drivers/input/evdev.c

   1 /*
   2  * Event char devices, giving access to raw input device events.
   3  *
   4  * Copyright (c) 1999-2002 Vojtech Pavlik
   5  *
   6  * This program is free software; you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License version 2 as published by
   8  * the Free Software Foundation.
   9  */
  10
  11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  12
  13 #define EVDEV_MINOR_BASE        64
  14 #define EVDEV_MINORS            32
  15 #define EVDEV_MIN_BUFFER_SIZE   64U
  16 #define EVDEV_BUF_PACKETS       8
  17
  18 #include <linux/poll.h>
  19 #include <linux/sched.h>
  20 #include <linux/slab.h>
  21 #include <linux/module.h>
  22 #include <linux/init.h>
  23 #include <linux/input/mt.h>
  24 #include <linux/major.h>
  25 #include <linux/device.h>
  26 #include <linux/cdev.h>
  27 #include "input-compat.h"
  28
  29 struct evdev {
  30         int open;
  31         struct input_handle handle;
  32         wait_queue_head_t wait;
  33         struct evdev_client __rcu *grab;
  34         struct list_head client_list;
  35         spinlock_t client_lock; /* protects client_list */
  36         struct mutex mutex;
  37         struct device dev;
  38         struct cdev cdev;
  39         bool exist;
  40 };
  41
  42 struct evdev_client {
  43         unsigned int head;
  44         unsigned int tail;
  45         unsigned int packet_head; /* [future] position of the first element of next packet */
  46         spinlock_t buffer_lock; /* protects access to buffer, head and tail */
  47         struct fasync_struct *fasync;
  48         struct evdev *evdev;
  49         struct list_head node;
  50         int clkid;
  51         bool revoked;
  52         unsigned int bufsize;
  53         struct input_event buffer[];
  54 };
  55
  56 /* flush queued events of type @type, caller must hold client->buffer_lock */
  57 static void __evdev_flush_queue(struct evdev_client *client, unsigned int type)
  58 {
  59         unsigned int i, head, num;
  60         unsigned int mask = client->bufsize - 1;
  61         bool is_report;
  62         struct input_event *ev;
  63
  64         BUG_ON(type == EV_SYN);
  65
  66         head = client->tail;
  67         client->packet_head = client->tail;
  68
  69         /* init to 1 so a leading SYN_REPORT will not be dropped */
  70         num = 1;
  71
  72         for (i = client->tail; i != client->head; i = (i + 1) & mask) {
  73                 ev = &client->buffer[i];
  74                 is_report = ev->type == EV_SYN && ev->code == SYN_REPORT;
  75
  76                 if (ev->type == type) {
  77                         /* drop matched entry */
  78                         continue;
  79                 } else if (is_report && !num) {
  80                         /* drop empty SYN_REPORT groups */
  81                         continue;
  82                 } else if (head != i) {
  83                         /* move entry to fill the gap */
  84                         client->buffer[head].time = ev->time;
  85                         client->buffer[head].type = ev->type;
  86                         client->buffer[head].code = ev->code;
  87                         client->buffer[head].value = ev->value;
  88                 }
  89
  90                 num++;
  91                 head = (head + 1) & mask;
  92
  93                 if (is_report) {
  94                         num = 0;
  95                         client->packet_head = head;
  96                 }
  97         }
  98
  99         client->head = head;
 100 }
 101
 102 /* queue SYN_DROPPED event */
 103 static void evdev_queue_syn_dropped(struct evdev_client *client)
 104 {
 105         unsigned long flags;
 106         struct input_event ev;
 107         ktime_t time;
 108
 109         time = ktime_get();
 110         if (client->clkid != CLOCK_MONOTONIC)
 111                 time = ktime_sub(time, ktime_get_monotonic_offset());
 112
 113         ev.time = ktime_to_timeval(time);
 114         ev.type = EV_SYN;
 115         ev.code = SYN_DROPPED;
 116         ev.value = 0;
 117
 118         spin_lock_irqsave(&client->buffer_lock, flags);
 119
 120         client->buffer[client->head++] = ev;
 121         client->head &= client->bufsize - 1;
 122
 123         if (unlikely(client->head == client->tail)) {
 124                 /* drop queue but keep our SYN_DROPPED event */
 125                 client->tail = (client->head - 1) & (client->bufsize - 1);
 126                 client->packet_head = client->tail;
 127         }
 128
 129         spin_unlock_irqrestore(&client->buffer_lock, flags);
 130 }
 131
 132 static void __pass_event(struct evdev_client *client,
 133                          const struct input_event *event)
 134 {
 135         client->buffer[client->head++] = *event;
 136         client->head &= client->bufsize - 1;
 137
 138         if (unlikely(client->head == client->tail)) {
 139                 /*
 140                  * This effectively "drops" all unconsumed events, leaving
 141                  * EV_SYN/SYN_DROPPED plus the newest event in the queue.
