1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * vboxguest linux pci driver, char-dev and input-device code,
4  *
5  * Copyright (C) 2006-2016 Oracle Corporation
6  */
7 
8 #include <linux/cred.h>
9 #include <linux/input.h>
10 #include <linux/kernel.h>
11 #include <linux/miscdevice.h>
12 #include <linux/module.h>
13 #include <linux/pci.h>
14 #include <linux/poll.h>
15 #include <linux/vbox_utils.h>
16 #include "vboxguest_core.h"
17 
18 /** The device name. */
19 #define DEVICE_NAME		"vboxguest"
20 /** The device name for the device node open to everyone. */
21 #define DEVICE_NAME_USER	"vboxuser"
22 /** VirtualBox PCI vendor ID. */
23 #define VBOX_VENDORID		0x80ee
24 /** VMMDev PCI card product ID. */
25 #define VMMDEV_DEVICEID		0xcafe
26 
27 /** Mutex protecting the global vbg_gdev pointer used by vbg_get/put_gdev. */
28 static DEFINE_MUTEX(vbg_gdev_mutex);
29 /** Global vbg_gdev pointer used by vbg_get/put_gdev. */
30 static struct vbg_dev *vbg_gdev;
31 
vbg_misc_device_requestor(struct inode * inode)32 static u32 vbg_misc_device_requestor(struct inode *inode)
33 {
34 	u32 requestor = VMMDEV_REQUESTOR_USERMODE |
35 			VMMDEV_REQUESTOR_CON_DONT_KNOW |
36 			VMMDEV_REQUESTOR_TRUST_NOT_GIVEN;
37 
38 	if (from_kuid(current_user_ns(), current_uid()) == 0)
39 		requestor |= VMMDEV_REQUESTOR_USR_ROOT;
40 	else
41 		requestor |= VMMDEV_REQUESTOR_USR_USER;
42 
43 	if (in_egroup_p(inode->i_gid))
44 		requestor |= VMMDEV_REQUESTOR_GRP_VBOX;
45 
46 	return requestor;
47 }
48 
vbg_misc_device_open(struct inode * inode,struct file * filp)49 static int vbg_misc_device_open(struct inode *inode, struct file *filp)
50 {
51 	struct vbg_session *session;
52 	struct vbg_dev *gdev;
53 
54 	/* misc_open sets filp->private_data to our misc device */
55 	gdev = container_of(filp->private_data, struct vbg_dev, misc_device);
56 
57 	session = vbg_core_open_session(gdev, vbg_misc_device_requestor(inode));
58 	if (IS_ERR(session))
59 		return PTR_ERR(session);
60 
61 	filp->private_data = session;
62 	return 0;
63 }
64 
vbg_misc_device_user_open(struct inode * inode,struct file * filp)65 static int vbg_misc_device_user_open(struct inode *inode, struct file *filp)
66 {
67 	struct vbg_session *session;
68 	struct vbg_dev *gdev;
69 
70 	/* misc_open sets filp->private_data to our misc device */
71 	gdev = container_of(filp->private_data, struct vbg_dev,
72 			    misc_device_user);
73 
74 	session = vbg_core_open_session(gdev, vbg_misc_device_requestor(inode) |
75 					      VMMDEV_REQUESTOR_USER_DEVICE);
76 	if (IS_ERR(session))
77 		return PTR_ERR(session);
78 
79 	filp->private_data = session;
80 	return 0;
81 }
82 
83 /**
84  * Close device.
85  * Return: 0 on success, negated errno on failure.
86  * @inode:		Pointer to inode info structure.
87  * @filp:		Associated file pointer.
88  */
vbg_misc_device_close(struct inode * inode,struct file * filp)89 static int vbg_misc_device_close(struct inode *inode, struct file *filp)
90 {
91 	vbg_core_close_session(filp->private_data);
92 	filp->private_data = NULL;
93 	return 0;
94 }
95 
96 /**
97  * Device I/O Control entry point.
98  * Return: 0 on success, negated errno on failure.
99  * @filp:		Associated file pointer.
100  * @req:		The request specified to ioctl().
101  * @arg:		The argument specified to ioctl().
