1/*
2 * User level driver support for input subsystem
3 *
4 * Heavily based on evdev.c by Vojtech Pavlik
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
21 *
22 * Changes/Revisions:
23 * 0.4 01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>)
24 * - add UI_GET_SYSNAME ioctl
25 * 0.3 09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>)
26 * - updated ff support for the changes in kernel interface
27 * - added MODULE_VERSION
28 * 0.2 16/10/2004 (Micah Dowty <micah@navi.cx>)
29 * - added force feedback support
30 * - added UI_SET_PHYS
31 * 0.1 20/06/2002
32 * - first public version
33 */
34#include <uapi/linux/uinput.h>
35#include <linux/poll.h>
36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/module.h>
39#include <linux/init.h>
40#include <linux/fs.h>
41#include <linux/miscdevice.h>
42#include <linux/overflow.h>
43#include <linux/input/mt.h>
44#include "../input-compat.h"
45
46#define UINPUT_NAME "uinput"
47#define UINPUT_BUFFER_SIZE 16
48#define UINPUT_NUM_REQUESTS 16
49
50enum uinput_state { UIST_NEW_DEVICE, UIST_SETUP_COMPLETE, UIST_CREATED };
51
52struct uinput_request {
53 unsigned int id;
54 unsigned int code; /* UI_FF_UPLOAD, UI_FF_ERASE */
55
56 int retval;
57 struct completion done;
58
59 union {
60 unsigned int effect_id;
61 struct {
62 struct ff_effect *effect;
63 struct ff_effect *old;
64 } upload;
65 } u;
66};
67
68struct uinput_device {
69 struct input_dev *dev;
70 struct mutex mutex;
71 enum uinput_state state;
72 wait_queue_head_t waitq;
73 unsigned char ready;
74 unsigned char head;
75 unsigned char tail;
76 struct input_event buff[UINPUT_BUFFER_SIZE];
77 unsigned int ff_effects_max;
78
79 struct uinput_request *requests[UINPUT_NUM_REQUESTS];
80 wait_queue_head_t requests_waitq;
81 spinlock_t requests_lock;
82};
83
84static int uinput_dev_event(struct input_dev *dev,
85 unsigned int type, unsigned int code, int value)
86{
87 struct uinput_device *udev = input_get_drvdata(dev);
88 struct timespec64 ts;
89
90 udev->buff[udev->head].type = type;
91 udev->buff[udev->head].code = code;
92 udev->buff[udev->head].value = value;
93 ktime_get_ts64(&ts);
94 udev->buff[udev->head].input_event_sec = ts.tv_sec;
95 udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC;
96 udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
97
98 wake_up_interruptible(&udev->waitq);
99
100 return 0;
101}
102
103/* Atomically allocate an ID for the given request. Returns 0 on success. */
104static bool uinput_request_alloc_id(struct uinput_device *udev,
105 struct uinput_request *request)
106{
107 unsigned int id;
108 bool reserved = false;
109
110 spin_lock(&udev->requests_lock);
111
112 for (id = 0; id < UINPUT_NUM_REQUESTS; id++) {
113 if (!udev->requests[id]) {
114 request->id = id;
115 udev->requests[id] = request;
116 reserved = true;
117 break;
118 }
119 }
120
121 spin_unlock(&udev->requests_lock);
122 return reserved;
123}
124
125static struct uinput_request *uinput_request_find(struct uinput_device *udev,
126 unsigned int id)
127{
128 /* Find an input request, by ID. Returns NULL if the ID isn't valid. */
129 if (id >= UINPUT_NUM_REQUESTS)
130 return NULL;
131
132 return udev->requests[id];
133}
134
135static int uinput_request_reserve_slot(struct uinput_device *udev,
136 struct uinput_request *request)
137{
138 /* Allocate slot. If none are available right away, wait. */
139 return wait_event_interruptible(udev->requests_waitq,
140 uinput_request_alloc_id(udev, request));
141}
142
143static void uinput_request_release_slot(struct uinput_device *udev,
144 unsigned int id)
145{
146 /* Mark slot as available */
147 spin_lock(&udev->requests_lock);
148 udev->requests[id] = NULL;
149 spin_unlock(&udev->requests_lock);
150
151 wake_up(&udev->requests_waitq);
152}
153
154static int uinput_request_send(struct uinput_device *udev,
155 struct uinput_request *request)
156{
157 int retval;
158
159 retval = mutex_lock_interruptible(&udev->mutex);
160 if (retval)
161 return retval;
162
163 if (udev->state != UIST_CREATED) {
164 retval = -ENODEV;
165 goto out;
166 }
167
168 init_completion(&request->done);
169
170 /*
171 * Tell our userspace application about this new request
172 * by queueing an input event.