 142                  */
 143                 client->tail = (client->head - 2) & (client->bufsize - 1);
 144
 145                 client->buffer[client->tail].time = event->time;
 146                 client->buffer[client->tail].type = EV_SYN;
 147                 client->buffer[client->tail].code = SYN_DROPPED;
 148                 client->buffer[client->tail].value = 0;
 149
 150                 client->packet_head = client->tail;
 151         }
 152
 153         if (event->type == EV_SYN && event->code == SYN_REPORT) {
 154                 client->packet_head = client->head;
 155                 kill_fasync(&client->fasync, SIGIO, POLL_IN);
 156         }
 157 }
 158
 159 static void evdev_pass_values(struct evdev_client *client,
 160                         const struct input_value *vals, unsigned int count,
 161                         ktime_t mono, ktime_t real)
 162 {
 163         struct evdev *evdev = client->evdev;
 164         const struct input_value *v;
 165         struct input_event event;
 166         bool wakeup = false;
 167
 168         if (client->revoked)
 169                 return;
 170
 171         event.time = ktime_to_timeval(client->clkid == CLOCK_MONOTONIC ?
 172                                       mono : real);
 173
 174         /* Interrupts are disabled, just acquire the lock. */
 175         spin_lock(&client->buffer_lock);
 176
 177         for (v = vals; v != vals + count; v++) {
 178                 event.type = v->type;
 179                 event.code = v->code;
 180                 event.value = v->value;
 181                 __pass_event(client, &event);
 182                 if (v->type == EV_SYN && v->code == SYN_REPORT)
 183                         wakeup = true;
 184         }
 185
 186         spin_unlock(&client->buffer_lock);
 187
 188         if (wakeup)
 189                 wake_up_interruptible(&evdev->wait);
 190 }
 191
 192 /*
 193  * Pass incoming events to all connected clients.
 194  */
 195 static void evdev_events(struct input_handle *handle,
 196                          const struct input_value *vals, unsigned int count)
 197 {
 198         struct evdev *evdev = handle->private;
 199         struct evdev_client *client;
 200         ktime_t time_mono, time_real;
 201
 202         time_mono = ktime_get();
 203         time_real = ktime_sub(time_mono, ktime_get_monotonic_offset());
 204
 205         rcu_read_lock();
 206
 207         client = rcu_dereference(evdev->grab);
 208
 209         if (client)
 210                 evdev_pass_values(client, vals, count, time_mono, time_real);
 211         else
 212                 list_for_each_entry_rcu(client, &evdev->client_list, node)
 213                         evdev_pass_values(client, vals, count,
 214                                           time_mono, time_real);
 215
 216         rcu_read_unlock();
 217 }
 218
 219 /*
 220  * Pass incoming event to all connected clients.
 221  */
 222 static void evdev_event(struct input_handle *handle,
 223                         unsigned int type, unsigned int code, int value)
 224 {
 225         struct input_value vals[] = { { type, code, value } };
 226
 227         evdev_events(handle, vals, 1);
 228 }
 229
 230 static int evdev_fasync(int fd, struct file *file, int on)
 231 {
 232         struct evdev_client *client = file->private_data;
 233
 234         return fasync_helper(fd, file, on, &client->fasync);
 235 }
 236
 237 static int evdev_flush(struct file *file, fl_owner_t id)
 238 {
 239         struct evdev_client *client = file->private_data;
 240         struct evdev *evdev = client->evdev;
 241         int retval;
 242
 243         retval = mutex_lock_interruptible(&evdev->mutex);
 244         if (retval)
 245                 return retval;
 246
 247         if (!evdev->exist || client->revoked)
 248                 retval = -ENODEV;
 249         else
 250                 retval = input_flush_device(&evdev->handle, file);
 251
 252         mutex_unlock(&evdev->mutex);
 253         return retval;
 254 }
 255
 256 static void evdev_free(struct device *dev)
 257 {
 258         struct evdev *evdev = container_of(dev, struct evdev, dev);
 259
 260         input_put_device(evdev->handle.dev);
 261         kfree(evdev);
 262 }
 263
 264 /*
 265  * Grabs an event device (along with underlying input device).
 266  * This function is called with evdev->mutex taken.
 267  */
 268 static int evdev_grab(struct evdev *evdev, struct evdev_client *client)
 269 {
 270         int error;
 271
 272         if (evdev->grab)
 273                 return -EBUSY;
 274
 275         error = input_grab_device(&evdev->handle);
 276         if (error)
 277                 return error;
 278
 279         rcu_assign_pointer(evdev->grab, client);
 280
 281         return 0;
 282 }
 283
 284 static int evdev_ungrab(struct evdev *evdev, struct evdev_client *client)
 285 {
 286         struct evdev_client *grab = rcu_dereference_protected(evdev->grab,
 287                                         lockdep_is_held(&evdev->mutex));
 288
 289         if (grab != client)
 290                 return  -EINVAL;
 291
 292         rcu_assign_pointer(evdev->grab, NULL);
 293         synchronize_rcu();
 294         input_release_device(&evdev->handle);
 295
 296         return 0;
 297 }
 298
 299 static void evdev_attach_client(struct evdev *evdev,
 300                                 struct evdev_client *client)
 301 {
 302         spin_lock(&evdev->client_lock);
 303         list_add_tail_rcu(&client->node, &evdev->client_list);
 304         spin_unlock(&evdev->client_lock);
 305 }
 306
 307 static void evdev_detach_client(struct evdev *evdev,
 308                                 struct evdev_client *client)
 309 {
 310         spin_lock(&evdev->client_lock);
 311         list_del_rcu(&client->node);
 312         spin_unlock(&evdev->client_lock);
 313         synchronize_rcu();
 314 }
 315
 316 static int evdev_open_device(struct evdev *evdev)
 317 {
 318         int retval;
 319
 320         retval = mutex_lock_interruptible(&evdev->mutex);
 321         if (retval)
 322                 return retval;
 323
 324         if (!evdev->exist)
 325                 retval = -ENODEV;
 326         else if (!evdev->open++) {
 327                 retval = input_open_device(&evdev->handle);
 328                 if (retval)
 329                         evdev->open--;
 330         }
 331
 332         mutex_unlock(&evdev->mutex);
 333         return retval;
 334 }
 335
 336 static void evdev_close_device(struct evdev *evdev)
 337 {
 338         mutex_lock(&evdev->mutex);
 339
 340         if (evdev->exist && !--evdev->open)
 341                 input_close_device(&evdev->handle);
 342
 343         mutex_unlock(&evdev->mutex);
 344 }
 345
 346 /*
 347  * Wake up users waiting for IO so they can disconnect from
 348  * dead device.
