core.c revision 41edc0c034160408feaa78c9a50cc5e91a5928c7
1/* 2 HIDP implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org> 4 Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24#include <linux/kref.h> 25#include <linux/module.h> 26#include <linux/file.h> 27#include <linux/kthread.h> 28#include <linux/hidraw.h> 29 30#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/hci_core.h> 32#include <net/bluetooth/l2cap.h> 33 34#include "hidp.h" 35 36#define VERSION "1.2" 37 38static DECLARE_RWSEM(hidp_session_sem); 39static LIST_HEAD(hidp_session_list); 40 41static unsigned char hidp_keycode[256] = { 42 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 43 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 44 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1, 45 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52, 46 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88, 47 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69, 48 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73, 49 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190, 50 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135, 51 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94, 52 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0, 53 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 54 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 55 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 56 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 57 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 58 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115, 59 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140 60}; 61 62static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 63 64static int hidp_session_probe(struct l2cap_conn *conn, 65 struct l2cap_user *user); 66static void hidp_session_remove(struct l2cap_conn *conn, 67 struct l2cap_user *user); 68static int hidp_session_thread(void *arg); 69static void hidp_session_terminate(struct hidp_session *s); 70 71static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci) 72{ 73 memset(ci, 0, sizeof(*ci)); 74 bacpy(&ci->bdaddr, &session->bdaddr); 75 76 ci->flags = session->flags; 77 ci->state = BT_CONNECTED; 78 79 ci->vendor = 0x0000; 80 ci->product = 0x0000; 81 ci->version = 0x0000; 82 83 if (session->input) { 84 ci->vendor = session->input->id.vendor; 85 ci->product = session->input->id.product; 86 ci->version = session->input->id.version; 87 if (session->input->name) 88 strncpy(ci->name, session->input->name, 128); 89 else 90 strncpy(ci->name, "HID Boot Device", 128); 91 } 92 93 if (session->hid) { 94 ci->vendor = session->hid->vendor; 95 ci->product = session->hid->product; 96 ci->version = session->hid->version; 97 strncpy(ci->name, session->hid->name, 128); 98 } 99} 100 101/* assemble skb, queue message on @transmit and wake up the session thread */ 102static int hidp_send_message(struct hidp_session *session, struct socket *sock, 103 struct sk_buff_head *transmit, unsigned char hdr, 104 const unsigned char *data, int size) 105{ 106 struct sk_buff *skb; 107 struct sock *sk = sock->sk; 108 109 BT_DBG("session %p data %p size %d", session, data, size); 110 111 if (atomic_read(&session->terminate)) 112 return -EIO; 113 114 skb = alloc_skb(size + 1, GFP_ATOMIC); 115 if (!skb) { 116 BT_ERR("Can't allocate memory for new frame"); 117 return -ENOMEM; 118 } 119 120 *skb_put(skb, 1) = hdr; 121 if (data && size > 0) 122 memcpy(skb_put(skb, size), data, size); 123 124 skb_queue_tail(transmit, skb); 125 wake_up_interruptible(sk_sleep(sk)); 126 127 return 0; 128} 129 130static int hidp_send_ctrl_message(struct hidp_session *session, 131 unsigned char hdr, const unsigned char *data, 132 int size) 133{ 134 return hidp_send_message(session, session->ctrl_sock, 135 &session->ctrl_transmit, hdr, data, size); 136} 137 138static int hidp_send_intr_message(struct hidp_session *session, 139 unsigned char hdr, const unsigned char *data, 140 int size) 141{ 142 return hidp_send_message(session, session->intr_sock, 143 &session->intr_transmit, hdr, data, size); 144} 145 146static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev, 147 unsigned int type, unsigned int code, int value) 148{ 149 unsigned char newleds; 150 unsigned char hdr, data[2]; 151 152 BT_DBG("session %p type %d code %d value %d", session, type, code, value); 153 154 if (type != EV_LED) 155 return -1; 156 157 newleds = (!!test_bit(LED_KANA, dev->led) << 3) | 158 (!!test_bit(LED_COMPOSE, dev->led) << 3) | 159 (!!test_bit(LED_SCROLLL, dev->led) << 2) | 160 (!!test_bit(LED_CAPSL, dev->led) << 1) | 161 (!!test_bit(LED_NUML, dev->led)); 162 163 if (session->leds == newleds) 164 return 0; 165 166 session->leds = newleds; 167 168 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 169 data[0] = 0x01; 170 data[1] = newleds; 171 172 return hidp_send_intr_message(session, hdr, data, 2); 173} 