bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-05 06:52:34 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
e623b4ebee9d3a4b1e408b2c3e60cfc99b4e61ea
linux/net/bluetooth/hidp/core.c
Luiz Augusto von Dentz dbf666e4fc Bluetooth: HIDP: Fix possible UAF 
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:

[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[   97.809947] Call Trace:
[   97.809954]  <TASK>
[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[   97.810404]  __fput (fs/file_table.c:470)
[   97.810430]  task_work_run (kernel/task_work.c:235)
[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[   97.810527]  do_exit (kernel/exit.c:972)
[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[   97.810721]  do_group_exit (kernel/exit.c:1093)
[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810826]  ? vfs_read (fs/read_write.c:555)
[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.811078]  ? ksys_read (fs/read_write.c:707)
[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   97.811338] RIP: 0033:0x445cfe
[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.

Code starting with the faulting instruction
===========================================
[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
[   97.811453]  </TASK>
[   98.402453] ==================================================================
[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
[   98.405361]
[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[   98.405600] Call Trace:
[   98.405607]  <TASK>
[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[   98.406323]  ? kthread (kernel/kthread.c:433)
[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406523]  ? kthread (kernel/kthread.c:433)
[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406565]  ? kthread (kernel/kthread.c:433)
[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[   98.406610]  kthread (kernel/kthread.c:467)
[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[   98.406774]  </TASK>
[   98.406780]
[   98.433693] The buggy address belongs to the physical page:
[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
[   98.435557] flags: 0x200000000000000(node=0|zone=2)
[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
[   98.438115] page dumped because: kasan: bad access detected
[   98.438951]
[   98.439211] Memory state around the buggy address:
[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   98.442458]                                   ^
[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   98.444768] ==================================================================
[   98.445719] Disabling lock debugging due to kernel taint
[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
[   98.450040] Tainted: [B]=BAD_PAGE
[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[   98.450059] Call Trace:
[   98.450065]  <TASK>
[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[   98.450271]  ? kthread (kernel/kthread.c:433)
[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.450528]  ? kthread (kernel/kthread.c:433)
[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.450578]  ? kthread (kernel/kthread.c:433)
[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[   98.450637]  kthread (kernel/kthread.c:467)
[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[   98.450836]  </TASK>

Fixes: b4f34d8d9d ("Bluetooth: hidp: add new session-management helpers")
Reported-by: soufiane el hachmi <kilwa10@gmail.com>
Tested-by: soufiane el hachmi <kilwa10@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-03-12 15:27:46 -04:00

1492 lines
39 KiB
C
Raw Blame History

/*
HIDP implementation for Linux Bluetooth stack (BlueZ).
Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation;
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
SOFTWARE IS DISCLAIMED.
*/
#include <linux/kref.h>
#include <linux/module.h>
#include <linux/file.h>
#include <linux/kthread.h>
#include <linux/hidraw.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include "hidp.h"
#define VERSION "1.2"
static DECLARE_RWSEM(hidp_session_sem);
static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
static LIST_HEAD(hidp_session_list);
static unsigned char hidp_keycode[256] = {
0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
99, 70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103, 69,
98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71, 72, 73,
82, 83, 86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
136, 113, 115, 114, 0, 0, 0, 121, 0, 89, 93, 124, 92, 94,
95, 0, 0, 0, 122, 123, 90, 91, 85, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
29, 42, 56, 125, 97, 54, 100, 126, 164, 166, 165, 163, 161, 115,
114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
};
static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
static int hidp_session_probe(struct l2cap_conn *conn,
struct l2cap_user *user);
static void hidp_session_remove(struct l2cap_conn *conn,
struct l2cap_user *user);