 349  */
 350 static void evdev_hangup(struct evdev *evdev)
 351 {
 352         struct evdev_client *client;
 353
 354         spin_lock(&evdev->client_lock);
 355         list_for_each_entry(client, &evdev->client_list, node)
 356                 kill_fasync(&client->fasync, SIGIO, POLL_HUP);
 357         spin_unlock(&evdev->client_lock);
 358
 359         wake_up_interruptible(&evdev->wait);
 360 }
 361
 362 static int evdev_release(struct inode *inode, struct file *file)
 363 {
 364         struct evdev_client *client = file->private_data;
 365         struct evdev *evdev = client->evdev;
 366
 367         mutex_lock(&evdev->mutex);
 368         evdev_ungrab(evdev, client);
 369         mutex_unlock(&evdev->mutex);
 370
 371         evdev_detach_client(evdev, client);
 372         kfree(client);
 373
 374         evdev_close_device(evdev);
 375
 376         return 0;
 377 }
 378
 379 static unsigned int evdev_compute_buffer_size(struct input_dev *dev)
 380 {
 381         unsigned int n_events =
 382                 max(dev->hint_events_per_packet * EVDEV_BUF_PACKETS,
 383                     EVDEV_MIN_BUFFER_SIZE);
 384
 385         return roundup_pow_of_two(n_events);
 386 }
 387
 388 static int evdev_open(struct inode *inode, struct file *file)
 389 {
 390         struct evdev *evdev = container_of(inode->i_cdev, struct evdev, cdev);
 391         unsigned int bufsize = evdev_compute_buffer_size(evdev->handle.dev);
 392         struct evdev_client *client;
 393         int error;
 394
 395         client = kzalloc(sizeof(struct evdev_client) +
 396                                 bufsize * sizeof(struct input_event),
 397                          GFP_KERNEL);
 398         if (!client)
 399                 return -ENOMEM;
 400
 401         client->bufsize = bufsize;
 402         spin_lock_init(&client->buffer_lock);
 403         client->evdev = evdev;
 404         evdev_attach_client(evdev, client);
 405
 406         error = evdev_open_device(evdev);
 407         if (error)
 408                 goto err_free_client;
 409
 410         file->private_data = client;
 411         nonseekable_open(inode, file);
 412
 413         return 0;
 414
 415  err_free_client:
 416         evdev_detach_client(evdev, client);
 417         kfree(client);
 418         return error;
 419 }
 420
 421 static ssize_t evdev_write(struct file *file, const char __user *buffer,
 422                            size_t count, loff_t *ppos)
 423 {
 424         struct evdev_client *client = file->private_data;
 425         struct evdev *evdev = client->evdev;
 426         struct input_event event;
 427         int retval = 0;
 428
 429         if (count != 0 && count < input_event_size())
 430                 return -EINVAL;
 431
 432         retval = mutex_lock_interruptible(&evdev->mutex);
 433         if (retval)
 434                 return retval;
 435
 436         if (!evdev->exist || client->revoked) {
 437                 retval = -ENODEV;
 438                 goto out;
 439         }
 440
 441         while (retval + input_event_size() <= count) {
 442
 443                 if (input_event_from_user(buffer + retval, &event)) {
 444                         retval = -EFAULT;
 445                         goto out;
 446                 }
 447                 retval += input_event_size();
 448
 449                 input_inject_event(&evdev->handle,
 450                                    event.type, event.code, event.value);
 451         }
 452
 453  out:
 454         mutex_unlock(&evdev->mutex);
 455         return retval;
 456 }
 457
 458 static int evdev_fetch_next_event(struct evdev_client *client,
 459                                   struct input_event *event)
 460 {
 461         int have_event;
 462
 463         spin_lock_irq(&client->buffer_lock);
 464
 465         have_event = client->packet_head != client->tail;
 466         if (have_event) {
 467                 *event = client->buffer[client->tail++];
 468                 client->tail &= client->bufsize - 1;
 469         }
 470
 471         spin_unlock_irq(&client->buffer_lock);
 472
 473         return have_event;
 474 }
 475
 476 static ssize_t evdev_read(struct file *file, char __user *buffer,
 477                           size_t count, loff_t *ppos)
 478 {
 479         struct evdev_client *client = file->private_data;
 480         struct evdev *evdev = client->evdev;
 481         struct input_event event;
 482         size_t read = 0;
 483         int error;
 484
 485         if (count != 0 && count < input_event_size())
 486                 return -EINVAL;
 487
 488         for (;;) {
 489                 if (!evdev->exist || client->revoked)
 490                         return -ENODEV;
 491
 492                 if (client->packet_head == client->tail &&
 493                     (file->f_flags & O_NONBLOCK))
 494                         return -EAGAIN;
 495
 496                 /*
 497                  * count == 0 is special - no IO is done but we check
 498                  * for error conditions (see above).
