input/misc/uinput.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  *  User level driver support for input subsystem
0004  *
0005  * Heavily based on evdev.c by Vojtech Pavlik
0006  *
0007  * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
0008  *
0009  * Changes/Revisions:
0010  *  0.4 01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>)
0011  *      - add UI_GET_SYSNAME ioctl
0012  *  0.3 09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>)
0013  *      - updated ff support for the changes in kernel interface
0014  *      - added MODULE_VERSION
0015  *  0.2 16/10/2004 (Micah Dowty <micah@navi.cx>)
0016  *      - added force feedback support
0017  *              - added UI_SET_PHYS
0018  *  0.1 20/06/2002
0019  *      - first public version
0020  */
0021 #include <uapi/linux/uinput.h>
0022 #include <linux/poll.h>
0023 #include <linux/sched.h>
0024 #include <linux/slab.h>
0025 #include <linux/module.h>
0026 #include <linux/init.h>
0027 #include <linux/fs.h>
0028 #include <linux/miscdevice.h>
0029 #include <linux/overflow.h>
0030 #include <linux/input/mt.h>
0031 #include "../input-compat.h"
0032
0033 #define UINPUT_NAME     "uinput"
0034 #define UINPUT_BUFFER_SIZE  16
0035 #define UINPUT_NUM_REQUESTS 16
0036
0037 enum uinput_state { UIST_NEW_DEVICE, UIST_SETUP_COMPLETE, UIST_CREATED };
0038
0039 struct uinput_request {
0040     unsigned int        id;
0041     unsigned int        code;   /* UI_FF_UPLOAD, UI_FF_ERASE */
0042
0043     int         retval;
0044     struct completion   done;
0045
0046     union {
0047         unsigned int    effect_id;
0048         struct {
0049             struct ff_effect *effect;
0050             struct ff_effect *old;
0051         } upload;
0052     } u;
0053 };
0054
0055 struct uinput_device {
0056     struct input_dev    *dev;
0057     struct mutex        mutex;
0058     enum uinput_state   state;
0059     wait_queue_head_t   waitq;
0060     unsigned char       ready;
0061     unsigned char       head;
0062     unsigned char       tail;
0063     struct input_event  buff[UINPUT_BUFFER_SIZE];
0064     unsigned int        ff_effects_max;
0065
0066     struct uinput_request   *requests[UINPUT_NUM_REQUESTS];
0067     wait_queue_head_t   requests_waitq;
0068     spinlock_t      requests_lock;
0069 };
0070
0071 static int uinput_dev_event(struct input_dev *dev,
0072                 unsigned int type, unsigned int code, int value)
0073 {
0074     struct uinput_device    *udev = input_get_drvdata(dev);
0075     struct timespec64   ts;
0076
0077     ktime_get_ts64(&ts);
0078
0079     udev->buff[udev->head] = (struct input_event) {
0080         .input_event_sec = ts.tv_sec,
0081         .input_event_usec = ts.tv_nsec / NSEC_PER_USEC,
0082         .type = type,
0083         .code = code,
0084         .value = value,
0085     };
0086
0087     udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
0088
0089     wake_up_interruptible(&udev->waitq);
0090
0091     return 0;
0092 }
0093
0094 /* Atomically allocate an ID for the given request. Returns 0 on success. */
0095 static bool uinput_request_alloc_id(struct uinput_device *udev,
0096                     struct uinput_request *request)
0097 {
0098     unsigned int id;
0099     bool reserved = false;
0100
0101     spin_lock(&udev->requests_lock);
0102
0103     for (id = 0; id < UINPUT_NUM_REQUESTS; id++) {
0104         if (!udev->requests[id]) {
0105             request->id = id;
0106             udev->requests[id] = request;
0107             reserved = true;
0108             break;
0109         }
0110     }
0111
0112     spin_unlock(&udev->requests_lock);
0113     return reserved;
0114 }
0115
0116 static struct uinput_request *uinput_request_find(struct uinput_device *udev,
0117                           unsigned int id)
0118 {
0119     /* Find an input request, by ID. Returns NULL if the ID isn't valid. */
0120     if (id >= UINPUT_NUM_REQUESTS)
0121         return NULL;
0122
0123     return udev->requests[id];
0124 }
0125
0126 static int uinput_request_reserve_slot(struct uinput_device *udev,
0127                        struct uinput_request *request)
0128 {
0129     /* Allocate slot. If none are available right away, wait. */
0130     return wait_event_interruptible(udev->requests_waitq,
0131                     uinput_request_alloc_id(udev, request));
0132 }
0133
0134 static void uinput_request_release_slot(struct uinput_device *udev,
0135                     unsigned int id)
0136 {
0137     /* Mark slot as available */
0138     spin_lock(&udev->requests_lock);
0139     udev->requests[id] = NULL;
0140     spin_unlock(&udev->requests_lock);
0141
0142     wake_up(&udev->requests_waitq);
0143 }
0144
0145 static int uinput_request_send(struct uinput_device *udev,
0146                    struct uinput_request *request)
0147 {
0148     int retval;
0149
0150     retval = mutex_lock_interruptible(&udev->mutex);
0151     if (retval)
0152         return retval;
0153
0154     if (udev->state != UIST_CREATED) {
0155         retval = -ENODEV;
0156         goto out;
0157     }
0158
0159     init_completion(&request->done);
0160
0161     /*
0162      * Tell our userspace application about this new request
0163      * by queueing an input event.