173 */
174 uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
175
176 out:
177 mutex_unlock(&udev->mutex);
178 return retval;
179}
180
181static int uinput_request_submit(struct uinput_device *udev,
182 struct uinput_request *request)
183{
184 int retval;
185
186 retval = uinput_request_reserve_slot(udev, request);
187 if (retval)
188 return retval;
189
190 retval = uinput_request_send(udev, request);
191 if (retval)
192 goto out;
193
194 if (!wait_for_completion_timeout(&request->done, 30 * HZ)) {
195 retval = -ETIMEDOUT;
196 goto out;
197 }
198
199 retval = request->retval;
200
201 out:
202 uinput_request_release_slot(udev, request->id);
203 return retval;
204}
205
206/*
207 * Fail all outstanding requests so handlers don't wait for the userspace
208 * to finish processing them.
209 */
210static void uinput_flush_requests(struct uinput_device *udev)
211{
212 struct uinput_request *request;
213 int i;
214
215 spin_lock(&udev->requests_lock);
216
217 for (i = 0; i < UINPUT_NUM_REQUESTS; i++) {
218 request = udev->requests[i];
219 if (request) {
220 request->retval = -ENODEV;
221 complete(&request->done);
222 }
223 }
224
225 spin_unlock(&udev->requests_lock);
226}
227
228static void uinput_dev_set_gain(struct input_dev *dev, u16 gain)
229{
230 uinput_dev_event(dev, EV_FF, FF_GAIN, gain);
231}
232
233static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude)
234{
235 uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude);
236}
237
238static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value)
239{
240 return uinput_dev_event(dev, EV_FF, effect_id, value);
241}
242
243static int uinput_dev_upload_effect(struct input_dev *dev,
244 struct ff_effect *effect,
245 struct ff_effect *old)
246{
247 struct uinput_device *udev = input_get_drvdata(dev);
248 struct uinput_request request;
249
250 /*
251 * uinput driver does not currently support periodic effects with
252 * custom waveform since it does not have a way to pass buffer of
253 * samples (custom_data) to userspace. If ever there is a device
254 * supporting custom waveforms we would need to define an additional
255 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out.
256 */
257 if (effect->type == FF_PERIODIC &&
258 effect->u.periodic.waveform == FF_CUSTOM)
259 return -EINVAL;
260
261 request.code = UI_FF_UPLOAD;
262 request.u.upload.effect = effect;
263 request.u.upload.old = old;
264
265 return uinput_request_submit(udev, &request);
266}
267
268static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id)
269{
270 struct uinput_device *udev = input_get_drvdata(dev);
271 struct uinput_request request;
272
273 if (!test_bit(EV_FF, dev->evbit))
274 return -ENOSYS;
275
276 request.code = UI_FF_ERASE;
277 request.u.effect_id = effect_id;
278
279 return uinput_request_submit(udev, &request);
280}
281
282static int uinput_dev_flush(struct input_dev *dev, struct file *file)
283{
284 /*
285 * If we are called with file == NULL that means we are tearing
286 * down the device, and therefore we can not handle FF erase
287 * requests: either we are handling UI_DEV_DESTROY (and holding
288 * the udev->mutex), or the file descriptor is closed and there is
289 * nobody on the other side anymore.
