• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  User level driver support for input subsystem
3  *
4  * Heavily based on evdev.c by Vojtech Pavlik
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19  *
20  * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
21  *
22  * Changes/Revisions:
23  *	0.4	01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>)
24  *		- add UI_GET_SYSNAME ioctl
25  *	0.3	09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>)
26  *		- updated ff support for the changes in kernel interface
27  *		- added MODULE_VERSION
28  *	0.2	16/10/2004 (Micah Dowty <micah@navi.cx>)
29  *		- added force feedback support
30  *              - added UI_SET_PHYS
31  *	0.1	20/06/2002
32  *		- first public version
33  */
34 #include <linux/poll.h>
35 #include <linux/sched.h>
36 #include <linux/slab.h>
37 #include <linux/module.h>
38 #include <linux/init.h>
39 #include <linux/fs.h>
40 #include <linux/miscdevice.h>
41 #include <linux/uinput.h>
42 #include <linux/input/mt.h>
43 #include "../input-compat.h"
44 
uinput_dev_event(struct input_dev * dev,unsigned int type,unsigned int code,int value)45 static int uinput_dev_event(struct input_dev *dev,
46 			    unsigned int type, unsigned int code, int value)
47 {
48 	struct uinput_device	*udev = input_get_drvdata(dev);
49 
50 	udev->buff[udev->head].type = type;
51 	udev->buff[udev->head].code = code;
52 	udev->buff[udev->head].value = value;
53 	do_gettimeofday(&udev->buff[udev->head].time);
54 	udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
55 
56 	wake_up_interruptible(&udev->waitq);
57 
58 	return 0;
59 }
60 
61 /* Atomically allocate an ID for the given request. Returns 0 on success. */
uinput_request_alloc_id(struct uinput_device * udev,struct uinput_request * request)62 static bool uinput_request_alloc_id(struct uinput_device *udev,
63 				    struct uinput_request *request)
64 {
65 	unsigned int id;
66 	bool reserved = false;
67 
68 	spin_lock(&udev->requests_lock);
69 
70 	for (id = 0; id < UINPUT_NUM_REQUESTS; id++) {
71 		if (!udev->requests[id]) {
72 			request->id = id;
73 			udev->requests[id] = request;
74 			reserved = true;
75 			break;
76 		}
77 	}
78 
79 	spin_unlock(&udev->requests_lock);
80 	return reserved;
81 }
82 
uinput_request_find(struct uinput_device * udev,unsigned int id)83 static struct uinput_request *uinput_request_find(struct uinput_device *udev,
84 						  unsigned int id)
85 {
86 	/* Find an input request, by ID. Returns NULL if the ID isn't valid. */
87 	if (id >= UINPUT_NUM_REQUESTS)
88 		return NULL;
89 
90 	return udev->requests[id];
91 }
92 
uinput_request_reserve_slot(struct uinput_device * udev,struct uinput_request * request)93 static int uinput_request_reserve_slot(struct uinput_device *udev,
94 				       struct uinput_request *request)
95 {
96 	/* Allocate slot. If none are available right away, wait. */
97 	return wait_event_interruptible(udev->requests_waitq,
98 					uinput_request_alloc_id(udev, request));
99 }
100 
uinput_request_done(struct uinput_device * udev,struct uinput_request * request)101 static void uinput_request_done(struct uinput_device *udev,
102 				struct uinput_request *request)
103 {
104 	/* Mark slot as available */
105 	udev->requests[request->id] = NULL;
106 	wake_up(&udev->requests_waitq);
107 
108 	complete(&request->done);
109 }
110 
uinput_request_send(struct uinput_device * udev,struct uinput_request * request)111 static int uinput_request_send(struct uinput_device *udev,
112 			       struct uinput_request *request)
113 {
114 	int retval;
115 
116 	retval = mutex_lock_interruptible(&udev->mutex);
117 	if (retval)
118 		return retval;
119 
120 	if (udev->state != UIST_CREATED) {
121 		retval = -ENODEV;
122 		goto out;
123 	}
124 
125 	init_completion(&request->done);
126 
127 	/*
128 	 * Tell our userspace application about this new request
129 	 * by queueing an input event.