102  */
vbg_misc_device_ioctl(struct file * filp,unsigned int req,unsigned long arg)103 static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
104 				  unsigned long arg)
105 {
106 	struct vbg_session *session = filp->private_data;
107 	size_t returned_size, size;
108 	struct vbg_ioctl_hdr hdr;
109 	bool is_vmmdev_req;
110 	int ret = 0;
111 	void *buf;
112 
113 	if (copy_from_user(&hdr, (void *)arg, sizeof(hdr)))
114 		return -EFAULT;
115 
116 	if (hdr.version != VBG_IOCTL_HDR_VERSION)
117 		return -EINVAL;
118 
119 	if (hdr.size_in < sizeof(hdr) ||
120 	    (hdr.size_out && hdr.size_out < sizeof(hdr)))
121 		return -EINVAL;
122 
123 	size = max(hdr.size_in, hdr.size_out);
124 	if (_IOC_SIZE(req) && _IOC_SIZE(req) != size)
125 		return -EINVAL;
126 	if (size > SZ_16M)
127 		return -E2BIG;
128 
129 	/*
130 	 * IOCTL_VMMDEV_REQUEST needs the buffer to be below 4G to avoid
131 	 * the need for a bounce-buffer and another copy later on.
132 	 */
133 	is_vmmdev_req = (req & ~IOCSIZE_MASK) == VBG_IOCTL_VMMDEV_REQUEST(0) ||
134 			 req == VBG_IOCTL_VMMDEV_REQUEST_BIG ||
135 			 req == VBG_IOCTL_VMMDEV_REQUEST_BIG_ALT;
136 
137 	if (is_vmmdev_req)
138 		buf = vbg_req_alloc(size, VBG_IOCTL_HDR_TYPE_DEFAULT,
139 				    session->requestor);
140 	else
141 		buf = kmalloc(size, GFP_KERNEL);
142 	if (!buf)
143 		return -ENOMEM;
144 
145 	*((struct vbg_ioctl_hdr *)buf) = hdr;
146 	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
147 			   hdr.size_in - sizeof(hdr))) {
148 		ret = -EFAULT;
149 		goto out;
150 	}
151 	if (hdr.size_in < size)
152 		memset(buf + hdr.size_in, 0, size -  hdr.size_in);
153 
154 	ret = vbg_core_ioctl(session, req, buf);
155 	if (ret)
156 		goto out;
157 
158 	returned_size = ((struct vbg_ioctl_hdr *)buf)->size_out;
159 	if (returned_size > size) {
160 		vbg_debug("%s: too much output data %zu > %zu\n",
161 			  __func__, returned_size, size);
162 		returned_size = size;
163 	}
164 	if (copy_to_user((void *)arg, buf, returned_size) != 0)
165 		ret = -EFAULT;
166 
167 out:
168 	if (is_vmmdev_req)
169 		vbg_req_free(buf, size);
170 	else
171 		kfree(buf);
172 
173 	return ret;
174 }
175 
176 /** The file_operations structures. */
177 static const struct file_operations vbg_misc_device_fops = {
178 	.owner			= THIS_MODULE,
179 	.open			= vbg_misc_device_open,
180 	.release		= vbg_misc_device_close,
181 	.unlocked_ioctl		= vbg_misc_device_ioctl,
182 #ifdef CONFIG_COMPAT
183 	.compat_ioctl		= vbg_misc_device_ioctl,
184 #endif
185 };
186 static const struct file_operations vbg_misc_device_user_fops = {
187 	.owner			= THIS_MODULE,
188 	.open			= vbg_misc_device_user_open,
189 	.release		= vbg_misc_device_close,
190 	.unlocked_ioctl		= vbg_misc_device_ioctl,
191 #ifdef CONFIG_COMPAT
192 	.compat_ioctl		= vbg_misc_device_ioctl,
193 #endif
194 };
195 
196 /**
197  * Called when the input device is first opened.
198  *
199  * Sets up absolute mouse reporting.
200  */
vbg_input_open(struct input_dev * input)201 static int vbg_input_open(struct input_dev *input)
202 {
203 	struct vbg_dev *gdev = input_get_drvdata(input);
204 	u32 feat = VMMDEV_MOUSE_GUEST_CAN_ABSOLUTE | VMMDEV_MOUSE_NEW_PROTOCOL;
205 
206 	return vbg_core_set_mouse_status(gdev, feat);
207 }
208 
209 /**
210  * Called if all open handles to the input device are closed.