290 */
291 return file ? input_ff_flush(dev, file) : 0;
292}
293
294static void uinput_destroy_device(struct uinput_device *udev)
295{
296 const char *name, *phys;
297 struct input_dev *dev = udev->dev;
298 enum uinput_state old_state = udev->state;
299
300 udev->state = UIST_NEW_DEVICE;
301
302 if (dev) {
303 name = dev->name;
304 phys = dev->phys;
305 if (old_state == UIST_CREATED) {
306 uinput_flush_requests(udev);
307 input_unregister_device(dev);
308 } else {
309 input_free_device(dev);
310 }
311 kfree(name);
312 kfree(phys);
313 udev->dev = NULL;
314 }
315}
316
317static int uinput_create_device(struct uinput_device *udev)
318{
319 struct input_dev *dev = udev->dev;
320 int error, nslot;
321
322 if (udev->state != UIST_SETUP_COMPLETE) {
323 printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
324 return -EINVAL;
325 }
326
327 if (test_bit(EV_ABS, dev->evbit)) {
328 input_alloc_absinfo(dev);
329 if (!dev->absinfo) {
330 error = -EINVAL;
331 goto fail1;
332 }
333
334 if (test_bit(ABS_MT_SLOT, dev->absbit)) {
335 nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
336 error = input_mt_init_slots(dev, nslot, 0);
337 if (error)
338 goto fail1;
339 } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
340 input_set_events_per_packet(dev, 60);
341 }
342 }
343
344 if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
345 printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
346 UINPUT_NAME);
347 error = -EINVAL;
348 goto fail1;
349 }
350
351 if (udev->ff_effects_max) {
352 error = input_ff_create(dev, udev->ff_effects_max);
353 if (error)
354 goto fail1;
355
356 dev->ff->upload = uinput_dev_upload_effect;
357 dev->ff->erase = uinput_dev_erase_effect;
358 dev->ff->playback = uinput_dev_playback;
359 dev->ff->set_gain = uinput_dev_set_gain;
360 dev->ff->set_autocenter = uinput_dev_set_autocenter;
361 /*
362 * The standard input_ff_flush() implementation does
363 * not quite work for uinput as we can't reasonably
364 * handle FF requests during device teardown.
365 */
366 dev->flush = uinput_dev_flush;
367 }
368
369 dev->event = uinput_dev_event;
370
371 input_set_drvdata(udev->dev, udev);
372
373 error = input_register_device(udev->dev);
374 if (error)
375 goto fail2;
376
377 udev->state = UIST_CREATED;
378
379 return 0;
380
381 fail2: input_ff_destroy(dev);
382 fail1: uinput_destroy_device(udev);
383 return error;
384}
385
386static int uinput_open(struct inode *inode, struct file *file)
387{
388 struct uinput_device *newdev;
389
390 newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL);
391 if (!newdev)
392 return -ENOMEM;
393
394 mutex_init(&newdev->mutex);
395 spin_lock_init(&newdev->requests_lock);
396 init_waitqueue_head(&newdev->requests_waitq);
397 init_waitqueue_head(&newdev->waitq);
398 newdev->state = UIST_NEW_DEVICE;
399
400 file->private_data = newdev;
401 nonseekable_open(inode, file);
402
403 return 0;
404}
405
406static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
407 const struct input_absinfo *abs)
408{
409 int min, max, range;
410
411 min = abs->minimum;
412 max = abs->maximum;
413
414 if ((min != 0 || max != 0) && max < min) {
415 printk(KERN_DEBUG
416 "%s: invalid abs[%02x] min:%d max:%d\n",
417 UINPUT_NAME, code, min, max);
418 return -EINVAL;
419 }
420
421 if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
422 printk(KERN_DEBUG
423 "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
424 UINPUT_NAME, code, abs->flat, min, max);
425 return -EINVAL;
426 }
427
428 return 0;
429}
430
431static int uinput_validate_absbits(struct input_dev *dev)
432{
433 unsigned int cnt;
434 int error;
435
436 if (!test_bit(EV_ABS, dev->evbit))
437 return 0;
438
439 /*
440 * Check if absmin/absmax/absfuzz/absflat are sane.
