1 /*
2    HIDP implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4    Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 #include <linux/kref.h>
25 #include <linux/module.h>
26 #include <linux/file.h>
27 #include <linux/kthread.h>
28 #include <linux/hidraw.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 
34 #include "hidp.h"
35 
36 #define VERSION "1.2"
37 
38 static DECLARE_RWSEM(hidp_session_sem);
39 static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
40 static LIST_HEAD(hidp_session_list);
41 
42 static unsigned char hidp_keycode[256] = {
43 	  0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
44 	 37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
45 	 21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
46 	 14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
47 	 53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
48 	 99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
49 	 98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
50 	 82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
51 	191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
52 	136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
53 	 95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
54 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
55 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
56 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
57 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
58 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
59 	 29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
60 	114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
61 };
62 
63 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
64 
65 static int hidp_session_probe(struct l2cap_conn *conn,
66 			      struct l2cap_user *user);
67 static void hidp_session_remove(struct l2cap_conn *conn,
68 				struct l2cap_user *user);
69 static int hidp_session_thread(void *arg);
70 static void hidp_session_terminate(struct hidp_session *s);
71 
hidp_copy_session(struct hidp_session * session,struct hidp_conninfo * ci)72 static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
73 {
74 	u32 valid_flags = 0;
75 	memset(ci, 0, sizeof(*ci));
76 	bacpy(&ci->bdaddr, &session->bdaddr);
77 
78 	ci->flags = session->flags & valid_flags;
79 	ci->state = BT_CONNECTED;
80 
81 	if (session->input) {
82 		ci->vendor  = session->input->id.vendor;
83 		ci->product = session->input->id.product;
84 		ci->version = session->input->id.version;
85 		if (session->input->name)
86 			strlcpy(ci->name, session->input->name, 128);
87 		else
88 			strlcpy(ci->name, "HID Boot Device", 128);
89 	} else if (session->hid) {
90 		ci->vendor  = session->hid->vendor;
91 		ci->product = session->hid->product;
92 		ci->version = session->hid->version;
93 		strlcpy(ci->name, session->hid->name, 128);
94 	}
95 }
96 
97 /* assemble skb, queue message on @transmit and wake up the session thread */
hidp_send_message(struct hidp_session * session,struct socket * sock,struct sk_buff_head * transmit,unsigned char hdr,const unsigned char * data,int size)98 static int hidp_send_message(struct hidp_session *session, struct socket *sock,
99 			     struct sk_buff_head *transmit, unsigned char hdr,
100 			     const unsigned char *data, int size)
101 {
102 	struct sk_buff *skb;
103 	struct sock *sk = sock->sk;
104 
105 	BT_DBG("session %p data %p size %d", session, data, size);
106 
107 	if (atomic_read(&session->terminate))
108 		return -EIO;
109 
110 	skb = alloc_skb(size + 1, GFP_ATOMIC);
111 	if (!skb) {
112 		BT_ERR("Can't allocate memory for new frame");
113 		return -ENOMEM;
114 	}
115 
116 	skb_put_u8(skb, hdr);
117 	if (data && size > 0)
118 		skb_put_data(skb, data, size);
119 
120 	skb_queue_tail(transmit, skb);
121 	wake_up_interruptible(sk_sleep(sk));
122 
123 	return 0;
124 }
125 
hidp_send_ctrl_message(struct hidp_session * session,unsigned char hdr,const unsigned char * data,int size)126 static int hidp_send_ctrl_message(struct hidp_session *session,
127 				  unsigned char hdr, const unsigned char *data,
128 				  int size)
129 {
130 	return hidp_send_message(session, session->ctrl_sock,
131 				 &session->ctrl_transmit, hdr, data, size);
132 }
133 
hidp_send_intr_message(struct hidp_session * session,unsigned char hdr,const unsigned char * data,int size)134 static int hidp_send_intr_message(struct hidp_session *session,
135 				  unsigned char hdr, const unsigned char *data,
136 				  int size)
137 {
138 	return hidp_send_message(session, session->intr_sock,
139 				 &session->intr_transmit, hdr, data, size);
140 }
141 
hidp_input_event(struct input_dev * dev,unsigned int type,unsigned int code,int value)142 static int hidp_input_event(struct input_dev *dev, unsigned int type,
143 			    unsigned int code, int value)
144 {
145 	struct hidp_session *session = input_get_drvdata(dev);
146 	unsigned char newleds;
147 	unsigned char hdr, data[2];
148 
149 	BT_DBG("session %p type %d code %d value %d",
150 	       session, type, code, value);
151 
152 	if (type != EV_LED)
153 		return -1;
154 
155 	newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
156 		  (!!test_bit(LED_COMPOSE, dev->led) << 3) |
157 		  (!!test_bit(LED_SCROLLL, dev->led) << 2) |
158 		  (!!test_bit(LED_CAPSL,   dev->led) << 1) |
159 		  (!!test_bit(LED_NUML,    dev->led) << 0);
160 
161 	if (session->leds == newleds)
162 		return 0;
163 
164 	session->leds = newleds;
165 
166 	hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
167 	data[0] = 0x01;
168 	data[1] = newleds;
169 
170 	return hidp_send_intr_message(session, hdr, data, 2);
171 }
172 
hidp_input_report(struct hidp_session * session,struct sk_buff * skb)173 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
174 {
175 	struct input_dev *dev = session->input;
176 	unsigned char *keys = session->keys;
177 	unsigned char *udata = skb->data + 1;
178 	signed char *sdata = skb->data + 1;
179 	int i, size = skb->len - 1;
180 
181 	switch (skb->data[0]) {
182 	case 0x01:	/* Keyboard report */
183 		for (i = 0; i < 8; i++)
184 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
185 
186 		/* If all the key codes have been set to 0x01, it means
187 		 * too many keys were pressed at the same time. */
188 		if (!memcmp(udata + 2, hidp_mkeyspat, 6))
189 			break;
190 
191 		for (i = 2; i < 8; i++) {
192 			if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
193 				if (hidp_keycode[keys[i]])
194 					input_report_key(dev, hidp_keycode[keys[i]], 0);
195 				else
196 					BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
197 			}
198 
199 			if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
200 				if (hidp_keycode[udata[i]])
201 					input_report_key(dev, hidp_keycode[udata[i]], 1);
202 				else
203 					BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