0164      */
0165     uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id);
0166
0167  out:
0168     mutex_unlock(&udev->mutex);
0169     return retval;
0170 }
0171
0172 static int uinput_request_submit(struct uinput_device *udev,
0173                  struct uinput_request *request)
0174 {
0175     int retval;
0176
0177     retval = uinput_request_reserve_slot(udev, request);
0178     if (retval)
0179         return retval;
0180
0181     retval = uinput_request_send(udev, request);
0182     if (retval)
0183         goto out;
0184
0185     if (!wait_for_completion_timeout(&request->done, 30 * HZ)) {
0186         retval = -ETIMEDOUT;
0187         goto out;
0188     }
0189
0190     retval = request->retval;
0191
0192  out:
0193     uinput_request_release_slot(udev, request->id);
0194     return retval;
0195 }
0196
0197 /*
0198  * Fail all outstanding requests so handlers don't wait for the userspace
0199  * to finish processing them.
0200  */
0201 static void uinput_flush_requests(struct uinput_device *udev)
0202 {
0203     struct uinput_request *request;
0204     int i;
0205
0206     spin_lock(&udev->requests_lock);
0207
0208     for (i = 0; i < UINPUT_NUM_REQUESTS; i++) {
0209         request = udev->requests[i];
0210         if (request) {
0211             request->retval = -ENODEV;
0212             complete(&request->done);
0213         }
0214     }
0215
0216     spin_unlock(&udev->requests_lock);
0217 }
0218
0219 static void uinput_dev_set_gain(struct input_dev *dev, u16 gain)
0220 {
0221     uinput_dev_event(dev, EV_FF, FF_GAIN, gain);
0222 }
0223
0224 static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude)
0225 {
0226     uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude);
0227 }
0228
0229 static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value)
0230 {
0231     return uinput_dev_event(dev, EV_FF, effect_id, value);
0232 }
0233
0234 static int uinput_dev_upload_effect(struct input_dev *dev,
0235                     struct ff_effect *effect,
0236                     struct ff_effect *old)
0237 {
0238     struct uinput_device *udev = input_get_drvdata(dev);
0239     struct uinput_request request;
0240
0241     /*
0242      * uinput driver does not currently support periodic effects with
0243      * custom waveform since it does not have a way to pass buffer of
0244      * samples (custom_data) to userspace. If ever there is a device
0245      * supporting custom waveforms we would need to define an additional
0246      * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out.
0247      */
0248     if (effect->type == FF_PERIODIC &&
0249             effect->u.periodic.waveform == FF_CUSTOM)
0250         return -EINVAL;
0251
0252     request.code = UI_FF_UPLOAD;
0253     request.u.upload.effect = effect;
0254     request.u.upload.old = old;
0255
0256     return uinput_request_submit(udev, &request);
0257 }
0258
0259 static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id)
0260 {
0261     struct uinput_device *udev = input_get_drvdata(dev);
0262     struct uinput_request request;
0263
0264     if (!test_bit(EV_FF, dev->evbit))
0265         return -ENOSYS;
0266
0267     request.code = UI_FF_ERASE;
0268     request.u.effect_id = effect_id;
0269
0270     return uinput_request_submit(udev, &request);
0271 }
0272
0273 static int uinput_dev_flush(struct input_dev *dev, struct file *file)
0274 {
0275     /*
0276      * If we are called with file == NULL that means we are tearing
0277      * down the device, and therefore we can not handle FF erase
0278      * requests: either we are handling UI_DEV_DESTROY (and holding
0279      * the udev->mutex), or the file descriptor is closed and there is
0280      * nobody on the other side anymore.
