projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: hidp: verify l2cap sockets
[deliverable/linux.git] / net / bluetooth / hidp / core.c
1 /*
2 HIDP implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/module.h>
24 #include <linux/file.h>
25 #include <linux/kthread.h>
26 #include <linux/hidraw.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31
32 #include "hidp.h"
33
34 #define VERSION "1.2"
35
36 static DECLARE_RWSEM(hidp_session_sem);
37 static LIST_HEAD(hidp_session_list);
38
39 static unsigned char hidp_keycode[256] = {
40 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
41 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
42 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
43 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
44 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
45 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69,
46 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73,
47 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
48 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
49 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94,
50 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0,
51 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
52 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
53 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
54 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
55 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
56 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115,
57 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
58 };
59
60 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
61
62 static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr)
63 {
64 struct hidp_session *session;
65
66 BT_DBG("");
67
68 list_for_each_entry(session, &hidp_session_list, list) {
69 if (!bacmp(bdaddr, &session->bdaddr))
70 return session;
71 }
72
73 return NULL;
74 }
75
76 static void __hidp_link_session(struct hidp_session *session)
77 {
78 list_add(&session->list, &hidp_session_list);
79 }
80
81 static void __hidp_unlink_session(struct hidp_session *session)
82 {
83 hci_conn_put_device(session->conn);
84
85 list_del(&session->list);
86 }
87
88 static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
89 {
90 memset(ci, 0, sizeof(*ci));
91 bacpy(&ci->bdaddr, &session->bdaddr);
92
93 ci->flags = session->flags;
94 ci->state = session->state;
95
96 ci->vendor = 0x0000;
97 ci->product = 0x0000;
98 ci->version = 0x0000;
99
100 if (session->input) {
101 ci->vendor = session->input->id.vendor;
102 ci->product = session->input->id.product;
103 ci->version = session->input->id.version;
104 if (session->input->name)
105 strncpy(ci->name, session->input->name, 128);
106 else
107 strncpy(ci->name, "HID Boot Device", 128);
108 }
109
110 if (session->hid) {
111 ci->vendor = session->hid->vendor;
112 ci->product = session->hid->product;
113 ci->version = session->hid->version;
114 strncpy(ci->name, session->hid->name, 128);
115 }
116 }
117
118 static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev,
119 unsigned int type, unsigned int code, int value)
120 {
121 unsigned char newleds;
122 struct sk_buff *skb;
123
124 BT_DBG("session %p type %d code %d value %d", session, type, code, value);
125
126 if (type != EV_LED)
127 return -1;
128
129 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
130 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
131 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
132 (!!test_bit(LED_CAPSL, dev->led) << 1) |
133 (!!test_bit(LED_NUML, dev->led));
134
135 if (session->leds == newleds)
136 return 0;
137
138 session->leds = newleds;
139
140 skb = alloc_skb(3, GFP_ATOMIC);
141 if (!skb) {
142 BT_ERR("Can't allocate memory for new frame");
143 return -ENOMEM;
144 }
145
146 *skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
147 *skb_put(skb, 1) = 0x01;
148 *skb_put(skb, 1) = newleds;
149