static int hidp_session_thread(void *arg);
static void hidp_session_terminate(struct hidp_session *s);
static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
{
u32 valid_flags = 0;
memset(ci, 0, sizeof(*ci));
bacpy(&ci->bdaddr, &session->bdaddr);
ci->flags = session->flags & valid_flags;
ci->state = BT_CONNECTED;
if (session->input) {
ci->vendor = session->input->id.vendor;
ci->product = session->input->id.product;
ci->version = session->input->id.version;
if (session->input->name)
strscpy(ci->name, session->input->name, 128);
else
strscpy(ci->name, "HID Boot Device", 128);
} else if (session->hid) {
ci->vendor = session->hid->vendor;
ci->product = session->hid->product;
ci->version = session->hid->version;
strscpy(ci->name, session->hid->name, 128);
}
}
/* assemble skb, queue message on @transmit and wake up the session thread */
static int hidp_send_message(struct hidp_session *session, struct socket *sock,
struct sk_buff_head *transmit, unsigned char hdr,
const unsigned char *data, int size)
{
struct sk_buff *skb;
struct sock *sk = sock->sk;
int ret;
BT_DBG("session %p data %p size %d", session, data, size);
if (atomic_read(&session->terminate))
return -EIO;
skb = alloc_skb(size + 1, GFP_ATOMIC);
if (!skb) {
BT_ERR("Can't allocate memory for new frame");
return -ENOMEM;
}
skb_put_u8(skb, hdr);
if (data && size > 0) {
skb_put_data(skb, data, size);
ret = size;
} else {
ret = 0;
}
skb_queue_tail(transmit, skb);
wake_up_interruptible(sk_sleep(sk));
return ret;
}
static int hidp_send_ctrl_message(struct hidp_session *session,
unsigned char hdr, const unsigned char *data,
int size)
{
return hidp_send_message(session, session->ctrl_sock,
&session->ctrl_transmit, hdr, data, size);
}
static int hidp_send_intr_message(struct hidp_session *session,
unsigned char hdr, const unsigned char *data,
int size)
{
return hidp_send_message(session, session->intr_sock,
&session->intr_transmit, hdr, data, size);
}
static int hidp_input_event(struct input_dev *dev, unsigned int type,
unsigned int code, int value)
{
struct hidp_session *session = input_get_drvdata(dev);
unsigned char newleds;
unsigned char hdr, data[2];
BT_DBG("session %p type %d code %d value %d",
session, type, code, value);
if (type != EV_LED)
return -1;
newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
(!!test_bit(LED_COMPOSE, dev->led) << 3) |
(!!test_bit(LED_SCROLLL, dev->led) << 2) |
(!!test_bit(LED_CAPSL, dev->led) << 1) |
(!!test_bit(LED_NUML, dev->led) << 0);
if (session->leds == newleds)
return 0;
session->leds = newleds;
hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
data[0] = 0x01;
data[1] = newleds;
return hidp_send_intr_message(session, hdr, data, 2);
}
static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
{
struct input_dev *dev = session->input;
unsigned char *keys = session->keys;
unsigned char *udata = skb->data + 1;
signed char *sdata = skb->data + 1;
int i, size = skb->len - 1;
switch (skb->data[0]) {
case 0x01: /* Keyboard report */
for (i = 0; i < 8; i++)
input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
/* If all the key codes have been set to 0x01, it means
* too many keys were pressed at the same time. */
if (!memcmp(udata + 2, hidp_mkeyspat, 6))
break;
for (i = 2; i < 8; i++) {
if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
if (hidp_keycode[keys[i]])
input_report_key(dev, hidp_keycode[keys[i]], 0);
else
BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
}
if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
if (hidp_keycode[udata[i]])
input_report_key(dev, hidp_keycode[udata[i]], 1);
else
BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
}
}
memcpy(keys, udata, 8);
break;
case 0x02: /* Mouse report */
input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
input_report_key(dev, BTN_SIDE, sdata[0] & 0x08);
input_report_key(dev, BTN_EXTRA, sdata[0] & 0x10);
input_report_rel(dev, REL_X, sdata[1]);
input_report_rel(dev, REL_Y, sdata[2]);
if (size > 3)
input_report_rel(dev, REL_WHEEL, sdata[3]);
break;
}
input_sync(dev);
}
static int hidp_get_raw_report(struct hid_device *hid,
unsigned char report_number,
unsigned char *data, size_t count,
unsigned char report_type)
{
struct hidp_session *session = hid->driver_data;
struct sk_buff *skb;
size_t len;
int numbered_reports = hid->report_enum[report_type].numbered;
int ret;
if (atomic_read(&session->terminate))
return -EIO;
switch (report_type) {
case HID_FEATURE_REPORT:
report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
break;
case HID_INPUT_REPORT:
report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
break;
case HID_OUTPUT_REPORT:
report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
break;
default:
return -EINVAL;
}
if (mutex_lock_interruptible(&session->report_mutex))
return -ERESTARTSYS;
/* Set up our wait, and send the report request to the device. */
session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
session->waiting_report_number = numbered_reports ? report_number : -1;