211  *
212  * Disables absolute reporting.
213  */
vbg_input_close(struct input_dev * input)214 static void vbg_input_close(struct input_dev *input)
215 {
216 	struct vbg_dev *gdev = input_get_drvdata(input);
217 
218 	vbg_core_set_mouse_status(gdev, 0);
219 }
220 
221 /**
222  * Creates the kernel input device.
223  *
224  * Return: 0 on success, negated errno on failure.
225  */
vbg_create_input_device(struct vbg_dev * gdev)226 static int vbg_create_input_device(struct vbg_dev *gdev)
227 {
228 	struct input_dev *input;
229 
230 	input = devm_input_allocate_device(gdev->dev);
231 	if (!input)
232 		return -ENOMEM;
233 
234 	input->id.bustype = BUS_PCI;
235 	input->id.vendor = VBOX_VENDORID;
236 	input->id.product = VMMDEV_DEVICEID;
237 	input->open = vbg_input_open;
238 	input->close = vbg_input_close;
239 	input->dev.parent = gdev->dev;
240 	input->name = "VirtualBox mouse integration";
241 
242 	input_set_abs_params(input, ABS_X, VMMDEV_MOUSE_RANGE_MIN,
243 			     VMMDEV_MOUSE_RANGE_MAX, 0, 0);
244 	input_set_abs_params(input, ABS_Y, VMMDEV_MOUSE_RANGE_MIN,
245 			     VMMDEV_MOUSE_RANGE_MAX, 0, 0);
246 	input_set_capability(input, EV_KEY, BTN_MOUSE);
247 	input_set_drvdata(input, gdev);
248 
249 	gdev->input = input;
250 
251 	return input_register_device(gdev->input);
252 }
253 
host_version_show(struct device * dev,struct device_attribute * attr,char * buf)254 static ssize_t host_version_show(struct device *dev,
255 				 struct device_attribute *attr, char *buf)
256 {
257 	struct vbg_dev *gdev = dev_get_drvdata(dev);
258 
259 	return sprintf(buf, "%s\n", gdev->host_version);
260 }
261 
host_features_show(struct device * dev,struct device_attribute * attr,char * buf)262 static ssize_t host_features_show(struct device *dev,
263 				 struct device_attribute *attr, char *buf)
264 {
265 	struct vbg_dev *gdev = dev_get_drvdata(dev);
266 
267 	return sprintf(buf, "%#x\n", gdev->host_features);
268 }
269 
270 static DEVICE_ATTR_RO(host_version);
271 static DEVICE_ATTR_RO(host_features);
272 
273 /**
274  * Does the PCI detection and init of the device.
275  *
276  * Return: 0 on success, negated errno on failure.
277  */
vbg_pci_probe(struct pci_dev * pci,const struct pci_device_id * id)278 static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
279 {
280 	struct device *dev = &pci->dev;
281 	resource_size_t io, io_len, mmio, mmio_len;
282 	struct vmmdev_memory *vmmdev;
283 	struct vbg_dev *gdev;
284 	int ret;
285 
286 	gdev = devm_kzalloc(dev, sizeof(*gdev), GFP_KERNEL);
287 	if (!gdev)
288 		return -ENOMEM;
289 
290 	ret = pci_enable_device(pci);
291 	if (ret != 0) {
292 		vbg_err("vboxguest: Error enabling device: %d\n", ret);
293 		return ret;
294 	}
295 
296 	ret = -ENODEV;
297 
298 	io = pci_resource_start(pci, 0);
299 	io_len = pci_resource_len(pci, 0);
300 	if (!io || !io_len) {
301 		vbg_err("vboxguest: Error IO-port resource (0) is missing\n");
302 		goto err_disable_pcidev;
303 	}
304 	if (devm_request_region(dev, io, io_len, DEVICE_NAME) == NULL) {