204 			}
205 		}
206 
207 		memcpy(keys, udata, 8);
208 		break;
209 
210 	case 0x02:	/* Mouse report */
211 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
212 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
213 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
214 		input_report_key(dev, BTN_SIDE,   sdata[0] & 0x08);
215 		input_report_key(dev, BTN_EXTRA,  sdata[0] & 0x10);
216 
217 		input_report_rel(dev, REL_X, sdata[1]);
218 		input_report_rel(dev, REL_Y, sdata[2]);
219 
220 		if (size > 3)
221 			input_report_rel(dev, REL_WHEEL, sdata[3]);
222 		break;
223 	}
224 
225 	input_sync(dev);
226 }
227 
hidp_get_raw_report(struct hid_device * hid,unsigned char report_number,unsigned char * data,size_t count,unsigned char report_type)228 static int hidp_get_raw_report(struct hid_device *hid,
229 		unsigned char report_number,
230 		unsigned char *data, size_t count,
231 		unsigned char report_type)
232 {
233 	struct hidp_session *session = hid->driver_data;
234 	struct sk_buff *skb;
235 	size_t len;
236 	int numbered_reports = hid->report_enum[report_type].numbered;
237 	int ret;
238 
239 	if (atomic_read(&session->terminate))
240 		return -EIO;
241 
242 	switch (report_type) {
243 	case HID_FEATURE_REPORT:
244 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
245 		break;
246 	case HID_INPUT_REPORT:
247 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
248 		break;
249 	case HID_OUTPUT_REPORT:
250 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
251 		break;
252 	default:
253 		return -EINVAL;
254 	}
255 
256 	if (mutex_lock_interruptible(&session->report_mutex))
257 		return -ERESTARTSYS;
258 
259 	/* Set up our wait, and send the report request to the device. */
260 	session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
261 	session->waiting_report_number = numbered_reports ? report_number : -1;
262 	set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
263 	data[0] = report_number;
264 	ret = hidp_send_ctrl_message(session, report_type, data, 1);
265 	if (ret)
266 		goto err;
267 
268 	/* Wait for the return of the report. The returned report
269 	   gets put in session->report_return.  */
270 	while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
271 	       !atomic_read(&session->terminate)) {
272 		int res;
273 
274 		res = wait_event_interruptible_timeout(session->report_queue,
275 			!test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
276 				|| atomic_read(&session->terminate),
277 			5*HZ);
278 		if (res == 0) {
279 			/* timeout */
280 			ret = -EIO;
281 			goto err;
282 		}
283 		if (res < 0) {
284 			/* signal */
285 			ret = -ERESTARTSYS;
286 			goto err;
287 		}
288 	}
289 
290 	skb = session->report_return;
291 	if (skb) {
292 		len = skb->len < count ? skb->len : count;
293 		memcpy(data, skb->data, len);
294 
295 		kfree_skb(skb);
296 		session->report_return = NULL;
297 	} else {
298 		/* Device returned a HANDSHAKE, indicating  protocol error. */
299 		len = -EIO;
300 	}
301 
302 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
303 	mutex_unlock(&session->report_mutex);
304 
305 	return len;
306 
307 err:
308 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
309 	mutex_unlock(&session->report_mutex);
310 	return ret;
311 }
312 
hidp_set_raw_report(struct hid_device * hid,unsigned char reportnum,unsigned char * data,size_t count,unsigned char report_type)313 static int hidp_set_raw_report(struct hid_device *hid, unsigned char reportnum,
314 			       unsigned char *data, size_t count,
315 			       unsigned char report_type)
316 {
317 	struct hidp_session *session = hid->driver_data;
318 	int ret;
319 
320 	switch (report_type) {
321 	case HID_FEATURE_REPORT:
322 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
323 		break;
324 	case HID_INPUT_REPORT:
325 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_INPUT;
326 		break;
327 	case HID_OUTPUT_REPORT:
328 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
329 		break;
330 	default:
331 		return -EINVAL;
332 	}
333 
334 	if (mutex_lock_interruptible(&session->report_mutex))
335 		return -ERESTARTSYS;
336 
337 	/* Set up our wait, and send the report request to the device. */
338 	data[0] = reportnum;
339 	set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
340 	ret = hidp_send_ctrl_message(session, report_type, data, count);
341 	if (ret)
342 		goto err;
343 
344 	/* Wait for the ACK from the device. */
345 	while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
346 	       !atomic_read(&session->terminate)) {
347 		int res;
348 
349 		res = wait_event_interruptible_timeout(session->report_queue,
350 			!test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
351 				|| atomic_read(&session->terminate),
352 			10*HZ);
353 		if (res == 0) {
354 			/* timeout */
355 			ret = -EIO;
356 			goto err;
357 		}
358 		if (res < 0) {
359 			/* signal */
360 			ret = -ERESTARTSYS;
361 			goto err;
362 		}
363 	}
364 
365 	if (!session->output_report_success) {
366 		ret = -EIO;
367 		goto err;
368 	}
369 
370 	ret = count;
371 
372 err:
373 	clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
374 	mutex_unlock(&session->report_mutex);
375 	return ret;
376 }
377 
hidp_output_report(struct hid_device * hid,__u8 * data,size_t count)378 static int hidp_output_report(struct hid_device *hid, __u8 *data, size_t count)
379 {
380 	struct hidp_session *session = hid->driver_data;
381 
382 	return hidp_send_intr_message(session,
383 				      HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT,
384 				      data, count);
385 }
386 
hidp_raw_request(struct hid_device * hid,unsigned char reportnum,__u8 * buf,size_t len,unsigned char rtype,int reqtype)387 static int hidp_raw_request(struct hid_device *hid, unsigned char reportnum,
388 			    __u8 *buf, size_t len, unsigned char rtype,
389 			    int reqtype)
390 {
391 	switch (reqtype) {
392 	case HID_REQ_GET_REPORT:
393 		return hidp_get_raw_report(hid, reportnum, buf, len, rtype);
394 	case HID_REQ_SET_REPORT:
395 		return hidp_set_raw_report(hid, reportnum, buf, len, rtype);
396 	default:
397 		return -EIO;
398 	}
399 }
400 
hidp_idle_timeout(struct timer_list * t)401 static void hidp_idle_timeout(struct timer_list *t)
402 {
403 	struct hidp_session *session = from_timer(session, t, timer);
404 
405 	/* The HIDP user-space API only contains calls to add and remove
406 	 * devices. There is no way to forward events of any kind. Therefore,
407 	 * we have to forcefully disconnect a device on idle-timeouts. This is
408 	 * unfortunate and weird API design, but it is spec-compliant and
409 	 * required for backwards-compatibility. Hence, on idle-timeout, we
410 	 * signal driver-detach events, so poll() will be woken up with an
411 	 * error-condition on both sockets.
