1 /*
2 HIDP implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/module.h>
24
25 #include <linux/types.h>
26 #include <linux/errno.h>
27 #include <linux/kernel.h>
28 #include <linux/sched.h>
29 #include <linux/slab.h>
30 #include <linux/poll.h>
31 #include <linux/freezer.h>
32 #include <linux/fcntl.h>
33 #include <linux/skbuff.h>
34 #include <linux/socket.h>
35 #include <linux/ioctl.h>
36 #include <linux/file.h>
37 #include <linux/init.h>
38 #include <linux/wait.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <net/sock.h>
42
43 #include <linux/input.h>
44 #include <linux/hid.h>
45 #include <linux/hidraw.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50
51 #include "hidp.h"
52
53 #define VERSION "1.2"
54
55 static DECLARE_RWSEM(hidp_session_sem);
56 static LIST_HEAD(hidp_session_list);
57
58 static unsigned char hidp_keycode[256] = {
59 0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
60 37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
61 21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
62 14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
63 53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
64 99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69,
65 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73,
66 82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
67 191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
68 136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94,
69 95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0,
70 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
71 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
72 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
73 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
74 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
75 29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115,
76 114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
77 };
78
79 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
80
__hidp_get_session(bdaddr_t * bdaddr)81 static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr)
82 {
83 struct hidp_session *session;
84
85 BT_DBG("");
86
87 list_for_each_entry(session, &hidp_session_list, list) {
88 if (!bacmp(bdaddr, &session->bdaddr))
89 return session;
90 }
91
92 return NULL;
93 }
94
__hidp_link_session(struct hidp_session * session)95 static void __hidp_link_session(struct hidp_session *session)
96 {
97 list_add(&session->list, &hidp_session_list);
98 }
99
__hidp_unlink_session(struct hidp_session * session)100 static void __hidp_unlink_session(struct hidp_session *session)
101 {
102 hci_conn_put_device(session->conn);
103
104 list_del(&session->list);
105 }
106
__hidp_copy_session(struct hidp_session * session,struct hidp_conninfo * ci)107 static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
108 {
109 memset(ci, 0, sizeof(*ci));
110 bacpy(&ci->bdaddr, &session->bdaddr);
111
112 ci->flags = session->flags;
113 ci->state = session->state;
114
115 ci->vendor = 0x0000;
116 ci->product = 0x0000;
117 ci->version = 0x0000;
118
119 if (session->input) {
120 ci->vendor = session->input->id.vendor;
121 ci->product = session->input->id.product;
122 ci->version = session->input->id.version;
123 if (session->input->name)
124 strncpy(ci->name, session->input->name, 128);
125 else
126 strncpy(ci->name, "HID Boot Device", 128);
127 }
128
129 if (session->hid) {
130 ci->vendor = session->hid->vendor;
131 ci->product = session->hid->product;
132 ci->version = session->hid->version;
133 strncpy(ci->name, session->hid->name, 128);
134 }
135 }
136
hidp_queue_event(struct hidp_session * session,struct input_dev * dev,unsigned int type,unsigned int code,int value)137 static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev,
138 unsigned int type, unsigned int code, int value)
139 {
140 unsigned char newleds;
141 struct sk_buff *skb;
142
143 BT_DBG("session %p type %d code %d value %d", session, type, code, value);
144
145 if (type != EV_LED)
146 return -1;
147
148 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
149 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
150 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
151 (!!test_bit(LED_CAPSL, dev->led) << 1) |
152 (!!test_bit(LED_NUML, dev->led));
