HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
1 /*
2  * HID raw devices, giving access to raw HID events.
3  *
 * In comparison to hiddev, this device does not process the
 * HID events at all (no parsing, no lookups). This lets applications
 * work on raw HID events as they want to, and avoids the need to
 * use transport-specific userspace libhid/libusb libraries.
8  *
9  *  Copyright (c) 2007 Jiri Kosina
10  */
11
12 /*
13  * This program is free software; you can redistribute it and/or modify it
14  * under the terms and conditions of the GNU General Public License,
15  * version 2, as published by the Free Software Foundation.
16  *
17  * You should have received a copy of the GNU General Public License along with
18  * this program; if not, write to the Free Software Foundation, Inc.,
19  * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
20  */
21
22 #include <linux/fs.h>
23 #include <linux/module.h>
24 #include <linux/errno.h>
25 #include <linux/kernel.h>
26 #include <linux/init.h>
27 #include <linux/cdev.h>
28 #include <linux/poll.h>
29 #include <linux/device.h>
30 #include <linux/major.h>
31 #include <linux/slab.h>
32 #include <linux/hid.h>
33 #include <linux/mutex.h>
34 #include <linux/sched.h>
35 #include <linux/smp_lock.h>
36
37 #include <linux/hidraw.h>
38
/* Major number handed out by alloc_chrdev_region() in hidraw_init(). */
static int hidraw_major;
static struct cdev hidraw_cdev;
static struct class *hidraw_class;
/*
 * Minor -> device map.  An entry is NULL while the minor is free; it is set
 * by hidraw_connect() and cleared again by hidraw_disconnect().  Readers and
 * writers of this table are expected to hold minors_lock.
 */
static struct hidraw *hidraw_table[HIDRAW_MAX_DEVICES];
static DEFINE_MUTEX(minors_lock);
44
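/*
 * Hand the oldest queued report to user space.
 *
 * Blocks until a report is queued unless the file is O_NONBLOCK, the caller
 * is interrupted, or the device is gone (list->hidraw->exist is cleared by
 * hidraw_disconnect()).  At most one report is returned per call; a report
 * longer than @count is truncated and the remainder is discarded.
 *
 * Returns the number of bytes copied, or -EAGAIN / -ERESTARTSYS / -EIO /
 * -EFAULT.  A zero-length read returns 0 without consuming anything (the
 * previous loop would silently free queued reports until the ring was empty).
 */
static ssize_t hidraw_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos)
{
	struct hidraw_list *list = file->private_data;
	int ret = 0, len;
	DECLARE_WAITQUEUE(wait, current);

	if (!count)
		return 0;

	mutex_lock(&list->read_mutex);

	while (ret == 0) {
		if (list->head == list->tail) {
			add_wait_queue(&list->hidraw->wait, &wait);
			set_current_state(TASK_INTERRUPTIBLE);

			while (list->head == list->tail) {
				if (file->f_flags & O_NONBLOCK) {
					ret = -EAGAIN;
					break;
				}
				if (signal_pending(current)) {
					ret = -ERESTARTSYS;
					break;
				}
				if (!list->hidraw->exist) {
					ret = -EIO;
					break;
				}

				/* allow O_NONBLOCK to work well from other threads */
				mutex_unlock(&list->read_mutex);
				schedule();
				mutex_lock(&list->read_mutex);
				set_current_state(TASK_INTERRUPTIBLE);
			}

			set_current_state(TASK_RUNNING);
			remove_wait_queue(&list->hidraw->wait, &wait);
		}

		if (ret)
			goto out;

		/*
		 * A slot's value is NULL when the producer's kmemdup() failed.
		 * Never hand that to copy_to_user(); retire the slot and move on.
		 */
		if (!list->buffer[list->tail].value) {
			list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1);
			continue;
		}

		len = list->buffer[list->tail].len > count ?
			count : list->buffer[list->tail].len;

		if (copy_to_user(buffer, list->buffer[list->tail].value, len)) {
			ret = -EFAULT;
			goto out;
		}
		ret += len;

		kfree(list->buffer[list->tail].value);
		/* Clear the dangling pointer so a stale slot can never be freed twice. */
		list->buffer[list->tail].value = NULL;
		list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1);
	}
out:
	mutex_unlock(&list->read_mutex);
	return ret;
}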
102
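/*
 * Send an output report to the device.
 *
 * @buffer is untrusted user data: the first byte is expected to be the
 * report number, and the total length is bounded by HID_MAX_BUFFER_SIZE
 * before anything is copied in.  The device is resolved through the file's
 * own hidraw_list instead of hidraw_table[minor], so a device that has been
 * disconnected (or whose minor has since been reused by another device) is
 * rejected with -ENODEV instead of dereferencing a NULL table entry.
 *
 * Returns the low-level driver's result, or -ENODEV / -EINVAL / -ENOMEM /
 * -EFAULT.
 */
static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos)
{
	struct hidraw_list *list = file->private_data;
	struct hid_device *dev;
	__u8 *buf;
	int ret = 0;

	mutex_lock(&minors_lock);

	/* list->hidraw stays allocated until release(); exist drops on disconnect. */
	if (!list->hidraw->exist) {
		ret = -ENODEV;
		goto out;
	}
	dev = list->hidraw->hid;

	if (!dev->hid_output_raw_report) {
		ret = -ENODEV;
		goto out;
	}

	/* Rate-limit the warnings: any process with access to the node can
	 * trigger them at will and would otherwise flood the kernel log. */
	if (count > HID_MAX_BUFFER_SIZE) {
		if (printk_ratelimit())
			printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
					task_pid_nr(current));
		ret = -EINVAL;
		goto out;
	}

	if (count < 2) {
		if (printk_ratelimit())
			printk(KERN_WARNING "hidraw: pid %d passed too short report\n",
					task_pid_nr(current));
		ret = -EINVAL;
		goto out;
	}

	buf = kmalloc(count, GFP_KERNEL);
	if (!buf) {
		ret = -ENOMEM;
		goto out;
	}

	if (copy_from_user(buf, buffer, count)) {
		ret = -EFAULT;
		goto out_free;
	}

	ret = dev->hid_output_raw_report(dev, buf, count, HID_OUTPUT_REPORT);
out_free:
	kfree(buf);
out:
	mutex_unlock(&minors_lock);
	return ret;
}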
151
/*
 * poll()/select() support: readable when a report is queued, error+hangup
 * once the device has been disconnected and the queue is drained.
 */
static unsigned int hidraw_poll(struct file *file, poll_table *wait)
{
	struct hidraw_list *list = file->private_data;
	unsigned int mask = 0;

	poll_wait(file, &list->hidraw->wait, wait);

	if (list->head != list->tail)
		mask = POLLIN | POLLRDNORM;
	else if (!list->hidraw->exist)
		mask = POLLERR | POLLHUP;

	return mask;
}
163
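/*
 * Open /dev/hidrawN.
 *
 * Allocates a per-fd reader (struct hidraw_list), powers up and opens the
 * low-level transport on the first open, and only then links the reader
 * into dev->list and publishes it via file->private_data.  Doing the
 * publish last fixes two leaks in the old ordering: on a power() failure
 * the reader stayed on dev->list and dev->open stayed incremented (so the
 * device could never be closed), and on an open() failure the reader was
 * likewise left on the list and never freed, since the VFS does not call
 * ->release for a failed open.
 *
 * Note that hidraw_report_event() walks dev->list without taking
 * minors_lock; the list_add_tail() here is serialized only against other
 * open/close callers, as before.
 *
 * Returns 0 or a negative errno (-ENOMEM, -ENODEV, or the transport's error).
 */
static int hidraw_open(struct inode *inode, struct file *file)
{
	unsigned int minor = iminor(inode);
	struct hidraw *dev;
	struct hidraw_list *list;
	int err;

	list = kzalloc(sizeof(*list), GFP_KERNEL);
	if (!list)
		return -ENOMEM;

	mutex_lock(&minors_lock);
	dev = hidraw_table[minor];
	if (!dev) {
		err = -ENODEV;
		goto out_unlock;
	}

	if (!dev->open++) {
		if (dev->hid->ll_driver->power) {
			err = dev->hid->ll_driver->power(dev->hid, PM_HINT_FULLON);
			if (err < 0)
				goto out_undo_open;
		}
		err = dev->hid->ll_driver->open(dev->hid);
		if (err < 0) {
			if (dev->hid->ll_driver->power)
				dev->hid->ll_driver->power(dev->hid, PM_HINT_NORMAL);
			goto out_undo_open;
		}
	}

	/* Everything succeeded: make the reader visible. */
	list->hidraw = dev;
	mutex_init(&list->read_mutex);
	list_add_tail(&list->node, &dev->list);
	file->private_data = list;

	mutex_unlock(&minors_lock);
	return 0;

out_undo_open:
	dev->open--;
out_unlock:
	mutex_unlock(&minors_lock);
	kfree(list);
	return err;
}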
209
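/*
 * Close /dev/hidrawN.
 *
 * The device is taken from the reader's own list->hidraw, not from
 * hidraw_table[minor]: after hidraw_disconnect() the table slot is NULL
 * (the old code then returned -ENODEV and leaked both the reader and the
 * struct hidraw it was supposed to free), and if a new device has since
 * claimed the same minor the old code would have decremented and possibly
 * closed the *wrong* device.
 *
 * On the last close of a still-connected device the transport is returned
 * to normal power and closed; if the device is already gone this is the
 * last reference and the struct hidraw is freed here.  Any reports still
 * queued for this reader are freed rather than leaked.
 *
 * minors_lock serializes the open-count update against hidraw_open().
 * hidraw_report_event() walks dev->list without that lock, as before.
 *
 * Always returns 0.
 */
static int hidraw_release(struct inode *inode, struct file *file)
{
	struct hidraw_list *list = file->private_data;
	struct hidraw *dev = list->hidraw;

	mutex_lock(&minors_lock);

	list_del(&list->node);

	if (!--dev->open) {
		if (dev->exist) {
			if (dev->hid->ll_driver->power)
				dev->hid->ll_driver->power(dev->hid, PM_HINT_NORMAL);
			dev->hid->ll_driver->close(dev->hid);
		} else {
			/* hidraw_disconnect() already ran; we held the last reference. */
			kfree(dev);
		}
	}

	mutex_unlock(&minors_lock);

	/* Drop reports nobody will read (kfree(NULL) is a no-op). */
	while (list->tail != list->head) {
		kfree(list->buffer[list->tail].value);
		list->buffer[list->tail].value = NULL;
		list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1);
	}

	kfree(list);
	return 0;
}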
235
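/*
 * Copy a NUL-terminated kernel string into a user buffer whose size is
 * encoded in the ioctl number.  The copy is truncated to _IOC_SIZE(cmd);
 * when truncated the user copy is NOT NUL-terminated, so callers must
 * rely on the returned length.
 *
 * Returns the number of bytes copied (including the NUL when it fits),
 * 0 when the string is absent, or -EFAULT.
 */
static long hidraw_copy_string(const char *str, unsigned int cmd,
			       void __user *user_arg)
{
	int len;

	if (!str)
		return 0;

	len = strlen(str) + 1;
	if (len > _IOC_SIZE(cmd))
		len = _IOC_SIZE(cmd);

	return copy_to_user(user_arg, str, len) ? -EFAULT : len;
}

/*
 * ioctl() handler.
 *
 * Supported requests: HIDIOCGRDESCSIZE, HIDIOCGRDESC, HIDIOCGRAWINFO, and
 * the size-parameterised HIDIOCGRAWNAME / HIDIOCGRAWPHYS.  Every size used
 * to bound a copy comes from the (untrusted) ioctl number or from user
 * memory and is clamped before use.
 *
 * The device is looked up in hidraw_table[] under minors_lock and a NULL
 * slot (device disconnected) yields -ENODEV instead of a NULL dereference.
 *
 * Returns 0 or a copied length on success; -ENODEV, -EFAULT, -EINVAL or
 * -ENOTTY otherwise.
 */
static long hidraw_ioctl(struct file *file, unsigned int cmd,
							unsigned long arg)
{
	struct inode *inode = file->f_path.dentry->d_inode;
	unsigned int minor = iminor(inode);
	long ret = 0;
	struct hidraw *dev;
	void __user *user_arg = (void __user *)arg;

	mutex_lock(&minors_lock);
	dev = hidraw_table[minor];
	if (!dev) {
		ret = -ENODEV;
		goto out;
	}

	switch (cmd) {
	case HIDIOCGRDESCSIZE:
		if (put_user(dev->hid->rsize, (int __user *)arg))
			ret = -EFAULT;
		break;

	case HIDIOCGRDESC: {
		__u32 len;

		/* The first field of struct hidraw_report_descriptor is the
		 * user's buffer size; clamp it before copying the descriptor. */
		if (get_user(len, (int __user *)arg)) {
			ret = -EFAULT;
			break;
		}
		if (len > HID_MAX_DESCRIPTOR_SIZE - 1) {
			ret = -EINVAL;
			break;
		}
		if (copy_to_user(user_arg + offsetof(
					struct hidraw_report_descriptor, value[0]),
				 dev->hid->rdesc,
				 min(dev->hid->rsize, len)))
			ret = -EFAULT;
		break;
	}

	case HIDIOCGRAWINFO: {
		struct hidraw_devinfo dinfo;

		/* Zero first: the struct layout is not visible here, and any
		 * padding would otherwise leak kernel stack to user space. */
		memset(&dinfo, 0, sizeof(dinfo));
		dinfo.bustype = dev->hid->bus;
		dinfo.vendor = dev->hid->vendor;
		dinfo.product = dev->hid->product;
		if (copy_to_user(user_arg, &dinfo, sizeof(dinfo)))
			ret = -EFAULT;
		break;
	}

	default:
		/* Only read-direction 'H' requests carry a caller-chosen size. */
		if (_IOC_TYPE(cmd) != 'H' || _IOC_DIR(cmd) != _IOC_READ) {
			ret = -EINVAL;
			break;
		}

		if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGRAWNAME(0)))
			ret = hidraw_copy_string(dev->hid->name, cmd, user_arg);
		else if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGRAWPHYS(0)))
			ret = hidraw_copy_string(dev->hid->phys, cmd, user_arg);
		else
			ret = -ENOTTY;
		break;
	}
out:
	mutex_unlock(&minors_lock);
	return ret;
}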
328
/* Character-device entry points for /dev/hidrawN (installed by hidraw_init()). */
static const struct file_operations hidraw_ops = {
	.owner =        THIS_MODULE,
	.read =         hidraw_read,
	.write =        hidraw_write,
	.poll =         hidraw_poll,
	.open =         hidraw_open,
	.release =      hidraw_release,
	.unlocked_ioctl = hidraw_ioctl,
};
338
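/*
 * Queue an incoming report for every reader of this device.
 *
 * Called from the HID core, possibly in interrupt context (hence
 * GFP_ATOMIC).  Each reader owns a power-of-two ring in which
 * head == tail means "empty", so the ring can hold at most
 * HIDRAW_BUFFER_SIZE - 1 reports.  Two failure cases are handled by
 * dropping the report for that reader instead of corrupting its ring:
 *
 *  - ring full: advancing head onto tail would make the reader see an
 *    empty ring while unread reports sit in it, and would leak the buffer
 *    the overwritten slot still owns;
 *  - kmemdup() failure: the old code queued a NULL value together with a
 *    non-zero length, which hidraw_read() then passed to copy_to_user().
 *
 * dev->list is walked without a lock, as before; concurrent open/release
 * are only serialized against each other by minors_lock.
 */
void hidraw_report_event(struct hid_device *hid, u8 *data, int len)
{
	struct hidraw *dev = hid->hidraw;
	struct hidraw_list *list;

	if (!dev)
		return;

	list_for_each_entry(list, &dev->list, node) {
		int next = (list->head + 1) & (HIDRAW_BUFFER_SIZE - 1);
		u8 *copy;

		if (next == list->tail)
			continue;	/* ring full: drop for this reader */

		copy = kmemdup(data, len, GFP_ATOMIC);
		if (!copy)
			continue;	/* out of memory: drop rather than queue NULL */

		list->buffer[list->head].value = copy;
		list->buffer[list->head].len = len;
		list->head = next;
		kill_fasync(&list->fasync, SIGIO, POLL_IN);
	}

	wake_up_interruptible(&dev->wait);
}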
353 EXPORT_SYMBOL_GPL(hidraw_report_event);
354
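/*
 * Register a HID device as /dev/hidrawN.
 *
 * The old code stored the new struct hidraw into hidraw_table[] and then
 * dropped minors_lock *before* initialising dev->hid, dev->wait and
 * dev->list.  A concurrent open()/ioctl() on the freshly created node could
 * therefore find the table entry and dereference dev->hid == NULL or use an
 * uninitialised wait queue.  Now every field is set up before the entry is
 * published, and the lock is held until it is.
 *
 * Returns 0, -ENOMEM, -EINVAL when no minor is free, or the device_create()
 * error.
 */
int hidraw_connect(struct hid_device *hid)
{
	int minor, result = -EINVAL;
	struct hidraw *dev;

	/* we accept any HID device, no matter the applications */

	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	/* Fully initialise before anyone else can see the device. */
	init_waitqueue_head(&dev->wait);
	INIT_LIST_HEAD(&dev->list);
	dev->hid = hid;

	mutex_lock(&minors_lock);

	for (minor = 0; minor < HIDRAW_MAX_DEVICES; minor++) {
		if (!hidraw_table[minor]) {
			result = 0;
			break;
		}
	}
	if (result)
		goto out_unlock_free;

	dev->minor = minor;
	dev->dev = device_create(hidraw_class, &hid->dev, MKDEV(hidraw_major, minor),
				 NULL, "%s%d", "hidraw", minor);
	if (IS_ERR(dev->dev)) {
		result = PTR_ERR(dev->dev);
		goto out_unlock_free;
	}

	dev->exist = 1;
	hid->hidraw = dev;
	/* Publish last; open() blocks on minors_lock until we release it. */
	hidraw_table[minor] = dev;

	mutex_unlock(&minors_lock);
	return 0;

out_unlock_free:
	mutex_unlock(&minors_lock);
	kfree(dev);
	return result;
}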
409 EXPORT_SYMBOL_GPL(hidraw_connect);
410
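/*
 * Unregister a HID device's hidraw node.
 *
 * Clears exist, removes the table entry and destroys the device node under
 * minors_lock, and decides under the same lock whether readers are still
 * open.  The old code cleared exist and tested open without the lock, so a
 * last release() racing with this function could both call the transport's
 * close() and/or leave the struct hidraw unfreed.  Holding minors_lock
 * matches hidraw_open(), which takes it across the transport open.
 *
 * When readers remain, the transport is closed here and they are woken so
 * hidraw_read() returns -EIO; the last release() then frees the struct.
 */
void hidraw_disconnect(struct hid_device *hid)
{
	struct hidraw *hidraw = hid->hidraw;

	mutex_lock(&minors_lock);

	hidraw->exist = 0;
	hidraw_table[hidraw->minor] = NULL;
	device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));

	if (hidraw->open) {
		hid->ll_driver->close(hid);
		wake_up_interruptible(&hidraw->wait);
	} else {
		kfree(hidraw);
	}

	mutex_unlock(&minors_lock);
}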
430 EXPORT_SYMBOL_GPL(hidraw_disconnect);
431
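/*
 * Module initialisation: reserve a major, create the sysfs class and add
 * the character device.
 *
 * Fixes in this version: dev_id is no longer read before the
 * alloc_chrdev_region() result is checked (it may be uninitialised on
 * failure); that failure is now propagated like the class_create() failure
 * already was, instead of returning 0 with hidraw_major/hidraw_class left
 * unset; the region is released with unregister_chrdev_region(), which is
 * the pairing call for alloc_chrdev_region() (unregister_chrdev() was not);
 * and cdev_add() is checked.
 *
 * Returns 0 or a negative errno.
 */
int __init hidraw_init(void)
{
	int result;
	dev_t dev_id;

	result = alloc_chrdev_region(&dev_id, HIDRAW_FIRST_MINOR,
			HIDRAW_MAX_DEVICES, "hidraw");
	if (result < 0) {
		printk(KERN_WARNING "hidraw: can't get major number\n");
		goto out;
	}
	hidraw_major = MAJOR(dev_id);

	hidraw_class = class_create(THIS_MODULE, "hidraw");
	if (IS_ERR(hidraw_class)) {
		result = PTR_ERR(hidraw_class);
		goto err_region;
	}

	cdev_init(&hidraw_cdev, &hidraw_ops);
	result = cdev_add(&hidraw_cdev, dev_id, HIDRAW_MAX_DEVICES);
	if (result < 0)
		goto err_class;
out:
	return result;

err_class:
	class_destroy(hidraw_class);
err_region:
	unregister_chrdev_region(dev_id, HIDRAW_MAX_DEVICES);
	goto out;
}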
460
/*
 * Module teardown: undo hidraw_init() in reverse order — remove the cdev,
 * destroy the class, then give the major/minor range back.
 */
void hidraw_exit(void)
{
	cdev_del(&hidraw_cdev);
	class_destroy(hidraw_class);
	unregister_chrdev_region(MKDEV(hidraw_major, 0), HIDRAW_MAX_DEVICES);
}