set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
data[0] = report_number;
ret = hidp_send_ctrl_message(session, report_type, data, 1);
if (ret < 0)
goto err;
/* Wait for the return of the report. The returned report
gets put in session->report_return. */
while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
!atomic_read(&session->terminate)) {
int res;
res = wait_event_interruptible_timeout(session->report_queue,
!test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
|| atomic_read(&session->terminate),
5*HZ);
if (res == 0) {
/* timeout */
ret = -EIO;
goto err;
}
if (res < 0) {
/* signal */
ret = -ERESTARTSYS;
goto err;
}
}
skb = session->report_return;
if (skb) {
len = skb->len < count ? skb->len : count;
memcpy(data, skb->data, len);
kfree_skb(skb);
session->report_return = NULL;
} else {
/* Device returned a HANDSHAKE, indicating protocol error. */
len = -EIO;
}
clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
mutex_unlock(&session->report_mutex);
return len;
err:
clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
mutex_unlock(&session->report_mutex);
return ret;
}
static int hidp_set_raw_report(struct hid_device *hid, unsigned char reportnum,
unsigned char *data, size_t count,
unsigned char report_type)
{
struct hidp_session *session = hid->driver_data;
int ret;
switch (report_type) {
case HID_FEATURE_REPORT:
report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
break;
case HID_INPUT_REPORT:
report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_INPUT;
break;
case HID_OUTPUT_REPORT:
report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
break;
default:
return -EINVAL;
}
if (mutex_lock_interruptible(&session->report_mutex))
return -ERESTARTSYS;
/* Set up our wait, and send the report request to the device. */
data[0] = reportnum;
set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
ret = hidp_send_ctrl_message(session, report_type, data, count);
if (ret < 0)
goto err;
/* Wait for the ACK from the device. */
while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
!atomic_read(&session->terminate)) {
int res;
res = wait_event_interruptible_timeout(session->report_queue,
!test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
|| atomic_read(&session->terminate),
10*HZ);
if (res == 0) {
/* timeout */
ret = -EIO;
goto err;
}
if (res < 0) {
/* signal */
ret = -ERESTARTSYS;
goto err;
}
}
if (!session->output_report_success) {
ret = -EIO;
goto err;
}
ret = count;
err:
clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
mutex_unlock(&session->report_mutex);
return ret;
}
static int hidp_output_report(struct hid_device *hid, __u8 *data, size_t count)
{
struct hidp_session *session = hid->driver_data;
return hidp_send_intr_message(session,
HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT,
data, count);
}
static int hidp_raw_request(struct hid_device *hid, unsigned char reportnum,
__u8 *buf, size_t len, unsigned char rtype,
int reqtype)
{
switch (reqtype) {
case HID_REQ_GET_REPORT:
return hidp_get_raw_report(hid, reportnum, buf, len, rtype);
case HID_REQ_SET_REPORT:
return hidp_set_raw_report(hid, reportnum, buf, len, rtype);
default:
return -EIO;
}
}
static void hidp_idle_timeout(struct timer_list *t)
{
struct hidp_session *session = timer_container_of(session, t, timer);
/* The HIDP user-space API only contains calls to add and remove
* devices. There is no way to forward events of any kind. Therefore,
* we have to forcefully disconnect a device on idle-timeouts. This is
* unfortunate and weird API design, but it is spec-compliant and
* required for backwards-compatibility. Hence, on idle-timeout, we
* signal driver-detach events, so poll() will be woken up with an
* error-condition on both sockets.
*/
session->intr_sock->sk->sk_err = EUNATCH;
session->ctrl_sock->sk->sk_err = EUNATCH;
wake_up_interruptible(sk_sleep(session->intr_sock->sk));
wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
hidp_session_terminate(session);
}
static void hidp_set_timer(struct hidp_session *session)
{
if (session->idle_to > 0)
mod_timer(&session->timer, jiffies + HZ * session->idle_to);
}
static void hidp_del_timer(struct hidp_session *session)
{
if (session->idle_to > 0)
timer_delete_sync(&session->timer);
}
static void hidp_process_report(struct hidp_session *session, int type,
const u8 *data, unsigned int len, int intr)
{
if (len > HID_MAX_BUFFER_SIZE)
len = HID_MAX_BUFFER_SIZE;
memcpy(session->input_buf, data, len);
hid_input_report(session->hid, type, session->input_buf, len, intr);
}
static void hidp_process_handshake(struct hidp_session *session,
unsigned char param)
{
BT_DBG("session %p param 0x%02x", session, param);
session->output_report_success = 0; /* default condition */
switch (param) {
case HIDP_HSHK_SUCCESSFUL:
/* FIXME: Call into SET_ GET_ handlers here */
session->output_report_success = 1;
break;
case HIDP_HSHK_NOT_READY:
case HIDP_HSHK_ERR_INVALID_REPORT_ID:
case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
