1 /*
2 * User level driver support for input subsystem
3 *
4 * Heavily based on evdev.c by Vojtech Pavlik
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
21 *
22 * Changes/Revisions:
23 * 0.4 01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>)
24 * - add UI_GET_SYSNAME ioctl
25 * 0.3 09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>)
26 * - updated ff support for the changes in kernel interface
27 * - added MODULE_VERSION
28 * 0.2 16/10/2004 (Micah Dowty <micah@navi.cx>)
29 * - added force feedback support
30 * - added UI_SET_PHYS
31 * 0.1 20/06/2002
32 * - first public version
33 */
34 #include <linux/poll.h>
35 #include <linux/sched.h>
36 #include <linux/slab.h>
37 #include <linux/module.h>
38 #include <linux/init.h>
39 #include <linux/fs.h>
40 #include <linux/miscdevice.h>
41 #include <linux/uinput.h>
42 #include <linux/overflow.h>
43 #include <linux/input/mt.h>
44 #include "../input-compat.h"
45
uinput_dev_event(struct input_dev * dev,unsigned int type,unsigned int code,int value)46 static int uinput_dev_event(struct input_dev *dev,
47 unsigned int type, unsigned int code, int value)
48 {
49 struct uinput_device *udev = input_get_drvdata(dev);
50
51 udev->buff[udev->head].type = type;
52 udev->buff[udev->head].code = code;
53 udev->buff[udev->head].value = value;
54 do_gettimeofday(&udev->buff[udev->head].time);
55 udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
56
57 wake_up_interruptible(&udev->waitq);
58
59 return 0;
60 }
61
62 /* Atomically allocate an ID for the given request. Returns 0 on success. */
uinput_request_alloc_id(struct uinput_device * udev,struct uinput_request * request)63 static bool uinput_request_alloc_id(struct uinput_device *udev,
64 struct uinput_request *request)
65 {
66 unsigned int id;
67 bool reserved = false;
68
69 spin_lock(&udev->requests_lock);
70
71 for (id = 0; id < UINPUT_NUM_REQUESTS; id++) {
72 if (!udev->requests[id]) {
73 request->id = id;
74 udev->requests[id] = request;
75 reserved = true;
76 break;
77 }
78 }
79
80 spin_unlock(&udev->requests_lock);
81 return reserved;
82 }
83
uinput_request_find(struct uinput_device * udev,unsigned int id)84 static struct uinput_request *uinput_request_find(struct uinput_device *udev,
85 unsigned int id)
86 {
87 /* Find an input request, by ID. Returns NULL if the ID isn't valid. */
88 if (id >= UINPUT_NUM_REQUESTS)
89 return NULL;
90
91 return udev->requests[id];
92 }
93
uinput_request_reserve_slot(struct uinput_device * udev,struct uinput_request * request)94 static int uinput_request_reserve_slot(struct uinput_device *udev,
95 struct uinput_request *request)
96 {
97 /* Allocate slot. If none are available right away, wait. */
98 return wait_event_interruptible(udev->requests_waitq,
99 uinput_request_alloc_id(udev, request));
100 }
101
uinput_request_release_slot(struct uinput_device * udev,unsigned int id)102 static void uinput_request_release_slot(struct uinput_device *udev,
103 unsigned int id)
104 {
105 /* Mark slot as available */
106 spin_lock(&udev->requests_lock);
107 udev->requests[id] = NULL;
108 spin_unlock(&udev->requests_lock);
109
110 wake_up(&udev->requests_waitq);
111 }
112
uinput_request_send(struct uinput_device * udev,struct uinput_request * request)113 static int uinput_request_send(struct uinput_device *udev,
114 struct uinput_request *request)
115 {
116 int retval;
117
118 retval = mutex_lock_interruptible(&udev->mutex);
119 if (retval)
120 return retval;
121
122 if (udev->state != UIST_CREATED) {
123 retval = -ENODEV;
124 goto out;
125 }
126
127 init_completion(&request->done);
128
129 /*
130 * Tell our userspace application about this new request
131 * by queueing an input event.