 499                  */
 500                 if (count == 0)
 501                         break;
 502
 503                 while (read + input_event_size() <= count &&
 504                        evdev_fetch_next_event(client, &event)) {
 505
 506                         if (input_event_to_user(buffer + read, &event))
 507                                 return -EFAULT;
 508
 509                         read += input_event_size();
 510                 }
 511
 512                 if (read)
 513                         break;
 514
 515                 if (!(file->f_flags & O_NONBLOCK)) {
 516                         error = wait_event_interruptible(evdev->wait,
 517                                         client->packet_head != client->tail ||
 518                                         !evdev->exist || client->revoked);
 519                         if (error)
 520                                 return error;
 521                 }
 522         }
 523
 524         return read;
 525 }
 526
 527 /* No kernel lock - fine */
 528 static unsigned int evdev_poll(struct file *file, poll_table *wait)
 529 {
 530         struct evdev_client *client = file->private_data;
 531         struct evdev *evdev = client->evdev;
 532         unsigned int mask;
 533
 534         poll_wait(file, &evdev->wait, wait);
 535
 536         if (evdev->exist && !client->revoked)
 537                 mask = POLLOUT | POLLWRNORM;
 538         else
 539                 mask = POLLHUP | POLLERR;
 540
 541         if (client->packet_head != client->tail)
 542                 mask |= POLLIN | POLLRDNORM;
 543
 544         return mask;
 545 }
 546
 547 #ifdef CONFIG_COMPAT
 548
 549 #define BITS_PER_LONG_COMPAT (sizeof(compat_long_t) * 8)
 550 #define BITS_TO_LONGS_COMPAT(x) ((((x) - 1) / BITS_PER_LONG_COMPAT) + 1)
 551
 552 #ifdef __BIG_ENDIAN
 553 static int bits_to_user(unsigned long *bits, unsigned int maxbit,
 554                         unsigned int maxlen, void __user *p, int compat)
 555 {
 556         int len, i;
 557
 558         if (compat) {
 559                 len = BITS_TO_LONGS_COMPAT(maxbit) * sizeof(compat_long_t);
 560                 if (len > maxlen)
 561                         len = maxlen;
 562
 563                 for (i = 0; i < len / sizeof(compat_long_t); i++)
 564                         if (copy_to_user((compat_long_t __user *) p + i,
 565                                          (compat_long_t *) bits +
 566                                                 i + 1 - ((i % 2) << 1),
 567                                          sizeof(compat_long_t)))
 568                                 return -EFAULT;
 569         } else {
 570                 len = BITS_TO_LONGS(maxbit) * sizeof(long);
 571                 if (len > maxlen)
 572                         len = maxlen;
 573
 574                 if (copy_to_user(p, bits, len))
 575                         return -EFAULT;
 576         }
 577
 578         return len;
 579 }
 580 #else
 581 static int bits_to_user(unsigned long *bits, unsigned int maxbit,
 582                         unsigned int maxlen, void __user *p, int compat)
 583 {
 584         int len = compat ?
 585                         BITS_TO_LONGS_COMPAT(maxbit) * sizeof(compat_long_t) :
 586                         BITS_TO_LONGS(maxbit) * sizeof(long);
 587
 588         if (len > maxlen)
 589                 len = maxlen;
 590
 591         return copy_to_user(p, bits, len) ? -EFAULT : len;
 592 }
 593 #endif /* __BIG_ENDIAN */
 594
 595 #else
 596
 597 static int bits_to_user(unsigned long *bits, unsigned int maxbit,
 598                         unsigned int maxlen, void __user *p, int compat)
 599 {
 600         int len = BITS_TO_LONGS(maxbit) * sizeof(long);
 601
 602         if (len > maxlen)
 603                 len = maxlen;
 604
 605         return copy_to_user(p, bits, len) ? -EFAULT : len;
 606 }
 607
 608 #endif /* CONFIG_COMPAT */
 609
 610 static int str_to_user(const char *str, unsigned int maxlen, void __user *p)
 611 {
 612         int len;
 613
 614         if (!str)
 615                 return -ENOENT;
 616
 617         len = strlen(str) + 1;
 618         if (len > maxlen)
 619                 len = maxlen;
 620
 621         return copy_to_user(p, str, len) ? -EFAULT : len;
 622 }
 623
 624 #define OLD_KEY_MAX     0x1ff
 625 static int handle_eviocgbit(struct input_dev *dev,
 626                             unsigned int type, unsigned int size,
 627                             void __user *p, int compat_mode)
 628 {
 629         static unsigned long keymax_warn_time;
 630         unsigned long *bits;
 631         int len;
 632
 633         switch (type) {
 634
 635         case      0: bits = dev->evbit;  len = EV_MAX;  break;
 636         case EV_KEY: bits = dev->keybit; len = KEY_MAX; break;
 637         case EV_REL: bits = dev->relbit; len = REL_MAX; break;
 638         case EV_ABS: bits = dev->absbit; len = ABS_MAX; break;
 639         case EV_MSC: bits = dev->mscbit; len = MSC_MAX; break;
 640         case EV_LED: bits = dev->ledbit; len = LED_MAX; break;
 641         case EV_SND: bits = dev->sndbit; len = SND_MAX; break;
 642         case EV_FF:  bits = dev->ffbit;  len = FF_MAX;  break;
 643         case EV_SW:  bits = dev->swbit;  len = SW_MAX;  break;
 644         default: return -EINVAL;
 645         }
 646
 647         /*
 648          * Work around bugs in userspace programs that like to do
 649          * EVIOCGBIT(EV_KEY, KEY_MAX) and not realize that 'len'
 650          * should be in bytes, not in bits.