130 	 */
131 	uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
132 
133  out:
134 	mutex_unlock(&udev->mutex);
135 	return retval;
136 }
137 
uinput_request_submit(struct uinput_device * udev,struct uinput_request * request)138 static int uinput_request_submit(struct uinput_device *udev,
139 				 struct uinput_request *request)
140 {
141 	int error;
142 
143 	error = uinput_request_reserve_slot(udev, request);
144 	if (error)
145 		return error;
146 
147 	error = uinput_request_send(udev, request);
148 	if (error) {
149 		uinput_request_done(udev, request);
150 		return error;
151 	}
152 
153 	wait_for_completion(&request->done);
154 	return request->retval;
155 }
156 
157 /*
158  * Fail all outstanding requests so handlers don't wait for the userspace
159  * to finish processing them.
160  */
uinput_flush_requests(struct uinput_device * udev)161 static void uinput_flush_requests(struct uinput_device *udev)
162 {
163 	struct uinput_request *request;
164 	int i;
165 
166 	spin_lock(&udev->requests_lock);
167 
168 	for (i = 0; i < UINPUT_NUM_REQUESTS; i++) {
169 		request = udev->requests[i];
170 		if (request) {
171 			request->retval = -ENODEV;
172 			uinput_request_done(udev, request);
173 		}
174 	}
175 
176 	spin_unlock(&udev->requests_lock);
177 }
178 
uinput_dev_set_gain(struct input_dev * dev,u16 gain)179 static void uinput_dev_set_gain(struct input_dev *dev, u16 gain)
180 {
181 	uinput_dev_event(dev, EV_FF, FF_GAIN, gain);
182 }
183 
uinput_dev_set_autocenter(struct input_dev * dev,u16 magnitude)184 static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude)
185 {
186 	uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude);
187 }
188 
uinput_dev_playback(struct input_dev * dev,int effect_id,int value)189 static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value)
190 {
191 	return uinput_dev_event(dev, EV_FF, effect_id, value);
192 }
193 
uinput_dev_upload_effect(struct input_dev * dev,struct ff_effect * effect,struct ff_effect * old)194 static int uinput_dev_upload_effect(struct input_dev *dev,
195 				    struct ff_effect *effect,
196 				    struct ff_effect *old)
197 {
198 	struct uinput_device *udev = input_get_drvdata(dev);
199 	struct uinput_request request;
200 
201 	/*
202 	 * uinput driver does not currently support periodic effects with
203 	 * custom waveform since it does not have a way to pass buffer of
204 	 * samples (custom_data) to userspace. If ever there is a device
205 	 * supporting custom waveforms we would need to define an additional
206 	 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out.
207 	 */
208 	if (effect->type == FF_PERIODIC &&
209 			effect->u.periodic.waveform == FF_CUSTOM)
210 		return -EINVAL;
211 
212 	request.code = UI_FF_UPLOAD;
213 	request.u.upload.effect = effect;
214 	request.u.upload.old = old;
215 
216 	return uinput_request_submit(udev, &request);
217 }
218 
uinput_dev_erase_effect(struct input_dev * dev,int effect_id)219 static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id)
220 {
221 	struct uinput_device *udev = input_get_drvdata(dev);
222 	struct uinput_request request;
223 
224 	if (!test_bit(EV_FF, dev->evbit))
225 		return -ENOSYS;
226 
227 	request.code = UI_FF_ERASE;
228 	request.u.effect_id = effect_id;
229 
230 	return uinput_request_submit(udev, &request);
231 }
232 
uinput_destroy_device(struct uinput_device * udev)233 static void uinput_destroy_device(struct uinput_device *udev)
234 {
235 	const char *name, *phys;
236 	struct input_dev *dev = udev->dev;
237 	enum uinput_state old_state = udev->state;
238 
239 	udev->state = UIST_NEW_DEVICE;