412 	 */
413 
414 	session->intr_sock->sk->sk_err = EUNATCH;
415 	session->ctrl_sock->sk->sk_err = EUNATCH;
416 	wake_up_interruptible(sk_sleep(session->intr_sock->sk));
417 	wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
418 
419 	hidp_session_terminate(session);
420 }
421 
hidp_set_timer(struct hidp_session * session)422 static void hidp_set_timer(struct hidp_session *session)
423 {
424 	if (session->idle_to > 0)
425 		mod_timer(&session->timer, jiffies + HZ * session->idle_to);
426 }
427 
hidp_del_timer(struct hidp_session * session)428 static void hidp_del_timer(struct hidp_session *session)
429 {
430 	if (session->idle_to > 0)
431 		del_timer(&session->timer);
432 }
433 
hidp_process_report(struct hidp_session * session,int type,const u8 * data,unsigned int len,int intr)434 static void hidp_process_report(struct hidp_session *session, int type,
435 				const u8 *data, unsigned int len, int intr)
436 {
437 	if (len > HID_MAX_BUFFER_SIZE)
438 		len = HID_MAX_BUFFER_SIZE;
439 
440 	memcpy(session->input_buf, data, len);
441 	hid_input_report(session->hid, type, session->input_buf, len, intr);
442 }
443 
hidp_process_handshake(struct hidp_session * session,unsigned char param)444 static void hidp_process_handshake(struct hidp_session *session,
445 					unsigned char param)
446 {
447 	BT_DBG("session %p param 0x%02x", session, param);
448 	session->output_report_success = 0; /* default condition */
449 
450 	switch (param) {
451 	case HIDP_HSHK_SUCCESSFUL:
452 		/* FIXME: Call into SET_ GET_ handlers here */
453 		session->output_report_success = 1;
454 		break;
455 
456 	case HIDP_HSHK_NOT_READY:
457 	case HIDP_HSHK_ERR_INVALID_REPORT_ID:
458 	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
459 	case HIDP_HSHK_ERR_INVALID_PARAMETER:
460 		if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
461 			wake_up_interruptible(&session->report_queue);
462 
463 		/* FIXME: Call into SET_ GET_ handlers here */
464 		break;
465 
466 	case HIDP_HSHK_ERR_UNKNOWN:
467 		break;
468 
469 	case HIDP_HSHK_ERR_FATAL:
470 		/* Device requests a reboot, as this is the only way this error
471 		 * can be recovered. */
472 		hidp_send_ctrl_message(session,
473 			HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
474 		break;
475 
476 	default:
477 		hidp_send_ctrl_message(session,
478 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
479 		break;
480 	}
481 
482 	/* Wake up the waiting thread. */
483 	if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
484 		wake_up_interruptible(&session->report_queue);
485 }
486 
hidp_process_hid_control(struct hidp_session * session,unsigned char param)487 static void hidp_process_hid_control(struct hidp_session *session,
488 					unsigned char param)
489 {
490 	BT_DBG("session %p param 0x%02x", session, param);
491 
492 	if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
493 		/* Flush the transmit queues */
494 		skb_queue_purge(&session->ctrl_transmit);
495 		skb_queue_purge(&session->intr_transmit);
496 
497 		hidp_session_terminate(session);
498 	}
499 }
500 
501 /* Returns true if the passed-in skb should be freed by the caller. */
hidp_process_data(struct hidp_session * session,struct sk_buff * skb,unsigned char param)502 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
503 				unsigned char param)
504 {
505 	int done_with_skb = 1;
506 	BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
507 
508 	switch (param) {
509 	case HIDP_DATA_RTYPE_INPUT:
510 		hidp_set_timer(session);
511 
512 		if (session->input)
513 			hidp_input_report(session, skb);
514 
515 		if (session->hid)
516 			hidp_process_report(session, HID_INPUT_REPORT,
517 					    skb->data, skb->len, 0);
518 		break;
519 
520 	case HIDP_DATA_RTYPE_OTHER:
521 	case HIDP_DATA_RTYPE_OUPUT:
522 	case HIDP_DATA_RTYPE_FEATURE:
523 		break;
524 
525 	default:
526 		hidp_send_ctrl_message(session,
527 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
528 	}
529 
530 	if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
531 				param == session->waiting_report_type) {
532 		if (session->waiting_report_number < 0 ||
533 		    session->waiting_report_number == skb->data[0]) {
534 			/* hidp_get_raw_report() is waiting on this report. */
535 			session->report_return = skb;
536 			done_with_skb = 0;
537 			clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
538 			wake_up_interruptible(&session->report_queue);
539 		}
540 	}
541 
542 	return done_with_skb;
543 }
544 
hidp_recv_ctrl_frame(struct hidp_session * session,struct sk_buff * skb)545 static void hidp_recv_ctrl_frame(struct hidp_session *session,
546 					struct sk_buff *skb)
547 {
548 	unsigned char hdr, type, param;
549 	int free_skb = 1;
550 
551 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
552 
553 	hdr = skb->data[0];
554 	skb_pull(skb, 1);
555 
556 	type = hdr & HIDP_HEADER_TRANS_MASK;
557 	param = hdr & HIDP_HEADER_PARAM_MASK;
558 
559 	switch (type) {
560 	case HIDP_TRANS_HANDSHAKE:
561 		hidp_process_handshake(session, param);
562 		break;
563 
564 	case HIDP_TRANS_HID_CONTROL:
565 		hidp_process_hid_control(session, param);
566 		break;
567 
568 	case HIDP_TRANS_DATA:
569 		free_skb = hidp_process_data(session, skb, param);
570 		break;
571 
572 	default:
573 		hidp_send_ctrl_message(session,
574 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
575 		break;
576 	}
577 
578 	if (free_skb)
579 		kfree_skb(skb);
580 }
581 
hidp_recv_intr_frame(struct hidp_session * session,struct sk_buff * skb)582 static void hidp_recv_intr_frame(struct hidp_session *session,
583 				struct sk_buff *skb)
584 {
585 	unsigned char hdr;
586 
587 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
588 
589 	hdr = skb->data[0];
