1/* 2 HIDP implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org> 4 Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24#include <linux/kref.h> 25#include <linux/module.h> 26#include <linux/file.h> 27#include <linux/kthread.h> 28#include <linux/hidraw.h> 29 30#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/hci_core.h> 32#include <net/bluetooth/l2cap.h> 33 34#include "hidp.h" 35 36#define VERSION "1.2" 37 38static DECLARE_RWSEM(hidp_session_sem); 39static LIST_HEAD(hidp_session_list); 40 41static unsigned char hidp_keycode[256] = { 42 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 43 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 44 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1, 45 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52, 46 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88, 47 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69, 48 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73, 49 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190, 50 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135, 51 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94, 52 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0, 53 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 54 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 55 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 56 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 57 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 58 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115, 59 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140 60}; 61 62static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 63 64static int hidp_session_probe(struct l2cap_conn *conn, 65 struct l2cap_user *user); 66static void hidp_session_remove(struct l2cap_conn *conn, 67 struct l2cap_user *user); 68static int hidp_session_thread(void *arg); 69static void hidp_session_terminate(struct hidp_session *s); 70 71static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci) 72{ 73 memset(ci, 0, sizeof(*ci)); 74 bacpy(&ci->bdaddr, &session->bdaddr); 75 76 ci->flags = session->flags; 77 ci->state = BT_CONNECTED; 78 79 ci->vendor = 0x0000; 80 ci->product = 0x0000; 81 ci->version = 0x0000; 82 83 if (session->input) { 84 ci->vendor = session->input->id.vendor; 85 ci->product = session->input->id.product; 86 ci->version = session->input->id.version; 87 if (session->input->name) 88 strncpy(ci->name, session->input->name, 128); 89 else 90 strncpy(ci->name, "HID Boot Device", 128); 91 } 92 93 if (session->hid) { 94 ci->vendor = session->hid->vendor; 95 ci->product = session->hid->product; 96 ci->version = session->hid->version; 97 strncpy(ci->name, session->hid->name, 128); 98 } 99} 100 101/* assemble skb, queue message on @transmit and wake up the session thread */ 102static int hidp_send_message(struct hidp_session *session, struct socket *sock, 103 struct sk_buff_head *transmit, unsigned char hdr, 104 const unsigned char *data, int size) 105{ 106 struct sk_buff *skb; 107 struct sock *sk = sock->sk; 108 109 BT_DBG("session %p data %p size %d", session, data, size); 110 111 if (atomic_read(&session->terminate)) 112 return -EIO; 113 114 skb = alloc_skb(size + 1, GFP_ATOMIC); 115 if (!skb) { 116 BT_ERR("Can't allocate memory for new frame"); 117 return -ENOMEM; 118 } 119 120 *skb_put(skb, 1) = hdr; 121 if (data && size > 0) 122 memcpy(skb_put(skb, size), data, size); 123 124 skb_queue_tail(transmit, skb); 125 wake_up_interruptible(sk_sleep(sk)); 126 127 return 0; 128} 129 130static int hidp_send_ctrl_message(struct hidp_session *session, 131 unsigned char hdr, const unsigned char *data, 132 int size) 133{ 134 return hidp_send_message(session, session->ctrl_sock, 135 &session->ctrl_transmit, hdr, data, size); 136} 137 138static int hidp_send_intr_message(struct hidp_session *session, 139 unsigned char hdr, const unsigned char *data, 140 int size) 141{ 142 return hidp_send_message(session, session->intr_sock, 143 &session->intr_transmit, hdr, data, size); 144} 145 146static int hidp_input_event(struct input_dev *dev, unsigned int type, 147 unsigned int code, int value) 148{ 149 struct hidp_session *session = input_get_drvdata(dev); 150 unsigned char newleds; 151 unsigned char hdr, data[2]; 152 153 BT_DBG("session %p type %d code %d value %d", 154 session, type, code, value); 155 156 if (type != EV_LED) 157 return -1; 158 159 newleds = (!!test_bit(LED_KANA, dev->led) << 3) | 160 (!!test_bit(LED_COMPOSE, dev->led) << 3) | 161 (!!test_bit(LED_SCROLLL, dev->led) << 2) | 162 (!!test_bit(LED_CAPSL, dev->led) << 1) | 163 (!!test_bit(LED_NUML, dev->led)); 164 165 if (session->leds == newleds) 166 return 0; 167 168 session->leds = newleds; 169 170 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 171 data[0] = 0x01; 172 data[1] = newleds; 173 174 return