240 
241 	if (dev) {
242 		name = dev->name;
243 		phys = dev->phys;
244 		if (old_state == UIST_CREATED) {
245 			uinput_flush_requests(udev);
246 			input_unregister_device(dev);
247 		} else {
248 			input_free_device(dev);
249 		}
250 		kfree(name);
251 		kfree(phys);
252 		udev->dev = NULL;
253 	}
254 }
255 
uinput_create_device(struct uinput_device * udev)256 static int uinput_create_device(struct uinput_device *udev)
257 {
258 	struct input_dev *dev = udev->dev;
259 	int error, nslot;
260 
261 	if (udev->state != UIST_SETUP_COMPLETE) {
262 		printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
263 		return -EINVAL;
264 	}
265 
266 	if (test_bit(EV_ABS, dev->evbit)) {
267 		input_alloc_absinfo(dev);
268 		if (!dev->absinfo) {
269 			error = -EINVAL;
270 			goto fail1;
271 		}
272 
273 		if (test_bit(ABS_MT_SLOT, dev->absbit)) {
274 			nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
275 			error = input_mt_init_slots(dev, nslot, 0);
276 			if (error)
277 				goto fail1;
278 		} else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
279 			input_set_events_per_packet(dev, 60);
280 		}
281 	}
282 
283 	if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
284 		printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
285 			UINPUT_NAME);
286 		error = -EINVAL;
287 		goto fail1;
288 	}
289 
290 	if (udev->ff_effects_max) {
291 		error = input_ff_create(dev, udev->ff_effects_max);
292 		if (error)
293 			goto fail1;
294 
295 		dev->ff->upload = uinput_dev_upload_effect;
296 		dev->ff->erase = uinput_dev_erase_effect;
297 		dev->ff->playback = uinput_dev_playback;
298 		dev->ff->set_gain = uinput_dev_set_gain;
299 		dev->ff->set_autocenter = uinput_dev_set_autocenter;
300 	}
301 
302 	error = input_register_device(udev->dev);
303 	if (error)
304 		goto fail2;
305 
306 	udev->state = UIST_CREATED;
307 
308 	return 0;
309 
310  fail2:	input_ff_destroy(dev);
311  fail1: uinput_destroy_device(udev);
312 	return error;
313 }
314 
uinput_open(struct inode * inode,struct file * file)315 static int uinput_open(struct inode *inode, struct file *file)
316 {
317 	struct uinput_device *newdev;
318 
319 	newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL);
320 	if (!newdev)
321 		return -ENOMEM;
322 
323 	mutex_init(&newdev->mutex);
324 	spin_lock_init(&newdev->requests_lock);
325 	init_waitqueue_head(&newdev->requests_waitq);
326 	init_waitqueue_head(&newdev->waitq);
327 	newdev->state = UIST_NEW_DEVICE;
328 
329 	file->private_data = newdev;
330 	nonseekable_open(inode, file);
331 
332 	return 0;
333 }
334 
uinput_validate_absinfo(struct input_dev * dev,unsigned int code,const struct input_absinfo * abs)335 static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
336 				   const struct input_absinfo *abs)
337 {
338 	int min, max;
339 
340 	min = abs->minimum;
341 	max = abs->maximum;
342 
343 	if ((min != 0 || max != 0) && max <= min) {
344 		printk(KERN_DEBUG
345 		       "%s: invalid abs[%02x] min:%d max:%d\n",
346 		       UINPUT_NAME, code, min, max);
347 		return -EINVAL;
348 	}
349 
350 	if (abs->flat > max - min) {
351 		printk(KERN_DEBUG
352 		       "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
353 		       UINPUT_NAME, code, abs->flat, min, max);
354 		return -EINVAL;
355 	}
356 
357 	return 0;
358 }
359 
uinput_validate_absbits(struct input_dev * dev)360 static int uinput_validate_absbits(struct input_dev *dev)
361 {
362 	unsigned int cnt;
363 	int error;
364 
365 	if (!test_bit(EV_ABS, dev->evbit))
366 		return 0;
367 
368 	/*
369 	 * Check if absmin/absmax/absfuzz/absflat are sane.