590 	skb_pull(skb, 1);
591 
592 	if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
593 		hidp_set_timer(session);
594 
595 		if (session->input)
596 			hidp_input_report(session, skb);
597 
598 		if (session->hid) {
599 			hidp_process_report(session, HID_INPUT_REPORT,
600 					    skb->data, skb->len, 1);
601 			BT_DBG("report len %d", skb->len);
602 		}
603 	} else {
604 		BT_DBG("Unsupported protocol header 0x%02x", hdr);
605 	}
606 
607 	kfree_skb(skb);
608 }
609 
hidp_send_frame(struct socket * sock,unsigned char * data,int len)610 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
611 {
612 	struct kvec iv = { data, len };
613 	struct msghdr msg;
614 
615 	BT_DBG("sock %p data %p len %d", sock, data, len);
616 
617 	if (!len)
618 		return 0;
619 
620 	memset(&msg, 0, sizeof(msg));
621 
622 	return kernel_sendmsg(sock, &msg, &iv, 1, len);
623 }
624 
625 /* dequeue message from @transmit and send via @sock */
hidp_process_transmit(struct hidp_session * session,struct sk_buff_head * transmit,struct socket * sock)626 static void hidp_process_transmit(struct hidp_session *session,
627 				  struct sk_buff_head *transmit,
628 				  struct socket *sock)
629 {
630 	struct sk_buff *skb;
631 	int ret;
632 
633 	BT_DBG("session %p", session);
634 
635 	while ((skb = skb_dequeue(transmit))) {
636 		ret = hidp_send_frame(sock, skb->data, skb->len);
637 		if (ret == -EAGAIN) {
638 			skb_queue_head(transmit, skb);
639 			break;
640 		} else if (ret < 0) {
641 			hidp_session_terminate(session);
642 			kfree_skb(skb);
643 			break;
644 		}
645 
646 		hidp_set_timer(session);
647 		kfree_skb(skb);
648 	}
649 }
650 
hidp_setup_input(struct hidp_session * session,struct hidp_connadd_req * req)651 static int hidp_setup_input(struct hidp_session *session,
652 				struct hidp_connadd_req *req)
653 {
654 	struct input_dev *input;
655 	int i;
656 
657 	input = input_allocate_device();
658 	if (!input)
659 		return -ENOMEM;
660 
661 	session->input = input;
662 
663 	input_set_drvdata(input, session);
664 
665 	input->name = "Bluetooth HID Boot Protocol Device";
666 
667 	input->id.bustype = BUS_BLUETOOTH;
668 	input->id.vendor  = req->vendor;
669 	input->id.product = req->product;
670 	input->id.version = req->version;
671 
672 	if (req->subclass & 0x40) {
673 		set_bit(EV_KEY, input->evbit);
674 		set_bit(EV_LED, input->evbit);
675 		set_bit(EV_REP, input->evbit);
676 
677 		set_bit(LED_NUML,    input->ledbit);
678 		set_bit(LED_CAPSL,   input->ledbit);
679 		set_bit(LED_SCROLLL, input->ledbit);
680 		set_bit(LED_COMPOSE, input->ledbit);
681 		set_bit(LED_KANA,    input->ledbit);
682 
683 		for (i = 0; i < sizeof(hidp_keycode); i++)
684 			set_bit(hidp_keycode[i], input->keybit);
685 		clear_bit(0, input->keybit);
686 	}
687 
688 	if (req->subclass & 0x80) {
689 		input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
690 		input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
691 			BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
692 		input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
693 		input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
694 			BIT_MASK(BTN_EXTRA);
695 		input->relbit[0] |= BIT_MASK(REL_WHEEL);
696 	}
697 
698 	input->dev.parent = &session->conn->hcon->dev;
699 
700 	input->event = hidp_input_event;
701 
702 	return 0;
703 }
704 
hidp_open(struct hid_device * hid)705 static int hidp_open(struct hid_device *hid)
706 {
707 	return 0;
708 }
709 
hidp_close(struct hid_device * hid)710 static void hidp_close(struct hid_device *hid)
711 {
712 }
713 
hidp_parse(struct hid_device * hid)714 static int hidp_parse(struct hid_device *hid)
715 {
716 	struct hidp_session *session = hid->driver_data;
717 
718 	return hid_parse_report(session->hid, session->rd_data,
719 			session->rd_size);
720 }
721 
hidp_start(struct hid_device * hid)722 static int hidp_start(struct hid_device *hid)
723 {
724 	return 0;
725 }
726 
hidp_stop(struct hid_device * hid)727 static void hidp_stop(struct hid_device *hid)
728 {
729 	struct hidp_session *session = hid->driver_data;
730 
731 	skb_queue_purge(&session->ctrl_transmit);
732 	skb_queue_purge(&session->intr_transmit);
733 
734 	hid->claimed = 0;
735 }
736 
737 struct hid_ll_driver hidp_hid_driver = {
738 	.parse = hidp_parse,
739 	.start = hidp_start,
740 	.stop = hidp_stop,
741 	.open  = hidp_open,
742 	.close = hidp_close,
743 	.raw_request = hidp_raw_request,
744 	.output_report = hidp_output_report,
745 };
746 EXPORT_SYMBOL_GPL(hidp_hid_driver);
747 
748 /* This function sets up the hid device. It does not add it
749    to the HID system. That is done in hidp_add_connection(). */
hidp_setup_hid(struct hidp_session * session,struct hidp_connadd_req * req)750 static int hidp_setup_hid(struct hidp_session *session,
751 				struct hidp_connadd_req *req)
752 {
753 	struct hid_device *hid;
754 	int err;
755 
756 	session->rd_data = memdup_user(req->rd_data, req->rd_size);
757 	if (IS_ERR(session->rd_data))
758 		return PTR_ERR(session->rd_data);
759 
760 	session->rd_size = req->rd_size;
761 
762 	hid = hid_allocate_device();
763 	if (IS_ERR(hid)) {
764 		err = PTR_ERR(hid);
765 		goto fault;
766 	}
767 
768 	session->hid = hid;
769 
770 	hid->driver_data = session;
771 
772 	hid->bus     = BUS_BLUETOOTH;
773 	hid->vendor  = req->vendor;
774 	hid->product = req->product;
775 	hid->version = req->version;
776 	hid->country = req->country;
777 
778 	strncpy(hid->name, req->name, sizeof(hid->name));
779 
780 	snprintf(hid->phys, sizeof(hid->phys), "%pMR",
781 		 &l2cap_pi(session->ctrl_sock->sk)->chan->src);
782 
783 	/* NOTE: Some device modules depend on the dst address being stored in
784 	 * uniq. Please be aware of this before making changes to this behavior.
