uinput.c (24929B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * User level driver support for input subsystem 4 * 5 * Heavily based on evdev.c by Vojtech Pavlik 6 * 7 * Author: Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org> 8 * 9 * Changes/Revisions: 10 * 0.4 01/09/2014 (Benjamin Tissoires <benjamin.tissoires@redhat.com>) 11 * - add UI_GET_SYSNAME ioctl 12 * 0.3 09/04/2006 (Anssi Hannula <anssi.hannula@gmail.com>) 13 * - updated ff support for the changes in kernel interface 14 * - added MODULE_VERSION 15 * 0.2 16/10/2004 (Micah Dowty <micah@navi.cx>) 16 * - added force feedback support 17 * - added UI_SET_PHYS 18 * 0.1 20/06/2002 19 * - first public version 20 */ 21#include <uapi/linux/uinput.h> 22#include <linux/poll.h> 23#include <linux/sched.h> 24#include <linux/slab.h> 25#include <linux/module.h> 26#include <linux/init.h> 27#include <linux/fs.h> 28#include <linux/miscdevice.h> 29#include <linux/overflow.h> 30#include <linux/input/mt.h> 31#include "../input-compat.h" 32 33#define UINPUT_NAME "uinput" 34#define UINPUT_BUFFER_SIZE 16 35#define UINPUT_NUM_REQUESTS 16 36 37enum uinput_state { UIST_NEW_DEVICE, UIST_SETUP_COMPLETE, UIST_CREATED }; 38 39struct uinput_request { 40 unsigned int id; 41 unsigned int code; /* UI_FF_UPLOAD, UI_FF_ERASE */ 42 43 int retval; 44 struct completion done; 45 46 union { 47 unsigned int effect_id; 48 struct { 49 struct ff_effect *effect; 50 struct ff_effect *old; 51 } upload; 52 } u; 53}; 54 55struct uinput_device { 56 struct input_dev *dev; 57 struct mutex mutex; 58 enum uinput_state state; 59 wait_queue_head_t waitq; 60 unsigned char ready; 61 unsigned char head; 62 unsigned char tail; 63 struct input_event buff[UINPUT_BUFFER_SIZE]; 64 unsigned int ff_effects_max; 65 66 struct uinput_request *requests[UINPUT_NUM_REQUESTS]; 67 wait_queue_head_t requests_waitq; 68 spinlock_t requests_lock; 69}; 70 71static int uinput_dev_event(struct input_dev *dev, 72 unsigned int type, unsigned int code, int value) 73{ 74 struct uinput_device *udev = input_get_drvdata(dev); 75 struct timespec64 ts; 76 77 ktime_get_ts64(&ts); 78 79 udev->buff[udev->head] = (struct input_event) { 80 .input_event_sec = ts.tv_sec, 81 .input_event_usec = ts.tv_nsec / NSEC_PER_USEC, 82 .type = type, 83 .code = code, 84 .value = value, 85 }; 86 87 udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE; 88 89 wake_up_interruptible(&udev->waitq); 90 91 return 0; 92} 93 94/* Atomically allocate an ID for the given request. Returns 0 on success. */ 95static bool uinput_request_alloc_id(struct uinput_device *udev, 96 struct uinput_request *request) 97{ 98 unsigned int id; 99 bool reserved = false; 100 101 spin_lock(&udev->requests_lock); 102 103 for (id = 0; id < UINPUT_NUM_REQUESTS; id++) { 104 if (!udev->requests[id]) { 105 request->id = id; 106 udev->requests[id] = request; 107 reserved = true; 108 break; 109 } 110 } 111 112 spin_unlock(&udev->requests_lock); 113 return reserved; 114} 115 116static struct uinput_request *uinput_request_find(struct uinput_device *udev, 117 unsigned int id) 118{ 119 /* Find an input request, by ID. Returns NULL if the ID isn't valid. */ 120 if (id >= UINPUT_NUM_REQUESTS) 121 return NULL; 122 123 return udev->requests[id]; 124} 125 126static int uinput_request_reserve_slot(struct uinput_device *udev, 127 struct uinput_request *request) 128{ 129 /* Allocate slot. If none are available right away, wait. */ 130 return