0281      */
0282     return file ? input_ff_flush(dev, file) : 0;
0283 }
0284
0285 static void uinput_destroy_device(struct uinput_device *udev)
0286 {
0287     const char *name, *phys;
0288     struct input_dev *dev = udev->dev;
0289     enum uinput_state old_state = udev->state;
0290
0291     udev->state = UIST_NEW_DEVICE;
0292
0293     if (dev) {
0294         name = dev->name;
0295         phys = dev->phys;
0296         if (old_state == UIST_CREATED) {
0297             uinput_flush_requests(udev);
0298             input_unregister_device(dev);
0299         } else {
0300             input_free_device(dev);
0301         }
0302         kfree(name);
0303         kfree(phys);
0304         udev->dev = NULL;
0305     }
0306 }
0307
0308 static int uinput_create_device(struct uinput_device *udev)
0309 {
0310     struct input_dev *dev = udev->dev;
0311     int error, nslot;
0312
0313     if (udev->state != UIST_SETUP_COMPLETE) {
0314         printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
0315         return -EINVAL;
0316     }
0317
0318     if (test_bit(EV_ABS, dev->evbit)) {
0319         input_alloc_absinfo(dev);
0320         if (!dev->absinfo) {
0321             error = -EINVAL;
0322             goto fail1;
0323         }
0324
0325         if (test_bit(ABS_MT_SLOT, dev->absbit)) {
0326             nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
0327             error = input_mt_init_slots(dev, nslot, 0);
0328             if (error)
0329                 goto fail1;
0330         } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
0331             input_set_events_per_packet(dev, 60);
0332         }
0333     }
0334
0335     if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
0336         printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
0337             UINPUT_NAME);
0338         error = -EINVAL;
0339         goto fail1;
0340     }
0341
0342     if (udev->ff_effects_max) {
0343         error = input_ff_create(dev, udev->ff_effects_max);
0344         if (error)
0345             goto fail1;
0346
0347         dev->ff->upload = uinput_dev_upload_effect;
0348         dev->ff->erase = uinput_dev_erase_effect;
0349         dev->ff->playback = uinput_dev_playback;
0350         dev->ff->set_gain = uinput_dev_set_gain;
0351         dev->ff->set_autocenter = uinput_dev_set_autocenter;
0352         /*
0353          * The standard input_ff_flush() implementation does
0354          * not quite work for uinput as we can't reasonably
0355          * handle FF requests during device teardown.
0356          */
0357         dev->flush = uinput_dev_flush;
0358     }
0359
0360     dev->event = uinput_dev_event;
0361
0362     input_set_drvdata(udev->dev, udev);
0363
0364     error = input_register_device(udev->dev);
0365     if (error)
0366         goto fail2;
0367
0368     udev->state = UIST_CREATED;
0369
0370     return 0;
0371
0372  fail2: input_ff_destroy(dev);
0373  fail1: uinput_destroy_device(udev);
0374     return error;
0375 }
0376
0377 static int uinput_open(struct inode *inode, struct file *file)
0378 {
0379     struct uinput_device *newdev;
0380
0381     newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL);
0382     if (!newdev)
0383         return -ENOMEM;
0384
0385     mutex_init(&newdev->mutex);
0386     spin_lock_init(&newdev->requests_lock);
0387     init_waitqueue_head(&newdev->requests_waitq);
0388     init_waitqueue_head(&newdev->waitq);
0389     newdev->state = UIST_NEW_DEVICE;
0390
0391     file->private_data = newdev;
0392     stream_open(inode, file);
0393
0394     return 0;
0395 }
0396
0397 static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
0398                    const struct input_absinfo *abs)
0399 {
0400     int min, max, range;
0401
0402     min = abs->minimum;
0403     max = abs->maximum;
0404
0405     if ((min != 0 || max != 0) && max < min) {
0406         printk(KERN_DEBUG
0407                "%s: invalid abs[%02x] min:%d max:%d\n",
0408                UINPUT_NAME, code, min, max);
0409         return -EINVAL;
0410     }
0411
0412     if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
0413         printk(KERN_DEBUG
0414                "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
0415                UINPUT_NAME, code, abs->flat, min, max);
0416         return -EINVAL;
0417     }
0418
0419     return 0;
0420 }
0421
0422 static int uinput_validate_absbits(struct input_dev *dev)
0423 {
0424     unsigned int cnt;
0425     int error;
0426
0427     if (!test_bit(EV_ABS, dev->evbit))
0428         return 0;
0429
0430     /*
0431      * Check if absmin/absmax/absfuzz/absflat are sane.