153
154 if (session->leds == newleds)
155 return 0;
156
157 session->leds = newleds;
158
159 skb = alloc_skb(3, GFP_ATOMIC);
160 if (!skb) {
161 BT_ERR("Can't allocate memory for new frame");
162 return -ENOMEM;
163 }
164
165 *skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
166 *skb_put(skb, 1) = 0x01;
167 *skb_put(skb, 1) = newleds;
168
169 skb_queue_tail(&session->intr_transmit, skb);
170
171 hidp_schedule(session);
172
173 return 0;
174 }
175
hidp_hidinput_event(struct input_dev * dev,unsigned int type,unsigned int code,int value)176 static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
177 {
178 struct hid_device *hid = input_get_drvdata(dev);
179 struct hidp_session *session = hid->driver_data;
180
181 return hidp_queue_event(session, dev, type, code, value);
182 }
183
hidp_input_event(struct input_dev * dev,unsigned int type,unsigned int code,int value)184 static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
185 {
186 struct hidp_session *session = input_get_drvdata(dev);
187
188 return hidp_queue_event(session, dev, type, code, value);
189 }
190
hidp_input_report(struct hidp_session * session,struct sk_buff * skb)191 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
192 {
193 struct input_dev *dev = session->input;
194 unsigned char *keys = session->keys;
195 unsigned char *udata = skb->data + 1;
196 signed char *sdata = skb->data + 1;
197 int i, size = skb->len - 1;
198
199 switch (skb->data[0]) {
200 case 0x01: /* Keyboard report */
201 for (i = 0; i < 8; i++)
202 input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
203
204 /* If all the key codes have been set to 0x01, it means
205 * too many keys were pressed at the same time. */
206 if (!memcmp(udata + 2, hidp_mkeyspat, 6))
207 break;
208
209 for (i = 2; i < 8; i++) {
210 if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
211 if (hidp_keycode[keys[i]])
212 input_report_key(dev, hidp_keycode[keys[i]], 0);
213 else
214 BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
215 }
216
217 if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
218 if (hidp_keycode[udata[i]])
219 input_report_key(dev, hidp_keycode[udata[i]], 1);
220 else
221 BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
222 }
223 }
224
225 memcpy(keys, udata, 8);
226 break;
227
228 case 0x02: /* Mouse report */
229 input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
230 input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
231 input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
232 input_report_key(dev, BTN_SIDE, sdata[0] & 0x08);
233 input_report_key(dev, BTN_EXTRA, sdata[0] & 0x10);
234
235 input_report_rel(dev, REL_X, sdata[1]);
236 input_report_rel(dev, REL_Y, sdata[2]);
237
238 if (size > 3)
239 input_report_rel(dev, REL_WHEEL, sdata[3]);
240 break;
241 }
242
243 input_sync(dev);
244 }
245
__hidp_send_ctrl_message(struct hidp_session * session,unsigned char hdr,unsigned char * data,int size)246 static int __hidp_send_ctrl_message(struct hidp_session *session,
247 unsigned char hdr, unsigned char *data, int size)
248 {
249 struct sk_buff *skb;
250
251 BT_DBG("session %p data %p size %d", session, data, size);
252
253 if (atomic_read(&session->terminate))
254 return -EIO;
255
256 skb = alloc_skb(size + 1, GFP_ATOMIC);
257 if (!skb) {
258 BT_ERR("Can't allocate memory for new frame");
259 return -ENOMEM;
260 }
261
262 *skb_put(skb, 1) = hdr;
263 if (data && size > 0)
264 memcpy(skb_put(skb, size), data, size);
265
266 skb_queue_tail(&session->ctrl_transmit, skb);
267
268 return 0;
269 }
270
hidp_send_ctrl_message(struct hidp_session * session,unsigned char hdr,unsigned char * data,int size)271 static inline int hidp_send_ctrl_message(struct hidp_session *session,
272 unsigned char hdr, unsigned char *data, int size)
273 {
274 int err;
275
276 err = __hidp_send_ctrl_message(session, hdr, data, size);
277
278 hidp_schedule(session);
279
280 return err;
281 }
282
hidp_queue_report(struct hidp_session * session,unsigned char * data,int size)283 static int hidp_queue_report(struct hidp_session *session,
284 unsigned char *data, int size)
285 {
286 struct sk_buff *skb;
287
288 BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
289
290 skb = alloc_skb(size + 1, GFP_ATOMIC);