150 skb_queue_tail(&session->intr_transmit, skb);
151
152 hidp_schedule(session);
153
154 return 0;
155 }
156
157 static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
158 {
159 struct hid_device *hid = input_get_drvdata(dev);
160 struct hidp_session *session = hid->driver_data;
161
162 return hidp_queue_event(session, dev, type, code, value);
163 }
164
165 static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
166 {
167 struct hidp_session *session = input_get_drvdata(dev);
168
169 return hidp_queue_event(session, dev, type, code, value);
170 }
171
172 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
173 {
174 struct input_dev *dev = session->input;
175 unsigned char *keys = session->keys;
176 unsigned char *udata = skb->data + 1;
177 signed char *sdata = skb->data + 1;
178 int i, size = skb->len - 1;
179
180 switch (skb->data[0]) {
181 case 0x01: /* Keyboard report */
182 for (i = 0; i < 8; i++)
183 input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
184
185 /* If all the key codes have been set to 0x01, it means
186 * too many keys were pressed at the same time. */
187 if (!memcmp(udata + 2, hidp_mkeyspat, 6))
188 break;
189
190 for (i = 2; i < 8; i++) {
191 if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
192 if (hidp_keycode[keys[i]])
193 input_report_key(dev, hidp_keycode[keys[i]], 0);
194 else
195 BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
196 }
197
198 if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
199 if (hidp_keycode[udata[i]])
200 input_report_key(dev, hidp_keycode[udata[i]], 1);
201 else
202 BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
203 }
204 }
205
206 memcpy(keys, udata, 8);
207 break;
208
209 case 0x02: /* Mouse report */
210 input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
211 input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
212 input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
213 input_report_key(dev, BTN_SIDE, sdata[0] & 0x08);
214 input_report_key(dev, BTN_EXTRA, sdata[0] & 0x10);
215
216 input_report_rel(dev, REL_X, sdata[1]);
217 input_report_rel(dev, REL_Y, sdata[2]);
218
219 if (size > 3)
220 input_report_rel(dev, REL_WHEEL, sdata[3]);
221 break;
222 }
223
224 input_sync(dev);
225 }
226
227 static int __hidp_send_ctrl_message(struct hidp_session *session,
228 unsigned char hdr, unsigned char *data,
229 int size)
230 {
231 struct sk_buff *skb;
232
233 BT_DBG("session %p data %p size %d", session, data, size);
234
235 if (atomic_read(&session->terminate))
236 return -EIO;
237
238 skb = alloc_skb(size + 1, GFP_ATOMIC);
239 if (!skb) {
240 BT_ERR("Can't allocate memory for new frame");
241 return -ENOMEM;
242 }
243
244 *skb_put(skb, 1) = hdr;
245 if (data && size > 0)
246 memcpy(skb_put(skb, size), data, size);
247
248 skb_queue_tail(&session->ctrl_transmit, skb);
249
250 return 0;
251 }
252
253 static int hidp_send_ctrl_message(struct hidp_session *session,
254 unsigned char hdr, unsigned char *data, int size)
255 {
256 int err;
257
258 err = __hidp_send_ctrl_message(session, hdr, data, size);
259
260 hidp_schedule(session);
261
262 return err;
263 }
264
265 static int hidp_queue_report(struct hidp_session *session,
266 unsigned char *data, int size)
267 {
268 struct sk_buff *skb;
269
270 BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
271
272 skb = alloc_skb(size + 1, GFP_ATOMIC);
273 if (!skb) {
274 BT_ERR("Can't allocate memory for new frame");
275 return -ENOMEM;
276 }
277
278 *skb_put(skb, 1) = 0xa2;
279 if (size > 0)
280 memcpy(skb_put(skb, size), data, size);
281
282 skb_queue_tail(&session->intr_transmit, skb);
283
284 hidp_schedule(session);
285
286 return 0;
287 }
288
289 static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
290 {
291 unsigned char buf[32];
292 int rsize;
293
294 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
295 if (rsize > sizeof(buf))
296 return -EIO;
297
298 hid_output_report(report, buf);
299
300 return hidp_queue_report(session, buf, rsize);