441 */
442
443 for_each_set_bit(cnt, dev->absbit, ABS_CNT) {
444 if (!dev->absinfo)
445 return -EINVAL;
446
447 error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]);
448 if (error)
449 return error;
450 }
451
452 return 0;
453}
454
455static int uinput_dev_setup(struct uinput_device *udev,
456 struct uinput_setup __user *arg)
457{
458 struct uinput_setup setup;
459 struct input_dev *dev;
460
461 if (udev->state == UIST_CREATED)
462 return -EINVAL;
463
464 if (copy_from_user(&setup, arg, sizeof(setup)))
465 return -EFAULT;
466
467 if (!setup.name[0])
468 return -EINVAL;
469
470 dev = udev->dev;
471 dev->id = setup.id;
472 udev->ff_effects_max = setup.ff_effects_max;
473
474 kfree(dev->name);
475 dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
476 if (!dev->name)
477 return -ENOMEM;
478
479 udev->state = UIST_SETUP_COMPLETE;
480 return 0;
481}
482
483static int uinput_abs_setup(struct uinput_device *udev,
484 struct uinput_setup __user *arg, size_t size)
485{
486 struct uinput_abs_setup setup = {};
487 struct input_dev *dev;
488 int error;
489
490 if (size > sizeof(setup))
491 return -E2BIG;
492
493 if (udev->state == UIST_CREATED)
494 return -EINVAL;
495
496 if (copy_from_user(&setup, arg, size))
497 return -EFAULT;
498
499 if (setup.code > ABS_MAX)
500 return -ERANGE;
501
502 dev = udev->dev;
503
504 error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo);
505 if (error)
506 return error;
507
508 input_alloc_absinfo(dev);
509 if (!dev->absinfo)
510 return -ENOMEM;
511
512 set_bit(setup.code, dev->absbit);
513 dev->absinfo[setup.code] = setup.absinfo;
514 return 0;
515}
516
517/* legacy setup via write() */
518static int uinput_setup_device_legacy(struct uinput_device *udev,
519 const char __user *buffer, size_t count)
520{
521 struct uinput_user_dev *user_dev;
522 struct input_dev *dev;
523 int i;
524 int retval;
525
526 if (count != sizeof(struct uinput_user_dev))
527 return -EINVAL;
528
529 if (!udev->dev) {
530 udev->dev = input_allocate_device();
531 if (!udev->dev)
532 return -ENOMEM;
533 }
534
535 dev = udev->dev;
536
537 user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
538 if (IS_ERR(user_dev))
539 return PTR_ERR(user_dev);
540
541 udev->ff_effects_max = user_dev->ff_effects_max;
542
543 /* Ensure name is filled in */
544 if (!user_dev->name[0]) {
545 retval = -EINVAL;
546 goto exit;
547 }
548
549 kfree(dev->name);
550 dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE,
551 GFP_KERNEL);
552 if (!dev->name) {
553 retval = -ENOMEM;
554 goto exit;
555 }
556
557 dev->id.bustype = user_dev->id.bustype;
558 dev->id.vendor = user_dev->id.vendor;
559 dev->id.product = user_dev->id.product;
560 dev->id.version = user_dev->id.version;
561
562 for (i = 0; i < ABS_CNT; i++) {
563 input_abs_set_max(dev, i, user_dev->absmax[i]);
564 input_abs_set_min(dev, i, user_dev->absmin[i]);
565 input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
566 input_abs_set_flat(dev, i, user_dev->absflat[i]);
567 }
568
569 retval = uinput_validate_absbits(dev);
570 if (retval < 0)
571 goto exit;
572
573 udev->state = UIST_SETUP_COMPLETE;
574 retval = count;
575
576 exit:
577 kfree(user_dev);
578 return retval;
579}
580
581static ssize_t uinput_inject_events(struct uinput_device *udev,
582 const char __user *buffer, size_t count)
583{
584 struct input_event ev;
585 size_t bytes = 0;
586
587 if (count != 0 && count < input_event_size())
588 return -EINVAL;
589
590 while (bytes + input_event_size() <= count) {
591 /*
592 * Note that even if some events were fetched successfully
593 * we are still going to return EFAULT instead of partial
594 * count to let userspace know that it got it's buffers
595 * all wrong.