132 */
133 uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
134
135 out:
136 mutex_unlock(&udev->mutex);
137 return retval;
138 }
139
uinput_request_submit(struct uinput_device * udev,struct uinput_request * request)140 static int uinput_request_submit(struct uinput_device *udev,
141 struct uinput_request *request)
142 {
143 int retval;
144
145 retval = uinput_request_reserve_slot(udev, request);
146 if (retval)
147 return retval;
148
149 retval = uinput_request_send(udev, request);
150 if (retval)
151 goto out;
152
153 wait_for_completion(&request->done);
154 retval = request->retval;
155
156 out:
157 uinput_request_release_slot(udev, request->id);
158 return retval;
159 }
160
161 /*
162 * Fail all outstanding requests so handlers don't wait for the userspace
163 * to finish processing them.
164 */
uinput_flush_requests(struct uinput_device * udev)165 static void uinput_flush_requests(struct uinput_device *udev)
166 {
167 struct uinput_request *request;
168 int i;
169
170 spin_lock(&udev->requests_lock);
171
172 for (i = 0; i < UINPUT_NUM_REQUESTS; i++) {
173 request = udev->requests[i];
174 if (request) {
175 request->retval = -ENODEV;
176 complete(&request->done);
177 }
178 }
179
180 spin_unlock(&udev->requests_lock);
181 }
182
uinput_dev_set_gain(struct input_dev * dev,u16 gain)183 static void uinput_dev_set_gain(struct input_dev *dev, u16 gain)
184 {
185 uinput_dev_event(dev, EV_FF, FF_GAIN, gain);
186 }
187
uinput_dev_set_autocenter(struct input_dev * dev,u16 magnitude)188 static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude)
189 {
190 uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude);
191 }
192
uinput_dev_playback(struct input_dev * dev,int effect_id,int value)193 static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value)
194 {
195 return uinput_dev_event(dev, EV_FF, effect_id, value);
196 }
197
uinput_dev_upload_effect(struct input_dev * dev,struct ff_effect * effect,struct ff_effect * old)198 static int uinput_dev_upload_effect(struct input_dev *dev,
199 struct ff_effect *effect,
200 struct ff_effect *old)
201 {
202 struct uinput_device *udev = input_get_drvdata(dev);
203 struct uinput_request request;
204
205 /*
206 * uinput driver does not currently support periodic effects with
207 * custom waveform since it does not have a way to pass buffer of
208 * samples (custom_data) to userspace. If ever there is a device
209 * supporting custom waveforms we would need to define an additional
210 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out.
211 */
212 if (effect->type == FF_PERIODIC &&
213 effect->u.periodic.waveform == FF_CUSTOM)
214 return -EINVAL;
215
216 request.code = UI_FF_UPLOAD;
217 request.u.upload.effect = effect;
218 request.u.upload.old = old;
219
220 return uinput_request_submit(udev, &request);
221 }
222
uinput_dev_erase_effect(struct input_dev * dev,int effect_id)223 static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id)
224 {
225 struct uinput_device *udev = input_get_drvdata(dev);
226 struct uinput_request request;
227
228 if (!test_bit(EV_FF, dev->evbit))
229 return -ENOSYS;
230
231 request.code = UI_FF_ERASE;
232 request.u.effect_id = effect_id;
233
234 return uinput_request_submit(udev, &request);
235 }
236
uinput_dev_flush(struct input_dev * dev,struct file * file)237 static int uinput_dev_flush(struct input_dev *dev, struct file *file)
238 {
239 /*
240 * If we are called with file == NULL that means we are tearing
241 * down the device, and therefore we can not handle FF erase
242 * requests: either we are handling UI_DEV_DESTROY (and holding
243 * the udev->mutex), or the file descriptor is closed and there is
244 * nobody on the other side anymore.