 651          */
 652         if (type == EV_KEY && size == OLD_KEY_MAX) {
 653                 len = OLD_KEY_MAX;
 654                 if (printk_timed_ratelimit(&keymax_warn_time, 10 * 1000))
 655                         pr_warning("(EVIOCGBIT): Suspicious buffer size %u, "
 656                                    "limiting output to %zu bytes. See "
 657                                    "http://userweb.kernel.org/~dtor/eviocgbit-bug.html\n",
 658                                    OLD_KEY_MAX,
 659                                    BITS_TO_LONGS(OLD_KEY_MAX) * sizeof(long));
 660         }
 661
 662         return bits_to_user(bits, len, size, p, compat_mode);
 663 }
 664 #undef OLD_KEY_MAX
 665
 666 static int evdev_handle_get_keycode(struct input_dev *dev, void __user *p)
 667 {
 668         struct input_keymap_entry ke = {
 669                 .len    = sizeof(unsigned int),
 670                 .flags  = 0,
 671         };
 672         int __user *ip = (int __user *)p;
 673         int error;
 674
 675         /* legacy case */
 676         if (copy_from_user(ke.scancode, p, sizeof(unsigned int)))
 677                 return -EFAULT;
 678
 679         error = input_get_keycode(dev, &ke);
 680         if (error)
 681                 return error;
 682
 683         if (put_user(ke.keycode, ip + 1))
 684                 return -EFAULT;
 685
 686         return 0;
 687 }
 688
 689 static int evdev_handle_get_keycode_v2(struct input_dev *dev, void __user *p)
 690 {
 691         struct input_keymap_entry ke;
 692         int error;
 693
 694         if (copy_from_user(&ke, p, sizeof(ke)))
 695                 return -EFAULT;
 696
 697         error = input_get_keycode(dev, &ke);
 698         if (error)
 699                 return error;
 700
 701         if (copy_to_user(p, &ke, sizeof(ke)))
 702                 return -EFAULT;
 703
 704         return 0;
 705 }
 706
 707 static int evdev_handle_set_keycode(struct input_dev *dev, void __user *p)
 708 {
 709         struct input_keymap_entry ke = {
 710                 .len    = sizeof(unsigned int),
 711                 .flags  = 0,
 712         };
 713         int __user *ip = (int __user *)p;
 714
 715         if (copy_from_user(ke.scancode, p, sizeof(unsigned int)))
 716                 return -EFAULT;
 717
 718         if (get_user(ke.keycode, ip + 1))
 719                 return -EFAULT;
 720
 721         return input_set_keycode(dev, &ke);
 722 }
 723
 724 static int evdev_handle_set_keycode_v2(struct input_dev *dev, void __user *p)
 725 {
 726         struct input_keymap_entry ke;
 727
 728         if (copy_from_user(&ke, p, sizeof(ke)))
 729                 return -EFAULT;
 730
 731         if (ke.len > sizeof(ke.scancode))
 732                 return -EINVAL;
 733
 734         return input_set_keycode(dev, &ke);
 735 }
 736
 737 /*
 738  * If we transfer state to the user, we should flush all pending events
 739  * of the same type from the client's queue. Otherwise, they might end up
 740  * with duplicate events, which can screw up client's state tracking.
 741  * If bits_to_user fails after flushing the queue, we queue a SYN_DROPPED
 742  * event so user-space will notice missing events.
 743  *
 744  * LOCKING:
 745  * We need to take event_lock before buffer_lock to avoid dead-locks. But we
 746  * need the even_lock only to guarantee consistent state. We can safely release
 747  * it while flushing the queue. This allows input-core to handle filters while
 748  * we flush the queue.