174 175static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 176{ 177 struct hid_device *hid = input_get_drvdata(dev); 178 struct hidp_session *session = hid->driver_data; 179 180 return hidp_queue_event(session, dev, type, code, value); 181} 182 183static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 184{ 185 struct hidp_session *session = input_get_drvdata(dev); 186 187 return hidp_queue_event(session, dev, type, code, value); 188} 189 190static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb) 191{ 192 struct input_dev *dev = session->input; 193 unsigned char *keys = session->keys; 194 unsigned char *udata = skb->data + 1; 195 signed char *sdata = skb->data + 1; 196 int i, size = skb->len - 1; 197 198 switch (skb->data[0]) { 199 case 0x01: /* Keyboard report */ 200 for (i = 0; i < 8; i++) 201 input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1); 202 203 /* If all the key codes have been set to 0x01, it means 204 * too many keys were pressed at the same time. */ 205 if (!memcmp(udata + 2, hidp_mkeyspat, 6)) 206 break; 207 208 for (i = 2; i < 8; i++) { 209 if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) { 210 if (hidp_keycode[keys[i]]) 211 input_report_key(dev, hidp_keycode[keys[i]], 0); 212 else 213 BT_ERR("Unknown key (scancode %#x) released.", keys[i]); 214 } 215 216 if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) { 217 if (hidp_keycode[udata[i]]) 218 input_report_key(dev, hidp_keycode[udata[i]], 1); 219 else 220 BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]); 221 } 222 } 223 224 memcpy(keys, udata, 8); 225 break; 226 227 case 0x02: /* Mouse report */ 228 input_report_key(dev, BTN_LEFT, sdata[0] & 0x01); 229 input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02); 230 input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04); 231 input_report_key(dev, BTN_SIDE, sdata[0] & 0x08); 232 input_report_key(dev, BTN_EXTRA, sdata[0] & 0x10); 233 234 input_report_rel(dev, REL_X, sdata[1]); 235 input_report_rel(dev, REL_Y, sdata[2]); 236 237 if (size > 3) 238 input_report_rel(dev, REL_WHEEL, sdata[3]); 239 break; 240 } 241 242 input_sync(dev); 243} 244 245static int hidp_send_report(struct hidp_session *session, struct hid_report *report) 246{ 247 unsigned char buf[32], hdr; 248 int rsize; 249 250 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0); 251 if (rsize > sizeof(buf)) 252 return -EIO; 253 254 hid_output_report(report, buf); 255 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 256 257 return hidp_send_intr_message(session, hdr, buf, rsize); 258} 259 260static int hidp_get_raw_report(struct hid_device *hid, 261 unsigned char report_number, 262 unsigned char *data, size_t count, 263 unsigned char report_type) 264{ 265 struct hidp_session *session = hid->driver_data; 266 struct sk_buff *skb; 267 size_t len; 268 int numbered_reports = hid->report_enum[report_type].numbered; 269 int ret; 270 271 if (atomic_read(&session->terminate)) 272 return -EIO; 273 274 switch (report_type) { 275 case HID_FEATURE_REPORT: 276 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE; 277 break; 278 case HID_INPUT_REPORT: 279 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT; 280 break; 281 case HID_OUTPUT_REPORT: 282 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT; 283 break; 284 default: 285 return -EINVAL; 286 } 287 288 if (mutex_lock_interruptible(&session->report_mutex)) 289 return -ERESTARTSYS; 290 291 /* Set up our wait, and send the report request to the device. */ 292 session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK; 293 session->waiting_report_number = numbered_reports ? report_number : -1; 294 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 295 data[0] = report_number; 296 ret = hidp_send_ctrl_message(session, report_type, data, 1); 297 if (ret) 298 goto err; 299 300 /* Wait for the return of the report. The returned report 301 gets put in session->report_return. */ 302 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) && 303 !atomic_read(&session->terminate)) { 304 int res; 305 306 res = wait_event_interruptible_timeout(session->report_queue, 307 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) 308 || atomic_read(&session->terminate), 309 5*HZ); 310 if (res == 0) { 311 /* timeout */ 312 ret = -EIO; 313 goto err; 314 } 315 if (res < 0) { 316 /* signal */ 317 ret = -ERESTARTSYS; 318 goto err; 319 } 320 } 321 322 skb = session->report_return; 323 if (skb) { 324 len = skb->len < count ? skb->len : count; 325 memcpy(data, skb->data, len); 326 327 kfree_skb(skb); 328 session->report_return = NULL; 329 } else { 330 /* Device returned a HANDSHAKE, indicating protocol error. */ 331 len = -EIO; 332 } 333 334 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 335 mutex_unlock(&session->report_mutex); 336 337 return len; 338 339err: 340 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 341 mutex_unlock(&session->report_mutex); 