case HIDP_HSHK_ERR_INVALID_PARAMETER:
if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
wake_up_interruptible(&session->report_queue);
/* FIXME: Call into SET_ GET_ handlers here */
break;
case HIDP_HSHK_ERR_UNKNOWN:
break;
case HIDP_HSHK_ERR_FATAL:
/* Device requests a reboot, as this is the only way this error
* can be recovered. */
hidp_send_ctrl_message(session,
HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
break;
default:
hidp_send_ctrl_message(session,
HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
break;
}
/* Wake up the waiting thread. */
if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
wake_up_interruptible(&session->report_queue);
}
static void hidp_process_hid_control(struct hidp_session *session,
unsigned char param)
{
BT_DBG("session %p param 0x%02x", session, param);
if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
/* Flush the transmit queues */
skb_queue_purge(&session->ctrl_transmit);
skb_queue_purge(&session->intr_transmit);
hidp_session_terminate(session);
}
}
/* Returns true if the passed-in skb should be freed by the caller. */
static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
unsigned char param)
{
int done_with_skb = 1;
BT_DBG("session %p skb %p len %u param 0x%02x", session, skb, skb->len, param);
switch (param) {
case HIDP_DATA_RTYPE_INPUT:
hidp_set_timer(session);
if (session->input)
hidp_input_report(session, skb);
if (session->hid)
hidp_process_report(session, HID_INPUT_REPORT,
skb->data, skb->len, 0);
break;
case HIDP_DATA_RTYPE_OTHER:
case HIDP_DATA_RTYPE_OUPUT:
case HIDP_DATA_RTYPE_FEATURE:
break;
default:
hidp_send_ctrl_message(session,
HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
}
if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
param == session->waiting_report_type) {
if (session->waiting_report_number < 0 ||
session->waiting_report_number == skb->data[0]) {
/* hidp_get_raw_report() is waiting on this report. */
session->report_return = skb;
done_with_skb = 0;
clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
wake_up_interruptible(&session->report_queue);
}
}
return done_with_skb;
}
static void hidp_recv_ctrl_frame(struct hidp_session *session,
struct sk_buff *skb)
{
unsigned char hdr, type, param;
int free_skb = 1;
BT_DBG("session %p skb %p len %u", session, skb, skb->len);
hdr = skb->data[0];
skb_pull(skb, 1);
type = hdr & HIDP_HEADER_TRANS_MASK;
param = hdr & HIDP_HEADER_PARAM_MASK;
switch (type) {
case HIDP_TRANS_HANDSHAKE:
hidp_process_handshake(session, param);
break;
case HIDP_TRANS_HID_CONTROL:
hidp_process_hid_control(session, param);
break;
case HIDP_TRANS_DATA:
free_skb = hidp_process_data(session, skb, param);
break;
default:
hidp_send_ctrl_message(session,
HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
break;
}
if (free_skb)
kfree_skb(skb);
}
static void hidp_recv_intr_frame(struct hidp_session *session,
struct sk_buff *skb)
{
unsigned char hdr;
BT_DBG("session %p skb %p len %u", session, skb, skb->len);
hdr = skb->data[0];
skb_pull(skb, 1);
if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
hidp_set_timer(session);
if (session->input)
hidp_input_report(session, skb);
if (session->hid) {
hidp_process_report(session, HID_INPUT_REPORT,
skb->data, skb->len, 1);
BT_DBG("report len %d", skb->len);
}
} else {
BT_DBG("Unsupported protocol header 0x%02x", hdr);
}
kfree_skb(skb);
}
static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
{
struct kvec iv = { data, len };
struct msghdr msg;
BT_DBG("sock %p data %p len %d", sock, data, len);
if (!len)
return 0;
memset(&msg, 0, sizeof(msg));
return kernel_sendmsg(sock, &msg, &iv, 1, len);
}
/* dequeue message from @transmit and send via @sock */
static void hidp_process_transmit(struct hidp_session *session,
struct sk_buff_head *transmit,
struct socket *sock)
{
struct sk_buff *skb;
int ret;
BT_DBG("session %p", session);
while ((skb = skb_dequeue(transmit))) {
ret = hidp_send_frame(sock, skb->data, skb->len);
if (ret == -EAGAIN) {
skb_queue_head(transmit, skb);
break;
} else if (ret < 0) {
hidp_session_terminate(session);
kfree_skb(skb);
break;
}
hidp_set_timer(session);
kfree_skb(skb);
}
}
static int hidp_setup_input(struct hidp_session *session,
const struct hidp_connadd_req *req)
{
struct input_dev *input;
int i;
input = input_allocate_device();
if (!input)
return -ENOMEM;
session->input = input;
input_set_drvdata(input, session);
input->name = "Bluetooth HID Boot Protocol Device";
input->id.bustype = BUS_BLUETOOTH;
input->id.vendor = req->vendor;
input->id.product = req->product;
input->id.version = req->version;
if (req->subclass & 0x40) {
set_bit(EV_KEY, input->evbit);
set_bit(EV_LED, input->evbit);
set_bit(EV_REP, input->evbit);
set_bit(LED_NUML, input->ledbit);
set_bit(LED_CAPSL, input->ledbit);
set_bit(LED_SCROLLL, input->ledbit);
set_bit(LED_COMPOSE, input->ledbit);
set_bit(LED_KANA, input->ledbit);
for (i = 0; i < sizeof(hidp_keycode); i++)
set_bit(hidp_keycode[i], input->keybit);