 749  */
 750 static int evdev_handle_get_val(struct evdev_client *client,
 751                                 struct input_dev *dev, unsigned int type,
 752                                 unsigned long *bits, unsigned int max,
 753                                 unsigned int size, void __user *p, int compat)
 754 {
 755         int ret;
 756         unsigned long *mem;
 757
 758         mem = kmalloc(sizeof(unsigned long) * max, GFP_KERNEL);
 759         if (!mem)
 760                 return -ENOMEM;
 761
 762         spin_lock_irq(&dev->event_lock);
 763         spin_lock(&client->buffer_lock);
 764
 765         memcpy(mem, bits, sizeof(unsigned long) * max);
 766
 767         spin_unlock(&dev->event_lock);
 768
 769         __evdev_flush_queue(client, type);
 770
 771         spin_unlock_irq(&client->buffer_lock);
 772
 773         ret = bits_to_user(mem, max, size, p, compat);
 774         if (ret < 0)
 775                 evdev_queue_syn_dropped(client);
 776
 777         kfree(mem);
 778
 779         return ret;
 780 }
 781
 782 static int evdev_handle_mt_request(struct input_dev *dev,
 783                                    unsigned int size,
 784                                    int __user *ip)
 785 {
 786         const struct input_mt *mt = dev->mt;
 787         unsigned int code;
 788         int max_slots;
 789         int i;
 790
 791         if (get_user(code, &ip[0]))
 792                 return -EFAULT;
 793         if (!mt || !input_is_mt_value(code))
 794                 return -EINVAL;
 795
 796         max_slots = (size - sizeof(__u32)) / sizeof(__s32);
 797         for (i = 0; i < mt->num_slots && i < max_slots; i++) {
 798                 int value = input_mt_get_value(&mt->slots[i], code);
 799                 if (put_user(value, &ip[1 + i]))
 800                         return -EFAULT;
 801         }
 802
 803         return 0;
 804 }
 805
 806 static int evdev_revoke(struct evdev *evdev, struct evdev_client *client,
 807                         struct file *file)
 808 {
 809         client->revoked = true;
 810         evdev_ungrab(evdev, client);
 811         input_flush_device(&evdev->handle, file);
 812         wake_up_interruptible(&evdev->wait);
 813
 814         return 0;
 815 }
 816
 817 static long evdev_do_ioctl(struct file *file, unsigned int cmd,
 818                            void __user *p, int compat_mode)
 819 {
 820         struct evdev_client *client = file->private_data;
 821         struct evdev *evdev = client->evdev;
 822         struct input_dev *dev = evdev->handle.dev;
 823         struct input_absinfo abs;
 824         struct ff_effect effect;
 825         int __user *ip = (int __user *)p;
 826         unsigned int i, t, u, v;
 827         unsigned int size;
 828         int error;
 829
 830         /* First we check for fixed-length commands */
 831         switch (cmd) {
 832
 833         case EVIOCGVERSION:
 834                 return put_user(EV_VERSION, ip);
 835
 836         case EVIOCGID:
 837                 if (copy_to_user(p, &dev->id, sizeof(struct input_id)))
 838                         return -EFAULT;
 839                 return 0;
 840
 841         case EVIOCGREP:
 842                 if (!test_bit(EV_REP, dev->evbit))
 843                         return -ENOSYS;
 844                 if (put_user(dev->rep[REP_DELAY], ip))
 845                         return -EFAULT;
 846                 if (put_user(dev->rep[REP_PERIOD], ip + 1))
 847                         return -EFAULT;
 848                 return 0;
 849
 850         case EVIOCSREP:
 851                 if (!test_bit(EV_REP, dev->evbit))
 852                         return -ENOSYS;
 853                 if (get_user(u, ip))
 854                         return -EFAULT;
 855                 if (get_user(v, ip + 1))
 856                         return -EFAULT;
 857
 858                 input_inject_event(&evdev->handle, EV_REP, REP_DELAY, u);
 859                 input_inject_event(&evdev->handle, EV_REP, REP_PERIOD, v);
 860
 861                 return 0;
 862
 863         case EVIOCRMFF:
 864                 return input_ff_erase(dev, (int)(unsigned long) p, file);
 865
 866         case EVIOCGEFFECTS:
 867                 i = test_bit(EV_FF, dev->evbit) ?
 868                                 dev->ff->max_effects : 0;
 869                 if (put_user(i, ip))
 870                         return -EFAULT;
 871                 return 0;
 872
 873         case EVIOCGRAB:
 874                 if (p)
 875                         return evdev_grab(evdev, client);
 876                 else
 877                         return evdev_ungrab(evdev, client);
 878
 879         case EVIOCREVOKE:
 880                 if (p)
 881                         return -EINVAL;
 882                 else
 883                         return evdev_revoke(evdev, client, file);
 884
 885         case EVIOCSCLOCKID:
 886                 if (copy_from_user(&i, p, sizeof(unsigned int)))
 887                         return -EFAULT;
 888                 if (i != CLOCK_MONOTONIC && i != CLOCK_REALTIME)
 889                         return -EINVAL;
 890                 client->clkid = i;
 891                 return 0;
 892
 893         case EVIOCGKEYCODE:
 894                 return evdev_handle_get_keycode(dev, p);
 895
 896         case EVIOCSKEYCODE:
 897                 return evdev_handle_set_keycode(dev, p);
 898
 899         case EVIOCGKEYCODE_V2:
 900                 return evdev_handle_get_keycode_v2(dev, p);
 901
 902         case EVIOCSKEYCODE_V2:
 903                 return evdev_handle_set_keycode_v2(dev, p);
 904         }
 905
 906         size = _IOC_SIZE(cmd);
 907
 908         /* Now check variable-length commands */
 909 #define EVIOC_MASK_SIZE(nr)     ((nr) & ~(_IOC_SIZEMASK << _IOC_SIZESHIFT))
 910         switch (EVIOC_MASK_SIZE(cmd)) {
 911
 912         case EVIOCGPROP(0):
 913                 return bits_to_user(dev->propbit, INPUT_PROP_MAX,
 914                                     size, p, compat_mode);
 915