596 */
597 if (input_event_from_user(buffer + bytes, &ev))
598 return -EFAULT;
599
600 input_event(udev->dev, ev.type, ev.code, ev.value);
601 bytes += input_event_size();
602 cond_resched();
603 }
604
605 return bytes;
606}
607
608static ssize_t uinput_write(struct file *file, const char __user *buffer,
609 size_t count, loff_t *ppos)
610{
611 struct uinput_device *udev = file->private_data;
612 int retval;
613
614 if (count == 0)
615 return 0;
616
617 retval = mutex_lock_interruptible(&udev->mutex);
618 if (retval)
619 return retval;
620
621 retval = udev->state == UIST_CREATED ?
622 uinput_inject_events(udev, buffer, count) :
623 uinput_setup_device_legacy(udev, buffer, count);
624
625 mutex_unlock(&udev->mutex);
626
627 return retval;
628}
629
630static bool uinput_fetch_next_event(struct uinput_device *udev,
631 struct input_event *event)
632{
633 bool have_event;
634
635 spin_lock_irq(&udev->dev->event_lock);
636
637 have_event = udev->head != udev->tail;
638 if (have_event) {
639 *event = udev->buff[udev->tail];
640 udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE;
641 }
642
643 spin_unlock_irq(&udev->dev->event_lock);
644
645 return have_event;
646}
647
648static ssize_t uinput_events_to_user(struct uinput_device *udev,
649 char __user *buffer, size_t count)
650{
651 struct input_event event;
652 size_t read = 0;
653
654 while (read + input_event_size() <= count &&
655 uinput_fetch_next_event(udev, &event)) {
656
657 if (input_event_to_user(buffer + read, &event))
658 return -EFAULT;
659
660 read += input_event_size();
661 }
662
663 return read;
664}
665
666static ssize_t uinput_read(struct file *file, char __user *buffer,
667 size_t count, loff_t *ppos)
668{
669 struct uinput_device *udev = file->private_data;
670 ssize_t retval;
671
672 if (count != 0 && count < input_event_size())
673 return -EINVAL;
674
675 do {
676 retval = mutex_lock_interruptible(&udev->mutex);
677 if (retval)
678 return retval;
679
680 if (udev->state != UIST_CREATED)
681 retval = -ENODEV;
682 else if (udev->head == udev->tail &&
683 (file->f_flags & O_NONBLOCK))
684 retval = -EAGAIN;
685 else
686 retval = uinput_events_to_user(udev, buffer, count);
687
688 mutex_unlock(&udev->mutex);
689
690 if (retval || count == 0)
691 break;
692
693 if (!(file->f_flags & O_NONBLOCK))
694 retval = wait_event_interruptible(udev->waitq,
695 udev->head != udev->tail ||
696 udev->state != UIST_CREATED);
697 } while (retval == 0);
698
699 return retval;
700}
701
702static __poll_t uinput_poll(struct file *file, poll_table *wait)
703{
704 struct uinput_device *udev = file->private_data;
705
706 poll_wait(file, &udev->waitq, wait);
707
708 if (udev->head != udev->tail)
709 return EPOLLIN | EPOLLRDNORM;
710
711 return 0;
712}
713
714static int uinput_release(struct inode *inode, struct file *file)
715{
716 struct uinput_device *udev = file->private_data;
717
718 uinput_destroy_device(udev);
719 kfree(udev);
720
721 return 0;
722}
723
724#ifdef CONFIG_COMPAT
725struct uinput_ff_upload_compat {
726 __u32 request_id;
727 __s32 retval;
728 struct ff_effect_compat effect;
729 struct ff_effect_compat old;
730};
731
732static int uinput_ff_upload_to_user(char __user *buffer,
733 const struct uinput_ff_upload *ff_up)
734{
735 if (in_compat_syscall()) {
736 struct uinput_ff_upload_compat ff_up_compat;
737
738 ff_up_compat.request_id = ff_up->request_id;
739 ff_up_compat.retval = ff_up->retval;
740 /*
741 * It so happens that the pointer that gives us the trouble
742 * is the last field in the structure. Since we don't support
743 * custom waveforms in uinput anyway we can just copy the whole
744 * thing (to the compat size) and ignore the pointer.