0432      */
0433
0434     for_each_set_bit(cnt, dev->absbit, ABS_CNT) {
0435         if (!dev->absinfo)
0436             return -EINVAL;
0437
0438         error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]);
0439         if (error)
0440             return error;
0441     }
0442
0443     return 0;
0444 }
0445
0446 static int uinput_dev_setup(struct uinput_device *udev,
0447                 struct uinput_setup __user *arg)
0448 {
0449     struct uinput_setup setup;
0450     struct input_dev *dev;
0451
0452     if (udev->state == UIST_CREATED)
0453         return -EINVAL;
0454
0455     if (copy_from_user(&setup, arg, sizeof(setup)))
0456         return -EFAULT;
0457
0458     if (!setup.name[0])
0459         return -EINVAL;
0460
0461     dev = udev->dev;
0462     dev->id = setup.id;
0463     udev->ff_effects_max = setup.ff_effects_max;
0464
0465     kfree(dev->name);
0466     dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
0467     if (!dev->name)
0468         return -ENOMEM;
0469
0470     udev->state = UIST_SETUP_COMPLETE;
0471     return 0;
0472 }
0473
0474 static int uinput_abs_setup(struct uinput_device *udev,
0475                 struct uinput_setup __user *arg, size_t size)
0476 {
0477     struct uinput_abs_setup setup = {};
0478     struct input_dev *dev;
0479     int error;
0480
0481     if (size > sizeof(setup))
0482         return -E2BIG;
0483
0484     if (udev->state == UIST_CREATED)
0485         return -EINVAL;
0486
0487     if (copy_from_user(&setup, arg, size))
0488         return -EFAULT;
0489
0490     if (setup.code > ABS_MAX)
0491         return -ERANGE;
0492
0493     dev = udev->dev;
0494
0495     error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo);
0496     if (error)
0497         return error;
0498
0499     input_alloc_absinfo(dev);
0500     if (!dev->absinfo)
0501         return -ENOMEM;
0502
0503     set_bit(setup.code, dev->absbit);
0504     dev->absinfo[setup.code] = setup.absinfo;
0505     return 0;
0506 }
0507
0508 /* legacy setup via write() */
0509 static int uinput_setup_device_legacy(struct uinput_device *udev,
0510                       const char __user *buffer, size_t count)
0511 {
0512     struct uinput_user_dev  *user_dev;
0513     struct input_dev    *dev;
0514     int         i;
0515     int         retval;
0516
0517     if (count != sizeof(struct uinput_user_dev))
0518         return -EINVAL;
0519
0520     if (!udev->dev) {
0521         udev->dev = input_allocate_device();
0522         if (!udev->dev)
0523             return -ENOMEM;
0524     }
0525
0526     dev = udev->dev;
0527
0528     user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
0529     if (IS_ERR(user_dev))
0530         return PTR_ERR(user_dev);
0531
0532     udev->ff_effects_max = user_dev->ff_effects_max;
0533
0534     /* Ensure name is filled in */
0535     if (!user_dev->name[0]) {
0536         retval = -EINVAL;
0537         goto exit;
0538     }
0539
0540     kfree(dev->name);
0541     dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE,
0542                  GFP_KERNEL);
0543     if (!dev->name) {
0544         retval = -ENOMEM;
0545         goto exit;
0546     }
0547
0548     dev->id.bustype = user_dev->id.bustype;
0549     dev->id.vendor  = user_dev->id.vendor;
0550     dev->id.product = user_dev->id.product;
0551     dev->id.version = user_dev->id.version;
0552
0553     for (i = 0; i < ABS_CNT; i++) {
0554         input_abs_set_max(dev, i, user_dev->absmax[i]);
0555         input_abs_set_min(dev, i, user_dev->absmin[i]);
0556         input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]);
0557         input_abs_set_flat(dev, i, user_dev->absflat[i]);
0558     }
0559
0560     retval = uinput_validate_absbits(dev);
0561     if (retval < 0)
0562         goto exit;
0563
0564     udev->state = UIST_SETUP_COMPLETE;
0565     retval = count;
0566
0567  exit:
0568     kfree(user_dev);
0569     return retval;
0570 }
0571
0572 static ssize_t uinput_inject_events(struct uinput_device *udev,
0573                     const char __user *buffer, size_t count)
0574 {
0575     struct input_event ev;
0576     size_t bytes = 0;
0577
0578     if (count != 0 && count < input_event_size())
0579         return -EINVAL;
0580
0581     while (bytes + input_event_size() <= count) {
0582         /*
0583          * Note that even if some events were fetched successfully
0584          * we are still going to return EFAULT instead of partial
0585          * count to let userspace know that it got it's buffers
0586          * all wrong.