291 if (!skb) {
292 BT_ERR("Can't allocate memory for new frame");
293 return -ENOMEM;
294 }
295
296 *skb_put(skb, 1) = 0xa2;
297 if (size > 0)
298 memcpy(skb_put(skb, size), data, size);
299
300 skb_queue_tail(&session->intr_transmit, skb);
301
302 hidp_schedule(session);
303
304 return 0;
305 }
306
hidp_send_report(struct hidp_session * session,struct hid_report * report)307 static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
308 {
309 unsigned char buf[32];
310 int rsize;
311
312 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
313 if (rsize > sizeof(buf))
314 return -EIO;
315
316 hid_output_report(report, buf);
317
318 return hidp_queue_report(session, buf, rsize);
319 }
320
hidp_get_raw_report(struct hid_device * hid,unsigned char report_number,unsigned char * data,size_t count,unsigned char report_type)321 static int hidp_get_raw_report(struct hid_device *hid,
322 unsigned char report_number,
323 unsigned char *data, size_t count,
324 unsigned char report_type)
325 {
326 struct hidp_session *session = hid->driver_data;
327 struct sk_buff *skb;
328 size_t len;
329 int numbered_reports = hid->report_enum[report_type].numbered;
330 int ret;
331
332 switch (report_type) {
333 case HID_FEATURE_REPORT:
334 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
335 break;
336 case HID_INPUT_REPORT:
337 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
338 break;
339 case HID_OUTPUT_REPORT:
340 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
341 break;
342 default:
343 return -EINVAL;
344 }
345
346 if (mutex_lock_interruptible(&session->report_mutex))
347 return -ERESTARTSYS;
348
349 /* Set up our wait, and send the report request to the device. */
350 session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
351 session->waiting_report_number = numbered_reports ? report_number : -1;
352 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
353 data[0] = report_number;
354 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1);
355 if (ret)
356 goto err;
357
358 /* Wait for the return of the report. The returned report
359 gets put in session->report_return. */
360 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
361 int res;
362
363 res = wait_event_interruptible_timeout(session->report_queue,
364 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags),
365 5*HZ);
366 if (res == 0) {
367 /* timeout */
368 ret = -EIO;
369 goto err;
370 }
371 if (res < 0) {
372 /* signal */
373 ret = -ERESTARTSYS;
374 goto err;
375 }
376 }
377
378 skb = session->report_return;
379 if (skb) {
380 len = skb->len < count ? skb->len : count;
381 memcpy(data, skb->data, len);
382
383 kfree_skb(skb);
384 session->report_return = NULL;
385 } else {
386 /* Device returned a HANDSHAKE, indicating protocol error. */
387 len = -EIO;
388 }
389
390 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
391 mutex_unlock(&session->report_mutex);
392
393 return len;
394
395 err:
396 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
397 mutex_unlock(&session->report_mutex);
398 return ret;
399 }
400
hidp_output_raw_report(struct hid_device * hid,unsigned char * data,size_t count,unsigned char report_type)401 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
402 unsigned char report_type)
403 {
404 struct hidp_session *session = hid->driver_data;
405 int ret;
406
407 switch (report_type) {
408 case HID_FEATURE_REPORT:
409 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
410 break;
411 case HID_OUTPUT_REPORT:
412 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
413 break;
414 default:
415 return -EINVAL;
416 }
417
418 if (mutex_lock_interruptible(&session->report_mutex))
419 return -ERESTARTSYS;
420
421 /* Set up our wait, and send the report request to the device. */
422 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
423 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data,
424 count);
425 if (ret)
426 goto err;
427
428 /* Wait for the ACK from the device. */
429 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
430 int res;
431
432 res = wait_event_interruptible_timeout(session->report_queue,
433 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags),
434 10*HZ);
435 if (res == 0) {
436 /* timeout */
437 ret = -EIO;
438 goto err;
439 }