wait_event_interruptible(udev->requests_waitq, 131 uinput_request_alloc_id(udev, request)); 132} 133 134static void uinput_request_release_slot(struct uinput_device *udev, 135 unsigned int id) 136{ 137 /* Mark slot as available */ 138 spin_lock(&udev->requests_lock); 139 udev->requests[id] = NULL; 140 spin_unlock(&udev->requests_lock); 141 142 wake_up(&udev->requests_waitq); 143} 144 145static int uinput_request_send(struct uinput_device *udev, 146 struct uinput_request *request) 147{ 148 int retval; 149 150 retval = mutex_lock_interruptible(&udev->mutex); 151 if (retval) 152 return retval; 153 154 if (udev->state != UIST_CREATED) { 155 retval = -ENODEV; 156 goto out; 157 } 158 159 init_completion(&request->done); 160 161 /* 162 * Tell our userspace application about this new request 163 * by queueing an input event. 164 */ 165 uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); 166 167 out: 168 mutex_unlock(&udev->mutex); 169 return retval; 170} 171 172static int uinput_request_submit(struct uinput_device *udev, 173 struct uinput_request *request) 174{ 175 int retval; 176 177 retval = uinput_request_reserve_slot(udev, request); 178 if (retval) 179 return retval; 180 181 retval = uinput_request_send(udev, request); 182 if (retval) 183 goto out; 184 185 if (!wait_for_completion_timeout(&request->done, 30 * HZ)) { 186 retval = -ETIMEDOUT; 187 goto out; 188 } 189 190 retval = request->retval; 191 192 out: 193 uinput_request_release_slot(udev, request->id); 194 return retval; 195} 196 197/* 198 * Fail all outstanding requests so handlers don't wait for the userspace 199 * to finish processing them. 200 */ 201static void uinput_flush_requests(struct uinput_device *udev) 202{ 203 struct uinput_request *request; 204 int i; 205 206 spin_lock(&udev->requests_lock); 207 208 for (i = 0; i < UINPUT_NUM_REQUESTS; i++) { 209 request = udev->requests[i]; 210 if (request) { 211 request->retval = -ENODEV; 212 complete(&request->done); 213 } 214 } 215 216 spin_unlock(&udev->requests_lock); 217} 218 219static void uinput_dev_set_gain(struct input_dev *dev, u16 gain) 220{ 221 uinput_dev_event(dev, EV_FF, FF_GAIN, gain); 222} 223 224static void uinput_dev_set_autocenter(struct input_dev *dev, u16 magnitude) 225{ 226 uinput_dev_event(dev, EV_FF, FF_AUTOCENTER, magnitude); 227} 228 229static int uinput_dev_playback(struct input_dev *dev, int effect_id, int value) 230{ 231 return uinput_dev_event(dev, EV_FF, effect_id, value); 232} 233 234static int uinput_dev_upload_effect(struct input_dev *dev, 235 struct ff_effect *effect, 236 struct ff_effect *old) 237{ 238 struct uinput_device *udev = input_get_drvdata(dev); 239 struct uinput_request request; 240 241 /* 242 * uinput driver does not currently support periodic effects with 243 * custom waveform since it does not have a way to pass buffer of 244 * samples (custom_data) to userspace. If ever there is a device 245 * supporting custom waveforms we would need to define an additional 246 * ioctl (UI_UPLOAD_SAMPLES) but for now we just bail out. 247 */ 248 if (effect->type == FF_PERIODIC && 249 effect->u.periodic.waveform == FF_CUSTOM) 250 return -EINVAL; 251 252 request.code = UI_FF_UPLOAD; 253 request.u.upload.effect = effect; 254 request.u.upload.old = old; 255 256 return uinput_request_submit(udev, &request); 257} 258 259static int uinput_dev_erase_effect(struct input_dev *dev, int effect_id) 260{ 261 struct uinput_device *udev = input_get_drvdata(dev); 