370 	 */
371 
372 	for_each_set_bit(cnt, dev->absbit, ABS_CNT) {
373 		if (!dev->absinfo)
374 			return -EINVAL;
375 
376 		error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]);
377 		if (error)
378 			return error;
379 	}
380 
381 	return 0;
382 }
383 
uinput_allocate_device(struct uinput_device * udev)384 static int uinput_allocate_device(struct uinput_device *udev)
385 {
386 	udev->dev = input_allocate_device();
387 	if (!udev->dev)
388 		return -ENOMEM;
389 
390 	udev->dev->event = uinput_dev_event;
391 	input_set_drvdata(udev->dev, udev);
392 
393 	return 0;
394 }
395 
uinput_dev_setup(struct uinput_device * udev,struct uinput_setup __user * arg)396 static int uinput_dev_setup(struct uinput_device *udev,
397 			    struct uinput_setup __user *arg)
398 {
399 	struct uinput_setup setup;
400 	struct input_dev *dev;
401 
402 	if (udev->state == UIST_CREATED)
403 		return -EINVAL;
404 
405 	if (copy_from_user(&setup, arg, sizeof(setup)))
406 		return -EFAULT;
407 
408 	if (!setup.name[0])
409 		return -EINVAL;
410 
411 	dev = udev->dev;
412 	dev->id = setup.id;
413 	udev->ff_effects_max = setup.ff_effects_max;
414 
415 	kfree(dev->name);
416 	dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
417 	if (!dev->name)
418 		return -ENOMEM;
419 
420 	udev->state = UIST_SETUP_COMPLETE;
421 	return 0;
422 }
423 
uinput_abs_setup(struct uinput_device * udev,struct uinput_setup __user * arg,size_t size)424 static int uinput_abs_setup(struct uinput_device *udev,
425 			    struct uinput_setup __user *arg, size_t size)
426 {
427 	struct uinput_abs_setup setup = {};
428 	struct input_dev *dev;
429 	int error;
430 
431 	if (size > sizeof(setup))
432 		return -E2BIG;
433 
434 	if (udev->state == UIST_CREATED)
435 		return -EINVAL;
436 
437 	if (copy_from_user(&setup, arg, size))
438 		return -EFAULT;
439 
440 	if (setup.code > ABS_MAX)
441 		return -ERANGE;
442 
443 	dev = udev->dev;
444 
445 	error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo);
446 	if (error)
447 		return error;
448 
449 	input_alloc_absinfo(dev);
450 	if (!dev->absinfo)
451 		return -ENOMEM;
452 
453 	set_bit(setup.code, dev->absbit);
454 	dev->absinfo[setup.code] = setup.absinfo;
455 	return 0;
456 }
457 
458 /* legacy setup via write() */
uinput_setup_device_legacy(struct uinput_device * udev,const char __user * buffer,size_t count)459 static int uinput_setup_device_legacy(struct uinput_device *udev,
460 				      const char __user *buffer, size_t count)
461 {
462 	struct uinput_user_dev	*user_dev;
463 	struct input_dev	*dev;
464 	int			i;
465 	int			retval;
466 
467 	if (count != sizeof(struct uinput_user_dev))
468 		return -EINVAL;
469 
470 	if (!udev->dev) {
471 		retval = uinput_allocate_device(udev);
472 		if (retval)
473 			return retval;
474 	}
475 
476 	dev = udev->dev;
477 
478 	user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
479 	if (IS_ERR(user_dev))
480 		return PTR_ERR(user_dev);
481 
482 	udev->ff_effects_max = user_dev->ff_effects_max;
483 
484 	/* Ensure name is filled in */
485 	if (!user_dev->name[0]) {
486 		retval = -EINVAL;
487 		goto exit;
488 	}
489 
490 	kfree(dev->name);
491 	dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE,
492 			     GFP_KERNEL);
493 	if (!dev->name) {
494 		retval = -ENOMEM;
495 		goto exit;
496 	}
497 
498 	dev->id.bustype	= user_dev->id.bustype;
499 	dev->id.vendor	= user_dev->id.vendor;
500 	dev->id.product	= user_dev->id.product;
501 	dev->id.version	= user_dev->id.version;
502 
503 	for (i = 0; i < ABS_CNT; i++) {
504 		input_abs_set_max(dev, i, user_dev->absmax[i]);
505 		input_abs_set_min(dev, i, user_dev->absmin[i]);
506 		input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
507 		input_abs_set_flat(dev, i, user_dev->absflat[i]);
508 	}
509 
510 	retval = uinput_validate_absbits(dev);
511 	if (retval < 0)
512 		goto exit;
513 
514 	udev->state = UIST_SETUP_COMPLETE;
515 	retval = count;
516 
517  exit:
518 	kfree(user_dev);
519 	return retval;
520 }
521 
uinput_inject_events(struct uinput_device * udev,const char __user * buffer,size_t count)522 static ssize_t uinput_inject_events(struct uinput_device *udev,
523 				    const char __user *buffer, size_t count)
524 {
525 	struct input_event ev;
526 	size_t bytes = 0;
527 
528 	if (count != 0 && count < input_event_size())
529 		return -EINVAL;
530 
531 	while (bytes + input_event_size() <= count) {
532 		/*
533 		 * Note that even if some events were fetched successfully
534 		 * we are still going to return EFAULT instead of partial
535 		 * count to let userspace know that it got it's buffers
536 		 * all wrong.