301 }
302
303 static int hidp_get_raw_report(struct hid_device *hid,
304 unsigned char report_number,
305 unsigned char *data, size_t count,
306 unsigned char report_type)
307 {
308 struct hidp_session *session = hid->driver_data;
309 struct sk_buff *skb;
310 size_t len;
311 int numbered_reports = hid->report_enum[report_type].numbered;
312 int ret;
313
314 if (atomic_read(&session->terminate))
315 return -EIO;
316
317 switch (report_type) {
318 case HID_FEATURE_REPORT:
319 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
320 break;
321 case HID_INPUT_REPORT:
322 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
323 break;
324 case HID_OUTPUT_REPORT:
325 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
326 break;
327 default:
328 return -EINVAL;
329 }
330
331 if (mutex_lock_interruptible(&session->report_mutex))
332 return -ERESTARTSYS;
333
334 /* Set up our wait, and send the report request to the device. */
335 session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
336 session->waiting_report_number = numbered_reports ? report_number : -1;
337 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
338 data[0] = report_number;
339 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1);
340 if (ret)
341 goto err;
342
343 /* Wait for the return of the report. The returned report
344 gets put in session->report_return. */
345 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
346 int res;
347
348 res = wait_event_interruptible_timeout(session->report_queue,
349 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags),
350 5*HZ);
351 if (res == 0) {
352 /* timeout */
353 ret = -EIO;
354 goto err;
355 }
356 if (res < 0) {
357 /* signal */
358 ret = -ERESTARTSYS;
359 goto err;
360 }
361 }
362
363 skb = session->report_return;
364 if (skb) {
365 len = skb->len < count ? skb->len : count;
366 memcpy(data, skb->data, len);
367
368 kfree_skb(skb);
369 session->report_return = NULL;
370 } else {
371 /* Device returned a HANDSHAKE, indicating protocol error. */
372 len = -EIO;
373 }
374
375 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
376 mutex_unlock(&session->report_mutex);
377
378 return len;
379
380 err:
381 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
382 mutex_unlock(&session->report_mutex);
383 return ret;
384 }
385
386 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
387 unsigned char report_type)
388 {
389 struct hidp_session *session = hid->driver_data;
390 int ret;
391
392 switch (report_type) {
393 case HID_FEATURE_REPORT:
394 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
395 break;
396 case HID_OUTPUT_REPORT:
397 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
398 break;
399 default:
400 return -EINVAL;
401 }
402
403 if (mutex_lock_interruptible(&session->report_mutex))
404 return -ERESTARTSYS;
405
406 /* Set up our wait, and send the report request to the device. */
407 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
408 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data,
409 count);
410 if (ret)
411 goto err;
412
413 /* Wait for the ACK from the device. */
414 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
415 int res;
416
417 res = wait_event_interruptible_timeout(session->report_queue,
418 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags),
419 10*HZ);
420 if (res == 0) {
421 /* timeout */
422 ret = -EIO;
423 goto err;
424 }
425 if (res < 0) {
426 /* signal */
427 ret = -ERESTARTSYS;
428 goto err;
429 }
430 }
431
432 if (!session->output_report_success) {
433 ret = -EIO;
434 goto err;
435 }
436
437 ret = count;
438
439 err:
440 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
441 mutex_unlock(&session->report_mutex);
442 return ret;
443 }
444
445 static void hidp_idle_timeout(unsigned long arg)
446 {
447 struct hidp_session *session = (struct hidp_session *) arg;
448
449 atomic_inc(&session->terminate);
450 wake_up_process(session->task);
451 }
452