clear_bit(0, input->keybit);
}
if (req->subclass & 0x80) {
input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
BIT_MASK(BTN_EXTRA);
input->relbit[0] |= BIT_MASK(REL_WHEEL);
}
input->dev.parent = &session->conn->hcon->dev;
input->event = hidp_input_event;
return 0;
}
static int hidp_open(struct hid_device *hid)
{
return 0;
}
static void hidp_close(struct hid_device *hid)
{
}
static int hidp_parse(struct hid_device *hid)
{
struct hidp_session *session = hid->driver_data;
return hid_parse_report(session->hid, session->rd_data,
session->rd_size);
}
static int hidp_start(struct hid_device *hid)
{
return 0;
}
static void hidp_stop(struct hid_device *hid)
{
struct hidp_session *session = hid->driver_data;
skb_queue_purge(&session->ctrl_transmit);
skb_queue_purge(&session->intr_transmit);
hid->claimed = 0;
}
static const struct hid_ll_driver hidp_hid_driver = {
.parse = hidp_parse,
.start = hidp_start,
.stop = hidp_stop,
.open = hidp_open,
.close = hidp_close,
.raw_request = hidp_raw_request,
.output_report = hidp_output_report,
};
/* This function sets up the hid device. It does not add it
to the HID system. That is done in hidp_add_connection(). */
static int hidp_setup_hid(struct hidp_session *session,
const struct hidp_connadd_req *req)
{
struct hid_device *hid;
int err;
session->rd_data = memdup_user(req->rd_data, req->rd_size);
if (IS_ERR(session->rd_data))
return PTR_ERR(session->rd_data);
session->rd_size = req->rd_size;
hid = hid_allocate_device();
if (IS_ERR(hid)) {
err = PTR_ERR(hid);
goto fault;
}
session->hid = hid;
hid->driver_data = session;
hid->bus = BUS_BLUETOOTH;
hid->vendor = req->vendor;
hid->product = req->product;
hid->version = req->version;
hid->country = req->country;
strscpy(hid->name, req->name, sizeof(hid->name));
snprintf(hid->phys, sizeof(hid->phys), "%pMR",
&l2cap_pi(session->ctrl_sock->sk)->chan->src);
/* NOTE: Some device modules depend on the dst address being stored in
* uniq. Please be aware of this before making changes to this behavior.
*/
snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
&l2cap_pi(session->ctrl_sock->sk)->chan->dst);
hid->dev.parent = &session->conn->hcon->dev;
hid->ll_driver = &hidp_hid_driver;
/* True if device is blocked in drivers/hid/hid-quirks.c */
if (hid_ignore(hid)) {
hid_destroy_device(session->hid);
session->hid = NULL;
return -ENODEV;
}
return 0;
fault:
kfree(session->rd_data);
session->rd_data = NULL;
return err;
}
/* initialize session devices */
static int hidp_session_dev_init(struct hidp_session *session,
const struct hidp_connadd_req *req)
{
int ret;
if (req->rd_size > 0) {
ret = hidp_setup_hid(session, req);
if (ret && ret != -ENODEV)
return ret;
}
if (!session->hid) {
ret = hidp_setup_input(session, req);
if (ret < 0)
return ret;
}
return 0;
}
/* destroy session devices */
static void hidp_session_dev_destroy(struct hidp_session *session)
{
if (session->hid)
put_device(&session->hid->dev);
else if (session->input)
input_put_device(session->input);
kfree(session->rd_data);
session->rd_data = NULL;
}
/* add HID/input devices to their underlying bus systems */
static int hidp_session_dev_add(struct hidp_session *session)
{
int ret;
/* Both HID and input systems drop a ref-count when unregistering the
* device but they don't take a ref-count when registering them. Work
* around this by explicitly taking a refcount during registration
* which is dropped automatically by unregistering the devices. */
if (session->hid) {
ret = hid_add_device(session->hid);
if (ret)
return ret;
get_device(&session->hid->dev);
} else if (session->input) {
ret = input_register_device(session->input);
if (ret)
return ret;
input_get_device(session->input);
}
return 0;
}
/* remove HID/input devices from their bus systems */
static void hidp_session_dev_del(struct hidp_session *session)
{
if (session->hid)
hid_destroy_device(session->hid);
else if (session->input)
input_unregister_device(session->input);
}
/*
* Asynchronous device registration
* HID device drivers might want to perform I/O during initialization to
* detect device types. Therefore, call device registration in a separate
* worker so the HIDP thread can schedule I/O operations.
* Note that this must be called after the worker thread was initialized
* successfully. This will then add the devices and increase session state
* on success, otherwise it will terminate the session thread.
*/
static void hidp_session_dev_work(struct work_struct *work)
{
struct hidp_session *session = container_of(work,
struct hidp_session,
dev_init);
int ret;
ret = hidp_session_dev_add(session);
if (!ret)
atomic_inc(&session->state);
else
hidp_session_terminate(session);
}
/*
* Create new session object
* Allocate session object, initialize static fields, copy input data into the
* object and take a reference to all sub-objects.
* This returns 0 on success and puts a pointer to the new session object in
* \out. Otherwise, an error code is returned.
* The new session object has an initial ref-count of 1.