245 */
246 return file ? input_ff_flush(dev, file) : 0;
247 }
248
uinput_destroy_device(struct uinput_device * udev)249 static void uinput_destroy_device(struct uinput_device *udev)
250 {
251 const char *name, *phys;
252 struct input_dev *dev = udev->dev;
253 enum uinput_state old_state = udev->state;
254
255 udev->state = UIST_NEW_DEVICE;
256
257 if (dev) {
258 name = dev->name;
259 phys = dev->phys;
260 if (old_state == UIST_CREATED) {
261 uinput_flush_requests(udev);
262 input_unregister_device(dev);
263 } else {
264 input_free_device(dev);
265 }
266 kfree(name);
267 kfree(phys);
268 udev->dev = NULL;
269 }
270 }
271
uinput_create_device(struct uinput_device * udev)272 static int uinput_create_device(struct uinput_device *udev)
273 {
274 struct input_dev *dev = udev->dev;
275 int error, nslot;
276
277 if (udev->state != UIST_SETUP_COMPLETE) {
278 printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
279 return -EINVAL;
280 }
281
282 if (test_bit(EV_ABS, dev->evbit)) {
283 input_alloc_absinfo(dev);
284 if (!dev->absinfo) {
285 error = -EINVAL;
286 goto fail1;
287 }
288
289 if (test_bit(ABS_MT_SLOT, dev->absbit)) {
290 nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
291 error = input_mt_init_slots(dev, nslot, 0);
292 if (error)
293 goto fail1;
294 } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
295 input_set_events_per_packet(dev, 60);
296 }
297 }
298
299 if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
300 printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
301 UINPUT_NAME);
302 error = -EINVAL;
303 goto fail1;
304 }
305
306 if (udev->ff_effects_max) {
307 error = input_ff_create(dev, udev->ff_effects_max);
308 if (error)
309 goto fail1;
310
311 dev->ff->upload = uinput_dev_upload_effect;
312 dev->ff->erase = uinput_dev_erase_effect;
313 dev->ff->playback = uinput_dev_playback;
314 dev->ff->set_gain = uinput_dev_set_gain;
315 dev->ff->set_autocenter = uinput_dev_set_autocenter;
316 /*
317 * The standard input_ff_flush() implementation does
318 * not quite work for uinput as we can't reasonably
319 * handle FF requests during device teardown.
320 */
321 dev->flush = uinput_dev_flush;
322 }
323
324 error = input_register_device(udev->dev);
325 if (error)
326 goto fail2;
327
328 udev->state = UIST_CREATED;
329
330 return 0;
331
332 fail2: input_ff_destroy(dev);
333 fail1: uinput_destroy_device(udev);
334 return error;
335 }
336
uinput_open(struct inode * inode,struct file * file)337 static int uinput_open(struct inode *inode, struct file *file)
338 {
339 struct uinput_device *newdev;
340
341 newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL);
342 if (!newdev)
343 return -ENOMEM;
344
345 mutex_init(&newdev->mutex);
346 spin_lock_init(&newdev->requests_lock);
347 init_waitqueue_head(&newdev->requests_waitq);
348 init_waitqueue_head(&newdev->waitq);
349 newdev->state = UIST_NEW_DEVICE;
350
351 file->private_data = newdev;
352 nonseekable_open(inode, file);
353
354 return 0;
355 }
356
uinput_validate_absinfo(struct input_dev * dev,unsigned int code,const struct input_absinfo * abs)357 static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
358 const struct input_absinfo *abs)
359 {
360 int min, max, range;
361
362 min = abs->minimum;
363 max = abs->maximum;
364
365 if ((min != 0 || max != 0) && max <= min) {
366 printk(KERN_DEBUG
367 "%s: invalid abs[%02x] min:%d max:%d\n",
368 UINPUT_NAME, code, min, max);
369 return -EINVAL;
370 }
371
372 if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
373 printk(KERN_DEBUG
374 "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
375 UINPUT_NAME, code, abs->flat, min, max);
376 return -EINVAL;
377 }
378
379 return 0;
380 }
381
uinput_validate_absbits(struct input_dev * dev)382 static int uinput_validate_absbits(struct input_dev *dev)
383 {
384 unsigned int cnt;
385 int error;
386
387 if (!test_bit(EV_ABS, dev->evbit))
388 return 0;
389
390 /*
391 * Check if absmin/absmax/absfuzz/absflat are sane.