hidp_send_intr_message(session, hdr, data, 2); 175} 176 177static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb) 178{ 179 struct input_dev *dev = session->input; 180 unsigned char *keys = session->keys; 181 unsigned char *udata = skb->data + 1; 182 signed char *sdata = skb->data + 1; 183 int i, size = skb->len - 1; 184 185 switch (skb->data[0]) { 186 case 0x01: /* Keyboard report */ 187 for (i = 0; i < 8; i++) 188 input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1); 189 190 /* If all the key codes have been set to 0x01, it means 191 * too many keys were pressed at the same time. */ 192 if (!memcmp(udata + 2, hidp_mkeyspat, 6)) 193 break; 194 195 for (i = 2; i < 8; i++) { 196 if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) { 197 if (hidp_keycode[keys[i]]) 198 input_report_key(dev, hidp_keycode[keys[i]], 0); 199 else 200 BT_ERR("Unknown key (scancode %#x) released.", keys[i]); 201 } 202 203 if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) { 204 if (hidp_keycode[udata[i]]) 205 input_report_key(dev, hidp_keycode[udata[i]], 1); 206 else 207 BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]); 208 } 209 } 210 211 memcpy(keys, udata, 8); 212 break; 213 214 case 0x02: /* Mouse report */ 215 input_report_key(dev, BTN_LEFT, sdata[0] & 0x01); 216 input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02); 217 input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04); 218 input_report_key(dev, BTN_SIDE, sdata[0] & 0x08); 219 input_report_key(dev, BTN_EXTRA, sdata[0] & 0x10); 220 221 input_report_rel(dev, REL_X, sdata[1]); 222 input_report_rel(dev, REL_Y, sdata[2]); 223 224 if (size > 3) 225 input_report_rel(dev, REL_WHEEL, sdata[3]); 226 break; 227 } 228 229 input_sync(dev); 230} 231 232static int hidp_send_report(struct hidp_session *session, struct hid_report *report) 233{ 234 unsigned char buf[32], hdr; 235 int rsize; 236 237 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0); 238 if (rsize > sizeof(buf)) 239 return -EIO; 240 241 hid_output_report(report, buf); 242 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 243 244 return hidp_send_intr_message(session, hdr, buf, rsize); 245} 246 247static int hidp_get_raw_report(struct hid_device *hid, 248 unsigned char report_number, 249 unsigned char *data, size_t count, 250 unsigned char report_type) 251{ 252 struct hidp_session *session = hid->driver_data; 253 struct sk_buff *skb; 254 size_t len; 255 int numbered_reports = hid->report_enum[report_type].numbered; 256 int ret; 257 258 if (atomic_read(&session->terminate)) 259 return -EIO; 260 261 switch (report_type) { 262 case HID_FEATURE_REPORT: 263 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE; 264 break; 265 case HID_INPUT_REPORT: 266 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT; 267 break; 268 case HID_OUTPUT_REPORT: 269 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT; 270 break; 271 default: 272 return -EINVAL; 273 } 274 275 if (mutex_lock_interruptible(&session->report_mutex)) 276 return -ERESTARTSYS; 277 278 /* Set up our wait, and send the report request to the device. */ 279 session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK; 280 session->waiting_report_number = numbered_reports ? report_number : -1; 281 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 282 data[0] = report_number; 283 ret = hidp_send_ctrl_message(session, report_type, data, 1); 284 if (ret) 285 goto err; 286 287 /* Wait for the return of the report. The returned report 288 gets put in session->report_return. */ 289 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) && 290 !atomic_read(&session->terminate)) { 291 int res; 292 293 res = wait_event_interruptible_timeout(session->report_queue, 294 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) 295 || atomic_read(&session->terminate), 296 5*HZ); 297 if (res == 0) { 298 /* timeout */ 299 ret = -EIO; 300 goto err; 301 } 302 if (res < 0) { 303 /* signal */ 304 ret = -ERESTARTSYS; 305 goto err; 306 } 307 } 308 309 skb = session->report_return; 310 if (skb) { 311 len = skb->len < count ? skb->len : count; 312 memcpy(data, skb->data, len); 313 314 kfree_skb(skb); 315 session->report_return = NULL; 316 } else { 317 /* Device returned a HANDSHAKE, indicating protocol error. */ 318 len = -EIO; 319 } 320 321 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 322 mutex_unlock(&session->report_mutex); 323 324 return len; 325 326err: 327 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 328 mutex_unlock(&session->report_mutex); 329 return ret; 330} 331 332static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count, 333 unsigned char report_type) 334{ 335 struct hidp_session *session = hid->driver_data; 336 int ret; 337 338 if (report_type == HID_OUTPUT_REPORT) { 339 report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 340 return