0587          */
0588         if (input_event_from_user(buffer + bytes, &ev))
0589             return -EFAULT;
0590
0591         input_event(udev->dev, ev.type, ev.code, ev.value);
0592         bytes += input_event_size();
0593         cond_resched();
0594     }
0595
0596     return bytes;
0597 }
0598
0599 static ssize_t uinput_write(struct file *file, const char __user *buffer,
0600                 size_t count, loff_t *ppos)
0601 {
0602     struct uinput_device *udev = file->private_data;
0603     int retval;
0604
0605     if (count == 0)
0606         return 0;
0607
0608     retval = mutex_lock_interruptible(&udev->mutex);
0609     if (retval)
0610         return retval;
0611
0612     retval = udev->state == UIST_CREATED ?
0613             uinput_inject_events(udev, buffer, count) :
0614             uinput_setup_device_legacy(udev, buffer, count);
0615
0616     mutex_unlock(&udev->mutex);
0617
0618     return retval;
0619 }
0620
0621 static bool uinput_fetch_next_event(struct uinput_device *udev,
0622                     struct input_event *event)
0623 {
0624     bool have_event;
0625
0626     spin_lock_irq(&udev->dev->event_lock);
0627
0628     have_event = udev->head != udev->tail;
0629     if (have_event) {
0630         *event = udev->buff[udev->tail];
0631         udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE;
0632     }
0633
0634     spin_unlock_irq(&udev->dev->event_lock);
0635
0636     return have_event;
0637 }
0638
0639 static ssize_t uinput_events_to_user(struct uinput_device *udev,
0640                      char __user *buffer, size_t count)
0641 {
0642     struct input_event event;
0643     size_t read = 0;
0644
0645     while (read + input_event_size() <= count &&
0646            uinput_fetch_next_event(udev, &event)) {
0647
0648         if (input_event_to_user(buffer + read, &event))
0649             return -EFAULT;
0650
0651         read += input_event_size();
0652     }
0653
0654     return read;
0655 }
0656
0657 static ssize_t uinput_read(struct file *file, char __user *buffer,
0658                size_t count, loff_t *ppos)
0659 {
0660     struct uinput_device *udev = file->private_data;
0661     ssize_t retval;
0662
0663     if (count != 0 && count < input_event_size())
0664         return -EINVAL;
0665
0666     do {
0667         retval = mutex_lock_interruptible(&udev->mutex);
0668         if (retval)
0669             return retval;
0670
0671         if (udev->state != UIST_CREATED)
0672             retval = -ENODEV;
0673         else if (udev->head == udev->tail &&
0674              (file->f_flags & O_NONBLOCK))
0675             retval = -EAGAIN;
0676         else
0677             retval = uinput_events_to_user(udev, buffer, count);
0678
0679         mutex_unlock(&udev->mutex);
0680
0681         if (retval || count == 0)
0682             break;
0683
0684         if (!(file->f_flags & O_NONBLOCK))
0685             retval = wait_event_interruptible(udev->waitq,
0686                           udev->head != udev->tail ||
0687                           udev->state != UIST_CREATED);
0688     } while (retval == 0);
0689
0690     return retval;
0691 }
0692
0693 static __poll_t uinput_poll(struct file *file, poll_table *wait)
0694 {
0695     struct uinput_device *udev = file->private_data;
0696     __poll_t mask = EPOLLOUT | EPOLLWRNORM; /* uinput is always writable */
0697
0698     poll_wait(file, &udev->waitq, wait);
0699
0700     if (udev->head != udev->tail)
0701         mask |= EPOLLIN | EPOLLRDNORM;
0702
0703     return mask;
0704 }
0705
0706 static int uinput_release(struct inode *inode, struct file *file)
0707 {
0708     struct uinput_device *udev = file->private_data;
0709
0710     uinput_destroy_device(udev);
0711     kfree(udev);
0712
0713     return 0;
0714 }
0715
0716 #ifdef CONFIG_COMPAT
0717 struct uinput_ff_upload_compat {
0718     __u32           request_id;
0719     __s32           retval;
0720     struct ff_effect_compat effect;
0721     struct ff_effect_compat old;
0722 };
0723
0724 static int uinput_ff_upload_to_user(char __user *buffer,
0725                     const struct uinput_ff_upload *ff_up)
0726 {
0727     if (in_compat_syscall()) {
0728         struct uinput_ff_upload_compat ff_up_compat;
0729
0730         ff_up_compat.request_id = ff_up->request_id;
0731         ff_up_compat.retval = ff_up->retval;
0732         /*
0733          * It so happens that the pointer that gives us the trouble
0734          * is the last field in the structure. Since we don't support
0735          * custom waveforms in uinput anyway we can just copy the whole
0736          * thing (to the compat size) and ignore the pointer.