537 		 */
538 		if (input_event_from_user(buffer + bytes, &ev))
539 			return -EFAULT;
540 
541 		input_event(udev->dev, ev.type, ev.code, ev.value);
542 		bytes += input_event_size();
543 	}
544 
545 	return bytes;
546 }
547 
uinput_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)548 static ssize_t uinput_write(struct file *file, const char __user *buffer,
549 			    size_t count, loff_t *ppos)
550 {
551 	struct uinput_device *udev = file->private_data;
552 	int retval;
553 
554 	if (count == 0)
555 		return 0;
556 
557 	retval = mutex_lock_interruptible(&udev->mutex);
558 	if (retval)
559 		return retval;
560 
561 	retval = udev->state == UIST_CREATED ?
562 			uinput_inject_events(udev, buffer, count) :
563 			uinput_setup_device_legacy(udev, buffer, count);
564 
565 	mutex_unlock(&udev->mutex);
566 
567 	return retval;
568 }
569 
uinput_fetch_next_event(struct uinput_device * udev,struct input_event * event)570 static bool uinput_fetch_next_event(struct uinput_device *udev,
571 				    struct input_event *event)
572 {
573 	bool have_event;
574 
575 	spin_lock_irq(&udev->dev->event_lock);
576 
577 	have_event = udev->head != udev->tail;
578 	if (have_event) {
579 		*event = udev->buff[udev->tail];
580 		udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE;
581 	}
582 
583 	spin_unlock_irq(&udev->dev->event_lock);
584 
585 	return have_event;
586 }
587 
uinput_events_to_user(struct uinput_device * udev,char __user * buffer,size_t count)588 static ssize_t uinput_events_to_user(struct uinput_device *udev,
589 				     char __user *buffer, size_t count)
590 {
591 	struct input_event event;
592 	size_t read = 0;
593 
594 	while (read + input_event_size() <= count &&
595 	       uinput_fetch_next_event(udev, &event)) {
596 
597 		if (input_event_to_user(buffer + read, &event))
598 			return -EFAULT;
599 
600 		read += input_event_size();
601 	}
602 
603 	return read;
604 }
605 
uinput_read(struct file * file,char __user * buffer,size_t count,loff_t * ppos)606 static ssize_t uinput_read(struct file *file, char __user *buffer,
607 			   size_t count, loff_t *ppos)
608 {
609 	struct uinput_device *udev = file->private_data;
610 	ssize_t retval;
611 
612 	if (count != 0 && count < input_event_size())
613 		return -EINVAL;
614 
615 	do {
616 		retval = mutex_lock_interruptible(&udev->mutex);
617 		if (retval)
618 			return retval;
619 
620 		if (udev->state != UIST_CREATED)
621 			retval = -ENODEV;
622 		else if (udev->head == udev->tail &&
623 			 (file->f_flags & O_NONBLOCK))
624 			retval = -EAGAIN;
625 		else
626 			retval = uinput_events_to_user(udev, buffer, count);
627 
628 		mutex_unlock(&udev->mutex);
629 
630 		if (retval || count == 0)
631 			break;
632 
633 		if (!(file->f_flags & O_NONBLOCK))
634 			retval = wait_event_interruptible(udev->waitq,
635 						  udev->head != udev->tail ||
636 						  udev->state != UIST_CREATED);
637 	} while (retval == 0);
638 
639 	return retval;
640 }
641 
uinput_poll(struct file * file,poll_table * wait)642 static unsigned int uinput_poll(struct file *file, poll_table *wait)
643 {
644 	struct uinput_device *udev = file->private_data;
645 
646 	poll_wait(file, &udev->waitq, wait);
647 
648 	if (udev->head != udev->tail)
649 		return POLLIN | POLLRDNORM;
650 
651 	return 0;
652 }
653 
uinput_release(struct inode * inode,struct file * file)654 static int uinput_release(struct inode *inode, struct file *file)
655 {
656 	struct uinput_device *udev = file->private_data;
657 
658 	uinput_destroy_device(udev);
659 	kfree(udev);
660 
661 	return 0;
662 }
663 
664 #ifdef CONFIG_COMPAT
665 struct uinput_ff_upload_compat {
666 	__u32			request_id;
667 	__s32			retval;
668 	struct ff_effect_compat	effect;
669 	struct ff_effect_compat	old;
670 };
671 
uinput_ff_upload_to_user(char __user * buffer,const struct uinput_ff_upload * ff_up)672 static int uinput_ff_upload_to_user(char __user *buffer,
673 				    const struct uinput_ff_upload *ff_up)
674 {
675 	if (in_compat_syscall()) {
676 		struct uinput_ff_upload_compat ff_up_compat;
677 
678 		ff_up_compat.request_id = ff_up->request_id;
679 		ff_up_compat.retval = ff_up->retval;
680 		/*
681 		 * It so happens that the pointer that gives us the trouble
682 		 * is the last field in the structure. Since we don't support
683 		 * custom waveforms in uinput anyway we can just copy the whole
684 		 * thing (to the compat size) and ignore the pointer.