hidp_send_intr_message(session, report_type, 341 data, count); 342 } else if (report_type != HID_FEATURE_REPORT) { 343 return -EINVAL; 344 } 345 346 if (mutex_lock_interruptible(&session->report_mutex)) 347 return -ERESTARTSYS; 348 349 /* Set up our wait, and send the report request to the device. */ 350 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 351 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE; 352 ret = hidp_send_ctrl_message(session, report_type, data, count); 353 if (ret) 354 goto err; 355 356 /* Wait for the ACK from the device. */ 357 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) && 358 !atomic_read(&session->terminate)) { 359 int res; 360 361 res = wait_event_interruptible_timeout(session->report_queue, 362 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) 363 || atomic_read(&session->terminate), 364 10*HZ); 365 if (res == 0) { 366 /* timeout */ 367 ret = -EIO; 368 goto err; 369 } 370 if (res < 0) { 371 /* signal */ 372 ret = -ERESTARTSYS; 373 goto err; 374 } 375 } 376 377 if (!session->output_report_success) { 378 ret = -EIO; 379 goto err; 380 } 381 382 ret = count; 383 384err: 385 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 386 mutex_unlock(&session->report_mutex); 387 return ret; 388} 389 390static void hidp_idle_timeout(unsigned long arg) 391{ 392 struct hidp_session *session = (struct hidp_session *) arg; 393 394 hidp_session_terminate(session); 395} 396 397static void hidp_set_timer(struct hidp_session *session) 398{ 399 if (session->idle_to > 0) 400 mod_timer(&session->timer, jiffies + HZ * session->idle_to); 401} 402 403static void hidp_del_timer(struct hidp_session *session) 404{ 405 if (session->idle_to > 0) 406 del_timer(&session->timer); 407} 408 409static void hidp_process_handshake(struct hidp_session *session, 410 unsigned char param) 411{ 412 BT_DBG("session %p param 0x%02x", session, param); 413 session->output_report_success = 0; /* default condition */ 414 415 switch (param) { 416 case HIDP_HSHK_SUCCESSFUL: 417 /* FIXME: Call into SET_ GET_ handlers here */ 418 session->output_report_success = 1; 419 break; 420 421 case HIDP_HSHK_NOT_READY: 422 case HIDP_HSHK_ERR_INVALID_REPORT_ID: 423 case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST: 424 case HIDP_HSHK_ERR_INVALID_PARAMETER: 425 if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) 426 wake_up_interruptible(&session->report_queue); 427 428 /* FIXME: Call into SET_ GET_ handlers here */ 429 break; 430 431 case HIDP_HSHK_ERR_UNKNOWN: 432 break; 433 434 case HIDP_HSHK_ERR_FATAL: 435 /* Device requests a reboot, as this is the only way this error 436 * can be recovered. */ 437 hidp_send_ctrl_message(session, 438 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0); 439 break; 440 441 default: 442 hidp_send_ctrl_message(session, 443 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 444 break; 445 } 446 447 /* Wake up the waiting thread. */ 448 if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) 449 wake_up_interruptible(&session->report_queue); 450} 451 452static void hidp_process_hid_control(struct hidp_session *session, 453 unsigned char param) 454{ 455 BT_DBG("session %p param 0x%02x", session, param); 456 457 if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) { 458 /* Flush the transmit queues */ 459 skb_queue_purge(&session->ctrl_transmit); 460 skb_queue_purge(&session->intr_transmit); 461 462 hidp_session_terminate(session); 463 } 464} 465 466/* Returns true if the passed-in skb should be freed by the caller. */ 467static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb, 468 unsigned char param) 469{ 470 int done_with_skb = 1; 471 BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param); 472 473 switch (param) { 474 case HIDP_DATA_RTYPE_INPUT: 475 hidp_set_timer(session); 476 477 if (session->input) 478 hidp_input_report(session, skb); 479 480 if (session->hid) 481 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0); 482 break; 483 484 case HIDP_DATA_RTYPE_OTHER: 485 case HIDP_DATA_RTYPE_OUPUT: 486 case HIDP_DATA_RTYPE_FEATURE: 487 break; 488 489 default: 490 hidp_send_ctrl_message(session, 491 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 492 } 493 494 if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) && 495 param == session->waiting_report_type) { 496 if (session->waiting_report_number < 0 || 497 session->waiting_report_number == skb->data[0]) { 498 /* hidp_get_raw_report() is waiting on this report. */ 499 session->report_return = skb; 500 done_with_skb = 0; 501 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 502 wake_up_interruptible(&session->report_queue); 503 } 504 } 505 506 return done_with_skb; 507} 508 509static void hidp_recv_ctrl_frame(struct hidp_session *session, 510 struct sk_buff *skb) 511{ 512 unsigned char hdr, type, param; 513 int free_skb = 1; 514 515 