440 if (res < 0) {
441 /* signal */
442 ret = -ERESTARTSYS;
443 goto err;
444 }
445 }
446
447 if (!session->output_report_success) {
448 ret = -EIO;
449 goto err;
450 }
451
452 ret = count;
453
454 err:
455 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
456 mutex_unlock(&session->report_mutex);
457 return ret;
458 }
459
hidp_idle_timeout(unsigned long arg)460 static void hidp_idle_timeout(unsigned long arg)
461 {
462 struct hidp_session *session = (struct hidp_session *) arg;
463
464 atomic_inc(&session->terminate);
465 wake_up_process(session->task);
466 }
467
hidp_set_timer(struct hidp_session * session)468 static void hidp_set_timer(struct hidp_session *session)
469 {
470 if (session->idle_to > 0)
471 mod_timer(&session->timer, jiffies + HZ * session->idle_to);
472 }
473
hidp_del_timer(struct hidp_session * session)474 static inline void hidp_del_timer(struct hidp_session *session)
475 {
476 if (session->idle_to > 0)
477 del_timer(&session->timer);
478 }
479
hidp_process_handshake(struct hidp_session * session,unsigned char param)480 static void hidp_process_handshake(struct hidp_session *session,
481 unsigned char param)
482 {
483 BT_DBG("session %p param 0x%02x", session, param);
484 session->output_report_success = 0; /* default condition */
485
486 switch (param) {
487 case HIDP_HSHK_SUCCESSFUL:
488 /* FIXME: Call into SET_ GET_ handlers here */
489 session->output_report_success = 1;
490 break;
491
492 case HIDP_HSHK_NOT_READY:
493 case HIDP_HSHK_ERR_INVALID_REPORT_ID:
494 case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
495 case HIDP_HSHK_ERR_INVALID_PARAMETER:
496 if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
497 wake_up_interruptible(&session->report_queue);
498
499 /* FIXME: Call into SET_ GET_ handlers here */
500 break;
501
502 case HIDP_HSHK_ERR_UNKNOWN:
503 break;
504
505 case HIDP_HSHK_ERR_FATAL:
506 /* Device requests a reboot, as this is the only way this error
507 * can be recovered. */
508 __hidp_send_ctrl_message(session,
509 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
510 break;
511
512 default:
513 __hidp_send_ctrl_message(session,
514 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
515 break;
516 }
517
518 /* Wake up the waiting thread. */
519 if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
520 wake_up_interruptible(&session->report_queue);
521 }
522
hidp_process_hid_control(struct hidp_session * session,unsigned char param)523 static void hidp_process_hid_control(struct hidp_session *session,
524 unsigned char param)
525 {
526 BT_DBG("session %p param 0x%02x", session, param);
527
528 if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
529 /* Flush the transmit queues */
530 skb_queue_purge(&session->ctrl_transmit);
531 skb_queue_purge(&session->intr_transmit);
532
533 atomic_inc(&session->terminate);
534 wake_up_process(current);
535 }
536 }
537
538 /* Returns true if the passed-in skb should be freed by the caller. */
hidp_process_data(struct hidp_session * session,struct sk_buff * skb,unsigned char param)539 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
540 unsigned char param)
541 {
542 int done_with_skb = 1;
543 BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
544
545 switch (param) {
546 case HIDP_DATA_RTYPE_INPUT:
547 hidp_set_timer(session);
548
549 if (session->input)
550 hidp_input_report(session, skb);
551
552 if (session->hid)
553 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
554 break;
555
556 case HIDP_DATA_RTYPE_OTHER:
557 case HIDP_DATA_RTYPE_OUPUT:
558 case HIDP_DATA_RTYPE_FEATURE:
559 break;
560
561 default:
562 __hidp_send_ctrl_message(session,
563 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
564 }
565
566 if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
567 param == session->waiting_report_type) {
568 if (session->waiting_report_number < 0 ||
569 session->waiting_report_number == skb->data[0]) {
570 /* hidp_get_raw_report() is waiting on this report. */
571 session->report_return = skb;
572 done_with_skb = 0;
573 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
574 wake_up_interruptible(&session->report_queue);
575 }
576 }
577
578 return done_with_skb;
579 }
580
hidp_recv_ctrl_frame(struct hidp_session * session,struct sk_buff * skb)581 static void hidp_recv_ctrl_frame(struct hidp_session *session,