*/
static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
struct socket *ctrl_sock,
struct socket *intr_sock,
const struct hidp_connadd_req *req,
struct l2cap_conn *conn)
{
struct hidp_session *session;
int ret;
struct bt_sock *ctrl, *intr;
ctrl = bt_sk(ctrl_sock->sk);
intr = bt_sk(intr_sock->sk);
session = kzalloc_obj(*session);
if (!session)
return -ENOMEM;
/* object and runtime management */
kref_init(&session->ref);
atomic_set(&session->state, HIDP_SESSION_IDLING);
init_waitqueue_head(&session->state_queue);
session->flags = req->flags & BIT(HIDP_BLUETOOTH_VENDOR_ID);
/* connection management */
bacpy(&session->bdaddr, bdaddr);
session->conn = l2cap_conn_get(conn);
session->user.probe = hidp_session_probe;
session->user.remove = hidp_session_remove;
INIT_LIST_HEAD(&session->user.list);
session->ctrl_sock = ctrl_sock;
session->intr_sock = intr_sock;
skb_queue_head_init(&session->ctrl_transmit);
skb_queue_head_init(&session->intr_transmit);
session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
l2cap_pi(ctrl)->chan->imtu);
session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
l2cap_pi(intr)->chan->imtu);
session->idle_to = req->idle_to;
/* device management */
INIT_WORK(&session->dev_init, hidp_session_dev_work);
timer_setup(&session->timer, hidp_idle_timeout, 0);
/* session data */
mutex_init(&session->report_mutex);
init_waitqueue_head(&session->report_queue);
ret = hidp_session_dev_init(session, req);
if (ret)
goto err_free;
get_file(session->intr_sock->file);
get_file(session->ctrl_sock->file);
*out = session;
return 0;
err_free:
l2cap_conn_put(session->conn);
kfree(session);
return ret;
}
/* increase ref-count of the given session by one */
static void hidp_session_get(struct hidp_session *session)
{
kref_get(&session->ref);
}
/* release callback */
static void session_free(struct kref *ref)
{
struct hidp_session *session = container_of(ref, struct hidp_session,
ref);
hidp_session_dev_destroy(session);
skb_queue_purge(&session->ctrl_transmit);
skb_queue_purge(&session->intr_transmit);
fput(session->intr_sock->file);
fput(session->ctrl_sock->file);
if (session->conn)
l2cap_conn_put(session->conn);
kfree(session);
}
/* decrease ref-count of the given session by one */
static void hidp_session_put(struct hidp_session *session)
{
kref_put(&session->ref, session_free);
}
/*
* Search the list of active sessions for a session with target address
* \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
* you do not release this lock, the session objects cannot vanish and you can
* safely take a reference to the session yourself.
*/
static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
{
struct hidp_session *session;
list_for_each_entry(session, &hidp_session_list, list) {
if (!bacmp(bdaddr, &session->bdaddr))
return session;
}
return NULL;
}
/*
* Same as __hidp_session_find() but no locks must be held. This also takes a
* reference of the returned session (if non-NULL) so you must drop this
* reference if you no longer use the object.
*/
static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
{
struct hidp_session *session;
down_read(&hidp_session_sem);
session = __hidp_session_find(bdaddr);
if (session)
hidp_session_get(session);
up_read(&hidp_session_sem);
return session;
}
/*
* Start session synchronously
* This starts a session thread and waits until initialization
* is done or returns an error if it couldn't be started.
* If this returns 0 the session thread is up and running. You must call
* hipd_session_stop_sync() before deleting any runtime resources.
*/
static int hidp_session_start_sync(struct hidp_session *session)
{
unsigned int vendor, product;
if (session->hid) {
vendor = session->hid->vendor;
product = session->hid->product;
} else if (session->input) {
vendor = session->input->id.vendor;
product = session->input->id.product;
} else {
vendor = 0x0000;
product = 0x0000;
}
session->task = kthread_run(hidp_session_thread, session,
"khidpd_%04x%04x", vendor, product);
if (IS_ERR(session->task))
return PTR_ERR(session->task);
while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
wait_event(session->state_queue,
atomic_read(&session->state) > HIDP_SESSION_IDLING);
return 0;
}
/*
* Terminate session thread
* Wake up session thread and notify it to stop. This is asynchronous and
* returns immediately. Call this whenever a runtime error occurs and you want
* the session to stop.
* Note: wake_up_interruptible() performs any necessary memory-barriers for us.
*/
static void hidp_session_terminate(struct hidp_session *session)
{
atomic_inc(&session->terminate);
/*
* See the comment preceding the call to wait_woken()
* in hidp_session_run().
*/
wake_up_interruptible(&hidp_session_wq);
}
/*
* Probe HIDP session
* This is called from the l2cap_conn core when our l2cap_user object is bound
* to the hci-connection. We get the session via the \user object and can now
* start the session thread, link it into the global session list and
* schedule HID/input device registration.
* The global session-list owns its own reference to the session object so you
* can drop your own reference after registering the l2cap_user object.