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 516 517 hdr = skb->data[0]; 518 skb_pull(skb, 1); 519 520 type = hdr & HIDP_HEADER_TRANS_MASK; 521 param = hdr & HIDP_HEADER_PARAM_MASK; 522 523 switch (type) { 524 case HIDP_TRANS_HANDSHAKE: 525 hidp_process_handshake(session, param); 526 break; 527 528 case HIDP_TRANS_HID_CONTROL: 529 hidp_process_hid_control(session, param); 530 break; 531 532 case HIDP_TRANS_DATA: 533 free_skb = hidp_process_data(session, skb, param); 534 break; 535 536 default: 537 hidp_send_ctrl_message(session, 538 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0); 539 break; 540 } 541 542 if (free_skb) 543 kfree_skb(skb); 544} 545 546static void hidp_recv_intr_frame(struct hidp_session *session, 547 struct sk_buff *skb) 548{ 549 unsigned char hdr; 550 551 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 552 553 hdr = skb->data[0]; 554 skb_pull(skb, 1); 555 556 if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) { 557 hidp_set_timer(session); 558 559 if (session->input) 560 hidp_input_report(session, skb); 561 562 if (session->hid) { 563 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1); 564 BT_DBG("report len %d", skb->len); 565 } 566 } else { 567 BT_DBG("Unsupported protocol header 0x%02x", hdr); 568 } 569 570 kfree_skb(skb); 571} 572 573static int hidp_send_frame(struct socket *sock, unsigned char *data, int len) 574{ 575 struct kvec iv = { data, len }; 576 struct msghdr msg; 577 578 BT_DBG("sock %p data %p len %d", sock, data, len); 579 580 if (!len) 581 return 0; 582 583 memset(&msg, 0, sizeof(msg)); 584 585 return kernel_sendmsg(sock, &msg, &iv, 1, len); 586} 587 588/* dequeue message from @transmit and send via @sock */ 589static void hidp_process_transmit(struct hidp_session *session, 590 struct sk_buff_head *transmit, 591 struct socket *sock) 592{ 593 struct sk_buff *skb; 594 int ret; 595 596 BT_DBG("session %p", session); 597 598 while ((skb = skb_dequeue(transmit))) { 599 ret = hidp_send_frame(sock, skb->data, skb->len); 600 if (ret == -EAGAIN) { 601 skb_queue_head(transmit, skb); 602 break; 603 } else if (ret < 0) { 604 hidp_session_terminate(session); 605 kfree_skb(skb); 606 break; 607 } 608 609 hidp_set_timer(session); 610 kfree_skb(skb); 611 } 612} 613 614static int hidp_setup_input(struct hidp_session *session, 615 struct hidp_connadd_req *req) 616{ 617 struct input_dev *input; 618 int i; 619 620 input = input_allocate_device(); 621 if (!input) 622 return -ENOMEM; 623 624 session->input = input; 625 626 input_set_drvdata(input, session); 627 628 input->name = "Bluetooth HID Boot Protocol Device"; 629 630 input->id.bustype = BUS_BLUETOOTH; 631 input->id.vendor = req->vendor; 632 input->id.product = req->product; 633 input->id.version = req->version; 634 635 if (req->subclass & 0x40) { 636 set_bit(EV_KEY, input->evbit); 637 set_bit(EV_LED, input->evbit); 638 set_bit(EV_REP, input->evbit); 639 640 set_bit(LED_NUML, input->ledbit); 641 set_bit(LED_CAPSL, input->ledbit); 642 set_bit(LED_SCROLLL, input->ledbit); 643 set_bit(LED_COMPOSE, input->ledbit); 644 set_bit(LED_KANA, input->ledbit); 645 646 for (i = 0; i < sizeof(hidp_keycode); i++) 647 set_bit(hidp_keycode[i], input->keybit); 648 clear_bit(0, input->keybit); 649 } 650 651 if (req->subclass & 0x80) { 652 input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL); 653 input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) | 654 BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE); 655 input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y); 656 input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) | 657 BIT_MASK(BTN_EXTRA); 658 input->relbit[0] |= BIT_MASK(REL_WHEEL); 659 } 660 661 input->dev.parent = &session->conn->hcon->dev; 662 663 input->event = hidp_input_event; 664 665 return 0; 666} 667 668static int hidp_open(struct hid_device *hid) 669{ 670 return 0; 671} 672 673static void hidp_close(struct hid_device *hid) 674{ 675} 676 677static int hidp_parse(struct hid_device *hid) 678{ 679 struct hidp_session *session = hid->driver_data; 680 681 return hid_parse_report(session->hid, session->rd_data, 682 session->rd_size); 683} 684 685static int hidp_start(struct hid_device *hid) 686{ 687 struct hidp_session *session = hid->driver_data; 688 struct hid_report *report; 689 690 if (hid->quirks & HID_QUIRK_NO_INIT_REPORTS) 691 return 0; 692 693 list_for_each_entry(report, &hid->report_enum[HID_INPUT_REPORT]. 694 report_list, list) 695 hidp_send_report(session, report); 696 697 list_for_each_entry(report, &hid->report_enum[HID_FEATURE_REPORT]. 