745 */
746 memcpy(&ff_up_compat.effect, &ff_up->effect,
747 sizeof(struct ff_effect_compat));
748 memcpy(&ff_up_compat.old, &ff_up->old,
749 sizeof(struct ff_effect_compat));
750
751 if (copy_to_user(buffer, &ff_up_compat,
752 sizeof(struct uinput_ff_upload_compat)))
753 return -EFAULT;
754 } else {
755 if (copy_to_user(buffer, ff_up,
756 sizeof(struct uinput_ff_upload)))
757 return -EFAULT;
758 }
759
760 return 0;
761}
762
763static int uinput_ff_upload_from_user(const char __user *buffer,
764 struct uinput_ff_upload *ff_up)
765{
766 if (in_compat_syscall()) {
767 struct uinput_ff_upload_compat ff_up_compat;
768
769 if (copy_from_user(&ff_up_compat, buffer,
770 sizeof(struct uinput_ff_upload_compat)))
771 return -EFAULT;
772
773 ff_up->request_id = ff_up_compat.request_id;
774 ff_up->retval = ff_up_compat.retval;
775 memcpy(&ff_up->effect, &ff_up_compat.effect,
776 sizeof(struct ff_effect_compat));
777 memcpy(&ff_up->old, &ff_up_compat.old,
778 sizeof(struct ff_effect_compat));
779
780 } else {
781 if (copy_from_user(ff_up, buffer,
782 sizeof(struct uinput_ff_upload)))
783 return -EFAULT;
784 }
785
786 return 0;
787}
788
789#else
790
791static int uinput_ff_upload_to_user(char __user *buffer,
792 const struct uinput_ff_upload *ff_up)
793{
794 if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload)))
795 return -EFAULT;
796
797 return 0;
798}
799
800static int uinput_ff_upload_from_user(const char __user *buffer,
801 struct uinput_ff_upload *ff_up)
802{
803 if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload)))
804 return -EFAULT;
805
806 return 0;
807}
808
809#endif
810
811#define uinput_set_bit(_arg, _bit, _max) \
812({ \
813 int __ret = 0; \
814 if (udev->state == UIST_CREATED) \
815 __ret = -EINVAL; \
816 else if ((_arg) > (_max)) \
817 __ret = -EINVAL; \
818 else set_bit((_arg), udev->dev->_bit); \
819 __ret; \
820})
821
822static int uinput_str_to_user(void __user *dest, const char *str,
823 unsigned int maxlen)
824{
825 char __user *p = dest;
826 int len, ret;
827
828 if (!str)
829 return -ENOENT;
830
831 if (maxlen == 0)
832 return -EINVAL;
833
834 len = strlen(str) + 1;
835 if (len > maxlen)
836 len = maxlen;
837
838 ret = copy_to_user(p, str, len);
839 if (ret)
840 return -EFAULT;
841
842 /* force terminating '\0' */
843 ret = put_user(0, p + len - 1);
844 return ret ? -EFAULT : len;
845}
846
847static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
848 unsigned long arg, void __user *p)
849{
850 int retval;
851 struct uinput_device *udev = file->private_data;
852 struct uinput_ff_upload ff_up;
853 struct uinput_ff_erase ff_erase;
854 struct uinput_request *req;
855 char *phys;
856 const char *name;
857 unsigned int size;
858
859 retval = mutex_lock_interruptible(&udev->mutex);