262 struct uinput_request request; 263 264 if (!test_bit(EV_FF, dev->evbit)) 265 return -ENOSYS; 266 267 request.code = UI_FF_ERASE; 268 request.u.effect_id = effect_id; 269 270 return uinput_request_submit(udev, &request); 271} 272 273static int uinput_dev_flush(struct input_dev *dev, struct file *file) 274{ 275 /* 276 * If we are called with file == NULL that means we are tearing 277 * down the device, and therefore we can not handle FF erase 278 * requests: either we are handling UI_DEV_DESTROY (and holding 279 * the udev->mutex), or the file descriptor is closed and there is 280 * nobody on the other side anymore. 281 */ 282 return file ? input_ff_flush(dev, file) : 0; 283} 284 285static void uinput_destroy_device(struct uinput_device *udev) 286{ 287 const char *name, *phys; 288 struct input_dev *dev = udev->dev; 289 enum uinput_state old_state = udev->state; 290 291 udev->state = UIST_NEW_DEVICE; 292 293 if (dev) { 294 name = dev->name; 295 phys = dev->phys; 296 if (old_state == UIST_CREATED) { 297 uinput_flush_requests(udev); 298 input_unregister_device(dev); 299 } else { 300 input_free_device(dev); 301 } 302 kfree(name); 303 kfree(phys); 304 udev->dev = NULL; 305 } 306} 307 308static int uinput_create_device(struct uinput_device *udev) 309{ 310 struct input_dev *dev = udev->dev; 311 int error, nslot; 312 313 if (udev->state != UIST_SETUP_COMPLETE) { 314 printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME); 315 return -EINVAL; 316 } 317 318 if (test_bit(EV_ABS, dev->evbit)) { 319 input_alloc_absinfo(dev); 320 if (!dev->absinfo) { 321 error = -EINVAL; 322 goto fail1; 323 } 324 325 if (test_bit(ABS_MT_SLOT, dev->absbit)) { 326 nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; 327 error = input_mt_init_slots(dev, nslot, 0); 328 if (error) 329 goto fail1; 330 } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { 331 input_set_events_per_packet(dev, 60); 332 } 333 } 334 335 if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { 336 printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n", 337 UINPUT_NAME); 338 error = -EINVAL; 339 goto fail1; 340 } 341 342 if (udev->ff_effects_max) { 343 error = input_ff_create(dev, udev->ff_effects_max); 344 if (error) 345 goto fail1; 346 347 dev->ff->upload = uinput_dev_upload_effect; 348 dev->ff->erase = uinput_dev_erase_effect; 349 dev->ff->playback = uinput_dev_playback; 350 dev->ff->set_gain = uinput_dev_set_gain; 351 dev->ff->set_autocenter = uinput_dev_set_autocenter; 352 /* 353 * The standard input_ff_flush() implementation does 354 * not quite work for uinput as we can't reasonably 355 * handle FF requests during device teardown. 356 */ 357 dev->flush = uinput_dev_flush; 358 } 359 360 dev->event = uinput_dev_event; 361 362 input_set_drvdata(udev->dev, udev); 363 364 error = input_register_device(udev->dev); 365 if (error) 366 goto fail2; 367 368 udev->state = UIST_CREATED; 369 370 return 0; 371 372 fail2: input_ff_destroy(dev); 373 fail1: uinput_destroy_device(udev); 374 return error; 375} 376 377static int uinput_open(struct inode *inode, struct file *file) 378{ 379 struct uinput_device *newdev; 380 381 newdev = kzalloc(sizeof(struct uinput_device), GFP_KERNEL); 382 if (!newdev) 383 return -ENOMEM; 384 385 mutex_init(&newdev->mutex); 386 spin_lock_init(&newdev->requests_lock); 387 init_waitqueue_head(&newdev->requests_waitq); 388 init_waitqueue_head(&newdev->waitq); 389 newdev->state = UIST_NEW_DEVICE; 