698 report_list, list) 699 hidp_send_report(session, report); 700 701 return 0; 702} 703 704static void hidp_stop(struct hid_device *hid) 705{ 706 struct hidp_session *session = hid->driver_data; 707 708 skb_queue_purge(&session->ctrl_transmit); 709 skb_queue_purge(&session->intr_transmit); 710 711 hid->claimed = 0; 712} 713 714static struct hid_ll_driver hidp_hid_driver = { 715 .parse = hidp_parse, 716 .start = hidp_start, 717 .stop = hidp_stop, 718 .open = hidp_open, 719 .close = hidp_close, 720}; 721 722/* This function sets up the hid device. It does not add it 723 to the HID system. That is done in hidp_add_connection(). */ 724static int hidp_setup_hid(struct hidp_session *session, 725 struct hidp_connadd_req *req) 726{ 727 struct hid_device *hid; 728 int err; 729 730 session->rd_data = kzalloc(req->rd_size, GFP_KERNEL); 731 if (!session->rd_data) 732 return -ENOMEM; 733 734 if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) { 735 err = -EFAULT; 736 goto fault; 737 } 738 session->rd_size = req->rd_size; 739 740 hid = hid_allocate_device(); 741 if (IS_ERR(hid)) { 742 err = PTR_ERR(hid); 743 goto fault; 744 } 745 746 session->hid = hid; 747 748 hid->driver_data = session; 749 750 hid->bus = BUS_BLUETOOTH; 751 hid->vendor = req->vendor; 752 hid->product = req->product; 753 hid->version = req->version; 754 hid->country = req->country; 755 756 strncpy(hid->name, req->name, sizeof(req->name) - 1); 757 758 snprintf(hid->phys, sizeof(hid->phys), "%pMR", 759 &bt_sk(session->ctrl_sock->sk)->src); 760 761 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR", 762 &bt_sk(session->ctrl_sock->sk)->dst); 763 764 hid->dev.parent = &session->conn->hcon->dev; 765 hid->ll_driver = &hidp_hid_driver; 766 767 hid->hid_get_raw_report = hidp_get_raw_report; 768 hid->hid_output_raw_report = hidp_output_raw_report; 769 770 /* True if device is blacklisted in drivers/hid/hid-core.c */ 771 if (hid_ignore(hid)) { 772 hid_destroy_device(session->hid); 773 session->hid = NULL; 774 return -ENODEV; 775 } 776 777 return 0; 778 779fault: 780 kfree(session->rd_data); 781 session->rd_data = NULL; 782 783 return err; 784} 785 786/* initialize session devices */ 787static int hidp_session_dev_init(struct hidp_session *session, 788 struct hidp_connadd_req *req) 789{ 790 int ret; 791 792 if (req->rd_size > 0) { 793 ret = hidp_setup_hid(session, req); 794 if (ret && ret != -ENODEV) 795 return ret; 796 } 797 798 if (!session->hid) { 799 ret = hidp_setup_input(session, req); 800 if (ret < 0) 801 return ret; 802 } 803 804 return 0; 805} 806 807/* destroy session devices */ 808static void hidp_session_dev_destroy(struct hidp_session *session) 809{ 810 if (session->hid) 811 put_device(&session->hid->dev); 812 else if (session->input) 813 input_put_device(session->input); 814 815 kfree(session->rd_data); 816 session->rd_data = NULL; 817} 818 819/* add HID/input devices to their underlying bus systems */ 820static int hidp_session_dev_add(struct hidp_session *session) 821{ 822 int ret; 823 824 /* Both HID and input systems drop a ref-count when unregistering the 825 * device but they don't take a ref-count when registering them. Work 826 * around this by explicitly taking a refcount during registration 827 * which is dropped automatically by unregistering the devices. */ 828 829 if (session->hid) { 830 ret = hid_add_device(session->hid); 831 if (ret) 832 return ret; 833 get_device(&session->hid->dev); 834 } else if (session->input) { 835 ret = input_register_device(session->input); 836 if (ret) 837 return ret; 838 input_get_device(session->input); 839 } 840 841 return 0; 842} 843 844/* remove HID/input devices from their bus systems */ 845static void hidp_session_dev_del(struct hidp_session *session) 846{ 847 if (session->hid) 848 hid_destroy_device(session->hid); 849 else if (session->input) 850 input_unregister_device(session->input); 851} 852 853/* 854 * Create new session object 855 * Allocate session object, initialize static fields, copy input data into the 856 * object and take a reference to all sub-objects. 857 * This returns 0 on success and puts a pointer to the new session object in 858 * \out. Otherwise, an error code is returned. 859 * The new session object has an initial ref-count of 1. 860 */ 861static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr, 862 struct socket *ctrl_sock, 863 struct socket *intr_sock, 864 struct hidp_connadd_req *req, 865 struct l2cap_conn *conn) 866{ 867 struct hidp_session *session; 868 int ret; 869 struct bt_sock *ctrl, *intr; 870 871 ctrl = bt_sk(ctrl_sock->sk); 872 intr = bt_sk(intr_sock->sk); 873 874 session = kzalloc(sizeof(*session), GFP_KERNEL); 875 if (!session) 876 return -ENOMEM; 877 878 /* object and runtime management */ 879 kref_init(&session->ref); 880 atomic_set(&session->state, HIDP_SESSION_IDLING); 881 init_waitqueue_head(&session->state_queue); 882 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID); 883 884 /* connection management */ 885 bacpy(&session->bdaddr, bdaddr); 886 session->conn = conn; 887 session->user.probe = hidp_session_probe; 888 session->user.remove = hidp_session_remove; 889 session->ctrl_sock = ctrl_sock; 