453 static void hidp_set_timer(struct hidp_session *session)
454 {
455 if (session->idle_to > 0)
456 mod_timer(&session->timer, jiffies + HZ * session->idle_to);
457 }
458
459 static void hidp_del_timer(struct hidp_session *session)
460 {
461 if (session->idle_to > 0)
462 del_timer(&session->timer);
463 }
464
465 static void hidp_process_handshake(struct hidp_session *session,
466 unsigned char param)
467 {
468 BT_DBG("session %p param 0x%02x", session, param);
469 session->output_report_success = 0; /* default condition */
470
471 switch (param) {
472 case HIDP_HSHK_SUCCESSFUL:
473 /* FIXME: Call into SET_ GET_ handlers here */
474 session->output_report_success = 1;
475 break;
476
477 case HIDP_HSHK_NOT_READY:
478 case HIDP_HSHK_ERR_INVALID_REPORT_ID:
479 case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
480 case HIDP_HSHK_ERR_INVALID_PARAMETER:
481 if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
482 wake_up_interruptible(&session->report_queue);
483
484 /* FIXME: Call into SET_ GET_ handlers here */
485 break;
486
487 case HIDP_HSHK_ERR_UNKNOWN:
488 break;
489
490 case HIDP_HSHK_ERR_FATAL:
491 /* Device requests a reboot, as this is the only way this error
492 * can be recovered. */
493 __hidp_send_ctrl_message(session,
494 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
495 break;
496
497 default:
498 __hidp_send_ctrl_message(session,
499 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
500 break;
501 }
502
503 /* Wake up the waiting thread. */
504 if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
505 wake_up_interruptible(&session->report_queue);
506 }
507
508 static void hidp_process_hid_control(struct hidp_session *session,
509 unsigned char param)
510 {
511 BT_DBG("session %p param 0x%02x", session, param);
512
513 if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
514 /* Flush the transmit queues */
515 skb_queue_purge(&session->ctrl_transmit);
516 skb_queue_purge(&session->intr_transmit);
517
518 atomic_inc(&session->terminate);
519 wake_up_process(current);
520 }
521 }
522
523 /* Returns true if the passed-in skb should be freed by the caller. */
524 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
525 unsigned char param)
526 {
527 int done_with_skb = 1;
528 BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
529
530 switch (param) {
531 case HIDP_DATA_RTYPE_INPUT:
532 hidp_set_timer(session);
533
534 if (session->input)
535 hidp_input_report(session, skb);
536
537 if (session->hid)
538 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
539 break;
540
541 case HIDP_DATA_RTYPE_OTHER:
542 case HIDP_DATA_RTYPE_OUPUT:
543 case HIDP_DATA_RTYPE_FEATURE:
544 break;
545
546 default:
547 __hidp_send_ctrl_message(session,
548 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
549 }
550
551 if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
552 param == session->waiting_report_type) {
553 if (session->waiting_report_number < 0 ||
554 session->waiting_report_number == skb->data[0]) {
555 /* hidp_get_raw_report() is waiting on this report. */
556 session->report_return = skb;
557 done_with_skb = 0;
558 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
559 wake_up_interruptible(&session->report_queue);
560 }
561 }
562
563 return done_with_skb;
564 }
565
566 static void hidp_recv_ctrl_frame(struct hidp_session *session,
567 struct sk_buff *skb)
568 {
569 unsigned char hdr, type, param;
570 int free_skb = 1;
571
572 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
573
574 hdr = skb->data[0];
575 skb_pull(skb, 1);
576
577 type = hdr & HIDP_HEADER_TRANS_MASK;
578 param = hdr & HIDP_HEADER_PARAM_MASK;
579
580 switch (type) {
581 case HIDP_TRANS_HANDSHAKE:
582 hidp_process_handshake(session, param);
583 break;
584
585 case HIDP_TRANS_HID_CONTROL:
586 hidp_process_hid_control(session, param);
587 break;
588
589 case HIDP_TRANS_DATA:
590 free_skb = hidp_process_data(session, skb, param);
591 break;
592
593 default:
594 __hidp_send_ctrl_message(session,