 916         case EVIOCGMTSLOTS(0):
 917                 return evdev_handle_mt_request(dev, size, ip);
 918
 919         case EVIOCGKEY(0):
 920                 return evdev_handle_get_val(client, dev, EV_KEY, dev->key,
 921                                             KEY_MAX, size, p, compat_mode);
 922
 923         case EVIOCGLED(0):
 924                 return evdev_handle_get_val(client, dev, EV_LED, dev->led,
 925                                             LED_MAX, size, p, compat_mode);
 926
 927         case EVIOCGSND(0):
 928                 return evdev_handle_get_val(client, dev, EV_SND, dev->snd,
 929                                             SND_MAX, size, p, compat_mode);
 930
 931         case EVIOCGSW(0):
 932                 return evdev_handle_get_val(client, dev, EV_SW, dev->sw,
 933                                             SW_MAX, size, p, compat_mode);
 934
 935         case EVIOCGNAME(0):
 936                 return str_to_user(dev->name, size, p);
 937
 938         case EVIOCGPHYS(0):
 939                 return str_to_user(dev->phys, size, p);
 940
 941         case EVIOCGUNIQ(0):
 942                 return str_to_user(dev->uniq, size, p);
 943
 944         case EVIOC_MASK_SIZE(EVIOCSFF):
 945                 if (input_ff_effect_from_user(p, size, &effect))
 946                         return -EFAULT;
 947
 948                 error = input_ff_upload(dev, &effect, file);
 949
 950                 if (put_user(effect.id, &(((struct ff_effect __user *)p)->id)))
 951                         return -EFAULT;
 952
 953                 return error;
 954         }
 955
 956         /* Multi-number variable-length handlers */
 957         if (_IOC_TYPE(cmd) != 'E')
 958                 return -EINVAL;
 959
 960         if (_IOC_DIR(cmd) == _IOC_READ) {
 961
 962                 if ((_IOC_NR(cmd) & ~EV_MAX) == _IOC_NR(EVIOCGBIT(0, 0)))
 963                         return handle_eviocgbit(dev,
 964                                                 _IOC_NR(cmd) & EV_MAX, size,
 965                                                 p, compat_mode);
 966
 967                 if ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCGABS(0))) {
 968
 969                         if (!dev->absinfo)
 970                                 return -EINVAL;
 971
 972                         t = _IOC_NR(cmd) & ABS_MAX;
 973                         abs = dev->absinfo[t];
 974
 975                         if (copy_to_user(p, &abs, min_t(size_t,
 976                                         size, sizeof(struct input_absinfo))))
 977                                 return -EFAULT;
 978
 979                         return 0;
 980                 }
 981         }
 982
 983         if (_IOC_DIR(cmd) == _IOC_WRITE) {
 984
 985                 if ((_IOC_NR(cmd) & ~ABS_MAX) == _IOC_NR(EVIOCSABS(0))) {
 986
 987                         if (!dev->absinfo)
 988                                 return -EINVAL;
 989
 990                         t = _IOC_NR(cmd) & ABS_MAX;
 991
 992                         if (copy_from_user(&abs, p, min_t(size_t,
 993                                         size, sizeof(struct input_absinfo))))
 994                                 return -EFAULT;
 995
 996                         if (size < sizeof(struct input_absinfo))
 997                                 abs.resolution = 0;
 998
 999                         /* We can't change number of reserved MT slots */
1000                         if (t == ABS_MT_SLOT)
1001                                 return -EINVAL;
1002
1003                         /*
1004                          * Take event lock to ensure that we are not
1005                          * changing device parameters in the middle
1006                          * of event.
1007                          */
1008                         spin_lock_irq(&dev->event_lock);
1009                         dev->absinfo[t] = abs;
1010                         spin_unlock_irq(&dev->event_lock);
1011
1012                         return 0;
1013                 }
1014         }
1015
1016         return -EINVAL;
1017 }
1018
1019 static long evdev_ioctl_handler(struct file *file, unsigned int cmd,
1020                                 void __user *p, int compat_mode)
1021 {
1022         struct evdev_client *client = file->private_data;
1023         struct evdev *evdev = client->evdev;
1024         int retval;
1025
1026         retval = mutex_lock_interruptible(&evdev->mutex);
1027         if (retval)
1028                 return retval;
1029
1030         if (!evdev->exist || client->revoked) {
1031                 retval = -ENODEV;
1032                 goto out;
1033         }
1034
1035         retval = evdev_do_ioctl(file, cmd, p, compat_mode);
1036
1037  out:
1038         mutex_unlock(&evdev->mutex);
1039         return retval;
1040 }
1041
1042 static long evdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1043 {
1044         return evdev_ioctl_handler(file, cmd, (void __user *)arg, 0);
1045 }
1046
1047 #ifdef CONFIG_COMPAT
1048 static long evdev_ioctl_compat(struct file *file,
1049                                 unsigned int cmd, unsigned long arg)
1050 {
1051         return evdev_ioctl_handler(file, cmd, compat_ptr(arg), 1);
1052 }
1053 #endif
1054
1055 static const struct file_operations evdev_fops = {
1056         .owner          = THIS_MODULE,
1057         .read           = evdev_read,
1058         .write          = evdev_write,
1059         .poll           = evdev_poll,
1060         .open           = evdev_open,
1061         .release        = evdev_release,
1062         .unlocked_ioctl = evdev_ioctl,
1063 #ifdef CONFIG_COMPAT
1064         .compat_ioctl   = evdev_ioctl_compat,
1065 #endif
1066         .fasync         = evdev_fasync,
1067         .flush          = evdev_flush,
1068         .llseek         = no_llseek,
1069 };
1070
1071 /*
1072  * Mark device non-existent. This disables writes, ioctls and
1073  * prevents new users from opening the device. Already posted
1074  * blocking reads will stay, however new ones will fail.