890 session->intr_sock = intr_sock; 891 skb_queue_head_init(&session->ctrl_transmit); 892 skb_queue_head_init(&session->intr_transmit); 893 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu, 894 l2cap_pi(ctrl)->chan->imtu); 895 session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu, 896 l2cap_pi(intr)->chan->imtu); 897 session->idle_to = req->idle_to; 898 899 /* device management */ 900 setup_timer(&session->timer, hidp_idle_timeout, 901 (unsigned long)session); 902 903 /* session data */ 904 mutex_init(&session->report_mutex); 905 init_waitqueue_head(&session->report_queue); 906 907 ret = hidp_session_dev_init(session, req); 908 if (ret) 909 goto err_free; 910 911 l2cap_conn_get(session->conn); 912 get_file(session->intr_sock->file); 913 get_file(session->ctrl_sock->file); 914 *out = session; 915 return 0; 916 917err_free: 918 kfree(session); 919 return ret; 920} 921 922/* increase ref-count of the given session by one */ 923static void hidp_session_get(struct hidp_session *session) 924{ 925 kref_get(&session->ref); 926} 927 928/* release callback */ 929static void session_free(struct kref *ref) 930{ 931 struct hidp_session *session = container_of(ref, struct hidp_session, 932 ref); 933 934 hidp_session_dev_destroy(session); 935 skb_queue_purge(&session->ctrl_transmit); 936 skb_queue_purge(&session->intr_transmit); 937 fput(session->intr_sock->file); 938 fput(session->ctrl_sock->file); 939 l2cap_conn_put(session->conn); 940 kfree(session); 941} 942 943/* decrease ref-count of the given session by one */ 944static void hidp_session_put(struct hidp_session *session) 945{ 946 kref_put(&session->ref, session_free); 947} 948 949/* 950 * Search the list of active sessions for a session with target address 951 * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as 952 * you do not release this lock, the session objects cannot vanish and you can 953 * safely take a reference to the session yourself. 954 */ 955static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr) 956{ 957 struct hidp_session *session; 958 959 list_for_each_entry(session, &hidp_session_list, list) { 960 if (!bacmp(bdaddr, &session->bdaddr)) 961 return session; 962 } 963 964 return NULL; 965} 966 967/* 968 * Same as __hidp_session_find() but no locks must be held. This also takes a 969 * reference of the returned session (if non-NULL) so you must drop this 970 * reference if you no longer use the object. 971 */ 972static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr) 973{ 974 struct hidp_session *session; 975 976 down_read(&hidp_session_sem); 977 978 session = __hidp_session_find(bdaddr); 979 if (session) 980 hidp_session_get(session); 981 982 up_read(&hidp_session_sem); 983 984 return session; 985} 986 987/* 988 * Start session synchronously 989 * This starts a session thread and waits until initialization 990 * is done or returns an error if it couldn't be started. 991 * If this returns 0 the session thread is up and running. You must call 992 * hipd_session_stop_sync() before deleting any runtime resources. 993 */ 994static int hidp_session_start_sync(struct hidp_session *session) 995{ 996 unsigned int vendor, product; 997 998 if (session->hid) { 999 vendor = session->hid->vendor; 1000 product = session->hid->product; 1001 } else if (session->input) { 1002 vendor = session->input->id.vendor; 1003 product = session->input->id.product; 1004 } else { 1005 vendor = 0x0000; 1006 product = 0x0000; 1007 } 1008 1009 session->task = kthread_run(hidp_session_thread, session, 1010 "khidpd_%04x%04x", vendor, product); 1011 if (IS_ERR(session->task)) 1012 return PTR_ERR(session->task); 1013 1014 while (atomic_read(&session->state) <= HIDP_SESSION_IDLING) 1015 wait_event(session->state_queue, 1016 atomic_read(&session->state) > HIDP_SESSION_IDLING); 1017 1018 return 0; 1019} 1020 1021/* 1022 * Terminate session thread 1023 * Wake up session thread and notify it to stop. This is asynchronous and 1024 * returns immediately. Call this whenever a runtime error occurs and you want 1025 * the session to stop. 1026 * Note: wake_up_process() performs any necessary memory-barriers for us. 1027 */ 1028static void hidp_session_terminate(struct hidp_session *session) 1029{ 1030 atomic_inc(&session->terminate); 1031 wake_up_process(session->task); 1032} 1033 1034/* 1035 * Probe HIDP session 1036 * This is called from the l2cap_conn core when our l2cap_user object is bound 1037 * to the hci-connection. We get the session via the \user object and can now 1038 * start the session thread, register the HID/input devices and link it into 1039 * the global session list. 1040 * The global session-list owns its own reference to the session object so you 1041 * can drop your own reference after registering the l2cap_user object. 