582 struct sk_buff *skb)
583 {
584 unsigned char hdr, type, param;
585 int free_skb = 1;
586
587 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
588
589 hdr = skb->data[0];
590 skb_pull(skb, 1);
591
592 type = hdr & HIDP_HEADER_TRANS_MASK;
593 param = hdr & HIDP_HEADER_PARAM_MASK;
594
595 switch (type) {
596 case HIDP_TRANS_HANDSHAKE:
597 hidp_process_handshake(session, param);
598 break;
599
600 case HIDP_TRANS_HID_CONTROL:
601 hidp_process_hid_control(session, param);
602 break;
603
604 case HIDP_TRANS_DATA:
605 free_skb = hidp_process_data(session, skb, param);
606 break;
607
608 default:
609 __hidp_send_ctrl_message(session,
610 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
611 break;
612 }
613
614 if (free_skb)
615 kfree_skb(skb);
616 }
617
hidp_recv_intr_frame(struct hidp_session * session,struct sk_buff * skb)618 static void hidp_recv_intr_frame(struct hidp_session *session,
619 struct sk_buff *skb)
620 {
621 unsigned char hdr;
622
623 BT_DBG("session %p skb %p len %d", session, skb, skb->len);
624
625 hdr = skb->data[0];
626 skb_pull(skb, 1);
627
628 if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
629 hidp_set_timer(session);
630
631 if (session->input)
632 hidp_input_report(session, skb);
633
634 if (session->hid) {
635 hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
636 BT_DBG("report len %d", skb->len);
637 }
638 } else {
639 BT_DBG("Unsupported protocol header 0x%02x", hdr);
640 }
641
642 kfree_skb(skb);
643 }
644
hidp_send_frame(struct socket * sock,unsigned char * data,int len)645 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
646 {
647 struct kvec iv = { data, len };
648 struct msghdr msg;
649
650 BT_DBG("sock %p data %p len %d", sock, data, len);
651
652 if (!len)
653 return 0;
654
655 memset(&msg, 0, sizeof(msg));
656
657 return kernel_sendmsg(sock, &msg, &iv, 1, len);
658 }
659
hidp_process_intr_transmit(struct hidp_session * session)660 static void hidp_process_intr_transmit(struct hidp_session *session)
661 {
662 struct sk_buff *skb;
663
664 BT_DBG("session %p", session);
665
666 while ((skb = skb_dequeue(&session->intr_transmit))) {
667 if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
668 skb_queue_head(&session->intr_transmit, skb);
669 break;
670 }
671
672 hidp_set_timer(session);
673 kfree_skb(skb);
674 }
675 }
676
hidp_process_ctrl_transmit(struct hidp_session * session)677 static void hidp_process_ctrl_transmit(struct hidp_session *session)
678 {
679 struct sk_buff *skb;
680
681 BT_DBG("session %p", session);
682
683 while ((skb = skb_dequeue(&session->ctrl_transmit))) {
684 if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
685 skb_queue_head(&session->ctrl_transmit, skb);
686 break;
687 }
688
689 hidp_set_timer(session);
690 kfree_skb(skb);
691 }
692 }
693
hidp_session(void * arg)694 static int hidp_session(void *arg)
695 {
696 struct hidp_session *session = arg;
697 struct sock *ctrl_sk = session->ctrl_sock->sk;
698 struct sock *intr_sk = session->intr_sock->sk;
699 struct sk_buff *skb;
700 wait_queue_t ctrl_wait, intr_wait;
701
702 BT_DBG("session %p", session);
703
704 __module_get(THIS_MODULE);
705 set_user_nice(current, -15);
706
707 init_waitqueue_entry(&ctrl_wait, current);
708 init_waitqueue_entry(&intr_wait, current);
709 add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
710 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
711 session->waiting_for_startup = 0;
712 wake_up_interruptible(&session->startup_queue);
713 set_current_state(TASK_INTERRUPTIBLE);
714 while (!atomic_read(&session->terminate)) {
715 if (ctrl_sk->sk_state != BT_CONNECTED ||
716 intr_sk->sk_state != BT_CONNECTED)
717 break;
718
719 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
720 skb_orphan(skb);
721 if (!skb_linearize(skb))
722 hidp_recv_intr_frame(session, skb);
723 else
724 kfree_skb(skb);
725 }
726
727 hidp_process_intr_transmit(session);
728
729 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
730 skb_orphan(skb);
731 if (!skb_linearize(skb))
732 hidp_recv_ctrl_frame(session, skb);
733 else
734 kfree_skb(skb);
735 }
736
737 hidp_process_ctrl_transmit(session);
738
739 schedule();
740 set_current_state(TASK_INTERRUPTIBLE);
741 }