0737          */
0738         memcpy(&ff_up_compat.effect, &ff_up->effect,
0739             sizeof(struct ff_effect_compat));
0740         memcpy(&ff_up_compat.old, &ff_up->old,
0741             sizeof(struct ff_effect_compat));
0742
0743         if (copy_to_user(buffer, &ff_up_compat,
0744                  sizeof(struct uinput_ff_upload_compat)))
0745             return -EFAULT;
0746     } else {
0747         if (copy_to_user(buffer, ff_up,
0748                  sizeof(struct uinput_ff_upload)))
0749             return -EFAULT;
0750     }
0751
0752     return 0;
0753 }
0754
0755 static int uinput_ff_upload_from_user(const char __user *buffer,
0756                       struct uinput_ff_upload *ff_up)
0757 {
0758     if (in_compat_syscall()) {
0759         struct uinput_ff_upload_compat ff_up_compat;
0760
0761         if (copy_from_user(&ff_up_compat, buffer,
0762                    sizeof(struct uinput_ff_upload_compat)))
0763             return -EFAULT;
0764
0765         ff_up->request_id = ff_up_compat.request_id;
0766         ff_up->retval = ff_up_compat.retval;
0767         memcpy(&ff_up->effect, &ff_up_compat.effect,
0768             sizeof(struct ff_effect_compat));
0769         memcpy(&ff_up->old, &ff_up_compat.old,
0770             sizeof(struct ff_effect_compat));
0771
0772     } else {
0773         if (copy_from_user(ff_up, buffer,
0774                    sizeof(struct uinput_ff_upload)))
0775             return -EFAULT;
0776     }
0777
0778     return 0;
0779 }
0780
0781 #else
0782
0783 static int uinput_ff_upload_to_user(char __user *buffer,
0784                     const struct uinput_ff_upload *ff_up)
0785 {
0786     if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload)))
0787         return -EFAULT;
0788
0789     return 0;
0790 }
0791
0792 static int uinput_ff_upload_from_user(const char __user *buffer,
0793                       struct uinput_ff_upload *ff_up)
0794 {
0795     if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload)))
0796         return -EFAULT;
0797
0798     return 0;
0799 }
0800
0801 #endif
0802
0803 #define uinput_set_bit(_arg, _bit, _max)        \
0804 ({                          \
0805     int __ret = 0;                  \
0806     if (udev->state == UIST_CREATED)        \
0807         __ret =  -EINVAL;           \
0808     else if ((_arg) > (_max))           \
0809         __ret = -EINVAL;            \
0810     else set_bit((_arg), udev->dev->_bit);      \
0811     __ret;                      \
0812 })
0813
0814 static int uinput_str_to_user(void __user *dest, const char *str,
0815                   unsigned int maxlen)
0816 {
0817     char __user *p = dest;
0818     int len, ret;
0819
0820     if (!str)
0821         return -ENOENT;
0822
0823     if (maxlen == 0)
0824         return -EINVAL;
0825
0826     len = strlen(str) + 1;
0827     if (len > maxlen)
0828         len = maxlen;
0829
0830     ret = copy_to_user(p, str, len);
0831     if (ret)
0832         return -EFAULT;
0833
0834     /* force terminating '\0' */
0835     ret = put_user(0, p + len - 1);
0836     return ret ? -EFAULT : len;
0837 }
0838
0839 static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
0840                  unsigned long arg, void __user *p)
0841 {
0842     int         retval;
0843     struct uinput_device    *udev = file->private_data;
0844     struct uinput_ff_upload ff_up;
0845     struct uinput_ff_erase  ff_erase;
0846     struct uinput_request   *req;
0847     char            *phys;
0848     const char      *name;
0849     unsigned int        size;
0850
0851     retval = mutex_lock_interruptible(&udev->mutex);
0852     if (retval)
0853         return retval;
0854
0855     if (!udev->dev) {
