT_REPORT].
728 			report_list, list)
729 		hidp_send_report(session, report);
730 
731 	list_for_each_entry(report, &hid->report_enum[HID_FEATURE_REPORT].
732 			report_list, list)
733 		hidp_send_report(session, report);
734 
735 	return 0;
736 }
737 
738 static void hidp_stop(struct hid_device *hid)
739 {
740 	struct hidp_session *session = hid->driver_data;
741 
742 	skb_queue_purge(&session->ctrl_transmit);
743 	skb_queue_purge(&session->intr_transmit);
744 
745 	hid->claimed = 0;
746 }
747 
748 static struct hid_ll_driver hidp_hid_driver = {
749 	.parse = hidp_parse,
750 	.start = hidp_start,
751 	.stop = hidp_stop,
752 	.open  = hidp_open,
753 	.close = hidp_close,
754 	.hidinput_input_event = hidp_hidinput_event,
755 };
756 
757 static int hidp_setup_hid(struct hidp_session *session,
758 				struct hidp_connadd_req *req)
759 {
760 	struct hid_device *hid;
761 	int err;
762 
763 	session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
764 	if (!session->rd_data)
765 		return -ENOMEM;
766 
767 	if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
768 		err = -EFAULT;
769 		goto fault;
770 	}
771 	session->rd_size = req->rd_size;
772 
773 	hid = hid_allocate_device();
774 	if (IS_ERR(hid)) {
775 		err = PTR_ERR(hid);
776 		goto fault;
777 	}
778 
779 	session->hid = hid;
780 
781 	hid->driver_data = session;
782 
783 	hid->bus     = BUS_BLUETOOTH;
784 	hid->vendor  = req->vendor;
785 	hid->product = req->product;
786 	hid->version = req->version;
787 	hid->country = req->country;
788 
789 	strncpy(hid->name, req->name, 128);
790 	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
791 	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
792 
793 	hid->dev.parent = hidp_get_device(session);
794 	hid->ll_driver = &hidp_hid_driver;
795 
796 	hid->hid_output_raw_report = hidp_output_raw_report;
797 
798 	err = hid_add_device(hid);
799 	if (err < 0)
800 		goto failed;
801 
802 	return 0;
803 
804 failed:
805 	hid_destroy_device(hid);
806 	session->hid = NULL;
807 
808 fault:
809 	kfree(session->rd_data);
810 	session->rd_data = NULL;
811 
812 	return err;
813 }
814 
815 int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
816 {
817 	struct hidp_session *session, *s;
818 	int err;
819 
820 	BT_DBG("");
821 
822 	if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
823 			bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
824 		return -ENOTUNIQ;
825 
826 	session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
827 	if (!session)
828 		return -ENOMEM;
829 
830 	BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
831 
832 	down_write(&hidp_session_sem);
833 
834 	s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
835 	if (s && s->state == BT_CONNECTED) {
836 		err = -EEXIST;
837 		goto failed;
838 	}
839 
840 	bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
841 
842 	session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->omtu, l2cap_pi(ctrl_sock->sk)->imtu);
843 	session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->omtu, l2cap_pi(intr_sock->sk)->imtu);
844 
845 	BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
846 
847 	session->ctrl_sock = ctrl_sock;
848 	session->intr_sock = intr_sock;
849 	session->state     = BT_CONNECTED;
850 
851 	setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
852 
853 	skb_queue_head_init(&session->ctrl_transmit);
854 	skb_queue_head_init(&session->intr_transmit);
855 
856 	session->flags   = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
857 	session->idle_to = req->idle_to;
858 
859 	if (req->rd_size > 0) {
860 		err = hidp_setup_hid(session, req);
861 		if (err && err != -ENODEV)
862 			goto purge;
863 	}
864 
865 	if (!session->hid) {
866 		err = hidp_setup_input(session, req);
867 		if (err < 0)
868 			goto purge;
869 	}
870 
871 	__hidp_link_session(session);
872 
873 	hidp_set_timer(session);
874 
875 	err = kernel_thread(hidp_session, session, CLONE_KERNEL);
876 	if (err < 0)
877 		goto unlink;
878 
879 	if (session->input) {