685 		 */
686 		memcpy(&ff_up_compat.effect, &ff_up->effect,
687 			sizeof(struct ff_effect_compat));
688 		memcpy(&ff_up_compat.old, &ff_up->old,
689 			sizeof(struct ff_effect_compat));
690 
691 		if (copy_to_user(buffer, &ff_up_compat,
692 				 sizeof(struct uinput_ff_upload_compat)))
693 			return -EFAULT;
694 	} else {
695 		if (copy_to_user(buffer, ff_up,
696 				 sizeof(struct uinput_ff_upload)))
697 			return -EFAULT;
698 	}
699 
700 	return 0;
701 }
702 
uinput_ff_upload_from_user(const char __user * buffer,struct uinput_ff_upload * ff_up)703 static int uinput_ff_upload_from_user(const char __user *buffer,
704 				      struct uinput_ff_upload *ff_up)
705 {
706 	if (in_compat_syscall()) {
707 		struct uinput_ff_upload_compat ff_up_compat;
708 
709 		if (copy_from_user(&ff_up_compat, buffer,
710 				   sizeof(struct uinput_ff_upload_compat)))
711 			return -EFAULT;
712 
713 		ff_up->request_id = ff_up_compat.request_id;
714 		ff_up->retval = ff_up_compat.retval;
715 		memcpy(&ff_up->effect, &ff_up_compat.effect,
716 			sizeof(struct ff_effect_compat));
717 		memcpy(&ff_up->old, &ff_up_compat.old,
718 			sizeof(struct ff_effect_compat));
719 
720 	} else {
721 		if (copy_from_user(ff_up, buffer,
722 				   sizeof(struct uinput_ff_upload)))
723 			return -EFAULT;
724 	}
725 
726 	return 0;
727 }
728 
729 #else
730 
uinput_ff_upload_to_user(char __user * buffer,const struct uinput_ff_upload * ff_up)731 static int uinput_ff_upload_to_user(char __user *buffer,
732 				    const struct uinput_ff_upload *ff_up)
733 {
734 	if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload)))
735 		return -EFAULT;
736 
737 	return 0;
738 }
739 
uinput_ff_upload_from_user(const char __user * buffer,struct uinput_ff_upload * ff_up)740 static int uinput_ff_upload_from_user(const char __user *buffer,
741 				      struct uinput_ff_upload *ff_up)
742 {
743 	if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload)))
744 		return -EFAULT;
745 
746 	return 0;
747 }
748 
749 #endif
750 
751 #define uinput_set_bit(_arg, _bit, _max)		\
752 ({							\
753 	int __ret = 0;					\
754 	if (udev->state == UIST_CREATED)		\
755 		__ret =  -EINVAL;			\
756 	else if ((_arg) > (_max))			\
757 		__ret = -EINVAL;			\
758 	else set_bit((_arg), udev->dev->_bit);		\
759 	__ret;						\
760 })
761 
uinput_str_to_user(void __user * dest,const char * str,unsigned int maxlen)762 static int uinput_str_to_user(void __user *dest, const char *str,
763 			      unsigned int maxlen)
764 {
765 	char __user *p = dest;
766 	int len, ret;
767 
768 	if (!str)
769 		return -ENOENT;
770 
771 	if (maxlen == 0)
772 		return -EINVAL;
773 
774 	len = strlen(str) + 1;
775 	if (len > maxlen)
776 		len = maxlen;
777 
778 	ret = copy_to_user(p, str, len);
779 	if (ret)
780 		return -EFAULT;
781 
782 	/* force terminating '\0' */
783 	ret = put_user(0, p + len - 1);
784 	return ret ? -EFAULT : len;
785 }
786 
uinput_ioctl_handler(struct file * file,unsigned int cmd,unsigned long arg,void __user * p)787 static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
788 				 unsigned long arg, void __user *p)
789 {
790 	int			retval;
791 	struct uinput_device	*udev = file->private_data;