785 	 */
786 	snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
787 		 &l2cap_pi(session->ctrl_sock->sk)->chan->dst);
788 
789 	hid->dev.parent = &session->conn->hcon->dev;
790 	hid->ll_driver = &hidp_hid_driver;
791 
792 	/* True if device is blacklisted in drivers/hid/hid-quirks.c */
793 	if (hid_ignore(hid)) {
794 		hid_destroy_device(session->hid);
795 		session->hid = NULL;
796 		return -ENODEV;
797 	}
798 
799 	return 0;
800 
801 fault:
802 	kfree(session->rd_data);
803 	session->rd_data = NULL;
804 
805 	return err;
806 }
807 
808 /* initialize session devices */
hidp_session_dev_init(struct hidp_session * session,struct hidp_connadd_req * req)809 static int hidp_session_dev_init(struct hidp_session *session,
810 				 struct hidp_connadd_req *req)
811 {
812 	int ret;
813 
814 	if (req->rd_size > 0) {
815 		ret = hidp_setup_hid(session, req);
816 		if (ret && ret != -ENODEV)
817 			return ret;
818 	}
819 
820 	if (!session->hid) {
821 		ret = hidp_setup_input(session, req);
822 		if (ret < 0)
823 			return ret;
824 	}
825 
826 	return 0;
827 }
828 
829 /* destroy session devices */
hidp_session_dev_destroy(struct hidp_session * session)830 static void hidp_session_dev_destroy(struct hidp_session *session)
831 {
832 	if (session->hid)
833 		put_device(&session->hid->dev);
834 	else if (session->input)
835 		input_put_device(session->input);
836 
837 	kfree(session->rd_data);
838 	session->rd_data = NULL;
839 }
840 
841 /* add HID/input devices to their underlying bus systems */
hidp_session_dev_add(struct hidp_session * session)842 static int hidp_session_dev_add(struct hidp_session *session)
843 {
844 	int ret;
845 
846 	/* Both HID and input systems drop a ref-count when unregistering the
847 	 * device but they don't take a ref-count when registering them. Work
848 	 * around this by explicitly taking a refcount during registration
849 	 * which is dropped automatically by unregistering the devices. */
850 
851 	if (session->hid) {
852 		ret = hid_add_device(session->hid);
853 		if (ret)
854 			return ret;
855 		get_device(&session->hid->dev);
856 	} else if (session->input) {
857 		ret = input_register_device(session->input);
858 		if (ret)
859 			return ret;
860 		input_get_device(session->input);
861 	}
862 
863 	return 0;
864 }
865 
866 /* remove HID/input devices from their bus systems */
hidp_session_dev_del(struct hidp_session * session)867 static void hidp_session_dev_del(struct hidp_session *session)
868 {
869 	if (session->hid)
870 		hid_destroy_device(session->hid);
871 	else if (session->input)
872 		input_unregister_device(session->input);
873 }
874 
875 /*
876  * Asynchronous device registration
877  * HID device drivers might want to perform I/O during initialization to
878  * detect device types. Therefore, call device registration in a separate
879  * worker so the HIDP thread can schedule I/O operations.
880  * Note that this must be called after the worker thread was initialized
881  * successfully. This will then add the devices and increase session state
882  * on success, otherwise it will terminate the session thread.
883  */
hidp_session_dev_work(struct work_struct * work)884 static void hidp_session_dev_work(struct work_struct *work)
885 {
886 	struct hidp_session *session = container_of(work,
887 						    struct hidp_session,
888 						    dev_init);
889 	int ret;
890 
891 	ret = hidp_session_dev_add(session);
892 	if (!ret)
893 		atomic_inc(&session->state);
894 	else
895 		hidp_session_terminate(session);
896 }
897 
898 /*
899  * Create new session object
900  * Allocate session object, initialize static fields, copy input data into the
901  * object and take a reference to all sub-objects.
902  * This returns 0 on success and puts a pointer to the new session object in
903  * \out. Otherwise, an error code is returned.
904  * The new session object has an initial ref-count of 1.