390 391 file->private_data = newdev; 392 stream_open(inode, file); 393 394 return 0; 395} 396 397static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, 398 const struct input_absinfo *abs) 399{ 400 int min, max, range; 401 402 min = abs->minimum; 403 max = abs->maximum; 404 405 if ((min != 0 || max != 0) && max < min) { 406 printk(KERN_DEBUG 407 "%s: invalid abs[%02x] min:%d max:%d\n", 408 UINPUT_NAME, code, min, max); 409 return -EINVAL; 410 } 411 412 if (!check_sub_overflow(max, min, &range) && abs->flat > range) { 413 printk(KERN_DEBUG 414 "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", 415 UINPUT_NAME, code, abs->flat, min, max); 416 return -EINVAL; 417 } 418 419 return 0; 420} 421 422static int uinput_validate_absbits(struct input_dev *dev) 423{ 424 unsigned int cnt; 425 int error; 426 427 if (!test_bit(EV_ABS, dev->evbit)) 428 return 0; 429 430 /* 431 * Check if absmin/absmax/absfuzz/absflat are sane. 432 */ 433 434 for_each_set_bit(cnt, dev->absbit, ABS_CNT) { 435 if (!dev->absinfo) 436 return -EINVAL; 437 438 error = uinput_validate_absinfo(dev, cnt, &dev->absinfo[cnt]); 439 if (error) 440 return error; 441 } 442 443 return 0; 444} 445 446static int uinput_dev_setup(struct uinput_device *udev, 447 struct uinput_setup __user *arg) 448{ 449 struct uinput_setup setup; 450 struct input_dev *dev; 451 452 if (udev->state == UIST_CREATED) 453 return -EINVAL; 454 455 if (copy_from_user(&setup, arg, sizeof(setup))) 456 return -EFAULT; 457 458 if (!setup.name[0]) 459 return -EINVAL; 460 461 dev = udev->dev; 462 dev->id = setup.id; 463 udev->ff_effects_max = setup.ff_effects_max; 464 465 kfree(dev->name); 466 dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL); 467 if (!dev->name) 468 return -ENOMEM; 469 470 udev->state = UIST_SETUP_COMPLETE; 471 return 0; 472} 473 474static int uinput_abs_setup(struct uinput_device *udev, 475 struct uinput_setup __user *arg, size_t size) 476{ 477 struct uinput_abs_setup setup = {}; 478 struct input_dev *dev; 479 int error; 480 481 if (size > sizeof(setup)) 482 return -E2BIG; 483 484 if (udev->state == UIST_CREATED) 485 return -EINVAL; 486 487 if (copy_from_user(&setup, arg, size)) 488 return -EFAULT; 489 490 if (setup.code > ABS_MAX) 491 return -ERANGE; 492 493 dev = udev->dev; 494 495 error = uinput_validate_absinfo(dev, setup.code, &setup.absinfo); 496 if (error) 497 return error; 498 499 input_alloc_absinfo(dev); 500 if (!dev->absinfo) 501 return -ENOMEM; 502 503 set_bit(setup.code, dev->absbit); 504 dev->absinfo[setup.code] = setup.absinfo; 505 return 0; 506} 507 508/* legacy setup via write() */ 509static int uinput_setup_device_legacy(struct uinput_device *udev, 510 const char __user *buffer, size_t count) 511{ 512 struct uinput_user_dev *user_dev; 513 struct input_dev *dev; 514 int i; 515 int retval; 516 517 if (count != sizeof(struct uinput_user_dev)) 518 return -EINVAL; 519 520 if (!udev->dev) { 521 udev->dev = input_allocate_device(); 522 if (!udev->dev) 523 return -ENOMEM; 524 } 525 526 dev = udev->dev; 527 528 user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev)); 529 if (IS_ERR(user_dev)) 530 return PTR_ERR(user_dev); 531 532 udev->ff_effects_max = user_dev->ff_effects_max; 533 534 /* Ensure name is filled in */ 535 if (!user_dev->name[0]) { 536 retval = -EINVAL; 537 goto exit; 538 } 539 540 kfree(dev->name); 541 dev->name = kstrndup(user_dev->name, UINPUT_MAX_NAME_SIZE, 542 GFP_KERNEL); 543 