342 return ret; 343} 344 345static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count, 346 unsigned char report_type) 347{ 348 struct hidp_session *session = hid->driver_data; 349 int ret; 350 351 switch (report_type) { 352 case HID_FEATURE_REPORT: 353 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE; 354 break; 355 case HID_OUTPUT_REPORT: 356 report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 357 break; 358 default: 359 return -EINVAL; 360 } 361 362 if (mutex_lock_interruptible(&session->report_mutex)) 363 return -ERESTARTSYS; 364 365 /* Set up our wait, and send the report request to the device. */ 366 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 367 ret = hidp_send_ctrl_message(session, report_type, data, count); 368 if (ret) 369 goto err; 370 371 /* Wait for the ACK from the device. */ 372 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) && 373 !atomic_read(&session->terminate)) { 374 int res; 375 376 res = wait_event_interruptible_timeout(session->report_queue, 377 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) 378 || atomic_read(&session->terminate), 379 10*HZ); 380 if (res == 0) { 381 /* timeout */ 382 ret = -EIO; 383 goto err; 384 } 385 if (res < 0) { 386 /* signal */ 387 ret = -ERESTARTSYS; 388 goto err; 389 } 390 } 391 392 if (!session->output_report_success) { 393 ret = -EIO; 394 goto err; 395 } 396 397 ret = count; 398 399err: 400 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 401 mutex_unlock(&session->report_mutex); 402 return ret; 403} 404 405static void hidp_idle_timeout(unsigned long arg) 406{ 407 struct hidp_session *session = (struct hidp_session *) arg; 408 409 hidp_session_terminate(session); 410} 411 412static void hidp_set_timer(struct hidp_session *session) 413{ 414 if (session->idle_to > 0) 415 mod_timer(&session->timer, jiffies + HZ * session->idle_to); 416} 417 418static void hidp_del_timer(struct hidp_session *session) 419{ 420 if (session->idle_to > 0) 421 del_timer(&session->timer); 422} 423 424static void hidp_process_handshake(struct hidp_session *session, 425 unsigned char param) 426{ 427 BT_DBG("session %p param 0x%02x", session, param); 428 session->output_report_success = 0; /* default condition */ 429 430 switch (param) { 431 case HIDP_HSHK_SUCCESSFUL: 432 /* FIXME: Call into SET_ GET_ handlers here */ 433 session->output_report_success = 1; 434 break; 435 436 case HIDP_HSHK_NOT_READY: 437 case HIDP_HSHK_ERR_INVALID_REPORT_ID: 438 case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST: 439 case HIDP_HSHK_ERR_INVALID_PARAMETER: 440 if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) 441 wake_up_interruptible(&session->report_queue); 442 443 /* FIXME: Call into SET_ GET_ handlers here */ 444 break; 445 446 case HIDP_HSHK_ERR_UNKNOWN: 447 break; 448 449 case HIDP_HSHK_ERR_FATAL: 450 /* Device requests a reboot, as this is the only way this error 451 * can be recovered. */ 452 hidp_send_ctrl_message(session, 453 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0); 454 break; 455 456 default: 457 hidp_send_ctrl_message(session, 458 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 459 break; 460 } 461 462 /* Wake up the waiting thread. */ 463 if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) 464 wake_up_interruptible(&session->report_queue); 465} 466 467static void hidp_process_hid_control(struct hidp_session *session, 468 unsigned char param) 469{ 470 BT_DBG("session %p param 0x%02x", session, param); 471 472 if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) { 473 /* Flush the transmit queues */ 474 skb_queue_purge(&session->ctrl_transmit); 475 skb_queue_purge(&session->intr_transmit); 476 477 hidp_session_terminate(session); 478 } 479} 480 481/* Returns true if the passed-in skb should be freed by the caller. */ 482static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb, 483 unsigned char param) 484{ 485 int done_with_skb = 1; 486 BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param); 487 488 switch (param) { 489 case HIDP_DATA_RTYPE_INPUT: 490 hidp_set_timer(session); 491 492 if (session->input) 493 hidp_input_report(session, skb); 494 495 if (session->hid) 496 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0); 497 break; 498 499 case HIDP_DATA_RTYPE_OTHER: 500 case HIDP_DATA_RTYPE_OUPUT: 501 case HIDP_DATA_RTYPE_FEATURE: 502 break; 503 504 default: 505 hidp_send_ctrl_message(session, 506 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 507 } 508 509 if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) && 510 param == session->waiting_report_type) { 511 if (session->waiting_report_number < 0 || 512 session->waiting_report_number == skb->data[0]) { 513 /* hidp_get_raw_report() is waiting on this report. */ 514 session->report_return = skb; 515 done_with_skb = 0; 516 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 517 wake_up_interruptible(&session->report_queue); 