0856         udev->dev = input_allocate_device();
0857         if (!udev->dev) {
0858             retval = -ENOMEM;
0859             goto out;
0860         }
0861     }
0862
0863     switch (cmd) {
0864     case UI_GET_VERSION:
0865         if (put_user(UINPUT_VERSION, (unsigned int __user *)p))
0866             retval = -EFAULT;
0867         goto out;
0868
0869     case UI_DEV_CREATE:
0870         retval = uinput_create_device(udev);
0871         goto out;
0872
0873     case UI_DEV_DESTROY:
0874         uinput_destroy_device(udev);
0875         goto out;
0876
0877     case UI_DEV_SETUP:
0878         retval = uinput_dev_setup(udev, p);
0879         goto out;
0880
0881     /* UI_ABS_SETUP is handled in the variable size ioctls */
0882
0883     case UI_SET_EVBIT:
0884         retval = uinput_set_bit(arg, evbit, EV_MAX);
0885         goto out;
0886
0887     case UI_SET_KEYBIT:
0888         retval = uinput_set_bit(arg, keybit, KEY_MAX);
0889         goto out;
0890
0891     case UI_SET_RELBIT:
0892         retval = uinput_set_bit(arg, relbit, REL_MAX);
0893         goto out;
0894
0895     case UI_SET_ABSBIT:
0896         retval = uinput_set_bit(arg, absbit, ABS_MAX);
0897         goto out;
0898
0899     case UI_SET_MSCBIT:
0900         retval = uinput_set_bit(arg, mscbit, MSC_MAX);
0901         goto out;
0902
0903     case UI_SET_LEDBIT:
0904         retval = uinput_set_bit(arg, ledbit, LED_MAX);
0905         goto out;
0906
0907     case UI_SET_SNDBIT:
0908         retval = uinput_set_bit(arg, sndbit, SND_MAX);
0909         goto out;
0910
0911     case UI_SET_FFBIT:
0912         retval = uinput_set_bit(arg, ffbit, FF_MAX);
0913         goto out;
0914
0915     case UI_SET_SWBIT:
0916         retval = uinput_set_bit(arg, swbit, SW_MAX);
0917         goto out;
0918
0919     case UI_SET_PROPBIT:
0920         retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX);
0921         goto out;
0922
0923     case UI_SET_PHYS:
0924         if (udev->state == UIST_CREATED) {
0925             retval = -EINVAL;
0926             goto out;
0927         }
0928
0929         phys = strndup_user(p, 1024);
0930         if (IS_ERR(phys)) {
0931             retval = PTR_ERR(phys);
0932             goto out;
0933         }
0934
0935         kfree(udev->dev->phys);
0936         udev->dev->phys = phys;
0937         goto out;
0938
0939     case UI_BEGIN_FF_UPLOAD:
0940         retval = uinput_ff_upload_from_user(p, &ff_up);
0941         if (retval)
0942             goto out;
0943
0944         req = uinput_request_find(udev, ff_up.request_id);
0945         if (!req || req->code != UI_FF_UPLOAD ||
0946             !req->u.upload.effect) {
0947             retval = -EINVAL;
0948             goto out;
0949         }
0950
0951         ff_up.retval = 0;
0952         ff_up.effect = *req->u.upload.effect;
0953         if (req->u.upload.old)
0954             ff_up.old = *req->u.upload.old;
0955         else
0956             memset(&ff_up.old, 0, sizeof(struct ff_effect));
0957
0958         retval = uinput_ff_upload_to_user(p, &ff_up);
0959         goto out;
0960
0961     case UI_BEGIN_FF_ERASE:
0962         if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
0963             retval = -EFAULT;
0964             goto out;
0965         }
0966
0967         req = uinput_request_find(udev, ff_erase.request_id);
0968         if (!req || req->code != UI_FF_ERASE) {
0969             retval = -EINVAL;
0970             goto out;
0971         }
0972
0973         ff_erase.retval = 0;
0974         ff_erase.effect_id = req->u.effect_id;
0975         if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) {
0976             retval = -EFAULT;
0977             goto out;
0978         }
0979
0980         goto out;
0981