880 		hidp_send_ctrl_message(session,
881 			HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0);
882 		session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE);
883 
884 		session->leds = 0xff;
885 		hidp_input_event(session->input, EV_LED, 0, 0);
886 	}
887 
888 	up_write(&hidp_session_sem);
889 	return 0;
890 
891 unlink:
892 	hidp_del_timer(session);
893 
894 	__hidp_unlink_session(session);
895 
896 	if (session->input) {
897 		input_unregister_device(session->input);
898 		session->input = NULL;
899 	}
900 
901 	if (session->hid) {
902 		hid_destroy_device(session->hid);
903 		session->hid = NULL;
904 	}
905 
906 	kfree(session->rd_data);
907 	session->rd_data = NULL;
908 
909 purge:
910 	skb_queue_purge(&session->ctrl_transmit);
911 	skb_queue_purge(&session->intr_transmit);
912 
913 failed:
914 	up_write(&hidp_session_sem);
915 
916 	input_free_device(session->input);
917 	kfree(session);
918 	return err;
919 }
920 
921 int hidp_del_connection(struct hidp_conndel_req *req)
922 {
923 	struct hidp_session *session;
924 	int err = 0;
925 
926 	BT_DBG("");
927 
928 	down_read(&hidp_session_sem);
929 
930 	session = __hidp_get_session(&req->bdaddr);
931 	if (session) {
932 		if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
933 			hidp_send_ctrl_message(session,
934 				HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
935 		} else {
936 			/* Flush the transmit queues */
937 			skb_queue_purge(&session->ctrl_transmit);
938 			skb_queue_purge(&session->intr_transmit);
939 
940 			/* Wakeup user-space polling for socket errors */
941 			session->intr_sock->sk->sk_err = EUNATCH;
942 			session->ctrl_sock->sk->sk_err = EUNATCH;
943 
944 			/* Kill session thread */
945 			atomic_inc(&session->terminate);
946 			hidp_schedule(session);
947 		}
948 	} else
949 		err = -ENOENT;
950 
951 	up_read(&hidp_session_sem);
952 	return err;
953 }
954 
955 int hidp_get_connlist(struct hidp_connlist_req *req)
956 {
957 	struct list_head *p;
958 	int err = 0, n = 0;
959 
960 	BT_DBG("");
961 
962 	down_read(&hidp_session_sem);
963 
964 	list_for_each(p, &hidp_session_list) {
965 		struct hidp_session *session;
966 		struct hidp_conninfo ci;
967 
968 		session = list_entry(p, struct hidp_session, list);
969 
970 		__hidp_copy_session(session, &ci);
971 
972 		if (copy_to_user(req->ci, &ci, sizeof(ci))) {
973 			err = -EFAULT;
974 			break;
975 		}
976 
977 		if (++n >= req->cnum)
978 			break;
979 
980 		req->ci++;
981 	}
982 	req->cnum = n;
983 
984 	up_read(&hidp_session_sem);
985 	return err;
986 }
987 
988 int hidp_get_conninfo(struct hidp_conninfo *ci)
989 {
990 	struct hidp_session *session;
991 	int err = 0;
992 
993 	down_read(&hidp_session_sem);
994 
995 	session = __hidp_get_session(&ci->bdaddr);
996 	if (session)
997 		__hidp_copy_session(session, ci);
998 	else
999 		err = -ENOENT;
1000 
1001 	up_read(&hidp_session_sem);
1002 	return err;
1003 }
1004 
1005 static const struct hid_device_id hidp_table[] = {
1006 	{ HID_BLUETOOTH_DEVICE(HID_ANY_ID, HID_ANY_ID) },
1007 	{ }
1008 };
1009 
1010 static struct hid_driver hidp_driver = {
1011 	.name = "generic-bluetooth",
1012 	.id_table = hidp_table,
1013 };
1014 
1015 static int __init hidp_init(void)
1016 {
1017 	int ret;
1018 
1019 	l2cap_load();
1020 
1021 	BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1022 
1023 	ret = hid_register_driver(&hidp_driver);
1024 	if (ret)
1025 		goto err;
1026 
1027 	ret = hidp_init_sockets();
1028 	if (ret)
1029 		goto err_drv;
1030 
1031 	return 0;
1032 err_drv:
1033 	hid_unregister_driver(&hidp_driver);
1034 err:
1035 	return ret;
1036 }
1037 
1038 static void __exit hidp_exit(void)
1039 {
1040 	hidp_cleanup_sockets();
1041 	hid_unregister_driver(&hidp_driver);
1042 }
1043 
1044 module_init(hidp_init);
1045 module_exit(hidp_exit);
1046 
1047 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1048 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1049 MODULE_VERSION(VERSION);
1050 MODULE_LICENSE("GPL");
1051 MODULE_ALIAS("bt-proto-6");
1052