905  */
hidp_session_new(struct hidp_session ** out,const bdaddr_t * bdaddr,struct socket * ctrl_sock,struct socket * intr_sock,struct hidp_connadd_req * req,struct l2cap_conn * conn)906 static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
907 			    struct socket *ctrl_sock,
908 			    struct socket *intr_sock,
909 			    struct hidp_connadd_req *req,
910 			    struct l2cap_conn *conn)
911 {
912 	struct hidp_session *session;
913 	int ret;
914 	struct bt_sock *ctrl, *intr;
915 
916 	ctrl = bt_sk(ctrl_sock->sk);
917 	intr = bt_sk(intr_sock->sk);
918 
919 	session = kzalloc(sizeof(*session), GFP_KERNEL);
920 	if (!session)
921 		return -ENOMEM;
922 
923 	/* object and runtime management */
924 	kref_init(&session->ref);
925 	atomic_set(&session->state, HIDP_SESSION_IDLING);
926 	init_waitqueue_head(&session->state_queue);
927 	session->flags = req->flags & BIT(HIDP_BLUETOOTH_VENDOR_ID);
928 
929 	/* connection management */
930 	bacpy(&session->bdaddr, bdaddr);
931 	session->conn = l2cap_conn_get(conn);
932 	session->user.probe = hidp_session_probe;
933 	session->user.remove = hidp_session_remove;
934 	INIT_LIST_HEAD(&session->user.list);
935 	session->ctrl_sock = ctrl_sock;
936 	session->intr_sock = intr_sock;
937 	skb_queue_head_init(&session->ctrl_transmit);
938 	skb_queue_head_init(&session->intr_transmit);
939 	session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
940 					l2cap_pi(ctrl)->chan->imtu);
941 	session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
942 					l2cap_pi(intr)->chan->imtu);
943 	session->idle_to = req->idle_to;
944 
945 	/* device management */
946 	INIT_WORK(&session->dev_init, hidp_session_dev_work);
947 	timer_setup(&session->timer, hidp_idle_timeout, 0);
948 
949 	/* session data */
950 	mutex_init(&session->report_mutex);
951 	init_waitqueue_head(&session->report_queue);
952 
953 	ret = hidp_session_dev_init(session, req);
954 	if (ret)
955 		goto err_free;
956 
957 	get_file(session->intr_sock->file);
958 	get_file(session->ctrl_sock->file);
959 	*out = session;
960 	return 0;
961 
962 err_free:
963 	l2cap_conn_put(session->conn);
964 	kfree(session);
965 	return ret;
966 }
967 
968 /* increase ref-count of the given session by one */
hidp_session_get(struct hidp_session * session)969 static void hidp_session_get(struct hidp_session *session)
970 {
971 	kref_get(&session->ref);
972 }
973 
974 /* release callback */
session_free(struct kref * ref)975 static void session_free(struct kref *ref)
976 {
977 	struct hidp_session *session = container_of(ref, struct hidp_session,
978 						    ref);
979 
980 	hidp_session_dev_destroy(session);
981 	skb_queue_purge(&session->ctrl_transmit);
982 	skb_queue_purge(&session->intr_transmit);
983 	fput(session->intr_sock->file);
984 	fput(session->ctrl_sock->file);
985 	l2cap_conn_put(session->conn);
986 	kfree(session);
987 }
988 
989 /* decrease ref-count of the given session by one */
hidp_session_put(struct hidp_session * session)990 static void hidp_session_put(struct hidp_session *session)
991 {
992 	kref_put(&session->ref, session_free);
993 }
994 
995 /*
996  * Search the list of active sessions for a session with target address
997  * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
998  * you do not release this lock, the session objects cannot vanish and you can
999  * safely take a reference to the session yourself.
1000  */
__hidp_session_find(const bdaddr_t * bdaddr)1001 static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
1002 {
1003 	struct hidp_session *session;
1004 
1005 	list_for_each_entry(session, &hidp_session_list, list) {
1006 		if (!bacmp(bdaddr, &session->bdaddr))
1007 			return session;
1008 	}
1009 
1010 	return NULL;
1011 }
1012 
1013 /*
1014  * Same as __hidp_session_find() but no locks must be held. This also takes a
1015  * reference of the returned session (if non-NULL) so you must drop this
1016  * reference if you no longer use the object.
1017  */
hidp_session_find(const bdaddr_t * bdaddr)1018 static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
1019 {
1020 	struct hidp_session *session;
1021 
1022 	down_read(&hidp_session_sem);
1023 
1024 	session = __hidp_session_find(bdaddr);
1025 	if (session)
1026 		hidp_session_get(session);
1027 
1028 	up_read(&hidp_session_sem);
1029 
1030 	return session;
1031 }
1032 
1033 /*
1034  * Start session synchronously
1035  * This starts a session thread and waits until initialization
1036  * is done or returns an error if it couldn't be started.
1037  * If this returns 0 the session thread is up and running. You must call
1038  * hipd_session_stop_sync() before deleting any runtime resources.
1039  */
hidp_session_start_sync(struct hidp_session * session)1040 static int hidp_session_start_sync(struct hidp_session *session)
1041 {
1042 	unsigned int vendor, product;
1043 
1044 	if (session->hid) {
1045 		vendor  = session->hid->vendor;
1046 		product = session->hid->product;
1047 	} else if (session->input) {
1048 		vendor  = session->input->id.vendor;
1049 		product = session->input->id.product;
1050 	} else {
1051 		vendor = 0x0000;
1052 		product = 0x0000;
1053 	}
1054 
1055 	session->task = kthread_run(hidp_session_thread, session,
1056 				    "khidpd_%04x%04x", vendor, product);
1057 	if (IS_ERR(session->task))
1058 		return PTR_ERR(session->task);
1059 
1060 	while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1061 		wait_event(session->state_queue,
1062 			   atomic_read(&session->state) > HIDP_SESSION_IDLING);
1063 
1064 	return 0;
1065 }
1066 
1067 /*
1068  * Terminate session thread
1069  * Wake up session thread and notify it to stop. This is asynchronous and
1070  * returns immediately. Call this whenever a runtime error occurs and you want
1071  * the session to stop.
1072  * Note: wake_up_interruptible() performs any necessary memory-barriers for us.
1073  */
hidp_session_terminate(struct hidp_session * session)1074 static void hidp_session_terminate(struct hidp_session *session)
1075 {
1076 	atomic_inc(&session->terminate);
1077 	wake_up_interruptible(&hidp_session_wq);
1078 }
1079 
1080 /*
1081  * Probe HIDP session
1082  * This is called from the l2cap_conn core when our l2cap_user object is bound
1083  * to the hci-connection. We get the session via the \user object and can now
1084  * start the session thread, link it into the global session list and
1085  * schedule HID/input device registration.
1086  * The global session-list owns its own reference to the session object so you
1087  * can drop your own reference after registering the l2cap_user object.
1088  */
hidp_session_probe(struct l2cap_conn * conn,struct l2cap_user * user)1089 static int hidp_session_probe(struct l2cap_conn *conn,
1090 			      struct l2cap_user *user)
1091 {
1092 	struct hidp_session *session = container_of(user,
1093 						    struct hidp_session,
1094 						    user);
1095 	struct hidp_session *s;
1096 	int ret;
1097 
1098 	down_write(&hidp_session_sem);
1099 
1100 	/* check that no other session for this device exists */
1101 	s = __hidp_session_find(&session->bdaddr);
1102 	if (s) {
1103 		ret = -EEXIST;
1104 		goto out_unlock;
1105 	}
1106 
1107 	if (session->input) {
1108 		ret = hidp_session_dev_add(session);
1109 		if (ret)
1110 			goto out_unlock;
1111 	}
1112 
1113 	ret = hidp_session_start_sync(session);
1114 	if (ret)
1115 		goto out_del;
1116 
1117 	/* HID device registration is async to allow I/O during probe */
1118 	if (session->input)
1119 		atomic_inc(&session->state);
1120 	else
1121 		schedule_work(&session->dev_init);
1122 
1123 	hidp_session_get(session);
1124 	list_add(&session->list, &hidp_session_list);
1125 	ret = 0;
1126 	goto out_unlock;
1127 
1128 out_del:
1129 	if (session->input)
1130 		hidp_session_dev_del(session);
1131 out_unlock:
1132 	up_write(&hidp_session_sem);
1133 	return ret;
1134 }
1135 
1136 /*
1137  * Remove HIDP session
1138  * Called from the l2cap_conn core when either we explicitly unregistered
1139  * the l2cap_user object or if the underlying connection is shut down.