392 */
393
394 for_each_set_bit(cnt, dev->absbit, ABS_CNT) {
395 if (!dev->absinfo)
396 return -EINVAL;
397
398 error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]);
399 if (error)
400 return error;
401 }
402
403 return 0;
404 }
405
uinput_allocate_device(struct uinput_device * udev)406 static int uinput_allocate_device(struct uinput_device *udev)
407 {
408 udev->dev = input_allocate_device();
409 if (!udev->dev)
410 return -ENOMEM;
411
412 udev->dev->event = uinput_dev_event;
413 input_set_drvdata(udev->dev, udev);
414
415 return 0;
416 }
417
uinput_dev_setup(struct uinput_device * udev,struct uinput_setup __user * arg)418 static int uinput_dev_setup(struct uinput_device *udev,
419 struct uinput_setup __user *arg)
420 {
421 struct uinput_setup setup;
422 struct input_dev *dev;
423
424 if (udev->state == UIST_CREATED)
425 return -EINVAL;
426
427 if (copy_from_user(&setup, arg, sizeof(setup)))
428 return -EFAULT;
429
430 if (!setup.name[0])
431 return -EINVAL;
432
433 dev = udev->dev;
434 dev->id = setup.id;
435 udev->ff_effects_max = setup.ff_effects_max;
436
437 kfree(dev->name);
438 dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
439 if (!dev->name)
440 return -ENOMEM;
441
442 udev->state = UIST_SETUP_COMPLETE;
443 return 0;
444 }
445
uinput_abs_setup(struct uinput_device * udev,struct uinput_setup __user * arg,size_t size)446 static int uinput_abs_setup(struct uinput_device *udev,
447 struct uinput_setup __user *arg, size_t size)
448 {
449 struct uinput_abs_setup setup = {};
450 struct input_dev *dev;
451 int error;
452
453 if (size > sizeof(setup))
454 return -E2BIG;
455
456 if (udev->state == UIST_CREATED)
457 return -EINVAL;
458
459 if (copy_from_user(&setup, arg, size))
460 return -EFAULT;
461
462 if (setup.code > ABS_MAX)
463 return -ERANGE;
464
465 dev = udev->dev;
466
467 error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo);
468 if (error)
469 return error;
470
471 input_alloc_absinfo(dev);
472 if (!dev->absinfo)
473 return -ENOMEM;
474
475 set_bit(setup.code, dev->absbit);
476 dev->absinfo[setup.code] = setup.absinfo;
477 return 0;
478 }
479
480 /* legacy setup via write() */
uinput_setup_device_legacy(struct uinput_device * udev,const char __user * buffer,size_t count)481 static int uinput_setup_device_legacy(struct uinput_device *udev,
482 const char __user *buffer, size_t count)
483 {
484 struct uinput_user_dev *user_dev;
485 struct input_dev *dev;
486 int i;
487 int retval;
488
489 if (count != sizeof(struct uinput_user_dev))
490 return -EINVAL;
491
492 if (!udev->dev) {
493 retval = uinput_allocate_device(udev);
494 if (retval)
495 return retval;
496 }
497
498 dev = udev->dev;
499
500 user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
501 if (IS_ERR(user_dev))
502 return PTR_ERR(user_dev);
503
504 udev->ff_effects_max = user_dev->ff_effects_max;
505
506 /* Ensure name is filled in */
507 if (!user_dev->name[0]) {
508 retval = -EINVAL;
509 goto exit;
510 }
511
512 kfree(dev->name);
513 dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE,
514 GFP_KERNEL);
515 if (!dev->name) {
516 retval = -ENOMEM;
517 goto exit;
518 }
519
520 dev->id.bustype = user_dev->id.bustype;
521 dev->id.vendor = user_dev->id.vendor;
522 dev->id.product = user_dev->id.product;
523 dev->id.version = user_dev->id.version;
524
525 for (i = 0; i < ABS_CNT; i++) {
526 input_abs_set_max(dev, i, user_dev->absmax[i]);
527 input_abs_set_min(dev, i, user_dev->absmin[i]);
528 input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
529 input_abs_set_flat(dev, i, user_dev->absflat[i]);
530 }
531
532 retval = uinput_validate_absbits(dev);
533 if (retval < 0)
534 goto exit;
535
536 udev->state = UIST_SETUP_COMPLETE;
537 retval = count;
538
539 exit:
540 kfree(user_dev);
541 return retval;
542 }
543
uinput_inject_events(struct uinput_device * udev,const char __user * buffer,size_t count)544 static ssize_t uinput_inject_events(struct uinput_device *udev,
545 const char __user *buffer, size_t count)
546 {
547 struct input_event ev;
548 size_t bytes = 0;
549
550 if (count != 0 && count < input_event_size())
551 return -EINVAL;
552
553 while (bytes + input_event_size() <= count) {
554 /*
555 * Note that even if some events were fetched successfully
556 * we are still going to return EFAULT instead of partial
557 * count to let userspace know that it got it's buffers
558 * all wrong.