518 } 519 } 520 521 return done_with_skb; 522} 523 524static void hidp_recv_ctrl_frame(struct hidp_session *session, 525 struct sk_buff *skb) 526{ 527 unsigned char hdr, type, param; 528 int free_skb = 1; 529 530 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 531 532 hdr = skb->data[0]; 533 skb_pull(skb, 1); 534 535 type = hdr & HIDP_HEADER_TRANS_MASK; 536 param = hdr & HIDP_HEADER_PARAM_MASK; 537 538 switch (type) { 539 case HIDP_TRANS_HANDSHAKE: 540 hidp_process_handshake(session, param); 541 break; 542 543 case HIDP_TRANS_HID_CONTROL: 544 hidp_process_hid_control(session, param); 545 break; 546 547 case HIDP_TRANS_DATA: 548 free_skb = hidp_process_data(session, skb, param); 549 break; 550 551 default: 552 hidp_send_ctrl_message(session, 553 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0); 554 break; 555 } 556 557 if (free_skb) 558 kfree_skb(skb); 559} 560 561static void hidp_recv_intr_frame(struct hidp_session *session, 562 struct sk_buff *skb) 563{ 564 unsigned char hdr; 565 566 BT_DBG("session %p skb %p len %d", session, skb, skb->len); 567 568 hdr = skb->data[0]; 569 skb_pull(skb, 1); 570 571 if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) { 572 hidp_set_timer(session); 573 574 if (session->input) 575 hidp_input_report(session, skb); 576 577 if (session->hid) { 578 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1); 579 BT_DBG("report len %d", skb->len); 580 } 581 } else { 582 BT_DBG("Unsupported protocol header 0x%02x", hdr); 583 } 584 585 kfree_skb(skb); 586} 587 588static int hidp_send_frame(struct socket *sock, unsigned char *data, int len) 589{ 590 struct kvec iv = { data, len }; 591 struct msghdr msg; 592 593 BT_DBG("sock %p data %p len %d", sock, data, len); 594 595 if (!len) 596 return 0; 597 598 memset(&msg, 0, sizeof(msg)); 599 600 return kernel_sendmsg(sock, &msg, &iv, 1, len); 601} 602 603/* dequeue message from @transmit and send via @sock */ 604static void hidp_process_transmit(struct hidp_session *session, 605 struct sk_buff_head *transmit, 606 struct socket *sock) 607{ 608 struct sk_buff *skb; 609 int ret; 610 611 BT_DBG("session %p", session); 612 613 while ((skb = skb_dequeue(transmit))) { 614 ret = hidp_send_frame(sock, skb->data, skb->len); 615 if (ret == -EAGAIN) { 616 skb_queue_head(transmit, skb); 617 break; 618 } else if (ret < 0) { 619 hidp_session_terminate(session); 620 kfree_skb(skb); 621 break; 622 } 623 624 hidp_set_timer(session); 625 kfree_skb(skb); 626 } 627} 628 629static int hidp_setup_input(struct hidp_session *session, 630 struct hidp_connadd_req *req) 631{ 632 struct input_dev *input; 633 int i; 634 635 input = input_allocate_device(); 636 if (!input) 637 return -ENOMEM; 638 639 session->input = input; 640 641 input_set_drvdata(input, session); 642 643 input->name = "Bluetooth HID Boot Protocol Device"; 644 645 input->id.bustype = BUS_BLUETOOTH; 646 input->id.vendor = req->vendor; 647 input->id.product = req->product; 648 input->id.version = req->version; 649 650 if (req->subclass & 0x40) { 651 set_bit(EV_KEY, input->evbit); 652 set_bit(EV_LED, input->evbit); 653 set_bit(EV_REP, input->evbit); 654 655 set_bit(LED_NUML, input->ledbit); 656 set_bit(LED_CAPSL, input->ledbit); 657 set_bit(LED_SCROLLL, input->ledbit); 658 set_bit(LED_COMPOSE, input->ledbit); 659 set_bit(LED_KANA, input->ledbit); 660 661 for (i = 0; i < sizeof(hidp_keycode); i++) 662 set_bit(hidp_keycode[i], input->keybit); 663 clear_bit(0, input->keybit); 664 } 665 666 if (req->subclass & 0x80) { 667 input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL); 668 input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) | 669 BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE); 670 input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y); 671 input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) | 672 BIT_MASK(BTN_EXTRA); 673 input->relbit[0] |= BIT_MASK(REL_WHEEL); 674 } 675 676 input->dev.parent = &session->conn->hcon->dev; 677 678 input->event = hidp_input_event; 679 680 return 0; 681} 682 683static int hidp_open(struct hid_device *hid) 684{ 685 return 0; 686} 687 688static void hidp_close(struct hid_device *hid) 689{ 690} 691 692static int hidp_parse(struct hid_device *hid) 693{ 694 struct hidp_session *session = hid->driver_data; 695 696 return hid_parse_report(session->hid, session->rd_data, 697 session->rd_size); 698} 699 700static int hidp_start(struct hid_device *hid) 701{ 702 struct hidp_session *session = hid->driver_data; 703 struct hid_report *report; 704 705 if (hid->quirks & HID_QUIRK_NO_INIT_REPORTS) 706 return 0; 707 708 list_for_each_entry(report, &hid->report_enum[HID_INPUT_REPORT]. 709 report_list, list) 710 hidp_send_report(session, report); 711 712 list_for_each_entry(report, &hid->report_enum[HID_FEATURE_REPORT]. 