1075  */
1076 static void evdev_mark_dead(struct evdev *evdev)
1077 {
1078         mutex_lock(&evdev->mutex);
1079         evdev->exist = false;
1080         mutex_unlock(&evdev->mutex);
1081 }
1082
1083 static void evdev_cleanup(struct evdev *evdev)
1084 {
1085         struct input_handle *handle = &evdev->handle;
1086
1087         evdev_mark_dead(evdev);
1088         evdev_hangup(evdev);
1089
1090         cdev_del(&evdev->cdev);
1091
1092         /* evdev is marked dead so no one else accesses evdev->open */
1093         if (evdev->open) {
1094                 input_flush_device(handle, NULL);
1095                 input_close_device(handle);
1096         }
1097 }
1098
1099 /*
1100  * Create new evdev device. Note that input core serializes calls
1101  * to connect and disconnect.
1102  */
1103 static int evdev_connect(struct input_handler *handler, struct input_dev *dev,
1104                          const struct input_device_id *id)
1105 {
1106         struct evdev *evdev;
1107         int minor;
1108         int dev_no;
1109         int error;
1110
1111         minor = input_get_new_minor(EVDEV_MINOR_BASE, EVDEV_MINORS, true);
1112         if (minor < 0) {
1113                 error = minor;
1114                 pr_err("failed to reserve new minor: %d\n", error);
1115                 return error;
1116         }
1117
1118         evdev = kzalloc(sizeof(struct evdev), GFP_KERNEL);
1119         if (!evdev) {
1120                 error = -ENOMEM;
1121                 goto err_free_minor;
1122         }
1123
1124         INIT_LIST_HEAD(&evdev->client_list);
1125         spin_lock_init(&evdev->client_lock);
1126         mutex_init(&evdev->mutex);
1127         init_waitqueue_head(&evdev->wait);
1128         evdev->exist = true;
1129
1130         dev_no = minor;
1131         /* Normalize device number if it falls into legacy range */
1132         if (dev_no < EVDEV_MINOR_BASE + EVDEV_MINORS)
1133                 dev_no -= EVDEV_MINOR_BASE;
1134         dev_set_name(&evdev->dev, "event%d", dev_no);
1135
1136         evdev->handle.dev = input_get_device(dev);
1137         evdev->handle.name = dev_name(&evdev->dev);
1138         evdev->handle.handler = handler;
1139         evdev->handle.private = evdev;
1140
1141         evdev->dev.devt = MKDEV(INPUT_MAJOR, minor);
1142         evdev->dev.class = &input_class;
1143         evdev->dev.parent = &dev->dev;
1144         evdev->dev.release = evdev_free;
1145         device_initialize(&evdev->dev);
1146
1147         error = input_register_handle(&evdev->handle);
1148         if (error)
1149                 goto err_free_evdev;
1150
1151         cdev_init(&evdev->cdev, &evdev_fops);
1152         evdev->cdev.kobj.parent = &evdev->dev.kobj;
1153         error = cdev_add(&evdev->cdev, evdev->dev.devt, 1);
1154         if (error)
1155                 goto err_unregister_handle;
1156
1157         error = device_add(&evdev->dev);
1158         if (error)
1159                 goto err_cleanup_evdev;
1160
1161         return 0;
1162
1163  err_cleanup_evdev:
1164         evdev_cleanup(evdev);
1165  err_unregister_handle:
1166         input_unregister_handle(&evdev->handle);
1167  err_free_evdev:
1168         put_device(&evdev->dev);
1169  err_free_minor:
1170         input_free_minor(minor);
1171         return error;
1172 }
1173
1174 static void evdev_disconnect(struct input_handle *handle)
1175 {
1176         struct evdev *evdev = handle->private;
1177
1178         device_del(&evdev->dev);
1179         evdev_cleanup(evdev);
1180         input_free_minor(MINOR(evdev->dev.devt));
1181         input_unregister_handle(handle);
1182         put_device(&evdev->dev);
1183 }
1184
1185 static const struct input_device_id evdev_ids[] = {
1186         { .driver_info = 1 },   /* Matches all devices */
1187         { },                    /* Terminating zero entry */
1188 };
1189
1190 MODULE_DEVICE_TABLE(input, evdev_ids);
1191
1192 static struct input_handler evdev_handler = {
1193         .event          = evdev_event,
1194         .events         = evdev_events,
1195         .connect        = evdev_connect,
1196         .disconnect     = evdev_disconnect,
1197         .legacy_minors  = true,
1198         .minor          = EVDEV_MINOR_BASE,
1199         .name           = "evdev",
1200         .id_table       = evdev_ids,
1201 };
1202
1203 static int __init evdev_init(void)
1204 {
1205         return input_register_handler(&evdev_handler);
1206 }
1207
1208 static void __exit evdev_exit(void)
1209 {
1210         input_unregister_handler(&evdev_handler);
1211 }
1212
1213 module_init(evdev_init);
1214 module_exit(evdev_exit);
1215
1216 MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>");
1217 MODULE_DESCRIPTION("Input driver event char devices");
1218 MODULE_LICENSE("GPL");