559 */
560 if (input_event_from_user(buffer + bytes, &ev))
561 return -EFAULT;
562
563 input_event(udev->dev, ev.type, ev.code, ev.value);
564 bytes += input_event_size();
565 }
566
567 return bytes;
568 }
569
uinput_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)570 static ssize_t uinput_write(struct file *file, const char __user *buffer,
571 size_t count, loff_t *ppos)
572 {
573 struct uinput_device *udev = file->private_data;
574 int retval;
575
576 if (count == 0)
577 return 0;
578
579 retval = mutex_lock_interruptible(&udev->mutex);
580 if (retval)
581 return retval;
582
583 retval = udev->state == UIST_CREATED ?
584 uinput_inject_events(udev, buffer, count) :
585 uinput_setup_device_legacy(udev, buffer, count);
586
587 mutex_unlock(&udev->mutex);
588
589 return retval;
590 }
591
uinput_fetch_next_event(struct uinput_device * udev,struct input_event * event)592 static bool uinput_fetch_next_event(struct uinput_device *udev,
593 struct input_event *event)
594 {
595 bool have_event;
596
597 spin_lock_irq(&udev->dev->event_lock);
598
599 have_event = udev->head != udev->tail;
600 if (have_event) {
601 *event = udev->buff[udev->tail];
602 udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE;
603 }
604
605 spin_unlock_irq(&udev->dev->event_lock);
606
607 return have_event;
608 }
609
uinput_events_to_user(struct uinput_device * udev,char __user * buffer,size_t count)610 static ssize_t uinput_events_to_user(struct uinput_device *udev,
611 char __user *buffer, size_t count)
612 {
613 struct input_event event;
614 size_t read = 0;
615
616 while (read + input_event_size() <= count &&
617 uinput_fetch_next_event(udev, &event)) {
618
619 if (input_event_to_user(buffer + read, &event))
620 return -EFAULT;
621
622 read += input_event_size();
623 }
624
625 return read;
626 }
627
uinput_read(struct file * file,char __user * buffer,size_t count,loff_t * ppos)628 static ssize_t uinput_read(struct file *file, char __user *buffer,
629 size_t count, loff_t *ppos)
630 {
631 struct uinput_device *udev = file->private_data;
632 ssize_t retval;
633
634 if (count != 0 && count < input_event_size())
635 return -EINVAL;
636
637 do {
638 retval = mutex_lock_interruptible(&udev->mutex);
639 if (retval)
640 return retval;
641
642 if (udev->state != UIST_CREATED)
643 retval = -ENODEV;
644 else if (udev->head == udev->tail &&
645 (file->f_flags & O_NONBLOCK))
646 retval = -EAGAIN;
647 else
648 retval = uinput_events_to_user(udev, buffer, count);
649
650 mutex_unlock(&udev->mutex);
651
652 if (retval || count == 0)
653 break;
654
655 if (!(file->f_flags & O_NONBLOCK))
656 retval = wait_event_interruptible(udev->waitq,
657 udev->head != udev->tail ||
658 udev->state != UIST_CREATED);
659 } while (retval == 0);
660
661 return retval;
662 }
663
uinput_poll(struct file * file,poll_table * wait)664 static unsigned int uinput_poll(struct file *file, poll_table *wait)
665 {
666 struct uinput_device *udev = file->private_data;
667
668 poll_wait(file, &udev->waitq, wait);
669
670 if (udev->head != udev->tail)
671 return POLLIN | POLLRDNORM;
672
673 return 0;
674 }
675
uinput_release(struct inode * inode,struct file * file)676 static int uinput_release(struct inode *inode, struct file *file)
677 {
678 struct uinput_device *udev = file->private_data;
679
680 uinput_destroy_device(udev);
681 kfree(udev);
682
683 return 0;
684 }
685
686 #ifdef CONFIG_COMPAT
687 struct uinput_ff_upload_compat {
688 __u32 request_id;
689 __s32 retval;
690 struct ff_effect_compat effect;
691 struct ff_effect_compat old;
692 };
693
uinput_ff_upload_to_user(char __user * buffer,const struct uinput_ff_upload * ff_up)694 static int uinput_ff_upload_to_user(char __user *buffer,
695 const struct uinput_ff_upload *ff_up)
696 {
697 if (in_compat_syscall()) {
698 struct uinput_ff_upload_compat ff_up_compat;
699
700 ff_up_compat.request_id = ff_up->request_id;
701 ff_up_compat.retval = ff_up->retval;
702 /*
703 * It so happens that the pointer that gives us the trouble
704 * is the last field in the structure. Since we don't support
705 * custom waveforms in uinput anyway we can just copy the whole
706 * thing (to the compat size) and ignore the pointer.