713 report_list, list) 714 hidp_send_report(session, report); 715 716 return 0; 717} 718 719static void hidp_stop(struct hid_device *hid) 720{ 721 struct hidp_session *session = hid->driver_data; 722 723 skb_queue_purge(&session->ctrl_transmit); 724 skb_queue_purge(&session->intr_transmit); 725 726 hid->claimed = 0; 727} 728 729static struct hid_ll_driver hidp_hid_driver = { 730 .parse = hidp_parse, 731 .start = hidp_start, 732 .stop = hidp_stop, 733 .open = hidp_open, 734 .close = hidp_close, 735 .hidinput_input_event = hidp_hidinput_event, 736}; 737 738/* This function sets up the hid device. It does not add it 739 to the HID system. That is done in hidp_add_connection(). */ 740static int hidp_setup_hid(struct hidp_session *session, 741 struct hidp_connadd_req *req) 742{ 743 struct hid_device *hid; 744 int err; 745 746 session->rd_data = kzalloc(req->rd_size, GFP_KERNEL); 747 if (!session->rd_data) 748 return -ENOMEM; 749 750 if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) { 751 err = -EFAULT; 752 goto fault; 753 } 754 session->rd_size = req->rd_size; 755 756 hid = hid_allocate_device(); 757 if (IS_ERR(hid)) { 758 err = PTR_ERR(hid); 759 goto fault; 760 } 761 762 session->hid = hid; 763 764 hid->driver_data = session; 765 766 hid->bus = BUS_BLUETOOTH; 767 hid->vendor = req->vendor; 768 hid->product = req->product; 769 hid->version = req->version; 770 hid->country = req->country; 771 772 strncpy(hid->name, req->name, sizeof(req->name) - 1); 773 774 snprintf(hid->phys, sizeof(hid->phys), "%pMR", 775 &bt_sk(session->ctrl_sock->sk)->src); 776 777 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR", 778 &bt_sk(session->ctrl_sock->sk)->dst); 779 780 hid->dev.parent = &session->conn->hcon->dev; 781 hid->ll_driver = &hidp_hid_driver; 782 783 hid->hid_get_raw_report = hidp_get_raw_report; 784 hid->hid_output_raw_report = hidp_output_raw_report; 785 786 /* True if device is blacklisted in drivers/hid/hid-core.c */ 787 if (hid_ignore(hid)) { 788 hid_destroy_device(session->hid); 789 session->hid = NULL; 790 return -ENODEV; 791 } 792 793 return 0; 794 795fault: 796 kfree(session->rd_data); 797 session->rd_data = NULL; 798 799 return err; 800} 801 802/* initialize session devices */ 803static int hidp_session_dev_init(struct hidp_session *session, 804 struct hidp_connadd_req *req) 805{ 806 int ret; 807 808 if (req->rd_size > 0) { 809 ret = hidp_setup_hid(session, req); 810 if (ret && ret != -ENODEV) 811 return ret; 812 } 813 814 if (!session->hid) { 815 ret = hidp_setup_input(session, req); 816 if (ret < 0) 817 return ret; 818 } 819 820 return 0; 821} 822 823/* destroy session devices */ 824static void hidp_session_dev_destroy(struct hidp_session *session) 825{ 826 if (session->hid) 827 put_device(&session->hid->dev); 828 else if (session->input) 829 input_put_device(session->input); 830 831 kfree(session->rd_data); 832 session->rd_data = NULL; 833} 834 835/* add HID/input devices to their underlying bus systems */ 836static int hidp_session_dev_add(struct hidp_session *session) 837{ 838 int ret; 839 840 /* Both HID and input systems drop a ref-count when unregistering the 841 * device but they don't take a ref-count when registering them. Work 842 * around this by explicitly taking a refcount during registration 843 * which is dropped automatically by unregistering the devices. */ 844 845 if (session->hid) { 846 ret = hid_add_device(session->hid); 847 if (ret) 848 return ret; 849 get_device(&session->hid->dev); 850 } else if (session->input) { 851 ret = input_register_device(session->input); 852 if (ret) 853 return ret; 854 input_get_device(session->input); 855 } 856 857 return 0; 858} 859 860/* remove HID/input devices from their bus systems */ 861static void hidp_session_dev_del(struct hidp_session *session) 862{ 863 if (session->hid) 864 hid_destroy_device(session->hid); 865 else if (session->input) 866 input_unregister_device(session->input); 867} 868 869/* 870 * Create new session object 871 * Allocate session object, initialize static fields, copy input data into the 872 * object and take a reference to all sub-objects. 873 * This returns 0 on success and puts a pointer to the new session object in 874 * \out. Otherwise, an error code is returned. 875 * The new session object has an initial ref-count of 1. 876 */ 877static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr, 878 struct socket *ctrl_sock, 879 struct socket *intr_sock, 880 struct hidp_connadd_req *req, 881 struct l2cap_conn *conn) 882{ 883 struct hidp_session *session; 884 int ret; 885 struct bt_sock *ctrl, *intr; 886 887 ctrl = bt_sk(ctrl_sock->sk); 888 intr = bt_sk(intr_sock->sk); 889 890 session = kzalloc(sizeof(*session), GFP_KERNEL); 891 if (!session) 892 return -ENOMEM; 893 894 /* object and runtime management */ 895 kref_init(&session->ref); 896 atomic_set(&session->state, HIDP_SESSION_IDLING); 897 init_waitqueue_head(&session->state_queue); 898 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID); 899 900 /* connection management */ 901 bacpy(&session->bdaddr, bdaddr); 