1140  * We signal the hidp-session thread to shut down, unregister the HID/input
1141  * devices and unlink the session from the global list.
1142  * This drops the reference to the session that is owned by the global
1143  * session-list.
1144  * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1145  * This is, because the session-thread might be waiting for an HCI lock that is
1146  * held while we are called. Therefore, we only unregister the devices and
1147  * notify the session-thread to terminate. The thread itself owns a reference
1148  * to the session object so it can safely shut down.
1149  */
hidp_session_remove(struct l2cap_conn * conn,struct l2cap_user * user)1150 static void hidp_session_remove(struct l2cap_conn *conn,
1151 				struct l2cap_user *user)
1152 {
1153 	struct hidp_session *session = container_of(user,
1154 						    struct hidp_session,
1155 						    user);
1156 
1157 	down_write(&hidp_session_sem);
1158 
1159 	hidp_session_terminate(session);
1160 
1161 	cancel_work_sync(&session->dev_init);
1162 	if (session->input ||
1163 	    atomic_read(&session->state) > HIDP_SESSION_PREPARING)
1164 		hidp_session_dev_del(session);
1165 
1166 	list_del(&session->list);
1167 
1168 	up_write(&hidp_session_sem);
1169 
1170 	hidp_session_put(session);
1171 }
1172 
1173 /*
1174  * Session Worker
1175  * This performs the actual main-loop of the HIDP worker. We first check
1176  * whether the underlying connection is still alive, then parse all pending
1177  * messages and finally send all outstanding messages.
1178  */
hidp_session_run(struct hidp_session * session)1179 static void hidp_session_run(struct hidp_session *session)
1180 {
1181 	struct sock *ctrl_sk = session->ctrl_sock->sk;
1182 	struct sock *intr_sk = session->intr_sock->sk;
1183 	struct sk_buff *skb;
1184 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1185 
1186 	add_wait_queue(&hidp_session_wq, &wait);
1187 	for (;;) {
1188 		/*
1189 		 * This thread can be woken up two ways:
1190 		 *  - You call hidp_session_terminate() which sets the
1191 		 *    session->terminate flag and wakes this thread up.
1192 		 *  - Via modifying the socket state of ctrl/intr_sock. This
1193 		 *    thread is woken up by ->sk_state_changed().
1194 		 */
1195 
1196 		/* Ensure session->terminate is updated */
1197 		smp_mb__before_atomic();
1198 		if (atomic_read(&session->terminate))
1199 			break;
1200 
1201 		if (ctrl_sk->sk_state != BT_CONNECTED ||
1202 		    intr_sk->sk_state != BT_CONNECTED)
1203 			break;
1204 
1205 		/* parse incoming intr-skbs */
1206 		while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1207 			skb_orphan(skb);
1208 			if (!skb_linearize(skb))
1209 				hidp_recv_intr_frame(session, skb);
1210 			else
1211 				kfree_skb(skb);
1212 		}
1213 
1214 		/* send pending intr-skbs */
1215 		hidp_process_transmit(session, &session->intr_transmit,
1216 				      session->intr_sock);
1217 
1218 		/* parse incoming ctrl-skbs */
1219 		while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1220 			skb_orphan(skb);
1221 			if (!skb_linearize(skb))
1222 				hidp_recv_ctrl_frame(session, skb);
1223 			else
1224 				kfree_skb(skb);
1225 		}
1226 
1227 		/* send pending ctrl-skbs */
1228 		hidp_process_transmit(session, &session->ctrl_transmit,
1229 				      session->ctrl_sock);
1230 
1231 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
1232 	}
1233 	remove_wait_queue(&hidp_session_wq, &wait);
1234 
1235 	atomic_inc(&session->terminate);
1236 
1237 	/* Ensure session->terminate is updated */
1238 	smp_mb__after_atomic();
1239 }
1240 
hidp_session_wake_function(wait_queue_entry_t * wait,unsigned int mode,int sync,void * key)1241 static int hidp_session_wake_function(wait_queue_entry_t *wait,
1242 				      unsigned int mode,
1243 				      int sync, void *key)
1244 {
1245 	wake_up_interruptible(&hidp_session_wq);
1246 	return false;
1247 }
1248 
1249 /*
1250  * HIDP session thread
1251  * This thread runs the I/O for a single HIDP session. Startup is synchronous
1252  * which allows us to take references to ourself here instead of doing that in
1253  * the caller.
1254  * When we are ready to run we notify the caller and call hidp_session_run().
1255  */
hidp_session_thread(void * arg)1256 static int hidp_session_thread(void *arg)
1257 {
1258 	struct hidp_session *session = arg;
1259 	DEFINE_WAIT_FUNC(ctrl_wait, hidp_session_wake_function);
1260 	DEFINE_WAIT_FUNC(intr_wait, hidp_session_wake_function);
1261 
1262 	BT_DBG("session %p", session);
1263 
1264 	/* initialize runtime environment */
1265 	hidp_session_get(session);
1266 	__module_get(THIS_MODULE);
1267 	set_user_nice(current, -15);
1268 	hidp_set_timer(session);
1269 
1270 	add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1271 	add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1272 	/* This memory barrier is paired with wq_has_sleeper(). See
1273 	 * sock_poll_wait() for more information why this is needed. */
1274 	smp_mb();
1275 
1276 	/* notify synchronous startup that we're ready */
1277 	atomic_inc(&session->state);
1278 	wake_up(&session->state_queue);
1279 
1280 	/* run session */
1281 	hidp_session_run(session);
1282 
1283 	/* cleanup runtime environment */
1284 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1285 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1286 	wake_up_interruptible(&session->report_queue);
1287 	hidp_del_timer(session);
1288 
1289 	/*
1290 	 * If we stopped ourself due to any internal signal, we should try to
1291 	 * unregister our own session here to avoid having it linger until the
1292 	 * parent l2cap_conn dies or user-space cleans it up.