860 if (retval)
861 return retval;
862
863 if (!udev->dev) {
864 udev->dev = input_allocate_device();
865 if (!udev->dev) {
866 retval = -ENOMEM;
867 goto out;
868 }
869 }
870
871 switch (cmd) {
872 case UI_GET_VERSION:
873 if (put_user(UINPUT_VERSION, (unsigned int __user *)p))
874 retval = -EFAULT;
875 goto out;
876
877 case UI_DEV_CREATE:
878 retval = uinput_create_device(udev);
879 goto out;
880
881 case UI_DEV_DESTROY:
882 uinput_destroy_device(udev);
883 goto out;
884
885 case UI_DEV_SETUP:
886 retval = uinput_dev_setup(udev, p);
887 goto out;
888
889 /* UI_ABS_SETUP is handled in the variable size ioctls */
890
891 case UI_SET_EVBIT:
892 retval = uinput_set_bit(arg, evbit, EV_MAX);
893 goto out;
894
895 case UI_SET_KEYBIT:
896 retval = uinput_set_bit(arg, keybit, KEY_MAX);
897 goto out;
898
899 case UI_SET_RELBIT:
900 retval = uinput_set_bit(arg, relbit, REL_MAX);
901 goto out;
902
903 case UI_SET_ABSBIT:
904 retval = uinput_set_bit(arg, absbit, ABS_MAX);
905 goto out;
906
907 case UI_SET_MSCBIT:
908 retval = uinput_set_bit(arg, mscbit, MSC_MAX);
909 goto out;
910
911 case UI_SET_LEDBIT:
912 retval = uinput_set_bit(arg, ledbit, LED_MAX);
913 goto out;
914
915 case UI_SET_SNDBIT:
916 retval = uinput_set_bit(arg, sndbit, SND_MAX);
917 goto out;
918
919 case UI_SET_FFBIT:
920 retval = uinput_set_bit(arg, ffbit, FF_MAX);
921 goto out;
922
923 case UI_SET_SWBIT:
924 retval = uinput_set_bit(arg, swbit, SW_MAX);
925 goto out;
926
927 case UI_SET_PROPBIT:
928 retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX);
929 goto out;
930
931 case UI_SET_PHYS:
932 if (udev->state == UIST_CREATED) {
933 retval = -EINVAL;
934 goto out;
935 }
936
937 phys = strndup_user(p, 1024);
938 if (IS_ERR(phys)) {
939 retval = PTR_ERR(phys);
940 goto out;
941 }
942
943 kfree(udev->dev->phys);
944 udev->dev->phys = phys;
945 goto out;
946
947 case UI_BEGIN_FF_UPLOAD:
948 retval = uinput_ff_upload_from_user(p, &ff_up);
949 if (retval)
950 goto out;
951
952 req = uinput_request_find(udev, ff_up.request_id);
953 if (!req || req->code != UI_FF_UPLOAD ||
954 !req->u.upload.effect) {
955 retval = -EINVAL;
956 goto out;
957 }
958
959 ff_up.retval = 0;
960 ff_up.effect = *req->u.upload.effect;
961 if (req->u.upload.old)
962 ff_up.old = *req->u.upload.old;
963 else
964 memset(&ff_up.old, 0, sizeof(struct ff_effect));
965
966 retval = uinput_ff_upload_to_user(p, &ff_up);
967 goto out;
968
969 case UI_BEGIN_FF_ERASE:
970 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
971 retval = -EFAULT;
972 goto out;
973 }
974
975 req = uinput_request_find(udev, ff_erase.request_id);
976 if (!req || req->code != UI_FF_ERASE) {
977 retval = -EINVAL;
978 goto out;
979 }
980
981 ff_erase.retval = 0;