902 session->conn = conn; 903 session->user.probe = hidp_session_probe; 904 session->user.remove = hidp_session_remove; 905 session->ctrl_sock = ctrl_sock; 906 session->intr_sock = intr_sock; 907 skb_queue_head_init(&session->ctrl_transmit); 908 skb_queue_head_init(&session->intr_transmit); 909 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu, 910 l2cap_pi(ctrl)->chan->imtu); 911 session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu, 912 l2cap_pi(intr)->chan->imtu); 913 session->idle_to = req->idle_to; 914 915 /* device management */ 916 setup_timer(&session->timer, hidp_idle_timeout, 917 (unsigned long)session); 918 919 /* session data */ 920 mutex_init(&session->report_mutex); 921 init_waitqueue_head(&session->report_queue); 922 923 ret = hidp_session_dev_init(session, req); 924 if (ret) 925 goto err_free; 926 927 l2cap_conn_get(session->conn); 928 get_file(session->intr_sock->file); 929 get_file(session->ctrl_sock->file); 930 *out = session; 931 return 0; 932 933err_free: 934 kfree(session); 935 return ret; 936} 937 938/* increase ref-count of the given session by one */ 939static void hidp_session_get(struct hidp_session *session) 940{ 941 kref_get(&session->ref); 942} 943 944/* release callback */ 945static void session_free(struct kref *ref) 946{ 947 struct hidp_session *session = container_of(ref, struct hidp_session, 948 ref); 949 950 hidp_session_dev_destroy(session); 951 skb_queue_purge(&session->ctrl_transmit); 952 skb_queue_purge(&session->intr_transmit); 953 fput(session->intr_sock->file); 954 fput(session->ctrl_sock->file); 955 l2cap_conn_put(session->conn); 956 kfree(session); 957} 958 959/* decrease ref-count of the given session by one */ 960static void hidp_session_put(struct hidp_session *session) 961{ 962 kref_put(&session->ref, session_free); 963} 964 965/* 966 * Search the list of active sessions for a session with target address 967 * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as 968 * you do not release this lock, the session objects cannot vanish and you can 969 * safely take a reference to the session yourself. 970 */ 971static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr) 972{ 973 struct hidp_session *session; 974 975 list_for_each_entry(session, &hidp_session_list, list) { 976 if (!bacmp(bdaddr, &session->bdaddr)) 977 return session; 978 } 979 980 return NULL; 981} 982 983/* 984 * Same as __hidp_session_find() but no locks must be held. This also takes a 985 * reference of the returned session (if non-NULL) so you must drop this 986 * reference if you no longer use the object. 987 */ 988static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr) 989{ 990 struct hidp_session *session; 991 992 down_read(&hidp_session_sem); 993 994 session = __hidp_session_find(bdaddr); 995 if (session) 996 hidp_session_get(session); 997 998 up_read(&hidp_session_sem); 999 1000 return session; 1001} 1002 1003/* 1004 * Start session synchronously 1005 * This starts a session thread and waits until initialization 1006 * is done or returns an error if it couldn't be started. 1007 * If this returns 0 the session thread is up and running. You must call 1008 * hipd_session_stop_sync() before deleting any runtime resources. 1009 */ 1010static int hidp_session_start_sync(struct hidp_session *session) 1011{ 1012 unsigned int vendor, product; 1013 1014 if (session->hid) { 1015 vendor = session->hid->vendor; 1016 product = session->hid->product; 1017 } else if (session->input) { 1018 vendor = session->input->id.vendor; 1019 product = session->input->id.product; 1020 } else { 1021 vendor = 0x0000; 1022 product = 0x0000; 1023 } 1024 1025 session->task = kthread_run(hidp_session_thread, session, 1026 "khidpd_%04x%04x", vendor, product); 1027 if (IS_ERR(session->task)) 1028 return PTR_ERR(session->task); 1029 1030 while (atomic_read(&session->state) <= HIDP_SESSION_IDLING) 1031 wait_event(session->state_queue, 1032 atomic_read(&session->state) > HIDP_SESSION_IDLING); 1033 1034 return 0; 1035} 1036 1037/* 1038 * Terminate session thread 1039 * Wake up session thread and notify it to stop. This is asynchronous and 1040 * returns immediately. Call this whenever a runtime error occurs and you want 1041 * the session to stop. 1042 * Note: wake_up_process() performs any necessary memory-barriers for us. 1043 */ 1044static void hidp_session_terminate(struct hidp_session *session) 1045{ 1046 atomic_inc(&session->terminate); 1047 wake_up_process(session->task); 1048} 1049 1050/* 1051 * Probe HIDP session 1052 * This is called from the l2cap_conn core when our l2cap_user object is bound 1053 * to the hci-connection. We get the session via the \user object and can now 1054 * start the session thread, register the HID/input devices and link it into 1055 * the global session list. 1056 * The global session-list owns its own reference to the session object so you 1057 * can drop your own reference after registering the l2cap_user object. 