if (!dev->name) { 544 retval = -ENOMEM; 545 goto exit; 546 } 547 548 dev->id.bustype = user_dev->id.bustype; 549 dev->id.vendor = user_dev->id.vendor; 550 dev->id.product = user_dev->id.product; 551 dev->id.version = user_dev->id.version; 552 553 for (i = 0; i < ABS_CNT; i++) { 554 input_abs_set_max(dev, i, user_dev->absmax[i]); 555 input_abs_set_min(dev, i, user_dev->absmin[i]); 556 input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]); 557 input_abs_set_flat(dev, i, user_dev->absflat[i]); 558 } 559 560 retval = uinput_validate_absbits(dev); 561 if (retval < 0) 562 goto exit; 563 564 udev->state = UIST_SETUP_COMPLETE; 565 retval = count; 566 567 exit: 568 kfree(user_dev); 569 return retval; 570} 571 572static ssize_t uinput_inject_events(struct uinput_device *udev, 573 const char __user *buffer, size_t count) 574{ 575 struct input_event ev; 576 size_t bytes = 0; 577 578 if (count != 0 && count < input_event_size()) 579 return -EINVAL; 580 581 while (bytes + input_event_size() <= count) { 582 /* 583 * Note that even if some events were fetched successfully 584 * we are still going to return EFAULT instead of partial 585 * count to let userspace know that it got it's buffers 586 * all wrong. 587 */ 588 if (input_event_from_user(buffer + bytes, &ev)) 589 return -EFAULT; 590 591 input_event(udev->dev, ev.type, ev.code, ev.value); 592 bytes += input_event_size(); 593 cond_resched(); 594 } 595 596 return bytes; 597} 598 599static ssize_t uinput_write(struct file *file, const char __user *buffer, 600 size_t count, loff_t *ppos) 601{ 602 struct uinput_device *udev = file->private_data; 603 int retval; 604 605 if (count == 0) 606 return 0; 607 608 retval = mutex_lock_interruptible(&udev->mutex); 609 if (retval) 610 return retval; 611 612 retval = udev->state == UIST_CREATED ? 613 uinput_inject_events(udev, buffer, count) : 614 uinput_setup_device_legacy(udev, buffer, count); 615 616 mutex_unlock(&udev->mutex); 617 618 return retval; 619} 620 621static bool uinput_fetch_next_event(struct uinput_device *udev, 622 struct input_event *event) 623{ 624 bool have_event; 625 626 spin_lock_irq(&udev->dev->event_lock); 627 628 have_event = udev->head != udev->tail; 629 if (have_event) { 630 *event = udev->buff[udev->tail]; 631 udev->tail = (udev->tail + 1) % UINPUT_BUFFER_SIZE; 632 } 633 634 spin_unlock_irq(&udev->dev->event_lock); 635 636 return have_event; 637} 638 639static ssize_t uinput_events_to_user(struct uinput_device *udev, 640 char __user *buffer, size_t count) 641{ 642 struct input_event event; 643 size_t read = 0; 644 645 while (read + input_event_size() <= count && 646 uinput_fetch_next_event(udev, &event)) { 647 648 if (input_event_to_user(buffer + read, &event)) 649 return -EFAULT; 650 651 read += input_event_size(); 652 } 653 654 return read; 655} 656 657static ssize_t uinput_read(struct file *file, char __user *buffer, 658 size_t count, loff_t *ppos) 659{ 660 struct uinput_device *udev = file->private_data; 661 ssize_t retval; 662 663 if (count != 0 && count < input_event_size()) 664 return -EINVAL; 665 666 do { 667 retval = mutex_lock_interruptible(&udev->mutex); 668 if (retval) 669 return retval; 670 671 if (udev->state != UIST_CREATED) 672 retval = -ENODEV; 673 else if (udev->head == udev->tail && 674 (file->f_flags & O_NONBLOCK)) 675 retval = -EAGAIN; 676 else 677 retval = uinput_events_to_user(udev, buffer, count); 678 679 mutex_unlock(&udev->mutex); 680 681 if (retval || count == 0) 682 break; 683 684 if (!