742 set_current_state(TASK_RUNNING);
743 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
744 remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
745
746 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
747 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
748 wake_up_interruptible(&session->report_queue);
749
750 down_write(&hidp_session_sem);
751
752 hidp_del_timer(session);
753
754 if (session->input) {
755 input_unregister_device(session->input);
756 session->input = NULL;
757 }
758
759 if (session->hid) {
760 hid_destroy_device(session->hid);
761 session->hid = NULL;
762 }
763
764 /* Wakeup user-space polling for socket errors */
765 session->intr_sock->sk->sk_err = EUNATCH;
766 session->ctrl_sock->sk->sk_err = EUNATCH;
767
768 hidp_schedule(session);
769
770 fput(session->intr_sock->file);
771
772 wait_event_timeout(*(sk_sleep(ctrl_sk)),
773 (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
774
775 fput(session->ctrl_sock->file);
776
777 __hidp_unlink_session(session);
778
779 up_write(&hidp_session_sem);
780
781 kfree(session->rd_data);
782 kfree(session);
783 module_put_and_exit(0);
784 return 0;
785 }
786
hidp_get_connection(struct hidp_session * session)787 static struct hci_conn *hidp_get_connection(struct hidp_session *session)
788 {
789 bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
790 bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
791 struct hci_conn *conn;
792 struct hci_dev *hdev;
793
794 hdev = hci_get_route(dst, src);
795 if (!hdev)
796 return NULL;
797
798 hci_dev_lock(hdev);
799 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
800 if (conn)
801 hci_conn_hold_device(conn);
802 hci_dev_unlock(hdev);
803
804 hci_dev_put(hdev);
805
806 return conn;
807 }
808
hidp_setup_input(struct hidp_session * session,struct hidp_connadd_req * req)809 static int hidp_setup_input(struct hidp_session *session,
810 struct hidp_connadd_req *req)
811 {
812 struct input_dev *input;
813 int i;
814
815 input = input_allocate_device();
816 if (!input)
817 return -ENOMEM;
818
819 session->input = input;
820
821 input_set_drvdata(input, session);
822
823 input->name = "Bluetooth HID Boot Protocol Device";
824
825 input->id.bustype = BUS_BLUETOOTH;
826 input->id.vendor = req->vendor;
827 input->id.product = req->product;
828 input->id.version = req->version;
829
830 if (req->subclass & 0x40) {
831 set_bit(EV_KEY, input->evbit);
832 set_bit(EV_LED, input->evbit);
833 set_bit(EV_REP, input->evbit);
834
835 set_bit(LED_NUML, input->ledbit);
836 set_bit(LED_CAPSL, input->ledbit);
837 set_bit(LED_SCROLLL, input->ledbit);
838 set_bit(LED_COMPOSE, input->ledbit);
839 set_bit(LED_KANA, input->ledbit);
840
841 for (i = 0; i < sizeof(hidp_keycode); i++)
842 set_bit(hidp_keycode[i], input->keybit);
843 clear_bit(0, input->keybit);
844 }
845
846 if (req->subclass & 0x80) {
847 input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
848 input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
849 BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
850 input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
851 input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
852 BIT_MASK(BTN_EXTRA);
853 input->relbit[0] |= BIT_MASK(REL_WHEEL);
854 }
855
856 input->dev.parent = &session->conn->dev;
857
858 input->event = hidp_input_event;
859
860 return 0;
861 }
862
hidp_open(struct hid_device * hid)863 static int hidp_open(struct hid_device *hid)
864 {
865 return 0;
866 }
867
hidp_close(struct hid_device * hid)868 static void hidp_close(struct hid_device *hid)
869 {
870 }
871
hidp_parse(struct hid_device * hid)872 static int hidp_parse(struct hid_device *hid)
873 {
874 struct hidp_session *session = hid->driver_data;
875
876 return hid_parse_report(session->hid, session->rd_data,
877 session->rd_size);
878 }
879
hidp_start(struct hid_device * hid)880 static int hidp_start(struct hid_device *hid)
881 {
882 struct hidp_session *session = hid->driver_data;
883 struct hid_report *report;
884
885 if (hid->quirks & HID_QUIRK_NO_INIT_REPORTS)
886 return 0;
887
888 list_for_each_entry(report, &hid->report_enum[HID_INPUT_REPORT].
889 report_list, list)
890 hidp_send_report(session, report);
891
892 list_for_each_entry(report, &hid->report_enum[HID_FEATURE_REPORT].