707 */
708 memcpy(&ff_up_compat.effect, &ff_up->effect,
709 sizeof(struct ff_effect_compat));
710 memcpy(&ff_up_compat.old, &ff_up->old,
711 sizeof(struct ff_effect_compat));
712
713 if (copy_to_user(buffer, &ff_up_compat,
714 sizeof(struct uinput_ff_upload_compat)))
715 return -EFAULT;
716 } else {
717 if (copy_to_user(buffer, ff_up,
718 sizeof(struct uinput_ff_upload)))
719 return -EFAULT;
720 }
721
722 return 0;
723 }
724
uinput_ff_upload_from_user(const char __user * buffer,struct uinput_ff_upload * ff_up)725 static int uinput_ff_upload_from_user(const char __user *buffer,
726 struct uinput_ff_upload *ff_up)
727 {
728 if (in_compat_syscall()) {
729 struct uinput_ff_upload_compat ff_up_compat;
730
731 if (copy_from_user(&ff_up_compat, buffer,
732 sizeof(struct uinput_ff_upload_compat)))
733 return -EFAULT;
734
735 ff_up->request_id = ff_up_compat.request_id;
736 ff_up->retval = ff_up_compat.retval;
737 memcpy(&ff_up->effect, &ff_up_compat.effect,
738 sizeof(struct ff_effect_compat));
739 memcpy(&ff_up->old, &ff_up_compat.old,
740 sizeof(struct ff_effect_compat));
741
742 } else {
743 if (copy_from_user(ff_up, buffer,
744 sizeof(struct uinput_ff_upload)))
745 return -EFAULT;
746 }
747
748 return 0;
749 }
750
751 #else
752
uinput_ff_upload_to_user(char __user * buffer,const struct uinput_ff_upload * ff_up)753 static int uinput_ff_upload_to_user(char __user *buffer,
754 const struct uinput_ff_upload *ff_up)
755 {
756 if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload)))
757 return -EFAULT;
758
759 return 0;
760 }
761
uinput_ff_upload_from_user(const char __user * buffer,struct uinput_ff_upload * ff_up)762 static int uinput_ff_upload_from_user(const char __user *buffer,
763 struct uinput_ff_upload *ff_up)
764 {
765 if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload)))
766 return -EFAULT;
767
768 return 0;
769 }
770
771 #endif
772
773 #define uinput_set_bit(_arg, _bit, _max) \
774 ({ \
775 int __ret = 0; \
776 if (udev->state == UIST_CREATED) \
777 __ret = -EINVAL; \
778 else if ((_arg) > (_max)) \
779 __ret = -EINVAL; \
780 else set_bit((_arg), udev->dev->_bit); \
781 __ret; \
782 })
783
uinput_str_to_user(void __user * dest,const char * str,unsigned int maxlen)784 static int uinput_str_to_user(void __user *dest, const char *str,
785 unsigned int maxlen)
786 {
787 char __user *p = dest;
788 int len, ret;
789
790 if (!str)
791 return -ENOENT;
792
793 if (maxlen == 0)
794 return -EINVAL;
795
796 len = strlen(str) + 1;
797 if (len > maxlen)
798 len = maxlen;
799
800 ret = copy_to_user(p, str, len);
801 if (ret)
802 return -EFAULT;
803
804 /* force terminating '\0' */
805 ret = put_user(0, p + len - 1);
806 return ret ? -EFAULT : len;
807 }
808
uinput_ioctl_handler(struct file * file,unsigned int cmd,unsigned long arg,void __user * p)809 static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
810 unsigned long arg, void __user *p)
811 {
812 int retval;
813 struct uinput_device *udev = file->private_data;
814 struct uinput_ff_upload ff_up;
815 struct uinput_ff_erase ff_erase;
816 struct uinput_request *req;
817 char *phys;