305 		vbg_err("vboxguest: Error could not claim IO resource\n");
306 		ret = -EBUSY;
307 		goto err_disable_pcidev;
308 	}
309 
310 	mmio = pci_resource_start(pci, 1);
311 	mmio_len = pci_resource_len(pci, 1);
312 	if (!mmio || !mmio_len) {
313 		vbg_err("vboxguest: Error MMIO resource (1) is missing\n");
314 		goto err_disable_pcidev;
315 	}
316 
317 	if (devm_request_mem_region(dev, mmio, mmio_len, DEVICE_NAME) == NULL) {
318 		vbg_err("vboxguest: Error could not claim MMIO resource\n");
319 		ret = -EBUSY;
320 		goto err_disable_pcidev;
321 	}
322 
323 	vmmdev = devm_ioremap(dev, mmio, mmio_len);
324 	if (!vmmdev) {
325 		vbg_err("vboxguest: Error ioremap failed; MMIO addr=%pap size=%pap\n",
326 			&mmio, &mmio_len);
327 		goto err_disable_pcidev;
328 	}
329 
330 	/* Validate MMIO region version and size. */
331 	if (vmmdev->version != VMMDEV_MEMORY_VERSION ||
332 	    vmmdev->size < 32 || vmmdev->size > mmio_len) {
333 		vbg_err("vboxguest: Bogus VMMDev memory; version=%08x (expected %08x) size=%d (expected <= %d)\n",
334 			vmmdev->version, VMMDEV_MEMORY_VERSION,
335 			vmmdev->size, (int)mmio_len);
336 		goto err_disable_pcidev;
337 	}
338 
339 	gdev->io_port = io;
340 	gdev->mmio = vmmdev;
341 	gdev->dev = dev;
342 	gdev->misc_device.minor = MISC_DYNAMIC_MINOR;
343 	gdev->misc_device.name = DEVICE_NAME;
344 	gdev->misc_device.fops = &vbg_misc_device_fops;
345 	gdev->misc_device_user.minor = MISC_DYNAMIC_MINOR;
346 	gdev->misc_device_user.name = DEVICE_NAME_USER;
347 	gdev->misc_device_user.fops = &vbg_misc_device_user_fops;
348 
349 	ret = vbg_core_init(gdev, VMMDEV_EVENT_MOUSE_POSITION_CHANGED);
350 	if (ret)
351 		goto err_disable_pcidev;
352 
353 	ret = vbg_create_input_device(gdev);
354 	if (ret) {
355 		vbg_err("vboxguest: Error creating input device: %d\n", ret);
356 		goto err_vbg_core_exit;
357 	}
358 
359 	ret = devm_request_irq(dev, pci->irq, vbg_core_isr, IRQF_SHARED,
360 			       DEVICE_NAME, gdev);
361 	if (ret) {
362 		vbg_err("vboxguest: Error requesting irq: %d\n", ret);
363 		goto err_vbg_core_exit;
364 	}
365 
366 	ret = misc_register(&gdev->misc_device);
367 	if (ret) {
368 		vbg_err("vboxguest: Error misc_register %s failed: %d\n",
369 			DEVICE_NAME, ret);
370 		goto err_vbg_core_exit;
371 	}
372 
373 	ret = misc_register(&gdev->misc_device_user);
374 	if (ret) {
375 		vbg_err("vboxguest: Error misc_register %s failed: %d\n",
376 			DEVICE_NAME_USER, ret);
377 		goto err_unregister_misc_device;
378 	}
379 
380 	mutex_lock(&vbg_gdev_mutex);
381 	if (!vbg_gdev)
382 		vbg_gdev = gdev;
383 	else
384 		ret = -EBUSY;
385 	mutex_unlock(&vbg_gdev_mutex);
386 
387 	if (ret) {
388 		vbg_err("vboxguest: Error more then 1 vbox guest pci device\n");
389 		goto err_unregister_misc_device_user;
390 	}
391 
392 	pci_set_drvdata(pci, gdev);
393 	device_create_file(dev, &dev_attr_host_version);
394 	device_create_file(dev, &dev_attr_host_features);
395 
396 	vbg_info("vboxguest: misc device minor %d, IRQ %d, I/O port %x, MMIO at %pap (size %pap)\n",