893 report_list, list)
894 hidp_send_report(session, report);
895
896 return 0;
897 }
898
hidp_stop(struct hid_device * hid)899 static void hidp_stop(struct hid_device *hid)
900 {
901 struct hidp_session *session = hid->driver_data;
902
903 skb_queue_purge(&session->ctrl_transmit);
904 skb_queue_purge(&session->intr_transmit);
905
906 hid->claimed = 0;
907 }
908
909 static struct hid_ll_driver hidp_hid_driver = {
910 .parse = hidp_parse,
911 .start = hidp_start,
912 .stop = hidp_stop,
913 .open = hidp_open,
914 .close = hidp_close,
915 .hidinput_input_event = hidp_hidinput_event,
916 };
917
918 /* This function sets up the hid device. It does not add it
919 to the HID system. That is done in hidp_add_connection(). */
hidp_setup_hid(struct hidp_session * session,struct hidp_connadd_req * req)920 static int hidp_setup_hid(struct hidp_session *session,
921 struct hidp_connadd_req *req)
922 {
923 struct hid_device *hid;
924 int err;
925
926 session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
927 if (!session->rd_data)
928 return -ENOMEM;
929
930 if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
931 err = -EFAULT;
932 goto fault;
933 }
934 session->rd_size = req->rd_size;
935
936 hid = hid_allocate_device();
937 if (IS_ERR(hid)) {
938 err = PTR_ERR(hid);
939 goto fault;
940 }
941
942 session->hid = hid;
943
944 hid->driver_data = session;
945
946 hid->bus = BUS_BLUETOOTH;
947 hid->vendor = req->vendor;
948 hid->product = req->product;
949 hid->version = req->version;
950 hid->country = req->country;
951
952 strncpy(hid->name, req->name, sizeof(req->name) - 1);
953 strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
954 strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
955
956 hid->dev.parent = &session->conn->dev;
957 hid->ll_driver = &hidp_hid_driver;
958
959 hid->hid_get_raw_report = hidp_get_raw_report;
960 hid->hid_output_raw_report = hidp_output_raw_report;
961
962 return 0;
963
964 fault:
965 kfree(session->rd_data);
966 session->rd_data = NULL;
967
968 return err;
969 }
970
hidp_add_connection(struct hidp_connadd_req * req,struct socket * ctrl_sock,struct socket * intr_sock)971 int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
972 {
973 struct hidp_session *session, *s;
974 int vendor, product;
975 int err;
976
977 BT_DBG("");
978
979 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
980 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
981 return -ENOTUNIQ;
982
983 BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
984
985 down_write(&hidp_session_sem);
986
987 s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
988 if (s && s->state == BT_CONNECTED) {
989 up_write(&hidp_session_sem);
990 return -EEXIST;
991 }
992
993 session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
994 if (!session) {
995 up_write(&hidp_session_sem);
996 return -ENOMEM;
997 }
998
999 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
1000
1001 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
1002 l2cap_pi(ctrl_sock->sk)->chan->imtu);
1003 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
1004 l2cap_pi(intr_sock->sk)->chan->imtu);
1005
1006 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
1007
1008 session->ctrl_sock = ctrl_sock;
1009 session->intr_sock = intr_sock;
1010 session->state = BT_CONNECTED;
1011
1012 session->conn = hidp_get_connection(session);
1013 if (!session->conn) {
1014 err = -ENOTCONN;
1015 goto failed;
1016 }
1017
1018 setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
1019
1020 skb_queue_head_init(&session->ctrl_transmit);
1021 skb_queue_head_init(&session->intr_transmit);
1022
1023 mutex_init(&session->report_mutex);
1024 init_waitqueue_head(&session->report_queue);
1025 init_waitqueue_head(&session->startup_queue);
1026 session->waiting_for_startup = 1;
1027 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
1028 session->idle_to = req->idle_to;
1029
1030 __hidp_link_session(session);
1031
1032 if (req->rd_size > 0) {
1033 err = hidp_setup_hid(session, req);
1034 if (err)
1035 goto purge;
1036 }
1037
1038 if (!session->hid) {
1039 err = hidp_setup_input(session, req);
1040 if (err < 0)
1041 goto purge;
1042 }
1043
1044 hidp_set_timer(session);
1045
1046 if (session->hid) {
1047 vendor = session->hid->vendor;
1048 product = session->hid->product;
1049 } else if (session->input) {
1050 vendor = session->input->id.vendor;
1051 product = session->input->id.product;
1052 } else {
1053 vendor = 0x0000;
1054 product = 0x0000;