818 const char *name;
819 unsigned int size;
820
821 retval = mutex_lock_interruptible(&udev->mutex);
822 if (retval)
823 return retval;
824
825 if (!udev->dev) {
826 retval = uinput_allocate_device(udev);
827 if (retval)
828 goto out;
829 }
830
831 switch (cmd) {
832 case UI_GET_VERSION:
833 if (put_user(UINPUT_VERSION,
834 (unsigned int __user *)p))
835 retval = -EFAULT;
836 goto out;
837
838 case UI_DEV_CREATE:
839 retval = uinput_create_device(udev);
840 goto out;
841
842 case UI_DEV_DESTROY:
843 uinput_destroy_device(udev);
844 goto out;
845
846 case UI_DEV_SETUP:
847 retval = uinput_dev_setup(udev, p);
848 goto out;
849
850 /* UI_ABS_SETUP is handled in the variable size ioctls */
851
852 case UI_SET_EVBIT:
853 retval = uinput_set_bit(arg, evbit, EV_MAX);
854 goto out;
855
856 case UI_SET_KEYBIT:
857 retval = uinput_set_bit(arg, keybit, KEY_MAX);
858 goto out;
859
860 case UI_SET_RELBIT:
861 retval = uinput_set_bit(arg, relbit, REL_MAX);
862 goto out;
863
864 case UI_SET_ABSBIT:
865 retval = uinput_set_bit(arg, absbit, ABS_MAX);
866 goto out;
867
868 case UI_SET_MSCBIT:
869 retval = uinput_set_bit(arg, mscbit, MSC_MAX);
870 goto out;
871
872 case UI_SET_LEDBIT:
873 retval = uinput_set_bit(arg, ledbit, LED_MAX);
874 goto out;
875
876 case UI_SET_SNDBIT:
877 retval = uinput_set_bit(arg, sndbit, SND_MAX);
878 goto out;
879
880 case UI_SET_FFBIT:
881 retval = uinput_set_bit(arg, ffbit, FF_MAX);
882 goto out;
883
884 case UI_SET_SWBIT:
885 retval = uinput_set_bit(arg, swbit, SW_MAX);
886 goto out;
887
888 case UI_SET_PROPBIT:
889 retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX);
890 goto out;
891
892 case UI_SET_PHYS:
893 if (udev->state == UIST_CREATED) {
894 retval = -EINVAL;
895 goto out;
896 }
897
898 phys = strndup_user(p, 1024);
899 if (IS_ERR(phys)) {
900 retval = PTR_ERR(phys);
901 goto out;
902 }
903
904 kfree(udev->dev->phys);
905 udev->dev->phys = phys;
906 goto out;
907
908 case UI_BEGIN_FF_UPLOAD:
909 retval = uinput_ff_upload_from_user(p, &ff_up);
910 if (retval)
911 goto out;
912
913 req = uinput_request_find(udev, ff_up.request_id);
914 if (!req || req->code != UI_FF_UPLOAD ||
915 !req->u.upload.effect) {
916 retval = -EINVAL;
917 goto out;
918 }
919
920 ff_up.retval = 0;
921 ff_up.effect = *req->u.upload.effect;
922 if (req->u.upload.old)
923 ff_up.old = *req->u.upload.old;
924 else
925 memset(&ff_up.old, 0, sizeof(struct ff_effect));
926
927 retval = uinput_ff_upload_to_user(p, &ff_up);
928 goto out;
929
930 case UI_BEGIN_FF_ERASE:
931 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
932 retval = -EFAULT;
933 goto out;
934 }
935
936 req = uinput_request_find(udev, ff_erase.request_id);
937 if (!req || req->code != UI_FF_ERASE) {
938 retval = -EINVAL;
939 goto out;
940 }
941
942 ff_erase.retval = 0;
943 ff_erase.effect_id = req->u.effect_id;
944 if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) {
945 retval = -EFAULT;
946 goto out;
947 }
948
949 goto out;
950
951 case UI_END_FF_UPLOAD:
952 retval = uinput_ff_upload_from_user(p, &ff_up);
953 if (retval)
954 goto out;
955
956 req = uinput_request_find(udev, ff_up.request_id);