595 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
596 break;
597 }
598
599 if (free_skb)
600 kfree_skb(skb);
601 }
602
603 static void hidp_recv_intr_frame(struct hidp_session *session,
604 struct sk_buff *skb)
605 {
606 unsigned char hdr;
607
608 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
609
610 hdr = skb->data[0];
611 skb_pull(skb, 1);
612
613 if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
614 hidp_set_timer(session);
615
616 if (session->input)
617 hidp_input_report(session, skb);
618
619 if (session->hid) {
620 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
621 BT_DBG("report len %d", skb->len);
622 }
623 } else {
624 BT_DBG("Unsupported protocol header 0x%02x", hdr);
625 }
626
627 kfree_skb(skb);
628 }
629
630 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
631 {
632 struct kvec iv = { data, len };
633 struct msghdr msg;
634
635 BT_DBG("sock %p data %p len %d", sock, data, len);
636
637 if (!len)
638 return 0;
639
640 memset(&msg, 0, sizeof(msg));
641
642 return kernel_sendmsg(sock, &msg, &iv, 1, len);
643 }
644
645 static void hidp_process_intr_transmit(struct hidp_session *session)
646 {
647 struct sk_buff *skb;
648
649 BT_DBG("session %p", session);
650
651 while ((skb = skb_dequeue(&session->intr_transmit))) {
652 if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
653 skb_queue_head(&session->intr_transmit, skb);
654 break;
655 }
656
657 hidp_set_timer(session);
658 kfree_skb(skb);
659 }
660 }
661
662 static void hidp_process_ctrl_transmit(struct hidp_session *session)
663 {
664 struct sk_buff *skb;
665
666 BT_DBG("session %p", session);
667
668 while ((skb = skb_dequeue(&session->ctrl_transmit))) {
669 if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
670 skb_queue_head(&session->ctrl_transmit, skb);
671 break;
672 }
673
674 hidp_set_timer(session);
675 kfree_skb(skb);
676 }
677 }
678
679 static int hidp_session(void *arg)
680 {
681 struct hidp_session *session = arg;
682 struct sock *ctrl_sk = session->ctrl_sock->sk;
683 struct sock *intr_sk = session->intr_sock->sk;
684 struct sk_buff *skb;
685 wait_queue_t ctrl_wait, intr_wait;
686
687 BT_DBG("session %p", session);
688
689 __module_get(THIS_MODULE);
690 set_user_nice(current, -15);
691
692 init_waitqueue_entry(&ctrl_wait, current);
693 init_waitqueue_entry(&intr_wait, current);
694 add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
695 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
696 session->waiting_for_startup = 0;
697 wake_up_interruptible(&session->startup_queue);
698 set_current_state(TASK_INTERRUPTIBLE);
699 while (!atomic_read(&session->terminate)) {
700 if (ctrl_sk->sk_state != BT_CONNECTED ||
701 intr_sk->sk_state != BT_CONNECTED)
702 break;
703
704 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
705 skb_orphan(skb);
706 if (!skb_linearize(skb))
707 hidp_recv_intr_frame(session, skb);
708 else
709 kfree_skb(skb);
710 }
711
712 hidp_process_intr_transmit(session);
713
714 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
715 skb_orphan(skb);
716 if (!skb_linearize(skb))
717 hidp_recv_ctrl_frame(session, skb);
718 else
719 kfree_skb(skb);
720 }
721
722 hidp_process_ctrl_transmit(session);
723
724 schedule();
725 set_current_state(TASK_INTERRUPTIBLE);
726 }
727 set_current_state(TASK_RUNNING);
728 atomic_inc(&session->terminate);
729 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
730 remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
731
732 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
733 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
734 wake_up_interruptible(&session->report_queue);
735
736 down_write(&hidp_session_sem);
737
738 hidp_del_timer(session);
739
740 if (session->input) {
741 input_unregister_device(session->input);
742 session->input = NULL;
743 }
744
745 if (session->hid) {
746 hid_destroy_device(session->hid);
747 session->hid = NULL;
748 }
749
750 /* Wakeup user-space polling for socket errors */