1042 */ 1043static int hidp_session_probe(struct l2cap_conn *conn, 1044 struct l2cap_user *user) 1045{ 1046 struct hidp_session *session = container_of(user, 1047 struct hidp_session, 1048 user); 1049 struct hidp_session *s; 1050 int ret; 1051 1052 down_write(&hidp_session_sem); 1053 1054 /* check that no other session for this device exists */ 1055 s = __hidp_session_find(&session->bdaddr); 1056 if (s) { 1057 ret = -EEXIST; 1058 goto out_unlock; 1059 } 1060 1061 ret = hidp_session_start_sync(session); 1062 if (ret) 1063 goto out_unlock; 1064 1065 ret = hidp_session_dev_add(session); 1066 if (ret) 1067 goto out_stop; 1068 1069 hidp_session_get(session); 1070 list_add(&session->list, &hidp_session_list); 1071 ret = 0; 1072 goto out_unlock; 1073 1074out_stop: 1075 hidp_session_terminate(session); 1076out_unlock: 1077 up_write(&hidp_session_sem); 1078 return ret; 1079} 1080 1081/* 1082 * Remove HIDP session 1083 * Called from the l2cap_conn core when either we explicitly unregistered 1084 * the l2cap_user object or if the underlying connection is shut down. 1085 * We signal the hidp-session thread to shut down, unregister the HID/input 1086 * devices and unlink the session from the global list. 1087 * This drops the reference to the session that is owned by the global 1088 * session-list. 1089 * Note: We _must_ not synchronosly wait for the session-thread to shut down. 1090 * This is, because the session-thread might be waiting for an HCI lock that is 1091 * held while we are called. Therefore, we only unregister the devices and 1092 * notify the session-thread to terminate. The thread itself owns a reference 1093 * to the session object so it can safely shut down. 1094 */ 1095static void hidp_session_remove(struct l2cap_conn *conn, 1096 struct l2cap_user *user) 1097{ 1098 struct hidp_session *session = container_of(user, 1099 struct hidp_session, 1100 user); 1101 1102 down_write(&hidp_session_sem); 1103 1104 hidp_session_terminate(session); 1105 hidp_session_dev_del(session); 1106 list_del(&session->list); 1107 1108 up_write(&hidp_session_sem); 1109 1110 hidp_session_put(session); 1111} 1112 1113/* 1114 * Session Worker 1115 * This performs the actual main-loop of the HIDP worker. We first check 1116 * whether the underlying connection is still alive, then parse all pending 1117 * messages and finally send all outstanding messages. 1118 */ 1119static void hidp_session_run(struct hidp_session *session) 1120{ 1121 struct sock *ctrl_sk = session->ctrl_sock->sk; 1122 struct sock *intr_sk = session->intr_sock->sk; 1123 struct sk_buff *skb; 1124 1125 for (;;) { 1126 /* 1127 * This thread can be woken up two ways: 1128 * - You call hidp_session_terminate() which sets the 1129 * session->terminate flag and wakes this thread up. 1130 * - Via modifying the socket state of ctrl/intr_sock. This 1131 * thread is woken up by ->sk_state_changed(). 1132 * 1133 * Note: set_current_state() performs any necessary 1134 * memory-barriers for us. 1135 */ 1136 set_current_state(TASK_INTERRUPTIBLE); 1137 1138 if (atomic_read(&session->terminate)) 1139 break; 1140 1141 if (ctrl_sk->sk_state != BT_CONNECTED || 1142 intr_sk->sk_state != BT_CONNECTED) 1143 break; 1144 1145 /* parse incoming intr-skbs */ 1146 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) { 1147 skb_orphan(skb); 1148 if (!skb_linearize(skb)) 1149 hidp_recv_intr_frame(session, skb); 1150 else 1151 kfree_skb(skb); 1152 } 1153 1154 /* send pending intr-skbs */ 1155 hidp_process_transmit(session, &session->intr_transmit, 1156 session->intr_sock); 1157 1158 /* parse incoming ctrl-skbs */ 1159 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) { 1160 skb_orphan(skb); 1161 if (!skb_linearize(skb)) 1162 hidp_recv_ctrl_frame(session, skb); 1163 else 1164 kfree_skb(skb); 1165 } 1166 1167 /* send pending ctrl-skbs */ 1168 hidp_process_transmit(session, &session->ctrl_transmit, 1169 session->ctrl_sock); 1170 1171 schedule(); 1172 } 1173 1174 atomic_inc(&session->terminate); 1175 set_current_state(TASK_RUNNING); 1176} 1177 1178/* 1179 * HIDP session thread 1180 * This thread runs the I/O for a single HIDP session. Startup is synchronous 1181 * which allows us to take references to ourself here instead of doing that in 1182 * the caller. 1183 * When we are ready to run we notify the caller and call hidp_session_run(). 