1058 */ 1059static int hidp_session_probe(struct l2cap_conn *conn, 1060 struct l2cap_user *user) 1061{ 1062 struct hidp_session *session = container_of(user, 1063 struct hidp_session, 1064 user); 1065 struct hidp_session *s; 1066 int ret; 1067 1068 down_write(&hidp_session_sem); 1069 1070 /* check that no other session for this device exists */ 1071 s = __hidp_session_find(&session->bdaddr); 1072 if (s) { 1073 ret = -EEXIST; 1074 goto out_unlock; 1075 } 1076 1077 ret = hidp_session_start_sync(session); 1078 if (ret) 1079 goto out_unlock; 1080 1081 ret = hidp_session_dev_add(session); 1082 if (ret) 1083 goto out_stop; 1084 1085 hidp_session_get(session); 1086 list_add(&session->list, &hidp_session_list); 1087 ret = 0; 1088 goto out_unlock; 1089 1090out_stop: 1091 hidp_session_terminate(session); 1092out_unlock: 1093 up_write(&hidp_session_sem); 1094 return ret; 1095} 1096 1097/* 1098 * Remove HIDP session 1099 * Called from the l2cap_conn core when either we explicitly unregistered 1100 * the l2cap_user object or if the underlying connection is shut down. 1101 * We signal the hidp-session thread to shut down, unregister the HID/input 1102 * devices and unlink the session from the global list. 1103 * This drops the reference to the session that is owned by the global 1104 * session-list. 1105 * Note: We _must_ not synchronosly wait for the session-thread to shut down. 1106 * This is, because the session-thread might be waiting for an HCI lock that is 1107 * held while we are called. Therefore, we only unregister the devices and 1108 * notify the session-thread to terminate. The thread itself owns a reference 1109 * to the session object so it can safely shut down. 1110 */ 1111static void hidp_session_remove(struct l2cap_conn *conn, 1112 struct l2cap_user *user) 1113{ 1114 struct hidp_session *session = container_of(user, 1115 struct hidp_session, 1116 user); 1117 1118 down_write(&hidp_session_sem); 1119 1120 hidp_session_terminate(session); 1121 hidp_session_dev_del(session); 1122 list_del(&session->list); 1123 1124 up_write(&hidp_session_sem); 1125 1126 hidp_session_put(session); 1127} 1128 1129/* 1130 * Session Worker 1131 * This performs the actual main-loop of the HIDP worker. We first check 1132 * whether the underlying connection is still alive, then parse all pending 1133 * messages and finally send all outstanding messages. 1134 */ 1135static void hidp_session_run(struct hidp_session *session) 1136{ 1137 struct sock *ctrl_sk = session->ctrl_sock->sk; 1138 struct sock *intr_sk = session->intr_sock->sk; 1139 struct sk_buff *skb; 1140 1141 for (;;) { 1142 /* 1143 * This thread can be woken up two ways: 1144 * - You call hidp_session_terminate() which sets the 1145 * session->terminate flag and wakes this thread up. 1146 * - Via modifying the socket state of ctrl/intr_sock. This 1147 * thread is woken up by ->sk_state_changed(). 1148 * 1149 * Note: set_current_state() performs any necessary 1150 * memory-barriers for us. 1151 */ 1152 set_current_state(TASK_INTERRUPTIBLE); 1153 1154 if (atomic_read(&session->terminate)) 1155 break; 1156 1157 if (ctrl_sk->sk_state != BT_CONNECTED || 1158 intr_sk->sk_state != BT_CONNECTED) 1159 break; 1160 1161 /* parse incoming intr-skbs */ 1162 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) { 1163 skb_orphan(skb); 1164 if (!skb_linearize(skb)) 1165 hidp_recv_intr_frame(session, skb); 1166 else 1167 kfree_skb(skb); 1168 } 1169 1170 /* send pending intr-skbs */ 1171 hidp_process_transmit(session, &session->intr_transmit, 1172 session->intr_sock); 1173 1174 /* parse incoming ctrl-skbs */ 1175 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) { 1176 skb_orphan(skb); 1177 if (!skb_linearize(skb)) 1178 hidp_recv_ctrl_frame(session, skb); 1179 else 1180 kfree_skb(skb); 1181 } 1182 1183 /* send pending ctrl-skbs */ 1184 hidp_process_transmit(session, &session->ctrl_transmit, 1185 session->ctrl_sock); 1186 1187 schedule(); 1188 } 1189 1190 atomic_inc(&session->terminate); 1191 set_current_state(TASK_RUNNING); 1192} 1193 1194/* 1195 * HIDP session thread 1196 * This thread runs the I/O for a single HIDP session. Startup is synchronous 1197 * which allows us to take references to ourself here instead of doing that in 1198 * the caller. 1199 * When we are ready to run we notify the caller and call hidp_session_run(). 