HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
[deliverable/linux.git] / drivers / hid / hidraw.c
1 /*
2 * HID raw devices, giving access to raw HID events.
3 *
4 * In comparison to hiddev, this device does not process the
5 * hid events at all (no parsing, no lookups). This lets applications
6 * to work on raw hid events as they want to, and avoids a need to
7 * use a transport-specific userspace libhid/libusb libraries.
8 *
9 * Copyright (c) 2007 Jiri Kosina
10 */
11
12 /*
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms and conditions of the GNU General Public License,
15 * version 2, as published by the Free Software Foundation.
16 *
17 * You should have received a copy of the GNU General Public License along with
18 * this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
20 */
21
22 #include <linux/fs.h>
23 #include <linux/module.h>
24 #include <linux/errno.h>
25 #include <linux/kernel.h>
26 #include <linux/init.h>
27 #include <linux/cdev.h>
28 #include <linux/poll.h>
29 #include <linux/device.h>
30 #include <linux/major.h>
31 #include <linux/slab.h>
32 #include <linux/hid.h>
33 #include <linux/mutex.h>
34 #include <linux/sched.h>
35 #include <linux/smp_lock.h>
36
37 #include <linux/hidraw.h>
38
/* Character-device major number, taken from the region allocated in hidraw_init(). */
static int hidraw_major;
/* The cdev that hidraw_init() binds to hidraw_ops. */
static struct cdev hidraw_cdev;
/* Device class ("hidraw") under which hidraw_connect() creates device nodes. */
static struct class *hidraw_class;
/* Minor number -> device state; a NULL entry is a free (or disconnected) slot. */
static struct hidraw *hidraw_table[HIDRAW_MAX_DEVICES];
/* Serialises lookups in, and updates of, hidraw_table. */
static DEFINE_MUTEX(minors_lock);
44
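/*
 * Read one queued raw HID report into the caller's buffer.
 *
 * Sleeps interruptibly until a report is queued for this open file, unless
 * O_NONBLOCK is set. At most @count bytes of the report at the ring tail are
 * copied; the slot is released afterwards even if the report was truncated.
 *
 * Returns the number of bytes copied, -EAGAIN (empty queue with O_NONBLOCK),
 * -ERESTARTSYS (signal pending), -EIO (device no longer exists) or -EFAULT
 * (copy to user space failed; the report stays queued).
 */
static ssize_t hidraw_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos)
{
	struct hidraw_list *list = file->private_data;
	int ret = 0, len;
	DECLARE_WAITQUEUE(wait, current);

	mutex_lock(&list->read_mutex);

	while (ret == 0) {
		if (list->head == list->tail) {
			add_wait_queue(&list->hidraw->wait, &wait);
			set_current_state(TASK_INTERRUPTIBLE);

			while (list->head == list->tail) {
				if (file->f_flags & O_NONBLOCK) {
					ret = -EAGAIN;
					break;
				}
				if (signal_pending(current)) {
					ret = -ERESTARTSYS;
					break;
				}
				if (!list->hidraw->exist) {
					ret = -EIO;
					break;
				}

				/* allow O_NONBLOCK to work well from other threads */
				mutex_unlock(&list->read_mutex);
				schedule();
				mutex_lock(&list->read_mutex);
				set_current_state(TASK_INTERRUPTIBLE);
			}

			set_current_state(TASK_RUNNING);
			remove_wait_queue(&list->hidraw->wait, &wait);
		}

		if (ret)
			goto out;

		/* Never copy more than the caller asked for. */
		len = list->buffer[list->tail].len > count ?
			count : list->buffer[list->tail].len;

		/*
		 * The payload is allocated with GFP_ATOMIC by the producer and
		 * that allocation can fail, so never hand a NULL payload to
		 * copy_to_user(); an empty slot is simply consumed.
		 */
		if (list->buffer[list->tail].value) {
			if (copy_to_user(buffer, list->buffer[list->tail].value, len)) {
				ret = -EFAULT;
				goto out;
			}
			ret += len;
		}

		kfree(list->buffer[list->tail].value);
		/* Do not leave a stale pointer to freed memory in the ring. */
		list->buffer[list->tail].value = NULL;
		list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1);
	}
out:
	mutex_unlock(&list->read_mutex);
	return ret;
}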
102
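/*
 * Send a raw output report to the device.
 *
 * The first byte is expected to be a report number. @count must be between
 * 2 and HID_MAX_BUFFER_SIZE bytes; the data is copied into a kernel buffer
 * before it is passed to the transport's hid_output_raw_report() hook.
 *
 * Returns whatever the hook returns, or -ENODEV (device gone, or the
 * transport has no raw output hook), -EINVAL (bad length), -ENOMEM or
 * -EFAULT.
 */
static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos)
{
	unsigned int minor = iminor(file->f_path.dentry->d_inode);
	struct hid_device *dev;
	__u8 *buf;
	int ret = 0;

	mutex_lock(&minors_lock);

	/*
	 * hidraw_disconnect() clears the table slot while the file may still
	 * be open, so the entry has to be checked before it is dereferenced
	 * (hidraw_ioctl() performs the same check).
	 */
	if (!hidraw_table[minor]) {
		ret = -ENODEV;
		goto out;
	}
	dev = hidraw_table[minor]->hid;

	if (!dev->hid_output_raw_report) {
		ret = -ENODEV;
		goto out;
	}

	/* Bound the user-controlled length before it sizes an allocation. */
	if (count > HID_MAX_BUFFER_SIZE) {
		printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
				task_pid_nr(current));
		ret = -EINVAL;
		goto out;
	}

	if (count < 2) {
		printk(KERN_WARNING "hidraw: pid %d passed too short report\n",
				task_pid_nr(current));
		ret = -EINVAL;
		goto out;
	}

	buf = kmalloc(count * sizeof(__u8), GFP_KERNEL);
	if (!buf) {
		ret = -ENOMEM;
		goto out;
	}

	if (copy_from_user(buf, buffer, count)) {
		ret = -EFAULT;
		goto out_free;
	}

	ret = dev->hid_output_raw_report(dev, buf, count, HID_OUTPUT_REPORT);
out_free:
	kfree(buf);
out:
	mutex_unlock(&minors_lock);
	return ret;
}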
151
/*
 * poll() support: readable while a report is queued for this open file,
 * error/hang-up once the queue is empty and the device no longer exists.
 */
static unsigned int hidraw_poll(struct file *file, poll_table *wait)
{
	struct hidraw_list *queue = file->private_data;
	unsigned int mask = 0;

	poll_wait(file, &queue->hidraw->wait, wait);

	/* Queued data takes precedence over reporting the device as gone. */
	if (queue->head != queue->tail)
		mask = POLLIN | POLLRDNORM;
	else if (!queue->hidraw->exist)
		mask = POLLERR | POLLHUP;

	return mask;
}
163
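/*
 * Open a hidraw device node.
 *
 * Allocates the per-open report queue and, for the first opener, powers up
 * and opens the underlying HID device through its low-level driver.
 *
 * The queue is linked into the device's reader list and stored in
 * file->private_data only after the hardware has been opened. A failed
 * open() is not followed by release(), so linking earlier would leave the
 * queue on the reader list forever, where every incoming report would keep
 * allocating into it. For the same reason the open count is rolled back on
 * every error path, including a failing power() call.
 *
 * Returns 0 on success, -ENOMEM, -ENODEV if no device owns this minor, or
 * the error returned by the low-level driver.
 */
static int hidraw_open(struct inode *inode, struct file *file)
{
	unsigned int minor = iminor(inode);
	struct hidraw *dev;
	struct hidraw_list *list;
	int err = 0;

	list = kzalloc(sizeof(*list), GFP_KERNEL);
	if (!list)
		return -ENOMEM;

	mutex_lock(&minors_lock);
	dev = hidraw_table[minor];
	if (!dev) {
		err = -ENODEV;
		goto out_unlock;
	}

	if (!dev->open++) {
		if (dev->hid->ll_driver->power) {
			err = dev->hid->ll_driver->power(dev->hid, PM_HINT_FULLON);
			if (err < 0) {
				dev->open--;
				goto out_unlock;
			}
		}
		err = dev->hid->ll_driver->open(dev->hid);
		if (err < 0) {
			if (dev->hid->ll_driver->power)
				dev->hid->ll_driver->power(dev->hid, PM_HINT_NORMAL);
			dev->open--;
			goto out_unlock;
		}
	}

	/* Publish the queue only once nothing can fail any more. */
	list->hidraw = dev;
	mutex_init(&list->read_mutex);
	list_add_tail(&list->node, &dev->list);
	file->private_data = list;

out_unlock:
	mutex_unlock(&minors_lock);
	/* On failure the queue was never published, so it is still ours to free. */
	if (err < 0)
		kfree(list);
	return err;
}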
209
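/*
 * Close one open file on a hidraw device node.
 *
 * Unlinks this reader's queue, drops the open count (the last closer powers
 * down and closes the hardware), frees reports that were queued but never
 * read, and frees the queue itself.
 *
 * minors_lock is held throughout because hidraw_open() modifies the same
 * open count and reader list under that lock.
 *
 * Returns 0, or -ENODEV when the table slot for this minor is empty.
 */
static int hidraw_release(struct inode * inode, struct file * file)
{
	unsigned int minor = iminor(inode);
	struct hidraw *dev;
	struct hidraw_list *list = file->private_data;
	int ret = 0;
	int i;

	mutex_lock(&minors_lock);

	dev = hidraw_table[minor];
	if (!dev) {
		/*
		 * NOTE(review): hidraw_disconnect() clears the slot while
		 * files are still open, so this path returns without freeing
		 * the queue or the hidraw it points to. Fixing that needs a
		 * coordinated change in hidraw_disconnect(); behaviour is
		 * left as it was.
		 */
		ret = -ENODEV;
		goto out_unlock;
	}

	list_del(&list->node);
	if (!--dev->open) {
		if (list->hidraw->exist) {
			if (dev->hid->ll_driver->power)
				dev->hid->ll_driver->power(dev->hid, PM_HINT_NORMAL);
			dev->hid->ll_driver->close(dev->hid);
		} else {
			/*
			 * NOTE(review): reached only while a disconnect is in
			 * progress; hidraw_disconnect() still dereferences the
			 * hidraw after clearing ->exist, so this free looks
			 * racy. Confirm together with the disconnect path.
			 */
			kfree(list->hidraw);
		}
	}

	/*
	 * Slots from tail up to (not including) head still own their payload;
	 * slots outside that range were already freed by hidraw_read().
	 */
	for (i = list->tail; i != list->head;
	     i = (i + 1) & (HIDRAW_BUFFER_SIZE - 1))
		kfree(list->buffer[i].value);

	kfree(list);

out_unlock:
	mutex_unlock(&minors_lock);
	return ret;
}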
235
/*
 * ioctl handler for hidraw device nodes.
 *
 * The table slot is looked up and used under minors_lock and rejected with
 * -ENODEV when it is empty (the device was disconnected while the file was
 * still open).
 *
 * HIDIOCGRDESCSIZE       - report descriptor size
 * HIDIOCGRDESC           - report descriptor, limited to the caller's length
 * HIDIOCGRAWINFO         - bus type, vendor and product ids
 * HIDIOCGRAWNAME(len)    - device name, truncated to the ioctl size
 * HIDIOCGRAWPHYS(len)    - physical path, truncated to the ioctl size
 *
 * Returns 0 (or the number of bytes copied for the two string requests),
 * -EFAULT on a failed user copy, -EINVAL for a bad length or a request that
 * is not a type 'H' read, and -ENOTTY for an unknown type 'H' read request.
 */
static long hidraw_ioctl(struct file *file, unsigned int cmd,
							unsigned long arg)
{
	unsigned int minor = iminor(file->f_path.dentry->d_inode);
	void __user *user_arg = (void __user*) arg;
	struct hidraw *dev;
	long ret = 0;

	mutex_lock(&minors_lock);
	dev = hidraw_table[minor];
	if (!dev) {
		ret = -ENODEV;
		goto out;
	}

	switch (cmd) {
	case HIDIOCGRDESCSIZE:
		if (put_user(dev->hid->rsize, (int __user *)arg))
			ret = -EFAULT;
		break;

	case HIDIOCGRDESC:
		{
			void __user *dst = user_arg +
				offsetof(struct hidraw_report_descriptor, value[0]);
			__u32 len;

			if (get_user(len, (int __user *)arg)) {
				ret = -EFAULT;
				break;
			}
			/* Reject lengths beyond the descriptor limit up front. */
			if (len > HID_MAX_DESCRIPTOR_SIZE - 1) {
				ret = -EINVAL;
				break;
			}
			/* Copy no more than the device's descriptor actually holds. */
			if (copy_to_user(dst, dev->hid->rdesc,
					 min(dev->hid->rsize, len)))
				ret = -EFAULT;
			break;
		}

	case HIDIOCGRAWINFO:
		{
			/*
			 * NOTE(review): dinfo is filled field by field and not
			 * zeroed first; confirm struct hidraw_devinfo has no
			 * padding, otherwise stack bytes reach user space.
			 */
			struct hidraw_devinfo dinfo;

			dinfo.bustype = dev->hid->bus;
			dinfo.vendor = dev->hid->vendor;
			dinfo.product = dev->hid->product;
			if (copy_to_user(user_arg, &dinfo, sizeof(dinfo)))
				ret = -EFAULT;
			break;
		}

	default:
		{
			struct hid_device *hid = dev->hid;
			unsigned int nr = _IOC_NR(cmd);
			const char *str;
			int len;

			/* Only read-direction requests of type 'H' are served here. */
			if (_IOC_TYPE(cmd) != 'H' || _IOC_DIR(cmd) != _IOC_READ) {
				ret = -EINVAL;
				break;
			}

			/* The request size is encoded in cmd, so match on the number only. */
			if (nr == _IOC_NR(HIDIOCGRAWNAME(0))) {
				str = hid->name;
			} else if (nr == _IOC_NR(HIDIOCGRAWPHYS(0))) {
				str = hid->phys;
			} else {
				ret = -ENOTTY;
				break;
			}

			if (!str) {
				ret = 0;
				break;
			}

			/* Include the terminating NUL, but never exceed the caller's size. */
			len = strlen(str) + 1;
			if (len > _IOC_SIZE(cmd))
				len = _IOC_SIZE(cmd);
			ret = copy_to_user(user_arg, str, len) ?
				-EFAULT : len;
			break;
		}
	}
out:
	mutex_unlock(&minors_lock);
	return ret;
}
328
/* File operations for hidraw device nodes; bound to hidraw_cdev in hidraw_init(). */
static const struct file_operations hidraw_ops = {
	.owner = THIS_MODULE,
	.read = hidraw_read,
	.write = hidraw_write,
	.poll = hidraw_poll,
	.open = hidraw_open,
	.release = hidraw_release,
	/* Called without the big kernel lock; hidraw_ioctl() takes minors_lock itself. */
	.unlocked_ioctl = hidraw_ioctl,
};
338
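/*
 * Queue a copy of an incoming raw report on every open file of the device
 * and wake up any readers.
 *
 * @hid:  device the report came from
 * @data: raw report bytes
 * @len:  number of bytes in @data
 *
 * A reader whose ring is full, or for which the copy cannot be allocated,
 * does not get this report. Without those two checks a full ring would have
 * its oldest payload pointer overwritten (leaking it) and head would catch
 * up with tail, which readers interpret as "empty"; a failed allocation
 * would queue a NULL payload.
 *
 * NOTE(review): head and tail are updated here without a lock shared with
 * hidraw_read(); confirm what serialises the two.
 */
void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
{
	struct hidraw *dev = hid->hidraw;
	struct hidraw_list *list;

	list_for_each_entry(list, &dev->list, node) {
		int new_head = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
		u8 *copy;

		/* Ring full: drop the report for this reader. */
		if (new_head == list->tail)
			continue;

		copy = kmemdup(data, len, GFP_ATOMIC);
		if (!copy)
			continue;

		list->buffer[list->head].value = copy;
		list->buffer[list->head].len = len;
		list->head = new_head;
		kill_fasync(&list->fasync, SIGIO, POLL_IN);
	}

	wake_up_interruptible(&dev->wait);
}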
353 EXPORT_SYMBOL_GPL(hidraw_report_event);
354
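/*
 * Register a hidraw interface for a HID device.
 *
 * Claims the first free minor, creates the /dev node and links the new
 * hidraw state to @hid.
 *
 * The state is fully initialised before the device node is created, and
 * minors_lock is held until it is complete. hidraw_open() can run as soon
 * as the node exists and uses the wait queue, the reader list and ->hid;
 * initialising them after dropping the lock would let it see a
 * half-constructed device.
 *
 * Returns 0 on success, -ENOMEM, -EINVAL when every minor is in use, or the
 * error from device_create().
 */
int hidraw_connect(struct hid_device *hid)
{
	int minor, result;
	struct hidraw *dev;

	/* we accept any HID device, no matter the applications */

	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	result = -EINVAL;

	mutex_lock(&minors_lock);

	for (minor = 0; minor < HIDRAW_MAX_DEVICES; minor++) {
		if (hidraw_table[minor])
			continue;
		hidraw_table[minor] = dev;
		result = 0;
		break;
	}

	if (result) {
		mutex_unlock(&minors_lock);
		kfree(dev);
		goto out;
	}

	/* Finish construction before the node can be opened. */
	init_waitqueue_head(&dev->wait);
	INIT_LIST_HEAD(&dev->list);
	dev->hid = hid;
	dev->minor = minor;
	dev->exist = 1;

	dev->dev = device_create(hidraw_class, &hid->dev, MKDEV(hidraw_major, minor),
				 NULL, "%s%d", "hidraw", minor);

	if (IS_ERR(dev->dev)) {
		hidraw_table[minor] = NULL;
		mutex_unlock(&minors_lock);
		result = PTR_ERR(dev->dev);
		kfree(dev);
		goto out;
	}

	hid->hidraw = dev;
	mutex_unlock(&minors_lock);

out:
	return result;
}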
409 EXPORT_SYMBOL_GPL(hidraw_connect);
410
/*
 * Tear down the hidraw interface of a HID device that is going away.
 *
 * Marks the device as gone, frees its minor, removes the device node and
 * then either frees the state (no open files) or closes the hardware and
 * wakes sleeping readers so that they can notice the device is gone.
 *
 * NOTE(review): ->exist is cleared and ->open is read outside minors_lock,
 * while hidraw_open() changes ->open under it and hidraw_release() may free
 * the same object; confirm the intended lifetime rules.
 */
void hidraw_disconnect(struct hid_device *hid)
{
	struct hidraw *dev = hid->hidraw;

	dev->exist = 0;

	mutex_lock(&minors_lock);
	hidraw_table[dev->minor] = NULL;
	mutex_unlock(&minors_lock);

	device_destroy(hidraw_class, MKDEV(hidraw_major, dev->minor));

	/* Nobody has the node open: the state can go right away. */
	if (!dev->open) {
		kfree(dev);
		return;
	}

	/* Open files remain: close the hardware and wake blocked readers. */
	hid->ll_driver->close(hid);
	wake_up_interruptible(&dev->wait);
}
430 EXPORT_SYMBOL_GPL(hidraw_disconnect);
431
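/*
 * Set up the hidraw character-device region, device class and cdev.
 *
 * Changes against the previous version:
 *  - dev_id is read only after alloc_chrdev_region() succeeded; before, the
 *    major number was taken from it even when it had not been filled in;
 *  - the error path releases the region with unregister_chrdev_region(),
 *    matching how it was allocated and how hidraw_exit() releases it;
 *  - the result of cdev_add() is checked and the class and region are
 *    released when it fails.
 *
 * Returns 0 on success or a negative errno from class_create() or
 * cdev_add().
 */
int __init hidraw_init(void)
{
	int result;
	dev_t dev_id;

	result = alloc_chrdev_region(&dev_id, HIDRAW_FIRST_MINOR,
			HIDRAW_MAX_DEVICES, "hidraw");
	if (result < 0) {
		printk(KERN_WARNING "hidraw: can't get major number\n");
		/*
		 * NOTE(review): this failure is reported as success, which
		 * looks like deliberate best-effort and is kept; the class is
		 * never created in that case.
		 */
		result = 0;
		goto out;
	}

	hidraw_major = MAJOR(dev_id);

	hidraw_class = class_create(THIS_MODULE, "hidraw");
	if (IS_ERR(hidraw_class)) {
		result = PTR_ERR(hidraw_class);
		unregister_chrdev_region(dev_id, HIDRAW_MAX_DEVICES);
		goto out;
	}

	cdev_init(&hidraw_cdev, &hidraw_ops);
	result = cdev_add(&hidraw_cdev, dev_id, HIDRAW_MAX_DEVICES);
	if (result < 0) {
		class_destroy(hidraw_class);
		/* Do not leave a pointer to the destroyed class behind. */
		hidraw_class = NULL;
		unregister_chrdev_region(dev_id, HIDRAW_MAX_DEVICES);
	}
out:
	return result;
}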
460
/*
 * Undo hidraw_init(): remove the cdev, destroy the device class and give
 * the character-device region back.
 *
 * NOTE(review): the region is released starting at minor 0, while
 * hidraw_init() allocates it from HIDRAW_FIRST_MINOR; the two only agree if
 * that constant is 0 - confirm.
 */
void hidraw_exit(void)
{
	cdev_del(&hidraw_cdev);
	class_destroy(hidraw_class);
	unregister_chrdev_region(MKDEV(hidraw_major, 0), HIDRAW_MAX_DEVICES);
}