1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * User-space I/O driver support for HID subsystem
4*4882a593Smuzhiyun * Copyright (c) 2012 David Herrmann
5*4882a593Smuzhiyun */
6*4882a593Smuzhiyun
7*4882a593Smuzhiyun /*
8*4882a593Smuzhiyun */
9*4882a593Smuzhiyun
10*4882a593Smuzhiyun #include <linux/atomic.h>
11*4882a593Smuzhiyun #include <linux/compat.h>
12*4882a593Smuzhiyun #include <linux/cred.h>
13*4882a593Smuzhiyun #include <linux/device.h>
14*4882a593Smuzhiyun #include <linux/fs.h>
15*4882a593Smuzhiyun #include <linux/hid.h>
16*4882a593Smuzhiyun #include <linux/input.h>
17*4882a593Smuzhiyun #include <linux/miscdevice.h>
18*4882a593Smuzhiyun #include <linux/module.h>
19*4882a593Smuzhiyun #include <linux/mutex.h>
20*4882a593Smuzhiyun #include <linux/poll.h>
21*4882a593Smuzhiyun #include <linux/sched.h>
22*4882a593Smuzhiyun #include <linux/spinlock.h>
23*4882a593Smuzhiyun #include <linux/uhid.h>
24*4882a593Smuzhiyun #include <linux/wait.h>
25*4882a593Smuzhiyun
/* Driver name string; where it is used is not visible in this part of the file. */
#define UHID_NAME "uhid"
/*
 * Number of slots in uhid_device.outq. uhid_queue() treats the ring as full
 * when advancing head would make it equal to tail, so at most
 * UHID_BUFSIZE - 1 events can be pending at once; anything beyond that is
 * dropped and freed.
 */
#define UHID_BUFSIZE 32
28*4882a593Smuzhiyun
/*
 * Per-open state of the uhid character device. One instance is allocated in
 * uhid_char_open(), stored in file->private_data and freed in
 * uhid_char_release().
 */
struct uhid_device {
	/* Taken by uhid_char_read() around dequeueing; also held by
	 * uhid_char_write() according to the comment in uhid_dev_create2().
	 */
	struct mutex devlock;

	/* This flag tracks whether the HID device is usable for commands from
	 * userspace. The flag is already set before hid_add_device(), which
	 * runs in workqueue context, to allow hid_add_device() to communicate
	 * with userspace.
	 * However, if hid_add_device() fails, the flag is cleared without
	 * holding devlock.
	 * We guarantee that if @running changes from true to false while you're
	 * holding @devlock, it's still fine to access @hid.
	 */
	bool running;

	/* Kernel copy of the report descriptor supplied at creation time
	 * (kmemdup() in uhid_dev_create2()); passed to hid_parse_report() by
	 * uhid_hid_parse() and freed in uhid_dev_destroy().
	 */
	__u8 *rd_data;
	uint rd_size;

	/* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */
	struct hid_device *hid;
	/* NOTE(review): presumably the staging buffer for events written by
	 * userspace; its use is not visible in this part of the file.
	 */
	struct uhid_event input_buf;

	/* Output ring read by userspace: uhid_queue() stores at @head and wakes
	 * @waitq, uhid_char_read() consumes at @tail. Index updates are made
	 * under @qlock.
	 */
	wait_queue_head_t waitq;
	spinlock_t qlock;
	__u8 head;
	__u8 tail;
	struct uhid_event *outq[UHID_BUFSIZE];

	/* blocking GET_REPORT support; state changes protected by qlock */
	/* @report_lock serialises uhid_hid_get_report()/uhid_hid_set_report().
	 * @report_id and @report_type identify the reply that is currently
	 * awaited; uhid_report_wake_up() copies a matching reply into
	 * @report_buf and wakes @report_wait.
	 */
	struct mutex report_lock;
	wait_queue_head_t report_wait;
	bool report_running;
	u32 report_id;
	u32 report_type;
	struct uhid_event report_buf;
	/* Runs uhid_device_add_worker() (see INIT_WORK() in uhid_char_open()). */
	struct work_struct worker;
};
65*4882a593Smuzhiyun
/*
 * Forward declaration: uhid_dev_create2() uses uhid_misc.this_device as the
 * parent of every HID device it creates. The definition is not visible in
 * this part of the file.
 */
static struct miscdevice uhid_misc;
67*4882a593Smuzhiyun
/*
 * Work item that registers uhid->hid with the HID core.
 *
 * Scheduled from uhid_dev_create2(). On failure the device is only marked as
 * not running and report waiters are woken; the hid_device itself is left in
 * place for uhid_dev_destroy() to release.
 */
static void uhid_device_add_worker(struct work_struct *work)
{
	struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
	int err = hid_add_device(uhid->hid);

	if (!err)
		return;

	hid_err(uhid->hid, "Cannot register HID device: error %d\n", err);

	/* We used to call hid_destroy_device() here, but that's really
	 * messy to get right because we have to coordinate with
	 * concurrent writes from userspace that might be in the middle
	 * of using uhid->hid.
	 * Just leave uhid->hid as-is for now, and clean it up when
	 * userspace tries to close or reinitialize the uhid instance.
	 *
	 * However, we do have to clear the ->running flag and do a
	 * wakeup to make sure userspace knows that the device is gone.
	 *
	 * Note that ->running is written here without devlock or qlock.
	 */
	uhid->running = false;
	wake_up_interruptible(&uhid->report_wait);
}
91*4882a593Smuzhiyun
/*
 * Append @ev to the output ring and wake readers.
 *
 * Always takes ownership of @ev: it is either stored in outq or, when the
 * ring is full, freed after a warning. Every caller visible in this file
 * holds uhid->qlock around the call.
 */
static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
{
	__u8 next = (uhid->head + 1) % UHID_BUFSIZE;

	/* One slot is always kept empty so that head == tail means "empty". */
	if (next == uhid->tail) {
		hid_warn(uhid->hid, "Output queue is full\n");
		kfree(ev);
		return;
	}

	uhid->outq[uhid->head] = ev;
	uhid->head = next;
	wake_up_interruptible(&uhid->waitq);
}
107*4882a593Smuzhiyun
/*
 * Allocate a payload-less event of type @event and queue it for userspace.
 *
 * Returns 0 once the event has been handed to uhid_queue() (which may still
 * drop it if the ring is full) or -ENOMEM if the allocation fails.
 */
static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
{
	struct uhid_event *ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	unsigned long irqflags;

	if (!ev)
		return -ENOMEM;

	/* kzalloc() leaves every byte other than the type zeroed. */
	ev->type = event;

	spin_lock_irqsave(&uhid->qlock, irqflags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, irqflags);

	return 0;
}
125*4882a593Smuzhiyun
/*
 * hid_ll_driver.start callback: queue a UHID_START event for userspace.
 *
 * The event's dev_flags report which report types (feature, output, input)
 * the HID core parsed as numbered. Returns 0 or -ENOMEM.
 */
static int uhid_hid_start(struct hid_device *hid)
{
	struct uhid_device *uhid = hid->driver_data;
	unsigned long irqflags;
	struct uhid_event *ev;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_START;

	/* dev_flags starts at zero thanks to kzalloc(); OR in one bit per type. */
	if (hid->report_enum[HID_FEATURE_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;

	if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;

	if (hid->report_enum[HID_INPUT_REPORT].numbered)
		ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;

	spin_lock_irqsave(&uhid->qlock, irqflags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, irqflags);

	return 0;
}
151*4882a593Smuzhiyun
/*
 * hid_ll_driver.stop callback: clear hid->claimed and queue UHID_STOP.
 *
 * The result of uhid_queue_event() is not checked, so an allocation failure
 * means userspace never sees the UHID_STOP event.
 */
static void uhid_hid_stop(struct hid_device *hid)
{
	struct uhid_device *owner = hid->driver_data;

	hid->claimed = 0;

	uhid_queue_event(owner, UHID_STOP);
}
159*4882a593Smuzhiyun
/*
 * hid_ll_driver.open callback: queue UHID_OPEN for userspace.
 * Returns whatever uhid_queue_event() returns (0 or -ENOMEM).
 */
static int uhid_hid_open(struct hid_device *hid)
{
	return uhid_queue_event(hid->driver_data, UHID_OPEN);
}
166*4882a593Smuzhiyun
/*
 * hid_ll_driver.close callback: queue UHID_CLOSE for userspace.
 * A failure to queue the event is not reported to the caller.
 */
static void uhid_hid_close(struct hid_device *hid)
{
	uhid_queue_event(hid->driver_data, UHID_CLOSE);
}
173*4882a593Smuzhiyun
/*
 * hid_ll_driver.parse callback: hand the stored report descriptor
 * (uhid->rd_data, uhid->rd_size) to hid_parse_report() and return its result.
 */
static int uhid_hid_parse(struct hid_device *hid)
{
	struct uhid_device *owner = hid->driver_data;
	__u8 *descriptor = owner->rd_data;

	return hid_parse_report(hid, descriptor, owner->rd_size);
}
180*4882a593Smuzhiyun
/* must be called with report_lock held */
/*
 * Queue the request @ev and wait up to five seconds for the matching reply.
 *
 * Under qlock a fresh request id is written to *report_id, the expected reply
 * type is recorded as ev->type + 1, and @ev is handed to uhid_queue().
 * @report_id may point into @ev (both callers pass a field of @ev), which is
 * why it is written before queuing: uhid_queue() always takes ownership of
 * @ev and may free it.
 *
 * Returns 0 when a reply arrived, -EIO on timeout, when the device stopped
 * running or when the request is still outstanding after the wait (this
 * check comes first, so an interrupted wait with the request still pending
 * also yields -EIO), and -ERESTARTSYS for an interrupted wait otherwise.
 */
static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
					struct uhid_event *ev,
					__u32 *report_id)
{
	unsigned long irqflags;
	int waited;
	int ret;

	spin_lock_irqsave(&uhid->qlock, irqflags);
	*report_id = ++uhid->report_id;
	uhid->report_type = ev->type + 1;
	uhid->report_running = true;
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, irqflags);

	/* @ev must not be touched from here on. */
	waited = wait_event_interruptible_timeout(uhid->report_wait,
				!uhid->report_running || !uhid->running,
				5 * HZ);

	if (waited == 0 || !uhid->running || uhid->report_running)
		ret = -EIO;
	else
		ret = waited < 0 ? -ERESTARTSYS : 0;

	/* Written without qlock, as in the rest of this function's tail. */
	uhid->report_running = false;

	return ret;
}
210*4882a593Smuzhiyun
/*
 * Deliver a GET_REPORT/SET_REPORT reply to the waiter, if there is one.
 *
 * The reply is accepted only when its type and @id match the request that is
 * currently outstanding and a request is still marked as running; anything
 * else is dropped silently. An accepted reply is copied in full into
 * uhid->report_buf, so its size and error fields are whatever the sender put
 * there and must be validated by the consumer.
 */
static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
				const struct uhid_event *ev)
{
	unsigned long irqflags;

	spin_lock_irqsave(&uhid->qlock, irqflags);

	/* A mismatch means the id belongs to an old report; drop it silently. */
	if (uhid->report_type == ev->type && uhid->report_id == id &&
	    uhid->report_running) {
		memcpy(&uhid->report_buf, ev, sizeof(*ev));
		uhid->report_running = false;
		wake_up_interruptible(&uhid->report_wait);
	}

	spin_unlock_irqrestore(&uhid->qlock, irqflags);
}
231*4882a593Smuzhiyun
/*
 * Ask userspace for report @rnum of type @rtype and copy the answer to @buf.
 *
 * Returns the number of bytes copied, -EIO if the device is not running, the
 * request failed or the reply carries an error, -ENOMEM on allocation
 * failure, or the error from mutex_lock_interruptible().
 *
 * The reply length comes from the reply event, so it is clamped to both the
 * caller's @count and UHID_DATA_MAX before the copy.
 */
static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
			       u8 *buf, size_t count, u8 rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_get_report_reply_req *reply;
	struct uhid_event *ev;
	int ret;

	if (!uhid->running)
		return -EIO;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_GET_REPORT;
	ev->u.get_report.rnum = rnum;
	ev->u.get_report.rtype = rtype;

	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret) {
		/* Not queued yet, so the event is still ours to free. */
		kfree(ev);
		return ret;
	}

	/* this _always_ takes ownership of @ev */
	ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
	if (!ret) {
		reply = &uhid->report_buf.u.get_report_reply;
		if (reply->err) {
			ret = -EIO;
		} else {
			ret = min3(count, (size_t)reply->size,
				   (size_t)UHID_DATA_MAX);
			memcpy(buf, reply->data, ret);
		}
	}

	mutex_unlock(&uhid->report_lock);
	return ret;
}
274*4882a593Smuzhiyun
/*
 * Send report @rnum of type @rtype to userspace and wait for its reply.
 *
 * Returns @count on success, -EIO if the device is not running, @count
 * exceeds UHID_DATA_MAX, the request failed or the reply carries an error,
 * -ENOMEM on allocation failure, or the error from
 * mutex_lock_interruptible().
 */
static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
			       const u8 *buf, size_t count, u8 rtype)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_event *ev;
	int ret;

	/* The size check bounds the memcpy() into the event payload below. */
	if (!uhid->running || count > UHID_DATA_MAX)
		return -EIO;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_SET_REPORT;
	ev->u.set_report.rnum = rnum;
	ev->u.set_report.rtype = rtype;
	ev->u.set_report.size = count;
	memcpy(ev->u.set_report.data, buf, count);

	ret = mutex_lock_interruptible(&uhid->report_lock);
	if (ret) {
		/* Not queued yet, so the event is still ours to free. */
		kfree(ev);
		return ret;
	}

	/* this _always_ takes ownership of @ev */
	ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
	if (!ret)
		ret = uhid->report_buf.u.set_report_reply.err ? -EIO : count;

	mutex_unlock(&uhid->report_lock);
	return ret;
}
315*4882a593Smuzhiyun
/*
 * hid_ll_driver.raw_request callback.
 *
 * Translates the HID core report type into its UHID counterpart and
 * dispatches to the GET_REPORT or SET_REPORT helper. An unknown report type
 * yields -EINVAL (checked first); an unknown request type yields -EIO.
 */
static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
				__u8 *buf, size_t len, unsigned char rtype,
				int reqtype)
{
	u8 u_rtype;

	if (rtype == HID_FEATURE_REPORT)
		u_rtype = UHID_FEATURE_REPORT;
	else if (rtype == HID_OUTPUT_REPORT)
		u_rtype = UHID_OUTPUT_REPORT;
	else if (rtype == HID_INPUT_REPORT)
		u_rtype = UHID_INPUT_REPORT;
	else
		return -EINVAL;

	if (reqtype == HID_REQ_GET_REPORT)
		return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);

	if (reqtype == HID_REQ_SET_REPORT)
		return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);

	return -EIO;
}
345*4882a593Smuzhiyun
/*
 * Queue a UHID_OUTPUT event carrying @count bytes from @buf.
 *
 * Only feature and output reports are accepted, and @count must lie in
 * 1..UHID_DATA_MAX, which bounds the copy into the event payload. Returns
 * @count once the event has been handed to uhid_queue() (even if the ring
 * was full and the event was dropped there), -EINVAL for a bad type or size,
 * or -ENOMEM.
 */
static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
			       unsigned char report_type)
{
	struct uhid_device *uhid = hid->driver_data;
	struct uhid_event *ev;
	unsigned long irqflags;
	__u8 rtype;

	if (report_type == HID_FEATURE_REPORT)
		rtype = UHID_FEATURE_REPORT;
	else if (report_type == HID_OUTPUT_REPORT)
		rtype = UHID_OUTPUT_REPORT;
	else
		return -EINVAL;

	if (count < 1 || count > UHID_DATA_MAX)
		return -EINVAL;

	ev = kzalloc(sizeof(*ev), GFP_KERNEL);
	if (!ev)
		return -ENOMEM;

	ev->type = UHID_OUTPUT;
	ev->u.output.size = count;
	ev->u.output.rtype = rtype;
	memcpy(ev->u.output.data, buf, count);

	spin_lock_irqsave(&uhid->qlock, irqflags);
	uhid_queue(uhid, ev);
	spin_unlock_irqrestore(&uhid->qlock, irqflags);

	return count;
}
383*4882a593Smuzhiyun
/*
 * hid_ll_driver.output_report callback: forward @buf to userspace as an
 * output report via uhid_hid_output_raw() and return its result.
 */
static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
				  size_t count)
{
	int queued = uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);

	return queued;
}
389*4882a593Smuzhiyun
/*
 * Low-level HID driver operations backing every device created through
 * uhid; uhid_dev_create2() installs this table as hid->ll_driver. Each
 * callback turns the HID core request into an event for userspace. The
 * symbol is not static and is exported to GPL modules.
 */
struct hid_ll_driver uhid_hid_driver = {
	.start = uhid_hid_start,
	.stop = uhid_hid_stop,
	.open = uhid_hid_open,
	.close = uhid_hid_close,
	.parse = uhid_hid_parse,
	.raw_request = uhid_hid_raw_request,
	.output_report = uhid_hid_output_report,
};
EXPORT_SYMBOL_GPL(uhid_hid_driver);
400*4882a593Smuzhiyun
401*4882a593Smuzhiyun #ifdef CONFIG_COMPAT
402*4882a593Smuzhiyun
/* Apparently we haven't stepped on these rakes enough times yet. */
/*
 * Layout of the UHID_CREATE payload as written by a compat (32-bit) task:
 * the same fields that uhid_event_from_user() copies into event->u.create,
 * except that rd_data is a 32-bit user pointer (compat_uptr_t) that has to
 * be widened with compat_ptr(). The struct is packed, so there is no padding
 * between members.
 */
struct uhid_create_req_compat {
	__u8 name[128];
	__u8 phys[64];
	__u8 uniq[64];

	/* 32-bit userspace address of the report descriptor */
	compat_uptr_t rd_data;
	__u16 rd_size;

	__u16 bus;
	__u32 vendor;
	__u32 product;
	__u32 version;
	__u32 country;
} __attribute__((__packed__));
418*4882a593Smuzhiyun
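/*
 * Copy an event written by userspace into @event (CONFIG_COMPAT variant).
 *
 * @buffer: userspace buffer holding the event
 * @len:    number of bytes userspace supplied
 * @event:  destination; bytes beyond what userspace supplied are not written
 *
 * For a compat task a UHID_CREATE event embeds a 32-bit user pointer, so its
 * payload is read in the compat layout and converted field by field. Every
 * other event, and every event from a native task, is copied directly,
 * truncated to sizeof(*event).
 *
 * Returns 0 on success, -EFAULT if userspace memory cannot be read, -EINVAL
 * if a compat write is too short to hold the type field, or -ENOMEM.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	if (in_compat_syscall()) {
		u32 type;

		/*
		 * "len -= sizeof(type)" below would wrap for a shorter write.
		 * NOTE(review): the caller appears to reject such writes
		 * already; this keeps the helper safe on its own.
		 */
		if (len < sizeof(type))
			return -EINVAL;

		/*
		 * Read the whole 32-bit type field. get_user() sizes its
		 * access from the pointee type of its pointer argument, and
		 * @buffer is a char pointer, so get_user(type, buffer) fetches
		 * a single byte: the least significant byte on little-endian,
		 * the most significant one on big-endian. copy_from_user()
		 * reads all four bytes and has no alignment requirement.
		 */
		if (copy_from_user(&type, buffer, sizeof(type)))
			return -EFAULT;

		if (type == UHID_CREATE) {
			/*
			 * This is our messed up request with compat pointer.
			 * It is largish (more than 256 bytes) so we better
			 * allocate it from the heap.
			 */
			struct uhid_create_req_compat *compat;

			/* Zeroed, so a short write leaves the tail as zeros. */
			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
			if (!compat)
				return -ENOMEM;

			buffer += sizeof(type);
			len -= sizeof(type);
			if (copy_from_user(compat, buffer,
					   min(len, sizeof(*compat)))) {
				kfree(compat);
				return -EFAULT;
			}

			/* Shuffle the data over to proper structure */
			event->type = type;

			memcpy(event->u.create.name, compat->name,
			       sizeof(compat->name));
			memcpy(event->u.create.phys, compat->phys,
			       sizeof(compat->phys));
			memcpy(event->u.create.uniq, compat->uniq,
			       sizeof(compat->uniq));

			/* Still a userspace address; only its width changes. */
			event->u.create.rd_data = compat_ptr(compat->rd_data);
			event->u.create.rd_size = compat->rd_size;

			event->u.create.bus = compat->bus;
			event->u.create.vendor = compat->vendor;
			event->u.create.product = compat->product;
			event->u.create.version = compat->version;
			event->u.create.country = compat->country;

			kfree(compat);
			return 0;
		}
		/* All others can be copied directly */
	}

	if (copy_from_user(event, buffer, min(len, sizeof(*event))))
		return -EFAULT;

	return 0;
}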
478*4882a593Smuzhiyun #else
/*
 * Copy an event written by userspace into @event (non-compat build).
 *
 * At most sizeof(*event) bytes are copied, so an oversized write cannot
 * overrun @event; a shorter write leaves the rest of @event untouched.
 * Returns 0 on success or -EFAULT if userspace memory cannot be read.
 */
static int uhid_event_from_user(const char __user *buffer, size_t len,
				struct uhid_event *event)
{
	size_t n = min(len, sizeof(*event));

	return copy_from_user(event, buffer, n) ? -EFAULT : 0;
}
487*4882a593Smuzhiyun #endif
488*4882a593Smuzhiyun
/*
 * Handle UHID_CREATE2: build a hid_device from the userspace description.
 *
 * The report descriptor is duplicated into kernel memory after its size has
 * been checked against HID_MAX_DESCRIPTOR_SIZE, the identification fields
 * are copied from the event, and registration with the HID core is deferred
 * to the worker.
 *
 * Returns 0 on success, -EALREADY if a device already exists on this
 * instance, -EINVAL for a zero or oversized descriptor, -ENOMEM, or the
 * error from hid_allocate_device().
 */
static int uhid_dev_create2(struct uhid_device *uhid,
			    const struct uhid_event *ev)
{
	struct hid_device *hid;
	size_t rd_size, len;
	void *rd_data;

	if (uhid->hid)
		return -EALREADY;

	/* rd_size is user-controlled; bound it before it is used as a length. */
	rd_size = ev->u.create2.rd_size;
	if (!rd_size || rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
	if (!rd_data)
		return -ENOMEM;

	uhid->rd_size = rd_size;
	uhid->rd_data = rd_data;

	hid = hid_allocate_device();
	if (IS_ERR(hid)) {
		/* Undo the descriptor copy so no stale pointer is left behind. */
		kfree(uhid->rd_data);
		uhid->rd_data = NULL;
		uhid->rd_size = 0;
		return PTR_ERR(hid);
	}

	/* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
	/* Copying at most size - 1 bytes keeps the final NUL of each field. */
	len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
	strncpy(hid->name, ev->u.create2.name, len);
	len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
	strncpy(hid->phys, ev->u.create2.phys, len);
	len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
	strncpy(hid->uniq, ev->u.create2.uniq, len);

	hid->ll_driver = &uhid_hid_driver;
	hid->driver_data = uhid;
	hid->dev.parent = uhid_misc.this_device;

	/* Bus and IDs are taken from userspace as given. */
	hid->bus = ev->u.create2.bus;
	hid->vendor = ev->u.create2.vendor;
	hid->product = ev->u.create2.product;
	hid->version = ev->u.create2.version;
	hid->country = ev->u.create2.country;

	uhid->hid = hid;
	uhid->running = true;

	/* Adding of a HID device is done through a worker, to allow HID drivers
	 * which use feature requests during .probe to work; without it they
	 * would be blocked on devlock, which is held by uhid_char_write.
	 */
	schedule_work(&uhid->worker);

	return 0;
}
551*4882a593Smuzhiyun
/*
 * Handle the legacy UHID_CREATE: convert the event in place to the
 * UHID_CREATE2 layout and continue in uhid_dev_create2().
 *
 * The legacy payload is copied to the stack first because the create2
 * fields written below share storage with it inside ev->u. The report
 * descriptor is fetched through orig.rd_data, a userspace pointer taken from
 * the event itself, after rd_size has been bounded by
 * HID_MAX_DESCRIPTOR_SIZE.
 *
 * Returns -EINVAL for a zero or oversized descriptor, -EFAULT if the
 * descriptor cannot be read, otherwise the result of uhid_dev_create2().
 */
static int uhid_dev_create(struct uhid_device *uhid,
			   struct uhid_event *ev)
{
	struct uhid_create_req orig = ev->u.create;

	if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;

	/* Second read of user memory, driven by the pointer in the event. */
	if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
		return -EFAULT;

	memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
	memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
	memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));

	ev->u.create2.rd_size = orig.rd_size;
	ev->u.create2.bus = orig.bus;
	ev->u.create2.vendor = orig.vendor;
	ev->u.create2.product = orig.product;
	ev->u.create2.version = orig.version;
	ev->u.create2.country = orig.country;

	return uhid_dev_create2(uhid, ev);
}
576*4882a593Smuzhiyun
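/*
 * Tear down the HID device of this uhid instance.
 *
 * Marks the device as not running and wakes report waiters, waits for the
 * registration worker to finish, destroys the hid_device and frees the
 * report descriptor copy.
 *
 * Returns 0 on success or -EINVAL if no device exists.
 */
static int uhid_dev_destroy(struct uhid_device *uhid)
{
	if (!uhid->hid)
		return -EINVAL;

	uhid->running = false;
	wake_up_interruptible(&uhid->report_wait);

	/* The worker dereferences uhid->hid, so it must finish first. */
	cancel_work_sync(&uhid->worker);

	hid_destroy_device(uhid->hid);
	uhid->hid = NULL;

	/*
	 * Reset the descriptor fields after freeing, as the error path of
	 * uhid_dev_create2() does, so that the instance never carries a
	 * dangling rd_data pointer between destroy and the next create.
	 */
	kfree(uhid->rd_data);
	uhid->rd_data = NULL;
	uhid->rd_size = 0;

	return 0;
}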
593*4882a593Smuzhiyun
/*
 * Handle UHID_INPUT: feed an input report from userspace to the HID core.
 *
 * The size field comes from userspace and is clamped to UHID_DATA_MAX before
 * it is used as a length. Returns 0, or -EINVAL if the device is not
 * running.
 */
static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
{
	size_t len;

	if (!uhid->running)
		return -EINVAL;

	len = min_t(size_t, ev->u.input.size, UHID_DATA_MAX);
	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data, len, 0);

	return 0;
}
604*4882a593Smuzhiyun
/*
 * Handle UHID_INPUT2: feed an input report from userspace to the HID core,
 * reading it from the input2 payload layout.
 *
 * The size field comes from userspace and is clamped to UHID_DATA_MAX before
 * it is used as a length. Returns 0, or -EINVAL if the device is not
 * running.
 */
static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
{
	size_t len;

	if (!uhid->running)
		return -EINVAL;

	len = min_t(size_t, ev->u.input2.size, UHID_DATA_MAX);
	hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data, len, 0);

	return 0;
}
615*4882a593Smuzhiyun
/*
 * Handle a GET_REPORT reply event: pass it to uhid_report_wake_up(), which
 * decides whether it matches the outstanding request.
 *
 * Returns 0 (also when the reply is stale and gets dropped), or -EINVAL if
 * the device is not running.
 */
static int uhid_dev_get_report_reply(struct uhid_device *uhid,
				     struct uhid_event *ev)
{
	if (uhid->running) {
		uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
		return 0;
	}

	return -EINVAL;
}
625*4882a593Smuzhiyun
/*
 * Handle a SET_REPORT reply event: pass it to uhid_report_wake_up(), which
 * decides whether it matches the outstanding request.
 *
 * Returns 0 (also when the reply is stale and gets dropped), or -EINVAL if
 * the device is not running.
 */
static int uhid_dev_set_report_reply(struct uhid_device *uhid,
				     struct uhid_event *ev)
{
	if (uhid->running) {
		uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
		return 0;
	}

	return -EINVAL;
}
635*4882a593Smuzhiyun
/*
 * open() handler of the uhid character device.
 *
 * Allocates a zeroed uhid_device, initialises its locks, wait queues and
 * work item, and attaches it to the file. No HID device exists yet at this
 * point. Returns 0 or -ENOMEM.
 */
static int uhid_char_open(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);

	if (!uhid)
		return -ENOMEM;

	/* Locks */
	mutex_init(&uhid->devlock);
	mutex_init(&uhid->report_lock);
	spin_lock_init(&uhid->qlock);

	/* Wait queues for readers and for report requests */
	init_waitqueue_head(&uhid->waitq);
	init_waitqueue_head(&uhid->report_wait);

	uhid->running = false;
	INIT_WORK(&uhid->worker, uhid_device_add_worker);

	file->private_data = uhid;
	stream_open(inode, file);

	return 0;
}
657*4882a593Smuzhiyun
/*
 * release() handler of the uhid character device.
 *
 * Destroys the HID device if one exists (the result of uhid_dev_destroy() is
 * ignored, as it only reports that there was none), frees every event still
 * sitting in the output ring and finally the instance itself. Always
 * returns 0.
 */
static int uhid_char_release(struct inode *inode, struct file *file)
{
	struct uhid_device *uhid = file->private_data;
	unsigned int slot = 0;

	uhid_dev_destroy(uhid);

	/* Slots holding NULL are passed to kfree() as well. */
	while (slot < UHID_BUFSIZE) {
		kfree(uhid->outq[slot]);
		++slot;
	}

	kfree(uhid);

	return 0;
}
672*4882a593Smuzhiyun
/*
 * read() handler: hand the oldest queued event to userspace.
 *
 * One event is returned per call, truncated to @count if the caller's buffer
 * is smaller than a struct uhid_event. Every event queued by the code
 * visible in this file is allocated with kzalloc(), so the unused part of
 * the fixed-size event that is copied out is zero-filled.
 *
 * Returns the number of bytes copied, -EINVAL if @count cannot hold the type
 * field, -EAGAIN for a non-blocking read on an empty queue, -EFAULT if the
 * user buffer cannot be written (the event then stays queued), or the error
 * of an interrupted wait or lock.
 */
static ssize_t uhid_char_read(struct file *file, char __user *buffer,
			      size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	unsigned long irqflags;
	size_t len;
	int ret;

	/* they need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

	for (;;) {
		if (file->f_flags & O_NONBLOCK) {
			if (uhid->head == uhid->tail)
				return -EAGAIN;
		} else {
			ret = wait_event_interruptible(uhid->waitq,
						uhid->head != uhid->tail);
			if (ret)
				return ret;
		}

		ret = mutex_lock_interruptible(&uhid->devlock);
		if (ret)
			return ret;

		/* Re-check under devlock; the queue may be empty again. */
		if (uhid->head != uhid->tail)
			break;

		mutex_unlock(&uhid->devlock);
	}

	len = min(count, sizeof(**uhid->outq));
	if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
		mutex_unlock(&uhid->devlock);
		return -EFAULT;
	}

	kfree(uhid->outq[uhid->tail]);
	uhid->outq[uhid->tail] = NULL;

	/* Only the index update needs qlock. */
	spin_lock_irqsave(&uhid->qlock, irqflags);
	uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
	spin_unlock_irqrestore(&uhid->qlock, irqflags);

	mutex_unlock(&uhid->devlock);
	return len;
}
720*4882a593Smuzhiyun
/*
 * Write handler: takes one uhid_event from user space and dispatches it on
 * its "type" member.
 *
 * At most sizeof(uhid->input_buf) bytes of the write are handed to
 * uhid_event_from_user(); the staging buffer is cleared beforehand, so any
 * part the caller did not supply is zero. Everything from the clear to the
 * dispatch runs under devlock.
 *
 * Security: UHID_CREATE is the one request whose payload embeds a __user
 * pointer that is dereferenced later, so it is refused unless the writer
 * runs with the credentials the file was opened with and the write does not
 * come from kernel context. The other request types carry no such check
 * here.
 *
 * Returns @count on success (even when fewer bytes were consumed), -EINVAL
 * if @count does not cover the __u32 "type" member, -EACCES for a rejected
 * UHID_CREATE, -EOPNOTSUPP for an unknown type, or the error reported by the
 * lock, by uhid_event_from_user() or by the selected handler.
 */
static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
			       size_t count, loff_t *ppos)
{
	struct uhid_device *uhid = file->private_data;
	size_t copy_len;
	int err;

	/* we need at least the "type" member of uhid_event */
	if (count < sizeof(__u32))
		return -EINVAL;

	err = mutex_lock_interruptible(&uhid->devlock);
	if (err)
		return err;

	/* start from an all-zero event, then take no more than fits in it */
	memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
	copy_len = min(count, sizeof(uhid->input_buf));

	err = uhid_event_from_user(buffer, copy_len, &uhid->input_buf);
	if (err)
		goto out_unlock;

	switch (uhid->input_buf.type) {
	case UHID_CREATE:
		/*
		 * 'struct uhid_create_req' contains a __user pointer which is
		 * copied from, so it's unsafe to allow this with elevated
		 * privileges (e.g. from a setuid binary) or via kernel_write().
		 */
		if (file->f_cred != current_cred() || uaccess_kernel()) {
			pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
				    task_tgid_vnr(current), current->comm);
			err = -EACCES;
			/* nothing follows the switch but the unlock */
			break;
		}
		err = uhid_dev_create(uhid, &uhid->input_buf);
		break;
	case UHID_CREATE2:
		err = uhid_dev_create2(uhid, &uhid->input_buf);
		break;
	case UHID_DESTROY:
		err = uhid_dev_destroy(uhid);
		break;
	case UHID_INPUT:
		err = uhid_dev_input(uhid, &uhid->input_buf);
		break;
	case UHID_INPUT2:
		err = uhid_dev_input2(uhid, &uhid->input_buf);
		break;
	case UHID_GET_REPORT_REPLY:
		err = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
		break;
	case UHID_SET_REPORT_REPLY:
		err = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
		break;
	default:
		err = -EOPNOTSUPP;
		break;
	}

out_unlock:
	mutex_unlock(&uhid->devlock);

	/* return "count" not "len" to not confuse the caller */
	if (err)
		return err;

	return count;
}
786*4882a593Smuzhiyun
/*
 * Poll handler: registers the caller on uhid->waitq and reports readiness.
 *
 * The device is always reported writable; it is additionally reported
 * readable while the output queue is non-empty (head != tail). The queue
 * indices are read here without taking any lock.
 */
static __poll_t uhid_char_poll(struct file *file, poll_table *wait)
{
	struct uhid_device *uhid = file->private_data;

	poll_wait(file, &uhid->waitq, wait);

	/* uhid is always writable */
	if (uhid->head == uhid->tail)
		return EPOLLOUT | EPOLLWRNORM;

	return EPOLLOUT | EPOLLWRNORM | EPOLLIN | EPOLLRDNORM;
}
799*4882a593Smuzhiyun
/*
 * File operations of the uhid character device. Every handler receives the
 * per-open uhid_device through file->private_data.
 */
static const struct file_operations uhid_fops = {
	.owner		= THIS_MODULE,
	.llseek		= no_llseek,
	.read		= uhid_char_read,
	.write		= uhid_char_write,
	.poll		= uhid_char_poll,
	.open		= uhid_char_open,
	.release	= uhid_char_release,
};
809*4882a593Smuzhiyun
/*
 * Misc device descriptor: minor UHID_MINOR, node name UHID_NAME, served by
 * uhid_fops.
 *
 * NOTE(review): the handlers in uhid_fops do no permission checks of their
 * own beyond the UHID_CREATE credential test, so who may create and drive
 * HID devices is decided by the permissions on the device node - confirm
 * they are restricted on the target system.
 */
static struct miscdevice uhid_misc = {
	.minor	= UHID_MINOR,
	.name	= UHID_NAME,
	.fops	= &uhid_fops,
};
/* generates the module init/exit pair that (de)registers uhid_misc */
module_misc_device(uhid_misc);
816*4882a593Smuzhiyun
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");

/*
 * Module aliases keyed on the misc minor and on the device node name
 * ("devname:" UHID_NAME); presumably these are what let the module be
 * loaded on demand when the node is first opened - confirm.
 */
MODULE_ALIAS_MISCDEV(UHID_MINOR);
MODULE_ALIAS("devname:" UHID_NAME);