*/
static int hidp_session_probe(struct l2cap_conn *conn,
struct l2cap_user *user)
{
struct hidp_session *session = container_of(user,
struct hidp_session,
user);
struct hidp_session *s;
int ret;
down_write(&hidp_session_sem);
/* check that no other session for this device exists */
s = __hidp_session_find(&session->bdaddr);
if (s) {
ret = -EEXIST;
goto out_unlock;
}
if (session->input) {
ret = hidp_session_dev_add(session);
if (ret)
goto out_unlock;
}
ret = hidp_session_start_sync(session);
if (ret)
goto out_del;
/* HID device registration is async to allow I/O during probe */
if (session->input)
atomic_inc(&session->state);
else
schedule_work(&session->dev_init);
hidp_session_get(session);
list_add(&session->list, &hidp_session_list);
ret = 0;
goto out_unlock;
out_del:
if (session->input)
hidp_session_dev_del(session);
out_unlock:
up_write(&hidp_session_sem);
return ret;
}
/*
* Remove HIDP session
* Called from the l2cap_conn core when either we explicitly unregistered
* the l2cap_user object or if the underlying connection is shut down.
* We signal the hidp-session thread to shut down, unregister the HID/input
* devices and unlink the session from the global list.
* This drops the reference to the session that is owned by the global
* session-list.
* Note: We _must_ not synchronosly wait for the session-thread to shut down.
* This is, because the session-thread might be waiting for an HCI lock that is
* held while we are called. Therefore, we only unregister the devices and
* notify the session-thread to terminate. The thread itself owns a reference
* to the session object so it can safely shut down.
*/
static void hidp_session_remove(struct l2cap_conn *conn,
struct l2cap_user *user)
{
struct hidp_session *session = container_of(user,
struct hidp_session,
user);
down_write(&hidp_session_sem);
/* Drop L2CAP reference immediately to indicate that
* l2cap_unregister_user() shall not be called as it is already
* considered removed.
*/
if (session->conn) {
l2cap_conn_put(session->conn);
session->conn = NULL;
}
hidp_session_terminate(session);
cancel_work_sync(&session->dev_init);
if (session->input ||
atomic_read(&session->state) > HIDP_SESSION_PREPARING)
hidp_session_dev_del(session);
list_del(&session->list);
up_write(&hidp_session_sem);
hidp_session_put(session);
}
/*
* Session Worker
* This performs the actual main-loop of the HIDP worker. We first check
* whether the underlying connection is still alive, then parse all pending
* messages and finally send all outstanding messages.
*/
static void hidp_session_run(struct hidp_session *session)
{
struct sock *ctrl_sk = session->ctrl_sock->sk;
struct sock *intr_sk = session->intr_sock->sk;
struct sk_buff *skb;
DEFINE_WAIT_FUNC(wait, woken_wake_function);
add_wait_queue(&hidp_session_wq, &wait);
for (;;) {
/*
* This thread can be woken up two ways:
* - You call hidp_session_terminate() which sets the
* session->terminate flag and wakes this thread up.
* - Via modifying the socket state of ctrl/intr_sock. This
* thread is woken up by ->sk_state_changed().
*/
if (atomic_read(&session->terminate))
break;
if (ctrl_sk->sk_state != BT_CONNECTED ||
intr_sk->sk_state != BT_CONNECTED)
break;
/* parse incoming intr-skbs */
while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
skb_orphan(skb);
if (!skb_linearize(skb))
hidp_recv_intr_frame(session, skb);
else
kfree_skb(skb);
}
/* send pending intr-skbs */
hidp_process_transmit(session, &session->intr_transmit,
session->intr_sock);
/* parse incoming ctrl-skbs */
while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
skb_orphan(skb);
if (!skb_linearize(skb))
hidp_recv_ctrl_frame(session, skb);
else
kfree_skb(skb);
}
/* send pending ctrl-skbs */
hidp_process_transmit(session, &session->ctrl_transmit,
session->ctrl_sock);
/*
* wait_woken() performs the necessary memory barriers
* for us; see the header comment for this primitive.
*/
wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
}
remove_wait_queue(&hidp_session_wq, &wait);
atomic_inc(&session->terminate);
}
static int hidp_session_wake_function(wait_queue_entry_t *wait,
unsigned int mode,
int sync, void *key)
{
wake_up_interruptible(&hidp_session_wq);
return false;
}
/*
* HIDP session thread
* This thread runs the I/O for a single HIDP session. Startup is synchronous
* which allows us to take references to ourself here instead of doing that in
* the caller.
* When we are ready to run we notify the caller and call hidp_session_run().