792 	struct uinput_ff_upload ff_up;
793 	struct uinput_ff_erase  ff_erase;
794 	struct uinput_request   *req;
795 	char			*phys;
796 	const char		*name;
797 	unsigned int		size;
798 
799 	retval = mutex_lock_interruptible(&udev->mutex);
800 	if (retval)
801 		return retval;
802 
803 	if (!udev->dev) {
804 		retval = uinput_allocate_device(udev);
805 		if (retval)
806 			goto out;
807 	}
808 
809 	switch (cmd) {
810 		case UI_GET_VERSION:
811 			if (put_user(UINPUT_VERSION,
812 				     (unsigned int __user *)p))
813 				retval = -EFAULT;
814 			goto out;
815 
816 		case UI_DEV_CREATE:
817 			retval = uinput_create_device(udev);
818 			goto out;
819 
820 		case UI_DEV_DESTROY:
821 			uinput_destroy_device(udev);
822 			goto out;
823 
824 		case UI_DEV_SETUP:
825 			retval = uinput_dev_setup(udev, p);
826 			goto out;
827 
828 		/* UI_ABS_SETUP is handled in the variable size ioctls */
829 
830 		case UI_SET_EVBIT:
831 			retval = uinput_set_bit(arg, evbit, EV_MAX);
832 			goto out;
833 
834 		case UI_SET_KEYBIT:
835 			retval = uinput_set_bit(arg, keybit, KEY_MAX);
836 			goto out;
837 
838 		case UI_SET_RELBIT:
839 			retval = uinput_set_bit(arg, relbit, REL_MAX);
840 			goto out;
841 
842 		case UI_SET_ABSBIT:
843 			retval = uinput_set_bit(arg, absbit, ABS_MAX);
844 			goto out;
845 
846 		case UI_SET_MSCBIT:
847 			retval = uinput_set_bit(arg, mscbit, MSC_MAX);
848 			goto out;
849 
850 		case UI_SET_LEDBIT:
851 			retval = uinput_set_bit(arg, ledbit, LED_MAX);
852 			goto out;
853 
854 		case UI_SET_SNDBIT:
855 			retval = uinput_set_bit(arg, sndbit, SND_MAX);
856 			goto out;
857 
858 		case UI_SET_FFBIT:
859 			retval = uinput_set_bit(arg, ffbit, FF_MAX);
860 			goto out;
861 
862 		case UI_SET_SWBIT:
863 			retval = uinput_set_bit(arg, swbit, SW_MAX);
864 			goto out;
865 
866 		case UI_SET_PROPBIT:
867 			retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX);
868 			goto out;
869 
870 		case UI_SET_PHYS:
871 			if (udev->state == UIST_CREATED) {
872 				retval = -EINVAL;
873 				goto out;
874 			}
875 
876 			phys = strndup_user(p, 1024);
877 			if (IS_ERR(phys)) {
878 				retval = PTR_ERR(phys);
879 				goto out;
880 			}
881 
882 			kfree(udev->dev->phys);
883 			udev->dev->phys = phys;
884 			goto out;
885 
886 		case UI_BEGIN_FF_UPLOAD:
887 			retval = uinput_ff_upload_from_user(p, &ff_up);
888 			if (retval)
889 				goto out;
890 
891 			req = uinput_request_find(udev, ff_up.request_id);
892 			if (!req || req->code != UI_FF_UPLOAD ||
893 			    !req->u.upload.effect) {
894 				retval = -EINVAL;
895 				goto out;
896 			}
897 
898 			ff_up.retval = 0;
899 			ff_up.effect = *req->u.upload.effect;
900 			if (req->u.upload.old)
901 				ff_up.old = *req->u.upload.old;
902 			else
903 				memset(&ff_up.old, 0, sizeof(struct ff_effect));
904 
905 			retval = uinput_ff_upload_to_user(p, &ff_up);
906 			goto out;
907 
908 		case UI_BEGIN_FF_ERASE:
909 			if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
910 				retval = -EFAULT;
911 				goto out;
912 			}
913 
914 			req = uinput_request_find(udev, ff_erase.request_id);
915 			if (!req || req->code != UI_FF_ERASE) {
916 				retval = -EINVAL;