1184 */ 1185static int hidp_session_thread(void *arg) 1186{ 1187 struct hidp_session *session = arg; 1188 wait_queue_t ctrl_wait, intr_wait; 1189 1190 BT_DBG("session %p", session); 1191 1192 /* initialize runtime environment */ 1193 hidp_session_get(session); 1194 __module_get(THIS_MODULE); 1195 set_user_nice(current, -15); 1196 hidp_set_timer(session); 1197 1198 init_waitqueue_entry(&ctrl_wait, current); 1199 init_waitqueue_entry(&intr_wait, current); 1200 add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait); 1201 add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); 1202 /* This memory barrier is paired with wq_has_sleeper(). See 1203 * sock_poll_wait() for more information why this is needed. */ 1204 smp_mb(); 1205 1206 /* notify synchronous startup that we're ready */ 1207 atomic_inc(&session->state); 1208 wake_up(&session->state_queue); 1209 1210 /* run session */ 1211 hidp_session_run(session); 1212 1213 /* cleanup runtime environment */ 1214 remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); 1215 remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait); 1216 wake_up_interruptible(&session->report_queue); 1217 hidp_del_timer(session); 1218 1219 /* 1220 * If we stopped ourself due to any internal signal, we should try to 1221 * unregister our own session here to avoid having it linger until the 1222 * parent l2cap_conn dies or user-space cleans it up. 1223 * This does not deadlock as we don't do any synchronous shutdown. 1224 * Instead, this call has the same semantics as if user-space tried to 1225 * delete the session. 1226 */ 1227 l2cap_unregister_user(session->conn, &session->user); 1228 hidp_session_put(session); 1229 1230 module_put_and_exit(0); 1231 return 0; 1232} 1233 1234static int hidp_verify_sockets(struct socket *ctrl_sock, 1235 struct socket *intr_sock) 1236{ 1237 struct bt_sock *ctrl, *intr; 1238 struct hidp_session *session; 1239 1240 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock)) 1241 return -EINVAL; 1242 1243 ctrl = bt_sk(ctrl_sock->sk); 1244 intr = bt_sk(intr_sock->sk); 1245 1246 if (bacmp(&ctrl->src, &intr->src) || bacmp(&ctrl->dst, &intr->dst)) 1247 return -ENOTUNIQ; 1248 if (ctrl->sk.sk_state != BT_CONNECTED || 1249 intr->sk.sk_state != BT_CONNECTED) 1250 return -EBADFD; 1251 1252 /* early session check, we check again during session registration */ 1253 session = hidp_session_find(&ctrl->dst); 1254 if (session) { 1255 hidp_session_put(session); 1256 return -EEXIST; 1257 } 1258 1259 return 0; 1260} 1261 1262int hidp_connection_add(struct hidp_connadd_req *req, 1263 struct socket *ctrl_sock, 1264 struct socket *intr_sock) 1265{ 1266 struct hidp_session *session; 1267 struct l2cap_conn *conn; 1268 struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; 1269 int ret; 1270 1271 ret = hidp_verify_sockets(ctrl_sock, intr_sock); 1272 if (ret) 1273 return ret; 1274 1275 conn = NULL; 1276 l2cap_chan_lock(chan); 1277 if (chan->conn) { 1278 l2cap_conn_get(chan->conn); 1279 conn = chan->conn; 1280 } 1281 l2cap_chan_unlock(chan); 1282 1283 if (!conn) 1284 return -EBADFD; 1285 1286 ret = hidp_session_new(&session, &bt_sk(ctrl_sock->sk)->dst, ctrl_sock, 1287 intr_sock, req, conn); 1288 if (ret) 1289 goto out_conn; 1290 1291 ret = l2cap_register_user(conn, &session->user); 1292 if (ret) 1293 goto out_session; 1294 1295 ret = 0; 1296 1297out_session: 1298 hidp_session_put(session); 1299out_conn: 1300 l2cap_conn_put(conn); 1301 return ret; 1302} 1303 1304int hidp_connection_del(struct hidp_conndel_req *req) 1305{ 1306 struct hidp_session *session; 1307 1308 session = hidp_session_find(&req->bdaddr); 1309 if (!session) 1310 return -ENOENT; 1311 1312 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) 1313 hidp_send_ctrl_message(session, 1314 HIDP_TRANS_HID_CONTROL | 1315 HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, 1316 NULL, 0); 1317 else 1318 l2cap_unregister_user(session->conn, &session->user); 1319 1320 hidp_session_put(session); 1321 1322 return 0; 1323} 1324 1325int hidp_get_connlist(struct hidp_connlist_req *req) 1326{ 1327 struct hidp_session *session; 1328 int err = 0, n = 0; 1329 1330 BT_DBG(""); 1331 1332 down_read(&hidp_session_sem); 1333 1334 list_for_each_entry(session, &hidp_session_list, list) { 1335 struct hidp_conninfo ci; 1336 1337 hidp_copy_session(session, &ci); 1338 1339 if (copy_to_user(req->ci, &ci, sizeof(ci))) { 1340 err = -EFAULT; 1341 break; 1342 } 1343 1344 if (++n >= req->cnum) 1345 break; 1346 1347 req->ci++; 1348 } 1349 req->cnum = n; 1350 1351 up_read(&hidp_session_sem); 1352 return err; 1353} 1354 1355int hidp_get_conninfo(struct hidp_conninfo *ci) 1356{ 1357 struct hidp_session *session; 1358 1359 session = hidp_session_find(&ci->bdaddr); 1360 if (session) { 1361 hidp_copy_session(session, ci); 1362 hidp_session_put(session); 1363 } 1364 1365 return session ? 0 : -ENOENT; 1366} 1367 1368static int __init hidp_init(void) 1369{ 1370 BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION); 1371 1372 return hidp_init_sockets(); 1373} 1374 1375static void __exit hidp_exit(void) 1376{ 1377 hidp_cleanup_sockets(); 1378} 1379 1380module_init(hidp_init); 1381module_exit(hidp_exit); 1382 1383MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 1384MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>"); 1385MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION); 1386MODULE_VERSION(VERSION); 1387MODULE_LICENSE("GPL"); 1388MODULE_ALIAS("bt-proto-6"); 1389