0982     case UI_END_FF_UPLOAD:
0983         retval = uinput_ff_upload_from_user(p, &ff_up);
0984         if (retval)
0985             goto out;
0986
0987         req = uinput_request_find(udev, ff_up.request_id);
0988         if (!req || req->code != UI_FF_UPLOAD ||
0989             !req->u.upload.effect) {
0990             retval = -EINVAL;
0991             goto out;
0992         }
0993
0994         req->retval = ff_up.retval;
0995         complete(&req->done);
0996         goto out;
0997
0998     case UI_END_FF_ERASE:
0999         if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) {
1000             retval = -EFAULT;
1001             goto out;
1002         }
1003
1004         req = uinput_request_find(udev, ff_erase.request_id);
1005         if (!req || req->code != UI_FF_ERASE) {
1006             retval = -EINVAL;
1007             goto out;
1008         }
1009
1010         req->retval = ff_erase.retval;
1011         complete(&req->done);
1012         goto out;
1013     }
1014
1015     size = _IOC_SIZE(cmd);
1016
1017     /* Now check variable-length commands */
1018     switch (cmd & ~IOCSIZE_MASK) {
1019     case UI_GET_SYSNAME(0):
1020         if (udev->state != UIST_CREATED) {
1021             retval = -ENOENT;
1022             goto out;
1023         }
1024         name = dev_name(&udev->dev->dev);
1025         retval = uinput_str_to_user(p, name, size);
1026         goto out;
1027
1028     case UI_ABS_SETUP & ~IOCSIZE_MASK:
1029         retval = uinput_abs_setup(udev, p, size);
1030         goto out;
1031     }
1032
1033     retval = -EINVAL;
1034  out:
1035     mutex_unlock(&udev->mutex);
1036     return retval;
1037 }
1038
1039 static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1040 {
1041     return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg);
1042 }
1043
1044 #ifdef CONFIG_COMPAT
1045
1046 /*
1047  * These IOCTLs change their size and thus their numbers between
1048  * 32 and 64 bits.
1049  */
1050 #define UI_SET_PHYS_COMPAT      \
1051     _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
1052 #define UI_BEGIN_FF_UPLOAD_COMPAT   \
1053     _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
1054 #define UI_END_FF_UPLOAD_COMPAT     \
1055     _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
1056
1057 static long uinput_compat_ioctl(struct file *file,
1058                 unsigned int cmd, unsigned long arg)
1059 {
1060     switch (cmd) {
1061     case UI_SET_PHYS_COMPAT:
1062         cmd = UI_SET_PHYS;
1063         break;
1064     case UI_BEGIN_FF_UPLOAD_COMPAT:
1065         cmd = UI_BEGIN_FF_UPLOAD;
1066         break;
1067     case UI_END_FF_UPLOAD_COMPAT:
1068         cmd = UI_END_FF_UPLOAD;
1069         break;
1070     }
1071
1072     return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
1073 }
1074 #endif
1075
1076 static const struct file_operations uinput_fops = {
1077     .owner      = THIS_MODULE,
1078     .open       = uinput_open,
1079     .release    = uinput_release,
1080     .read       = uinput_read,
1081     .write      = uinput_write,
1082     .poll       = uinput_poll,
1083     .unlocked_ioctl = uinput_ioctl,
1084 #ifdef CONFIG_COMPAT
1085     .compat_ioctl   = uinput_compat_ioctl,
1086 #endif
1087     .llseek     = no_llseek,
1088 };
1089
1090 static struct miscdevice uinput_misc = {
1091     .fops       = &uinput_fops,
1092     .minor      = UINPUT_MINOR,
1093     .name       = UINPUT_NAME,
1094 };
1095 module_misc_device(uinput_misc);
1096
1097 MODULE_ALIAS_MISCDEV(UINPUT_MINOR);
1098 MODULE_ALIAS("devname:" UINPUT_NAME);
1099
1100 MODULE_AUTHOR("Aristeu Sergio Rozanski Filho");
1101 MODULE_DESCRIPTION("User level driver support for input subsystem");
1102 MODULE_LICENSE("GPL");