751 session->intr_sock->sk->sk_err = EUNATCH;
752 session->ctrl_sock->sk->sk_err = EUNATCH;
753
754 hidp_schedule(session);
755
756 fput(session->intr_sock->file);
757
758 wait_event_timeout(*(sk_sleep(ctrl_sk)),
759 (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
760
761 fput(session->ctrl_sock->file);
762
763 __hidp_unlink_session(session);
764
765 up_write(&hidp_session_sem);
766
767 kfree(session->rd_data);
768 kfree(session);
769 module_put_and_exit(0);
770 return 0;
771 }
772
773 static struct hci_conn *hidp_get_connection(struct hidp_session *session)
774 {
775 bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
776 bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
777 struct hci_conn *conn;
778 struct hci_dev *hdev;
779
780 hdev = hci_get_route(dst, src);
781 if (!hdev)
782 return NULL;
783
784 hci_dev_lock(hdev);
785 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
786 if (conn)
787 hci_conn_hold_device(conn);
788 hci_dev_unlock(hdev);
789
790 hci_dev_put(hdev);
791
792 return conn;
793 }
794
795 static int hidp_setup_input(struct hidp_session *session,
796 struct hidp_connadd_req *req)
797 {
798 struct input_dev *input;
799 int i;
800
801 input = input_allocate_device();
802 if (!input)
803 return -ENOMEM;
804
805 session->input = input;
806
807 input_set_drvdata(input, session);
808
809 input->name = "Bluetooth HID Boot Protocol Device";
810
811 input->id.bustype = BUS_BLUETOOTH;
812 input->id.vendor = req->vendor;
813 input->id.product = req->product;
814 input->id.version = req->version;
815
816 if (req->subclass & 0x40) {
817 set_bit(EV_KEY, input->evbit);
818 set_bit(EV_LED, input->evbit);
819 set_bit(EV_REP, input->evbit);
820
821 set_bit(LED_NUML, input->ledbit);
822 set_bit(LED_CAPSL, input->ledbit);
823 set_bit(LED_SCROLLL, input->ledbit);
824 set_bit(LED_COMPOSE, input->ledbit);
825 set_bit(LED_KANA, input->ledbit);
826
827 for (i = 0; i < sizeof(hidp_keycode); i++)
828 set_bit(hidp_keycode[i], input->keybit);
829 clear_bit(0, input->keybit);
830 }
831
832 if (req->subclass & 0x80) {
833 input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
834 input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
835 BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
836 input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
837 input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
838 BIT_MASK(BTN_EXTRA);
839 input->relbit[0] |= BIT_MASK(REL_WHEEL);
840 }
841
842 input->dev.parent = &session->conn->dev;
843
844 input->event = hidp_input_event;
845
846 return 0;
847 }
848
849 static int hidp_open(struct hid_device *hid)
850 {
851 return 0;
852 }
853
854 static void hidp_close(struct hid_device *hid)
855 {
856 }
857
858 static int hidp_parse(struct hid_device *hid)
859 {
860 struct hidp_session *session = hid->driver_data;
861
862 return hid_parse_report(session->hid, session->rd_data,
863 session->rd_size);
864 }
865
866 static int hidp_start(struct hid_device *hid)
867 {
868 struct hidp_session *session = hid->driver_data;
869 struct hid_report *report;
870
871 if (hid->quirks & HID_QUIRK_NO_INIT_REPORTS)
872 return 0;
873
874 list_for_each_entry(report, &hid->report_enum[HID_INPUT_REPORT].
875 report_list, list)
876 hidp_send_report(session, report);
877
878 list_for_each_entry(report, &hid->report_enum[HID_FEATURE_REPORT].
879 report_list, list)
880 hidp_send_report(session, report);
881
882 return 0;
883 }
884
885 static void hidp_stop(struct hid_device *hid)
886 {
887 struct hidp_session *session = hid->driver_data;
888
889 skb_queue_purge(&session->ctrl_transmit);
890 skb_queue_purge(&session->intr_transmit);
891
892 hid->claimed = 0;
893 }
894
895 static struct hid_ll_driver hidp_hid_driver = {
896 .parse = hidp_parse,
897 .start = hidp_start,
898 .stop = hidp_stop,
899 .open = hidp_open,
900 .close = hidp_close,
901 .hidinput_input_event = hidp_hidinput_event,
902 };
903