1200 */ 1201static int hidp_session_thread(void *arg) 1202{ 1203 struct hidp_session *session = arg; 1204 wait_queue_t ctrl_wait, intr_wait; 1205 1206 BT_DBG("session %p", session); 1207 1208 /* initialize runtime environment */ 1209 hidp_session_get(session); 1210 __module_get(THIS_MODULE); 1211 set_user_nice(current, -15); 1212 hidp_set_timer(session); 1213 1214 init_waitqueue_entry(&ctrl_wait, current); 1215 init_waitqueue_entry(&intr_wait, current); 1216 add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait); 1217 add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); 1218 /* This memory barrier is paired with wq_has_sleeper(). See 1219 * sock_poll_wait() for more information why this is needed. */ 1220 smp_mb(); 1221 1222 /* notify synchronous startup that we're ready */ 1223 atomic_inc(&session->state); 1224 wake_up(&session->state_queue); 1225 1226 /* run session */ 1227 hidp_session_run(session); 1228 1229 /* cleanup runtime environment */ 1230 remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); 1231 remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait); 1232 wake_up_interruptible(&session->report_queue); 1233 hidp_del_timer(session); 1234 1235 /* 1236 * If we stopped ourself due to any internal signal, we should try to 1237 * unregister our own session here to avoid having it linger until the 1238 * parent l2cap_conn dies or user-space cleans it up. 1239 * This does not deadlock as we don't do any synchronous shutdown. 1240 * Instead, this call has the same semantics as if user-space tried to 1241 * delete the session. 1242 */ 1243 l2cap_unregister_user(session->conn, &session->user); 1244 hidp_session_put(session); 1245 1246 module_put_and_exit(0); 1247 return 0; 1248} 1249 1250static int hidp_verify_sockets(struct socket *ctrl_sock, 1251 struct socket *intr_sock) 1252{ 1253 struct bt_sock *ctrl, *intr; 1254 struct hidp_session *session; 1255 1256 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock)) 1257 return -EINVAL; 1258 1259 ctrl = bt_sk(ctrl_sock->sk); 1260 intr = bt_sk(intr_sock->sk); 1261 1262 if (bacmp(&ctrl->src, &intr->src) || bacmp(&ctrl->dst, &intr->dst)) 1263 return -ENOTUNIQ; 1264 if (ctrl->sk.sk_state != BT_CONNECTED || 1265 intr->sk.sk_state != BT_CONNECTED) 1266 return -EBADFD; 1267 1268 /* early session check, we check again during session registration */ 1269 session = hidp_session_find(&ctrl->dst); 1270 if (session) { 1271 hidp_session_put(session); 1272 return -EEXIST; 1273 } 1274 1275 return 0; 1276} 1277 1278int hidp_connection_add(struct hidp_connadd_req *req, 1279 struct socket *ctrl_sock, 1280 struct socket *intr_sock) 1281{ 1282 struct hidp_session *session; 1283 struct l2cap_conn *conn; 1284 struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan; 1285 int ret; 1286 1287 ret = hidp_verify_sockets(ctrl_sock, intr_sock); 1288 if (ret) 1289 return ret; 1290 1291 conn = NULL; 1292 l2cap_chan_lock(chan); 1293 if (chan->conn) { 1294 l2cap_conn_get(chan->conn); 1295 conn = chan->conn; 1296 } 1297 l2cap_chan_unlock(chan); 1298 1299 if (!conn) 1300 return -EBADFD; 1301 1302 ret = hidp_session_new(&session, &bt_sk(ctrl_sock->sk)->dst, ctrl_sock, 1303 intr_sock, req, conn); 1304 if (ret) 1305 goto out_conn; 1306 1307 ret = l2cap_register_user(conn, &session->user); 1308 if (ret) 1309 goto out_session; 1310 1311 ret = 0; 1312 1313out_session: 1314 hidp_session_put(session); 1315out_conn: 1316 l2cap_conn_put(conn); 1317 return ret; 1318} 1319 1320int hidp_connection_del(struct hidp_conndel_req *req) 1321{ 1322 struct hidp_session *session; 1323 1324 session = hidp_session_find(&req->bdaddr); 1325 if (!session) 1326 return -ENOENT; 1327 1328 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) 1329 hidp_send_ctrl_message(session, 1330 HIDP_TRANS_HID_CONTROL | 1331 HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, 1332 NULL, 0); 1333 else 1334 l2cap_unregister_user(session->conn, &session->user); 1335 1336 hidp_session_put(session); 1337 1338 return 0; 1339} 1340 1341int hidp_get_connlist(struct hidp_connlist_req *req) 1342{ 1343 struct hidp_session *session; 1344 int err = 0, n = 0; 1345 1346 BT_DBG(""); 1347 1348 down_read(&hidp_session_sem); 1349 1350 list_for_each_entry(session, &hidp_session_list, list) { 1351 struct hidp_conninfo ci; 1352 1353 hidp_copy_session(session, &ci); 1354 1355 if (copy_to_user(req->ci, &ci, sizeof(ci))) { 1356 err = -EFAULT; 1357 break; 1358 } 1359 1360 if (++n >= req->cnum) 1361 break; 1362 1363 req->ci++; 1364 } 1365 req->cnum = n; 1366 1367 up_read(&hidp_session_sem); 1368 return err; 1369} 1370 1371int hidp_get_conninfo(struct hidp_conninfo *ci) 1372{ 1373 struct hidp_session *session; 1374 1375 session = hidp_session_find(&ci->bdaddr); 1376 if (session) { 1377 hidp_copy_session(session, ci); 1378 hidp_session_put(session); 1379 } 1380 1381 return session ? 0 : -ENOENT; 1382} 1383 1384static int __init hidp_init(void) 1385{ 1386 BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION); 1387 1388 return hidp_init_sockets(); 1389} 1390 1391static void __exit hidp_exit(void) 1392{ 1393 hidp_cleanup_sockets(); 1394} 1395 1396module_init(hidp_init); 1397module_exit(hidp_exit); 1398 1399MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 1400MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>"); 1401MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION); 1402MODULE_VERSION(VERSION); 1403MODULE_LICENSE("GPL"); 1404MODULE_ALIAS("bt-proto-6"); 1405