(file->f_flags & O_NONBLOCK)) 685 retval = wait_event_interruptible(udev->waitq, 686 udev->head != udev->tail || 687 udev->state != UIST_CREATED); 688 } while (retval == 0); 689 690 return retval; 691} 692 693static __poll_t uinput_poll(struct file *file, poll_table *wait) 694{ 695 struct uinput_device *udev = file->private_data; 696 __poll_t mask = EPOLLOUT | EPOLLWRNORM; /* uinput is always writable */ 697 698 poll_wait(file, &udev->waitq, wait); 699 700 if (udev->head != udev->tail) 701 mask |= EPOLLIN | EPOLLRDNORM; 702 703 return mask; 704} 705 706static int uinput_release(struct inode *inode, struct file *file) 707{ 708 struct uinput_device *udev = file->private_data; 709 710 uinput_destroy_device(udev); 711 kfree(udev); 712 713 return 0; 714} 715 716#ifdef CONFIG_COMPAT 717struct uinput_ff_upload_compat { 718 __u32 request_id; 719 __s32 retval; 720 struct ff_effect_compat effect; 721 struct ff_effect_compat old; 722}; 723 724static int uinput_ff_upload_to_user(char __user *buffer, 725 const struct uinput_ff_upload *ff_up) 726{ 727 if (in_compat_syscall()) { 728 struct uinput_ff_upload_compat ff_up_compat; 729 730 ff_up_compat.request_id = ff_up->request_id; 731 ff_up_compat.retval = ff_up->retval; 732 /* 733 * It so happens that the pointer that gives us the trouble 734 * is the last field in the structure. Since we don't support 735 * custom waveforms in uinput anyway we can just copy the whole 736 * thing (to the compat size) and ignore the pointer. 737 */ 738 memcpy(&ff_up_compat.effect, &ff_up->effect, 739 sizeof(struct ff_effect_compat)); 740 memcpy(&ff_up_compat.old, &ff_up->old, 741 sizeof(struct ff_effect_compat)); 742 743 if (copy_to_user(buffer, &ff_up_compat, 744 sizeof(struct uinput_ff_upload_compat))) 745 return -EFAULT; 746 } else { 747 if (copy_to_user(buffer, ff_up, 748 sizeof(struct uinput_ff_upload))) 749 return -EFAULT; 750 } 751 752 return 0; 753} 754 755static int uinput_ff_upload_from_user(const char __user *buffer, 756 struct uinput_ff_upload *ff_up) 757{ 758 if (in_compat_syscall()) { 759 struct uinput_ff_upload_compat ff_up_compat; 760 761 if (copy_from_user(&ff_up_compat, buffer, 762 sizeof(struct uinput_ff_upload_compat))) 763 return -EFAULT; 764 765 ff_up->request_id = ff_up_compat.request_id; 766 ff_up->retval = ff_up_compat.retval; 767 memcpy(&ff_up->effect, &ff_up_compat.effect, 768 sizeof(struct ff_effect_compat)); 769 memcpy(&ff_up->old, &ff_up_compat.old, 770 sizeof(struct ff_effect_compat)); 771 772 } else { 773 if (copy_from_user(ff_up, buffer, 774 sizeof(struct uinput_ff_upload))) 775 return -EFAULT; 776 } 777 778 return 0; 779} 780 781#else 782 783static int uinput_ff_upload_to_user(char __user *buffer, 784 const struct uinput_ff_upload *ff_up) 785{ 786 if (copy_to_user(buffer, ff_up, sizeof(struct uinput_ff_upload))) 787 return -EFAULT; 788 789 return 0; 790} 791 792static int uinput_ff_upload_from_user(const char __user *buffer, 793 struct uinput_ff_upload *ff_up) 794{ 795 if (copy_from_user(ff_up, buffer, sizeof(struct uinput_ff_upload))) 796 return -EFAULT; 797 798 return 0; 799} 800 801#endif 802 803#define uinput_set_bit(_arg, _bit, _max) \ 804({ \ 805 int __ret = 0; \ 806 if (udev->state == UIST_CREATED) \ 807 __ret = -EINVAL; \ 808 else if ((_arg) > (_max)) \ 809 __ret = -EINVAL; \ 810 else set_bit((_arg), udev->dev->_bit); \ 811 __ret; \ 812}) 813 814static int