957 if (!req || req->code != UI_FF_UPLOAD ||
958 !req->u.upload.effect) {
959 retval = -EINVAL;
960 goto out;
961 }
962
963 req->retval = ff_up.retval;
964 complete(&req->done);
965 goto out;
966
967 case UI_END_FF_ERASE:
968 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
969 retval = -EFAULT;
970 goto out;
971 }
972
973 req = uinput_request_find(udev, ff_erase.request_id);
974 if (!req || req->code != UI_FF_ERASE) {
975 retval = -EINVAL;
976 goto out;
977 }
978
979 req->retval = ff_erase.retval;
980 complete(&req->done);
981 goto out;
982 }
983
984 size = _IOC_SIZE(cmd);
985
986 /* Now check variable-length commands */
987 switch (cmd & ~IOCSIZE_MASK) {
988 case UI_GET_SYSNAME(0):
989 if (udev->state != UIST_CREATED) {
990 retval = -ENOENT;
991 goto out;
992 }
993 name = dev_name(&udev->dev->dev);
994 retval = uinput_str_to_user(p, name, size);
995 goto out;
996
997 case UI_ABS_SETUP & ~IOCSIZE_MASK:
998 retval = uinput_abs_setup(udev, p, size);
999 goto out;
1000 }
1001
1002 retval = -EINVAL;
1003 out:
1004 mutex_unlock(&udev->mutex);
1005 return retval;
1006 }
1007
uinput_ioctl(struct file * file,unsigned int cmd,unsigned long arg)1008 static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1009 {
1010 return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg);
1011 }
1012
1013 #ifdef CONFIG_COMPAT
1014
1015 /*
1016 * These IOCTLs change their size and thus their numbers between
1017 * 32 and 64 bits.
1018 */
1019 #define UI_SET_PHYS_COMPAT \
1020 _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
1021 #define UI_BEGIN_FF_UPLOAD_COMPAT \
1022 _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
1023 #define UI_END_FF_UPLOAD_COMPAT \
1024 _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
1025
uinput_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)1026 static long uinput_compat_ioctl(struct file *file,
1027 unsigned int cmd, unsigned long arg)
1028 {
1029 switch (cmd) {
1030 case UI_SET_PHYS_COMPAT:
1031 cmd = UI_SET_PHYS;
1032 break;
1033 case UI_BEGIN_FF_UPLOAD_COMPAT:
1034 cmd = UI_BEGIN_FF_UPLOAD;
1035 break;
1036 case UI_END_FF_UPLOAD_COMPAT:
1037 cmd = UI_END_FF_UPLOAD;
1038 break;
1039 }
1040
1041 return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1042 }
1043 #endif
1044
1045 static const struct file_operations uinput_fops = {
1046 .owner = THIS_MODULE,
1047 .open = uinput_open,
1048 .release = uinput_release,
1049 .read = uinput_read,
1050 .write = uinput_write,
1051 .poll = uinput_poll,
1052 .unlocked_ioctl = uinput_ioctl,
1053 #ifdef CONFIG_COMPAT
1054 .compat_ioctl = uinput_compat_ioctl,
1055 #endif
1056 .llseek = no_llseek,
1057 };
1058
1059 static struct miscdevice uinput_misc = {
1060 .fops = &uinput_fops,
1061 .minor = UINPUT_MINOR,
1062 .name = UINPUT_NAME,
1063 };
1064 module_misc_device(uinput_misc);
1065
1066 MODULE_ALIAS_MISCDEV(UINPUT_MINOR);
1067 MODULE_ALIAS("devname:" UINPUT_NAME);
1068
1069 MODULE_AUTHOR("Aristeu Sergio Rozanski Filho");
1070 MODULE_DESCRIPTION("User level driver support for input subsystem");
1071 MODULE_LICENSE("GPL");
1072 MODULE_VERSION("0.3");
1073