1293 	 * This does not deadlock as we don't do any synchronous shutdown.
1294 	 * Instead, this call has the same semantics as if user-space tried to
1295 	 * delete the session.
1296 	 */
1297 	l2cap_unregister_user(session->conn, &session->user);
1298 	hidp_session_put(session);
1299 
1300 	module_put_and_exit(0);
1301 	return 0;
1302 }
1303 
hidp_verify_sockets(struct socket * ctrl_sock,struct socket * intr_sock)1304 static int hidp_verify_sockets(struct socket *ctrl_sock,
1305 			       struct socket *intr_sock)
1306 {
1307 	struct l2cap_chan *ctrl_chan, *intr_chan;
1308 	struct bt_sock *ctrl, *intr;
1309 	struct hidp_session *session;
1310 
1311 	if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1312 		return -EINVAL;
1313 
1314 	ctrl_chan = l2cap_pi(ctrl_sock->sk)->chan;
1315 	intr_chan = l2cap_pi(intr_sock->sk)->chan;
1316 
1317 	if (bacmp(&ctrl_chan->src, &intr_chan->src) ||
1318 	    bacmp(&ctrl_chan->dst, &intr_chan->dst))
1319 		return -ENOTUNIQ;
1320 
1321 	ctrl = bt_sk(ctrl_sock->sk);
1322 	intr = bt_sk(intr_sock->sk);
1323 
1324 	if (ctrl->sk.sk_state != BT_CONNECTED ||
1325 	    intr->sk.sk_state != BT_CONNECTED)
1326 		return -EBADFD;
1327 
1328 	/* early session check, we check again during session registration */
1329 	session = hidp_session_find(&ctrl_chan->dst);
1330 	if (session) {
1331 		hidp_session_put(session);
1332 		return -EEXIST;
1333 	}
1334 
1335 	return 0;
1336 }
1337 
hidp_connection_add(struct hidp_connadd_req * req,struct socket * ctrl_sock,struct socket * intr_sock)1338 int hidp_connection_add(struct hidp_connadd_req *req,
1339 			struct socket *ctrl_sock,
1340 			struct socket *intr_sock)
1341 {
1342 	u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG) |
1343 			  BIT(HIDP_BOOT_PROTOCOL_MODE);
1344 	struct hidp_session *session;
1345 	struct l2cap_conn *conn;
1346 	struct l2cap_chan *chan;
1347 	int ret;
1348 
1349 	ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1350 	if (ret)
1351 		return ret;
1352 
1353 	if (req->flags & ~valid_flags)
1354 		return -EINVAL;
1355 
1356 	chan = l2cap_pi(ctrl_sock->sk)->chan;
1357 	conn = NULL;
1358 	l2cap_chan_lock(chan);
1359 	if (chan->conn)
1360 		conn = l2cap_conn_get(chan->conn);
1361 	l2cap_chan_unlock(chan);
1362 
1363 	if (!conn)
1364 		return -EBADFD;
1365 
1366 	ret = hidp_session_new(&session, &chan->dst, ctrl_sock,
1367 			       intr_sock, req, conn);
1368 	if (ret)
1369 		goto out_conn;
1370 
1371 	ret = l2cap_register_user(conn, &session->user);
1372 	if (ret)
1373 		goto out_session;
1374 
1375 	ret = 0;
1376 
1377 out_session:
1378 	hidp_session_put(session);
1379 out_conn:
1380 	l2cap_conn_put(conn);
1381 	return ret;
1382 }
1383 
hidp_connection_del(struct hidp_conndel_req * req)1384 int hidp_connection_del(struct hidp_conndel_req *req)
1385 {
1386 	u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG);
1387 	struct hidp_session *session;
1388 
1389 	if (req->flags & ~valid_flags)
1390 		return -EINVAL;
1391 
1392 	session = hidp_session_find(&req->bdaddr);
1393 	if (!session)
1394 		return -ENOENT;
1395 
1396 	if (req->flags & BIT(HIDP_VIRTUAL_CABLE_UNPLUG))
1397 		hidp_send_ctrl_message(session,
1398 				       HIDP_TRANS_HID_CONTROL |
1399 				         HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1400 				       NULL, 0);
1401 	else
1402 		l2cap_unregister_user(session->conn, &session->user);
1403 
1404 	hidp_session_put(session);
1405 
1406 	return 0;
1407 }
1408 
hidp_get_connlist(struct hidp_connlist_req * req)1409 int hidp_get_connlist(struct hidp_connlist_req *req)
1410 {
1411 	struct hidp_session *session;
1412 	int err = 0, n = 0;
1413 
1414 	BT_DBG("");
1415 
1416 	down_read(&hidp_session_sem);
1417 
1418 	list_for_each_entry(session, &hidp_session_list, list) {
1419 		struct hidp_conninfo ci;
1420 
1421 		hidp_copy_session(session, &ci);
1422 
1423 		if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1424 			err = -EFAULT;
1425 			break;
1426 		}
1427 
1428 		if (++n >= req->cnum)
1429 			break;
1430 
1431 		req->ci++;
1432 	}
1433 	req->cnum = n;
1434 
1435 	up_read(&hidp_session_sem);
1436 	return err;
1437 }
1438 
hidp_get_conninfo(struct hidp_conninfo * ci)1439 int hidp_get_conninfo(struct hidp_conninfo *ci)
1440 {
1441 	struct hidp_session *session;
1442 
1443 	session = hidp_session_find(&ci->bdaddr);
1444 	if (session) {
1445 		hidp_copy_session(session, ci);
1446 		hidp_session_put(session);
1447 	}
1448 
1449 	return session ? 0 : -ENOENT;
1450 }
1451 
hidp_init(void)1452 static int __init hidp_init(void)
1453 {
1454 	BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1455 
1456 	return hidp_init_sockets();
1457 }
1458 
hidp_exit(void)1459 static void __exit hidp_exit(void)
1460 {
1461 	hidp_cleanup_sockets();
1462 }
1463 
1464 module_init(hidp_init);
1465 module_exit(hidp_exit);
1466 
1467 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1468 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1469 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1470 MODULE_VERSION(VERSION);
1471 MODULE_LICENSE("GPL");
1472 MODULE_ALIAS("bt-proto-6");
1473