904 /* This function sets up the hid device. It does not add it
905 to the HID system. That is done in hidp_add_connection(). */
906 static int hidp_setup_hid(struct hidp_session *session,
907 struct hidp_connadd_req *req)
908 {
909 struct hid_device *hid;
910 int err;
911
912 session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
913 if (!session->rd_data)
914 return -ENOMEM;
915
916 if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
917 err = -EFAULT;
918 goto fault;
919 }
920 session->rd_size = req->rd_size;
921
922 hid = hid_allocate_device();
923 if (IS_ERR(hid)) {
924 err = PTR_ERR(hid);
925 goto fault;
926 }
927
928 session->hid = hid;
929
930 hid->driver_data = session;
931
932 hid->bus = BUS_BLUETOOTH;
933 hid->vendor = req->vendor;
934 hid->product = req->product;
935 hid->version = req->version;
936 hid->country = req->country;
937
938 strncpy(hid->name, req->name, sizeof(req->name) - 1);
939
940 snprintf(hid->phys, sizeof(hid->phys), "%pMR",
941 &bt_sk(session->ctrl_sock->sk)->src);
942
943 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
944 &bt_sk(session->ctrl_sock->sk)->dst);
945
946 hid->dev.parent = &session->conn->dev;
947 hid->ll_driver = &hidp_hid_driver;
948
949 hid->hid_get_raw_report = hidp_get_raw_report;
950 hid->hid_output_raw_report = hidp_output_raw_report;
951
952 /* True if device is blacklisted in drivers/hid/hid-core.c */
953 if (hid_ignore(hid)) {
954 hid_destroy_device(session->hid);
955 session->hid = NULL;
956 return -ENODEV;
957 }
958
959 return 0;
960
961 fault:
962 kfree(session->rd_data);
963 session->rd_data = NULL;
964
965 return err;
966 }
967
968 int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
969 {
970 struct hidp_session *session, *s;
971 int vendor, product;
972 int err;
973
974 BT_DBG("");
975
976 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
977 return -EINVAL;
978 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
979 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
980 return -ENOTUNIQ;
981
982 BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
983
984 down_write(&hidp_session_sem);
985
986 s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
987 if (s && s->state == BT_CONNECTED) {
988 up_write(&hidp_session_sem);
989 return -EEXIST;
990 }
991
992 session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
993 if (!session) {
994 up_write(&hidp_session_sem);
995 return -ENOMEM;
996 }
997
998 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
999
1000 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
1001 l2cap_pi(ctrl_sock->sk)->chan->imtu);
1002 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
1003 l2cap_pi(intr_sock->sk)->chan->imtu);
1004
1005 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
1006
1007 session->ctrl_sock = ctrl_sock;
1008 session->intr_sock = intr_sock;
1009 session->state = BT_CONNECTED;
1010
1011 session->conn = hidp_get_connection(session);
1012 if (!session->conn) {
1013 err = -ENOTCONN;
1014 goto failed;
1015 }
1016
1017 setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
1018
1019 skb_queue_head_init(&session->ctrl_transmit);
1020 skb_queue_head_init(&session->intr_transmit);
1021
1022 mutex_init(&session->report_mutex);
1023 init_waitqueue_head(&session->report_queue);
1024 init_waitqueue_head(&session->startup_queue);
1025 session->waiting_for_startup = 1;
1026 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
1027 session->idle_to = req->idle_to;
1028
1029 __hidp_link_session(session);
1030
1031 if (req->rd_size > 0) {
1032 err = hidp_setup_hid(session, req);
1033 if (err && err != -ENODEV)
1034 goto purge;
1035 }
1036
1037 if (!session->hid) {
1038 err = hidp_setup_input(session, req);
1039 if (err < 0)
1040 goto purge;
1041 }
1042
1043 hidp_set_timer(session);
1044
1045 if (session->hid) {
1046 vendor = session->hid->vendor;
1047 product = session->hid->product;
1048 } else if (session->input) {
1049 vendor = session->input->id.vendor;