1055 }
1056
1057 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
1058 vendor, product);
1059 if (IS_ERR(session->task)) {
1060 err = PTR_ERR(session->task);
1061 goto unlink;
1062 }
1063
1064 while (session->waiting_for_startup) {
1065 wait_event_interruptible(session->startup_queue,
1066 !session->waiting_for_startup);
1067 }
1068
1069 if (session->hid)
1070 err = hid_add_device(session->hid);
1071 else
1072 err = input_register_device(session->input);
1073
1074 if (err < 0) {
1075 atomic_inc(&session->terminate);
1076 wake_up_process(session->task);
1077 up_write(&hidp_session_sem);
1078 return err;
1079 }
1080
1081 if (session->input) {
1082 hidp_send_ctrl_message(session,
1083 HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0);
1084 session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE);
1085
1086 session->leds = 0xff;
1087 hidp_input_event(session->input, EV_LED, 0, 0);
1088 }
1089
1090 up_write(&hidp_session_sem);
1091 return 0;
1092
1093 unlink:
1094 hidp_del_timer(session);
1095
1096 if (session->input) {
1097 input_unregister_device(session->input);
1098 session->input = NULL;
1099 }
1100
1101 if (session->hid) {
1102 hid_destroy_device(session->hid);
1103 session->hid = NULL;
1104 }
1105
1106 kfree(session->rd_data);
1107 session->rd_data = NULL;
1108
1109 purge:
1110 __hidp_unlink_session(session);
1111
1112 skb_queue_purge(&session->ctrl_transmit);
1113 skb_queue_purge(&session->intr_transmit);
1114
1115 failed:
1116 up_write(&hidp_session_sem);
1117
1118 kfree(session);
1119 return err;
1120 }
1121
hidp_del_connection(struct hidp_conndel_req * req)1122 int hidp_del_connection(struct hidp_conndel_req *req)
1123 {
1124 struct hidp_session *session;
1125 int err = 0;
1126
1127 BT_DBG("");
1128
1129 down_read(&hidp_session_sem);
1130
1131 session = __hidp_get_session(&req->bdaddr);
1132 if (session) {
1133 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
1134 hidp_send_ctrl_message(session,
1135 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
1136 } else {
1137 /* Flush the transmit queues */
1138 skb_queue_purge(&session->ctrl_transmit);
1139 skb_queue_purge(&session->intr_transmit);
1140
1141 atomic_inc(&session->terminate);
1142 wake_up_process(session->task);
1143 }
1144 } else
1145 err = -ENOENT;
1146
1147 up_read(&hidp_session_sem);
1148 return err;
1149 }
1150
hidp_get_connlist(struct hidp_connlist_req * req)1151 int hidp_get_connlist(struct hidp_connlist_req *req)
1152 {
1153 struct hidp_session *session;
1154 int err = 0, n = 0;
1155
1156 BT_DBG("");
1157
1158 down_read(&hidp_session_sem);
1159
1160 list_for_each_entry(session, &hidp_session_list, list) {
1161 struct hidp_conninfo ci;
1162
1163 __hidp_copy_session(session, &ci);
1164
1165 if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1166 err = -EFAULT;
1167 break;
1168 }
1169
1170 if (++n >= req->cnum)
1171 break;
1172
1173 req->ci++;
1174 }
1175 req->cnum = n;
1176
1177 up_read(&hidp_session_sem);
1178 return err;
1179 }
1180
hidp_get_conninfo(struct hidp_conninfo * ci)1181 int hidp_get_conninfo(struct hidp_conninfo *ci)
1182 {
1183 struct hidp_session *session;
1184 int err = 0;
1185
1186 down_read(&hidp_session_sem);
1187
1188 session = __hidp_get_session(&ci->bdaddr);
1189 if (session)
1190 __hidp_copy_session(session, ci);
1191 else
1192 err = -ENOENT;
1193
1194 up_read(&hidp_session_sem);
1195 return err;
1196 }
1197
1198 static const struct hid_device_id hidp_table[] = {
1199 { HID_BLUETOOTH_DEVICE(HID_ANY_ID, HID_ANY_ID) },
1200 { }
1201 };
1202
1203 static struct hid_driver hidp_driver = {
1204 .name = "generic-bluetooth",
1205 .id_table = hidp_table,
1206 };
1207
hidp_init(void)1208 static int __init hidp_init(void)
1209 {
1210 int ret;
1211
1212 BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1213
1214 ret = hid_register_driver(&hidp_driver);
1215 if (ret)
1216 goto err;
1217
1218 ret = hidp_init_sockets();
1219 if (ret)
1220 goto err_drv;
1221
1222 return 0;
1223 err_drv:
1224 hid_unregister_driver(&hidp_driver);
1225 err:
1226 return ret;
1227 }
1228
hidp_exit(void)1229 static void __exit hidp_exit(void)
1230 {
1231 hidp_cleanup_sockets();
1232 hid_unregister_driver(&hidp_driver);
1233 }
1234
1235 module_init(hidp_init);
1236 module_exit(hidp_exit);
1237
1238 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1239 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1240 MODULE_VERSION(VERSION);
1241 MODULE_LICENSE("GPL");
1242 MODULE_ALIAS("bt-proto-6");
1243