397 		 gdev->misc_device.minor, pci->irq, gdev->io_port,
398 		 &mmio, &mmio_len);
399 
400 	return 0;
401 
402 err_unregister_misc_device_user:
403 	misc_deregister(&gdev->misc_device_user);
404 err_unregister_misc_device:
405 	misc_deregister(&gdev->misc_device);
406 err_vbg_core_exit:
407 	vbg_core_exit(gdev);
408 err_disable_pcidev:
409 	pci_disable_device(pci);
410 
411 	return ret;
412 }
413 
vbg_pci_remove(struct pci_dev * pci)414 static void vbg_pci_remove(struct pci_dev *pci)
415 {
416 	struct vbg_dev *gdev = pci_get_drvdata(pci);
417 
418 	mutex_lock(&vbg_gdev_mutex);
419 	vbg_gdev = NULL;
420 	mutex_unlock(&vbg_gdev_mutex);
421 
422 	device_remove_file(gdev->dev, &dev_attr_host_features);
423 	device_remove_file(gdev->dev, &dev_attr_host_version);
424 	misc_deregister(&gdev->misc_device_user);
425 	misc_deregister(&gdev->misc_device);
426 	vbg_core_exit(gdev);
427 	pci_disable_device(pci);
428 }
429 
vbg_get_gdev(void)430 struct vbg_dev *vbg_get_gdev(void)
431 {
432 	mutex_lock(&vbg_gdev_mutex);
433 
434 	/*
435 	 * Note on success we keep the mutex locked until vbg_put_gdev(),
436 	 * this stops vbg_pci_remove from removing the device from underneath
437 	 * vboxsf. vboxsf will only hold a reference for a short while.
438 	 */
439 	if (vbg_gdev)
440 		return vbg_gdev;
441 
442 	mutex_unlock(&vbg_gdev_mutex);
443 	return ERR_PTR(-ENODEV);
444 }
445 EXPORT_SYMBOL(vbg_get_gdev);
446 
vbg_put_gdev(struct vbg_dev * gdev)447 void vbg_put_gdev(struct vbg_dev *gdev)
448 {
449 	WARN_ON(gdev != vbg_gdev);
450 	mutex_unlock(&vbg_gdev_mutex);
451 }
452 EXPORT_SYMBOL(vbg_put_gdev);
453 
454 /**
455  * Callback for mouse events.
456  *
457  * This is called at the end of the ISR, after leaving the event spinlock, if
458  * VMMDEV_EVENT_MOUSE_POSITION_CHANGED was raised by the host.
459  *
460  * @gdev:		The device extension.
461  */
vbg_linux_mouse_event(struct vbg_dev * gdev)462 void vbg_linux_mouse_event(struct vbg_dev *gdev)
463 {
464 	int rc;
465 
466 	/* Report events to the kernel input device */
467 	gdev->mouse_status_req->mouse_features = 0;
468 	gdev->mouse_status_req->pointer_pos_x = 0;
469 	gdev->mouse_status_req->pointer_pos_y = 0;
470 	rc = vbg_req_perform(gdev, gdev->mouse_status_req);
471 	if (rc >= 0) {
472 		input_report_abs(gdev->input, ABS_X,
473 				 gdev->mouse_status_req->pointer_pos_x);
474 		input_report_abs(gdev->input, ABS_Y,
475 				 gdev->mouse_status_req->pointer_pos_y);
476 		input_sync(gdev->input);
477 	}
478 }
479 
480 static const struct pci_device_id vbg_pci_ids[] = {
481 	{ .vendor = VBOX_VENDORID, .device = VMMDEV_DEVICEID },
482 	{}
483 };
484 MODULE_DEVICE_TABLE(pci,  vbg_pci_ids);
485 
486 static struct pci_driver vbg_pci_driver = {
487 	.name		= DEVICE_NAME,
488 	.id_table	= vbg_pci_ids,
489 	.probe		= vbg_pci_probe,
490 	.remove		= vbg_pci_remove,
491 };
492 
493 module_pci_driver(vbg_pci_driver);
494 
495 MODULE_AUTHOR("Oracle Corporation");
496 MODULE_DESCRIPTION("Oracle VM VirtualBox Guest Additions for Linux Module");
497 MODULE_LICENSE("GPL");
498