917 				goto out;
918 			}
919 
920 			ff_erase.retval = 0;
921 			ff_erase.effect_id = req->u.effect_id;
922 			if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) {
923 				retval = -EFAULT;
924 				goto out;
925 			}
926 
927 			goto out;
928 
929 		case UI_END_FF_UPLOAD:
930 			retval = uinput_ff_upload_from_user(p, &ff_up);
931 			if (retval)
932 				goto out;
933 
934 			req = uinput_request_find(udev, ff_up.request_id);
935 			if (!req || req->code != UI_FF_UPLOAD ||
936 			    !req->u.upload.effect) {
937 				retval = -EINVAL;
938 				goto out;
939 			}
940 
941 			req->retval = ff_up.retval;
942 			uinput_request_done(udev, req);
943 			goto out;
944 
945 		case UI_END_FF_ERASE:
946 			if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
947 				retval = -EFAULT;
948 				goto out;
949 			}
950 
951 			req = uinput_request_find(udev, ff_erase.request_id);
952 			if (!req || req->code != UI_FF_ERASE) {
953 				retval = -EINVAL;
954 				goto out;
955 			}
956 
957 			req->retval = ff_erase.retval;
958 			uinput_request_done(udev, req);
959 			goto out;
960 	}
961 
962 	size = _IOC_SIZE(cmd);
963 
964 	/* Now check variable-length commands */
965 	switch (cmd & ~IOCSIZE_MASK) {
966 	case UI_GET_SYSNAME(0):
967 		if (udev->state != UIST_CREATED) {
968 			retval = -ENOENT;
969 			goto out;
970 		}
971 		name = dev_name(&udev->dev->dev);
972 		retval = uinput_str_to_user(p, name, size);
973 		goto out;
974 
975 	case UI_ABS_SETUP & ~IOCSIZE_MASK:
976 		retval = uinput_abs_setup(udev, p, size);
977 		goto out;
978 	}
979 
980 	retval = -EINVAL;
981  out:
982 	mutex_unlock(&udev->mutex);
983 	return retval;
984 }
985 
uinput_ioctl(struct file * file,unsigned int cmd,unsigned long arg)986 static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
987 {
988 	return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg);
989 }
990 
991 #ifdef CONFIG_COMPAT
992 
993 #define UI_SET_PHYS_COMPAT	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
994 
uinput_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)995 static long uinput_compat_ioctl(struct file *file,
996 				unsigned int cmd, unsigned long arg)
997 {
998 	if (cmd == UI_SET_PHYS_COMPAT)
999 		cmd = UI_SET_PHYS;
1000 
1001 	return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1002 }
1003 #endif
1004 
1005 static const struct file_operations uinput_fops = {
1006 	.owner		= THIS_MODULE,
1007 	.open		= uinput_open,
1008 	.release	= uinput_release,
1009 	.read		= uinput_read,
1010 	.write		= uinput_write,
1011 	.poll		= uinput_poll,
1012 	.unlocked_ioctl	= uinput_ioctl,
1013 #ifdef CONFIG_COMPAT
1014 	.compat_ioctl	= uinput_compat_ioctl,
1015 #endif
1016 	.llseek		= no_llseek,
1017 };
1018 
1019 static struct miscdevice uinput_misc = {
1020 	.fops		= &uinput_fops,
1021 	.minor		= UINPUT_MINOR,
1022 	.name		= UINPUT_NAME,
1023 };
1024 module_misc_device(uinput_misc);
1025 
1026 MODULE_ALIAS_MISCDEV(UINPUT_MINOR);
1027 MODULE_ALIAS("devname:" UINPUT_NAME);
1028 
1029 MODULE_AUTHOR("Aristeu Sergio Rozanski Filho");
1030 MODULE_DESCRIPTION("User level driver support for input subsystem");
1031 MODULE_LICENSE("GPL");
1032 MODULE_VERSION("0.3");
1033