*/
static int hidp_session_thread(void *arg)
{
struct hidp_session *session = arg;
DEFINE_WAIT_FUNC(ctrl_wait, hidp_session_wake_function);
DEFINE_WAIT_FUNC(intr_wait, hidp_session_wake_function);
BT_DBG("session %p", session);
/* initialize runtime environment */
hidp_session_get(session);
__module_get(THIS_MODULE);
set_user_nice(current, -15);
hidp_set_timer(session);
add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
/* This memory barrier is paired with wq_has_sleeper(). See
* sock_poll_wait() for more information why this is needed. */
smp_mb__before_atomic();
/* notify synchronous startup that we're ready */
atomic_inc(&session->state);
wake_up(&session->state_queue);
/* run session */
hidp_session_run(session);
/* cleanup runtime environment */
remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
wake_up_interruptible(&session->report_queue);
hidp_del_timer(session);
/*
* If we stopped ourself due to any internal signal, we should try to
* unregister our own session here to avoid having it linger until the
* parent l2cap_conn dies or user-space cleans it up.
* This does not deadlock as we don't do any synchronous shutdown.
* Instead, this call has the same semantics as if user-space tried to
* delete the session.
*/
if (session->conn)
l2cap_unregister_user(session->conn, &session->user);
hidp_session_put(session);
module_put_and_kthread_exit(0);
return 0;
}
static int hidp_verify_sockets(struct socket *ctrl_sock,
struct socket *intr_sock)
{
struct l2cap_chan *ctrl_chan, *intr_chan;
struct bt_sock *ctrl, *intr;
struct hidp_session *session;
if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
return -EINVAL;
ctrl_chan = l2cap_pi(ctrl_sock->sk)->chan;
intr_chan = l2cap_pi(intr_sock->sk)->chan;
if (bacmp(&ctrl_chan->src, &intr_chan->src) ||
bacmp(&ctrl_chan->dst, &intr_chan->dst))
return -ENOTUNIQ;
ctrl = bt_sk(ctrl_sock->sk);
intr = bt_sk(intr_sock->sk);
if (ctrl->sk.sk_state != BT_CONNECTED ||
intr->sk.sk_state != BT_CONNECTED)
return -EBADFD;
/* early session check, we check again during session registration */
session = hidp_session_find(&ctrl_chan->dst);
if (session) {
hidp_session_put(session);
return -EEXIST;
}
return 0;
}
int hidp_connection_add(const struct hidp_connadd_req *req,
struct socket *ctrl_sock,
struct socket *intr_sock)
{
u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG) |
BIT(HIDP_BOOT_PROTOCOL_MODE);
struct hidp_session *session;
struct l2cap_conn *conn;
struct l2cap_chan *chan;
int ret;
ret = hidp_verify_sockets(ctrl_sock, intr_sock);
if (ret)
return ret;
if (req->flags & ~valid_flags)
return -EINVAL;
chan = l2cap_pi(ctrl_sock->sk)->chan;
conn = NULL;
l2cap_chan_lock(chan);
if (chan->conn)
conn = l2cap_conn_get(chan->conn);
l2cap_chan_unlock(chan);
if (!conn)
return -EBADFD;
ret = hidp_session_new(&session, &chan->dst, ctrl_sock,
intr_sock, req, conn);
if (ret)
goto out_conn;
ret = l2cap_register_user(conn, &session->user);
if (ret)
goto out_session;
ret = 0;
out_session:
hidp_session_put(session);
out_conn:
l2cap_conn_put(conn);
return ret;
}
int hidp_connection_del(struct hidp_conndel_req *req)
{
u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG);
struct hidp_session *session;
if (req->flags & ~valid_flags)
return -EINVAL;
session = hidp_session_find(&req->bdaddr);
if (!session)
return -ENOENT;
if (req->flags & BIT(HIDP_VIRTUAL_CABLE_UNPLUG))
hidp_send_ctrl_message(session,
HIDP_TRANS_HID_CONTROL |
HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
NULL, 0);
else
l2cap_unregister_user(session->conn, &session->user);
hidp_session_put(session);
return 0;
}
int hidp_get_connlist(struct hidp_connlist_req *req)
{
struct hidp_session *session;
int err = 0, n = 0;
BT_DBG("");
down_read(&hidp_session_sem);
list_for_each_entry(session, &hidp_session_list, list) {
struct hidp_conninfo ci;
hidp_copy_session(session, &ci);
if (copy_to_user(req->ci, &ci, sizeof(ci))) {
err = -EFAULT;
break;
}
if (++n >= req->cnum)
break;
req->ci++;
}
req->cnum = n;
up_read(&hidp_session_sem);
return err;
}
int hidp_get_conninfo(struct hidp_conninfo *ci)
{
struct hidp_session *session;
session = hidp_session_find(&ci->bdaddr);
if (session) {
hidp_copy_session(session, ci);
hidp_session_put(session);
}
return session ? 0 : -ENOENT;
}
static int __init hidp_init(void)
{
BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
return hidp_init_sockets();
}
static void __exit hidp_exit(void)
{
hidp_cleanup_sockets();
}
module_init(hidp_init);
module_exit(hidp_exit);
MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");
MODULE_ALIAS("bt-proto-6");
Reference in New Issue View Git Blame Copy Permalink