uinput_str_to_user(void __user *dest, const char *str, 815 unsigned int maxlen) 816{ 817 char __user *p = dest; 818 int len, ret; 819 820 if (!str) 821 return -ENOENT; 822 823 if (maxlen == 0) 824 return -EINVAL; 825 826 len = strlen(str) + 1; 827 if (len > maxlen) 828 len = maxlen; 829 830 ret = copy_to_user(p, str, len); 831 if (ret) 832 return -EFAULT; 833 834 /* force terminating '\0' */ 835 ret = put_user(0, p + len - 1); 836 return ret ? -EFAULT : len; 837} 838 839static long uinput_ioctl_handler(struct file *file, unsigned int cmd, 840 unsigned long arg, void __user *p) 841{ 842 int retval; 843 struct uinput_device *udev = file->private_data; 844 struct uinput_ff_upload ff_up; 845 struct uinput_ff_erase ff_erase; 846 struct uinput_request *req; 847 char *phys; 848 const char *name; 849 unsigned int size; 850 851 retval = mutex_lock_interruptible(&udev->mutex); 852 if (retval) 853 return retval; 854 855 if (!udev->dev) { 856 udev->dev = input_allocate_device(); 857 if (!udev->dev) { 858 retval = -ENOMEM; 859 goto out; 860 } 861 } 862 863 switch (cmd) { 864 case UI_GET_VERSION: 865 if (put_user(UINPUT_VERSION, (unsigned int __user *)p)) 866 retval = -EFAULT; 867 goto out; 868 869 case UI_DEV_CREATE: 870 retval = uinput_create_device(udev); 871 goto out; 872 873 case UI_DEV_DESTROY: 874 uinput_destroy_device(udev); 875 goto out; 876 877 case UI_DEV_SETUP: 878 retval = uinput_dev_setup(udev, p); 879 goto out; 880 881 /* UI_ABS_SETUP is handled in the variable size ioctls */ 882 883 case UI_SET_EVBIT: 884 retval = uinput_set_bit(arg, evbit, EV_MAX); 885 goto out; 886 887 case UI_SET_KEYBIT: 888 retval = uinput_set_bit(arg, keybit, KEY_MAX); 889 goto out; 890 891 case UI_SET_RELBIT: 892 retval = uinput_set_bit(arg, relbit, REL_MAX); 893 goto out; 894 895 case UI_SET_ABSBIT: 896 retval = uinput_set_bit(arg, absbit, ABS_MAX); 897 goto out; 898 899 case UI_SET_MSCBIT: 900 retval = uinput_set_bit(arg, mscbit, MSC_MAX); 901 goto out; 902 903 case UI_SET_LEDBIT: 904 retval = uinput_set_bit(arg, ledbit, LED_MAX); 905 goto out; 906 907 case UI_SET_SNDBIT: 908 retval = uinput_set_bit(arg, sndbit, SND_MAX); 909 goto out; 910 911 case UI_SET_FFBIT: 912 retval = uinput_set_bit(arg, ffbit, FF_MAX); 913 goto out; 914 915 case UI_SET_SWBIT: 916 retval = uinput_set_bit(arg, swbit, SW_MAX); 917 goto out; 918 919 case UI_SET_PROPBIT: 920 retval = uinput_set_bit(arg, propbit, INPUT_PROP_MAX); 921 goto out; 922 923 case UI_SET_PHYS: 924 if (udev->state == UIST_CREATED) { 925 retval = -EINVAL; 926 goto out; 927 } 928 929 phys = strndup_user(p, 1024); 930 if (IS_ERR(phys)) { 931 retval = PTR_ERR(phys); 932 goto out; 933 } 934 935 kfree(udev->dev->phys); 936 udev->dev->phys = phys; 937 goto out; 938 939 case UI_BEGIN_FF_UPLOAD: 940 retval = uinput_ff_upload_from_user(p, &ff_up); 941 if (retval) 942 goto out; 943 944 req = uinput_request_find(udev, ff_up.request_id); 945 if (!req || req->code != UI_FF_UPLOAD || 946 !req->u.upload.effect) { 947 retval = -EINVAL; 948 goto out; 949 } 950 951 ff_up.retval = 0; 952 ff_up.effect = *req->u.upload.effect; 953 if (req->u.upload.old) 954 ff_up.old = *req->u.upload.old; 955 else 956 memset(&ff_up.old, 0, sizeof(struct ff_effect)); 957 958 retval = uinput_ff_upload_to_user(p, &ff_up); 959 goto out; 960 961 case UI_BEGIN_FF_ERASE: 962 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) { 963 retval = -EFAULT; 964 goto out; 965 } 966 967 req = uinput_request_find(udev, ff_erase.request_id); 968 if (!req || req->code != UI_FF_ERASE) { 969 retval = -EINVAL; 970 goto out; 971 } 972 973 ff_erase.retval = 0; 974 ff_erase.effect_id = req->u.effect_id; 975 if (copy_to_user(p, &ff_erase, sizeof(ff_erase))) { 976 retval = -EFAULT; 977 goto out; 978 } 979 980 goto out; 981 982 case UI_END_FF_UPLOAD: 983 retval = uinput_ff_upload_from_user(p, &ff_up); 984 if (retval) 985 goto out; 986 987 req = uinput_request_find(udev, ff_up.request_id); 988 if (!req || req->code != UI_FF_UPLOAD || 989 !req->u.upload.effect) { 990 retval = -EINVAL; 991 goto out; 992 } 993 994 req->retval = ff_up.retval; 995 complete(&req->done); 996 goto out; 997 998 case UI_END_FF_ERASE: 999 if (copy_from_user(&ff_erase, p, sizeof(ff_erase))) { 1000 retval = -EFAULT; 1001 goto out; 1002 } 1003 1004 req = uinput_request_find(udev, ff_erase.request_id); 1005 if (!req || req->code != UI_FF_ERASE) { 1006 retval = -EINVAL; 1007 goto out; 1008 } 1009 1010 req->retval = ff_erase.retval; 1011 complete(&req->done); 1012 goto out; 1013 } 1014 1015 size = _IOC_SIZE(cmd); 1016 1017 /* Now check variable-length commands */ 1018 switch (cmd & ~IOCSIZE_MASK) { 1019 case UI_GET_SYSNAME(0): 1020 if (udev->state != UIST_CREATED) { 1021 retval = -ENOENT; 1022 goto out; 1023 } 1024 name = dev_name(&udev->dev->dev); 1025 retval = uinput_str_to_user(p, name, size); 1026 goto out; 1027 1028 case UI_ABS_SETUP & ~IOCSIZE_MASK: 1029 retval = uinput_abs_setup(udev, p, size); 1030 goto out; 1031 } 1032 1033 retval = -EINVAL; 1034 out: 1035 mutex_unlock(&udev->mutex); 1036 return retval; 1037} 1038 1039static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 1040{ 1041 return uinput_ioctl_handler(file, cmd, arg, (void __user *)arg); 1042} 1043 1044#ifdef CONFIG_COMPAT 1045 1046/* 1047 * These IOCTLs change their size and thus their numbers between 1048 * 32 and 64 bits. 1049 */ 1050#define UI_SET_PHYS_COMPAT \ 1051 _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t) 1052#define UI_BEGIN_FF_UPLOAD_COMPAT \ 1053 _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat) 1054#define UI_END_FF_UPLOAD_COMPAT \ 1055 _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat) 1056 1057static long uinput_compat_ioctl(struct file *file, 1058 unsigned int cmd, unsigned long arg) 1059{ 1060 switch (cmd) { 1061 case UI_SET_PHYS_COMPAT: 1062 cmd = UI_SET_PHYS; 1063 break; 1064 case UI_BEGIN_FF_UPLOAD_COMPAT: 1065 cmd = UI_BEGIN_FF_UPLOAD; 1066 break; 1067 case UI_END_FF_UPLOAD_COMPAT: 1068 cmd = UI_END_FF_UPLOAD; 1069 break; 1070 } 1071 1072 return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg)); 1073} 1074#endif 1075 1076static const struct file_operations uinput_fops = { 1077 .owner = THIS_MODULE, 1078 .open = uinput_open, 1079 .release = uinput_release, 1080 .read = uinput_read, 1081 .write = uinput_write, 1082 .poll = uinput_poll, 1083 .unlocked_ioctl = uinput_ioctl, 1084#ifdef CONFIG_COMPAT 1085 .compat_ioctl = uinput_compat_ioctl, 1086#endif 1087 .llseek = no_llseek, 1088}; 1089 1090static struct miscdevice uinput_misc = { 1091 .fops = &uinput_fops, 1092 .minor = UINPUT_MINOR, 1093 .name = UINPUT_NAME, 1094}; 1095module_misc_device(uinput_misc); 1096 1097MODULE_ALIAS_MISCDEV(UINPUT_MINOR); 1098MODULE_ALIAS("devname:" UINPUT_NAME); 1099 1100MODULE_AUTHOR("Aristeu Sergio Rozanski Filho"); 1101MODULE_DESCRIPTION("User level driver support for input subsystem"); 1102MODULE_LICENSE("GPL");