982 ff_erase.effect_id = req->u.effect_id;
983 if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) {
984 retval = -EFAULT;
985 goto out;
986 }
987
988 goto out;
989
990 case UI_END_FF_UPLOAD:
991 retval = uinput_ff_upload_from_user(p, &ff_up);
992 if (retval)
993 goto out;
994
995 req = uinput_request_find(udev, ff_up.request_id);
996 if (!req || req->code != UI_FF_UPLOAD ||
997 !req->u.upload.effect) {
998 retval = -EINVAL;
999 goto out;
1000 }
1001
1002 req->retval = ff_up.retval;
1003 complete(&req->done);
1004 goto out;
1005
1006 case UI_END_FF_ERASE:
1007 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
1008 retval = -EFAULT;
1009 goto out;
1010 }
1011
1012 req = uinput_request_find(udev, ff_erase.request_id);
1013 if (!req || req->code != UI_FF_ERASE) {
1014 retval = -EINVAL;
1015 goto out;
1016 }
1017
1018 req->retval = ff_erase.retval;
1019 complete(&req->done);
1020 goto out;
1021 }
1022
1023 size = _IOC_SIZE(cmd);
1024
1025 /* Now check variable-length commands */
1026 switch (cmd & ~IOCSIZE_MASK) {
1027 case UI_GET_SYSNAME(0):
1028 if (udev->state != UIST_CREATED) {
1029 retval = -ENOENT;
1030 goto out;
1031 }
1032 name = dev_name(&udev->dev->dev);
1033 retval = uinput_str_to_user(p, name, size);
1034 goto out;
1035
1036 case UI_ABS_SETUP & ~IOCSIZE_MASK:
1037 retval = uinput_abs_setup(udev, p, size);
1038 goto out;
1039 }
1040
1041 retval = -EINVAL;
1042 out:
1043 mutex_unlock(&udev->mutex);
1044 return retval;
1045}
1046
1047static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1048{
1049 return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg);
1050}
1051
1052#ifdef CONFIG_COMPAT
1053
1054#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
1055
1056static long uinput_compat_ioctl(struct file *file,
1057 unsigned int cmd, unsigned long arg)
1058{
1059 if (cmd == UI_SET_PHYS_COMPAT)
1060 cmd = UI_SET_PHYS;
1061
1062 return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1063}
1064#endif
1065
1066static const struct file_operations uinput_fops = {
1067 .owner = THIS_MODULE,
1068 .open = uinput_open,
1069 .release = uinput_release,
1070 .read = uinput_read,
1071 .write = uinput_write,
1072 .poll = uinput_poll,
1073 .unlocked_ioctl = uinput_ioctl,
1074#ifdef CONFIG_COMPAT
1075 .compat_ioctl = uinput_compat_ioctl,
1076#endif
1077 .llseek = no_llseek,
1078};
1079
1080static struct miscdevice uinput_misc = {
1081 .fops = &uinput_fops,
1082 .minor = UINPUT_MINOR,
1083 .name = UINPUT_NAME,
1084};
1085module_misc_device(uinput_misc);
1086
1087MODULE_ALIAS_MISCDEV(UINPUT_MINOR);
1088MODULE_ALIAS("devname:" UINPUT_NAME);
1089
1090MODULE_AUTHOR("Aristeu Sergio Rozanski Filho");
1091MODULE_DESCRIPTION("User level driver support for input subsystem");
1092MODULE_LICENSE("GPL");
1093