1050 product = session->input->id.product;
1051 } else {
1052 vendor = 0x0000;
1053 product = 0x0000;
1054 }
1055
1056 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
1057 vendor, product);
1058 if (IS_ERR(session->task)) {
1059 err = PTR_ERR(session->task);
1060 goto unlink;
1061 }
1062
1063 while (session->waiting_for_startup) {
1064 wait_event_interruptible(session->startup_queue,
1065 !session->waiting_for_startup);
1066 }
1067
1068 if (session->hid)
1069 err = hid_add_device(session->hid);
1070 else
1071 err = input_register_device(session->input);
1072
1073 if (err < 0) {
1074 atomic_inc(&session->terminate);
1075 wake_up_process(session->task);
1076 up_write(&hidp_session_sem);
1077 return err;
1078 }
1079
1080 if (session->input) {
1081 hidp_send_ctrl_message(session,
1082 HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0);
1083 session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE);
1084
1085 session->leds = 0xff;
1086 hidp_input_event(session->input, EV_LED, 0, 0);
1087 }
1088
1089 up_write(&hidp_session_sem);
1090 return 0;
1091
1092 unlink:
1093 hidp_del_timer(session);
1094
1095 if (session->input) {
1096 input_unregister_device(session->input);
1097 session->input = NULL;
1098 }
1099
1100 if (session->hid) {
1101 hid_destroy_device(session->hid);
1102 session->hid = NULL;
1103 }
1104
1105 kfree(session->rd_data);
1106 session->rd_data = NULL;
1107
1108 purge:
1109 __hidp_unlink_session(session);
1110
1111 skb_queue_purge(&session->ctrl_transmit);
1112 skb_queue_purge(&session->intr_transmit);
1113
1114 failed:
1115 up_write(&hidp_session_sem);
1116
1117 kfree(session);
1118 return err;
1119 }
1120
1121 int hidp_del_connection(struct hidp_conndel_req *req)
1122 {
1123 struct hidp_session *session;
1124 int err = 0;
1125
1126 BT_DBG("");
1127
1128 down_read(&hidp_session_sem);
1129
1130 session = __hidp_get_session(&req->bdaddr);
1131 if (session) {
1132 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
1133 hidp_send_ctrl_message(session,
1134 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
1135 } else {
1136 /* Flush the transmit queues */
1137 skb_queue_purge(&session->ctrl_transmit);
1138 skb_queue_purge(&session->intr_transmit);
1139
1140 atomic_inc(&session->terminate);
1141 wake_up_process(session->task);
1142 }
1143 } else
1144 err = -ENOENT;
1145
1146 up_read(&hidp_session_sem);
1147 return err;
1148 }
1149
1150 int hidp_get_connlist(struct hidp_connlist_req *req)
1151 {
1152 struct hidp_session *session;
1153 int err = 0, n = 0;
1154
1155 BT_DBG("");
1156
1157 down_read(&hidp_session_sem);
1158
1159 list_for_each_entry(session, &hidp_session_list, list) {
1160 struct hidp_conninfo ci;
1161
1162 __hidp_copy_session(session, &ci);
1163
1164 if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1165 err = -EFAULT;
1166 break;
1167 }
1168
1169 if (++n >= req->cnum)
1170 break;
1171
1172 req->ci++;
1173 }
1174 req->cnum = n;
1175
1176 up_read(&hidp_session_sem);
1177 return err;
1178 }
1179
1180 int hidp_get_conninfo(struct hidp_conninfo *ci)
1181 {
1182 struct hidp_session *session;
1183 int err = 0;
1184
1185 down_read(&hidp_session_sem);
1186
1187 session = __hidp_get_session(&ci->bdaddr);
1188 if (session)
1189 __hidp_copy_session(session, ci);
1190 else
1191 err = -ENOENT;
1192
1193 up_read(&hidp_session_sem);
1194 return err;
1195 }
1196
1197 static int __init hidp_init(void)
1198 {
1199 BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1200
1201 return hidp_init_sockets();
1202 }
1203
1204 static void __exit hidp_exit(void)
1205 {
1206 hidp_cleanup_sockets();
1207 }
1208
1209 module_init(hidp_init);
1210 module_exit(hidp_exit);
1211
1212 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1213 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1214 MODULE_VERSION(VERSION);
1215 MODULE_LICENSE("GPL");
1216 MODULE_ALIAS("bt-proto-6");
Linux kernel - Deliverables
This page took 0.077953 seconds and 5 git commands to generate.